diff --git a/examples/remediation-kits/services/3.1-disable-http-server.sh b/examples/remediation-kits/services/3.1-disable-http-server.sh index 91c1117c976ae6dacbd355732fbc1e75b4d88a1f..bb3a8cd4f05fe636d2af513c656630d2c2439755 100755 --- a/examples/remediation-kits/services/3.1-disable-http-server.sh +++ b/examples/remediation-kits/services/3.1-disable-http-server.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + systemctl --now disable httpd diff --git a/examples/scanners/services/3.1-disable-http-server.sh b/examples/scanners/services/3.1-disable-http-server.sh index a5318fe10402393a4b4fe7bc3d3d8af652e6bc43..66bcbfdadece88c780bc62aff4398d8b563cdd53 100755 --- a/examples/scanners/services/3.1-disable-http-server.sh +++ b/examples/scanners/services/3.1-disable-http-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [ "$(rpm -qa httpd)" ]; then result=$(systemctl is-enabled httpd) if [ $result != enabled ]; then diff --git a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh old mode 100644 new mode 100755 index 8b7f2d56c26717ce54e35d1b11a9652ef10ff173..bcbb7dec0181ea7c3facf96aa666884117f0c978 --- a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh +++ b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=$(systemctl is-enabled crond) if [[ $result == "masked" ]] ; then diff --git a/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh b/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh old mode 100644 new mode 100755 index c180b963b59597ebef58656aef76ae082e9ab6b8..d8b470db99baf14cc9cc55516ffae06d9a6ff239 --- a/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh 
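Review bot: In examples/scanners/services/3.1-disable-http-server.sh the test `[ $result != enabled ]` expands `$result` unquoted, so if `systemctl is-enabled httpd` ever prints nothing on stdout the test collapses to `[ != enabled ]` and errors out instead of producing a verdict. Quoting it, `if [ "$result" != enabled ]; then`, keeps the scanner's pass/fail decision well-defined. The `if` body continues outside the hunk, so which branch reports a pass cannot be confirmed from here.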
+++ b/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod u-x,g-wx,o-rwx {} \; find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:ssh_keys {} \; \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh b/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh old mode 100644 new mode 100755 index c554f6b7768e30d807f63530ec46042c33415f78..dab28ff9a2c7775ab7bbf7163b2122ac301f1a3c --- a/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh +++ b/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go-wx {} \; find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh old mode 100644 new mode 100755 index 74429bb5654ba8abd7e861858496fa2e896999b4..db837147452a29b2042f91e7fdf0d84549f56d5f --- a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh +++ b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sshLogLevelCount=$(grep -icP "Loglevel\s+.*" /etc/ssh/sshd_config) sshLogLevel=$(grep -iP "Loglevel\s+.*" /etc/ssh/sshd_config) sshLogLevelNum=$(grep -iPn "Loglevel\s+.*" /etc/ssh/sshd_config | cut -d: -f1) 
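Review bot: The three `grep -iP "Loglevel\s+.*"` calls in 1.13-ensure-ssh-loglevel-is-appropriate.sh are unanchored, so a commented line such as `#LogLevel INFO` is counted and returned as if it were the active setting. Anchoring to an uncommented directive, e.g. `grep -icP "^\s*LogLevel\s+" /etc/ssh/sshd_config`, ties the count, text and line number to what sshd actually reads. How the three variables are used lies outside the hunk, so the effect on the rewrite step is inferred rather than visible.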
diff --git a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh old mode 100644 new mode 100755 index 3602004149f6568ae65c9e847d0403f6d9834c23..3b351410645af5a5e1132a89132e92724e733d7b --- a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh +++ b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh old mode 100644 new mode 100755 index 7c87ca4f34f1b0860a495622e535a354c845a18f..fdc641f84bbac9c84c66b29dd7e4fd448b3d243f --- a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh +++ b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + IgnoreRhosts=$(grep -E "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config | awk '{print $2}') if [[ $IgnoreRhosts == 'no' ]] ; then diff --git a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh old mode 100644 new mode 100755 index 9e173b0ba03cdf80fa771f9bc32eadc1c5abdae3..78987d3adacd066da1c97184504d9d6e9b81d53d --- a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh +++ b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh 
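Review bot: The append fallback in 1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh (`|| echo "MaxAuthTries 4" >> /etc/ssh/sshd_config`) writes the directive at the end of the file, where it falls inside any trailing `Match` block and loses to an earlier value, since sshd keeps the first value it obtains for a keyword. The script then runs `systemctl restart sshd` without validating the result, so a rejected configuration can stop the daemon on a remotely administered host. Gate the restart on a syntax check, `sshd -t && systemctl restart sshd`, and consider inserting the directive before the first `Match` line rather than at end of file. The same applies to 1.16–1.19, 1.21–1.24, 1.41, 1.47 and 1.50 in this commit.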
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh old mode 100644 new mode 100755 index 1df9463f4f13898867cd7c6638b40c4038289856..053498b14359cb04361d20f30523012fe4e68848 --- a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh +++ b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh old mode 100644 new mode 100755 index c77c66a0308d7e416a85b9dcb8e9d4536b32f557..97103b22edb6c0e3606da9654138df2dc3c4d03d --- a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh +++ b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file 
diff --git a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh old mode 100644 new mode 100755 index 5aec304b69446ebd14d83d939e2b55c1c455e55c..b27d2a41d8d3182b750509dafe78932722efa9df --- a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh +++ b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh old mode 100644 new mode 100755 index 017bb83894c38a7a390f2e1849d78bbc7fee6cfa..82a338cb47fd1628477567250a8d175a4ce09335 --- a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh +++ b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/crontab ]] && chown root:root /etc/crontab && chmod og-rwx /etc/crontab \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh old mode 100644 new mode 100755 index 13eed9cfe39e6a59dbdc51a91f87158218d9a902..3c7f0e1f0599bcd813cb22034db787f7aa4e4aa8 --- a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh 
+++ b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 900" >> /etc/ssh/sshd_config grep -Pq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config diff --git a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh old mode 100644 new mode 100755 index 0ad3948c3a8c6623bb47ae364c92c0bb07cd27cc..5555cecc99ba24a1b74f8b4cebf0a3f78d5154aa --- a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh +++ b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh old mode 100644 new mode 100755 index a23b9727e092801c4ec322097be4f14ea9e7c4c4..772c702203e379d6c64cfd60a5d1a5eb038440a9 --- a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh +++ b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh 
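Review bot: `ClientAliveCountMax 0` in 1.20-ensure-ssh-idle-timeout-interval-is-configured.sh does not enforce a timeout on current OpenSSH; per the 8.2 release notes a zero count disables connection termination entirely, so with this remediation applied unresponsive sessions are never dropped. A non-zero count is needed for `ClientAliveInterval 900` to have any effect, for example `ClientAliveCountMax 1`, with the exact value taken from the benchmark revision this kit targets. No `systemctl restart sshd` or `sshd -t` is visible in the hunk; the file may continue past it, but if it does not, the new values are not loaded until the next restart.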
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner \/etc\/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh old mode 100644 new mode 100755 index 9e1d387c6a29ed7ec15a65a22137700fca1e9554..f57646e1aecb97871f4a0659ce5862b363487dc1 --- a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh +++ b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh old mode 100644 new mode 100755 index 29ef0b4260849cb518e61b1d7ef607ff84135fb0..f9371a20ab2314ba4cd7dcd5696f8aedb3433691 --- a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh +++ b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -iq "MaxStartups" /etc/ssh/sshd_config && sed -i "/maxstartups/Id" /etc/ssh/sshd_config && echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config || echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh old mode 100644 new mode 100755 index 84e3faf403a274b938761514b94b9ce2e545167a..1047f7857f59ebd13f29d48cf60652e67ca389c0 
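Review bot: 1.23-ensure-ssh-pam-is-enabled.sh only appends `UsePAM yes` when no `UsePAM yes` line exists, so a configuration that already contains `UsePAM no` ends up with both lines, and sshd keeps the first value it reads, leaving PAM disabled. The script should rewrite an existing directive before falling back to the append, as the sibling scripts do: `grep -Eiq '^\s*UsePAM\s+' /etc/ssh/sshd_config && sed -ri 's/^\s*UsePAM\s+.*/UsePAM yes/I' /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config`. A header comment stating that the first occurrence wins would help the next maintainer.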
--- a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh +++ b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + maxSessions=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config) maxSessionsNum=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config | awk '{print $2}') diff --git a/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh b/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh old mode 100644 new mode 100755 index e1723e845f93066e9bee60b10ae1d23d6dfdb8fd..c754746599a9b0b6b8a83432577283369cbb508f --- a/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh +++ b/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh old mode 100644 new mode 100755 index fe2eff8aaca6a63afbaeb388f269fa626c5f3b9f..ef6fa9952c2bd73443406f502043a1db23e9395c --- a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 
diff --git a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 8a76518d7eb84a4650b927370ba99b146e3848a5..1cd9a3567fb8ffe24ab39fac5268e316254f58f6 --- a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh old mode 100644 new mode 100755 index b7a5482e1320cab7537cf6d124e28204e65c5741..32cb942b39e8f9dbab794c9393b1da2599383787 --- a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh +++ b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh old mode 100644 new mode 100755 index f0513a833e69be7f60975788d5f030302d8a51f5..ea5cc6466e0a3de9fd46731d2e1c4a7011a8c81d --- a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh +++ b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/cron.hourly ]] && chown root:root /etc/cron.hourly && chmod og-rwx /etc/cron.hourly \ No newline at end of file 
diff --git a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh old mode 100644 new mode 100755 index fa0e62956af13017620482a4793fdb520ee019e7..7b4fe2f1d3b02601a342443e5661994e2e547aef --- a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh b/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh old mode 100644 new mode 100755 index 8029db2d7f8609c97c67dd471ff4bfb7432c8001..101bfdc20638a1fe1505e364742c5cce20068a3b --- a/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh +++ b/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MAX_DAYS 365\2/" /etc/login.defs || echo "PASS_MAX_DAYS 365" >> /etc/login.defs getent passwd | cut -f1 -d ":" | xargs -n1 chage --maxdays 365 diff --git a/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh old mode 100644 new mode 100755 index 0f1777209b70514dcd9d6e84a80619669f02f8d0..262e8c6bd7b757b27292bc5dac76d709c2dde7ba --- a/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh +++ b/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh 
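Review bot: The `chage` pipeline in 1.31-ensure-password-expiration-is-365-days-or-less.sh (`getent passwd | cut -f1 -d ":" | xargs -n1 chage --maxdays 365`) applies ageing to every account NSS returns, including root, service accounts and any directory users, rather than only to local accounts that have a password. Restricting it to local entries with a hash, e.g. `awk -F: '$2 ~ /^\$/ {print $1}' /etc/shadow | xargs -r -n1 chage --maxdays 365`, avoids expiring credentials that nobody rotates. Separately, the sed replacement begins with `\P`, which is not a back-reference and was presumably meant to be `\1`, so the indentation captured by group 1 is dropped. Both points also apply to 1.32 (`--mindays 7`) and 1.33 (`--warndays 7`).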
@@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MIN_DAYS 7\2/" /etc/login.defs || echo "PASS_MIN_DAYS 7" >> /etc/login.defs getent passwd | cut -f1 -d ":" | xargs -n1 chage --mindays 7 diff --git a/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh old mode 100644 new mode 100755 index 424e0126cd74a61649d23422304d55f519b4324d..e768d0db3a9d044fd8dab2c4f5a0b9ff56713728 --- a/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh +++ b/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$/\PASS_WARN_AGE 7\2/" /etc/login.defs || echo "PASS_WARN_AGE 7" >> /etc/login.defs getent passwd | cut -f1 -d ":" | xargs -n1 chage --warndays 7 diff --git a/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh b/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh old mode 100644 new mode 100755 index 32dee3e21ca0797ae86c59e89a3478cb8383e5ea..daab7356260c4b4193d056652ce4d573da07bae2 --- a/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh +++ b/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + # Before running this script, check whether any user whose password has expired. If yes, run this script after handling the problem. Otherwise, the user may be locked for n in $(getent shadow | cut -d : -f 1,3) ; do 
diff --git a/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh b/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh old mode 100644 new mode 100755 index af394ac5d6017e3598cc010c2bccde72788261ee..5158dca916fc777e1b998e3e83c13e49ec0ebc8c --- a/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh +++ b/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + # /usr/sbin/nologin与/sbin/nologin文件效果一致,配置其中任意一个即可 awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/sbin/nologin" && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print $1}' /etc/passwd | while read user; do diff --git a/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh b/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh old mode 100644 new mode 100755 index c516a5cc64b7cd6678b47e1277082a670ad15fc8..888ea7460c6471e91e760a6c62a4917b0a456544 --- a/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh +++ b/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) diff --git a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh old mode 100644 new mode 100755 index d611e123112e9833b79f6a78638fb2df418b0f43..59a4ce81b61e792b2eb8dee78f0b48d30de13418 
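Review bot: In 1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh the loop list starts with `"$BRC"`, which is an empty word when /etc/bashrc does not exist, and the unquoted `$f` in `grep -vP "^#.*" $f` then disappears, so grep reads standard input instead of a file. Build the list conditionally and quote the expansion: `files=(/etc/profile /etc/profile.d/*.sh); [ -f /etc/bashrc ] && files+=(/etc/bashrc)` followed by `for f in "${files[@]}"; do` and `grep -vP "^#.*" "$f"`. The loop body continues outside the hunk; 1.46 carries the same lines.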
--- a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh +++ b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + rootGid=$(grep "^root:" /etc/passwd | cut -f4 -d:) [[ $rootGid != 0 ]] && usermod -g 0 root \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh old mode 100644 new mode 100755 index 5e34b48cd0583f32411d9377ce77f6b7c628d470..ddddd12cb46223d59cefaeecaa18f4c0f5a74fcb --- a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh +++ b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + # 仅对/etc/login.defs /etc/profile* /etc/bashrc*中的umask值进行加固修复,不修改PAM文件中的pam_umask.so repairFile=$(grep -RPHi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc* | cut -d: -f1 | sort -u) diff --git a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh old mode 100644 new mode 100755 index aaec1f4c5292e81e7058c1fa78a6a4e9b855bc34..4f64b45f5412ca69f1d04f2b123c1f4c7fd4c8a9 --- a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh +++ b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/cron.daily ]] && chown root:root /etc/cron.daily && chmod og-rwx /etc/cron.daily \ No newline at end of file 
diff --git a/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh b/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh old mode 100644 new mode 100755 index ef027872b9a8da610933924d62274804f21c02d5..4348d150c727a6cb00b36e9fba5672558bec32de --- a/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh +++ b/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Eq "^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$" /etc/pam.d/su && sed -ri '/^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$/ { /^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*(\s+use_uid)(\s+.*)?$/! s/^(\s*auth\s+required\s+pam_wheel.so)(\s+.*)?$/\1 use_uid\2/ }' /etc/pam.d/su || echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su diff --git a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh index e6123afb6eff62946c29243872b6f75093fac7f0..420dab3322d7748f07069bce826734b8a4a35187 100755 --- a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh +++ b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -qiP '^Protocol' /etc/ssh/sshd_config && sed -i "/^Protocol/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config systemctl restart sshd diff --git a/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh b/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh old mode 100644 new mode 100755 index 78cc58bafbe05b724730a8bdf767944858819d80..e29f7d5a7311ae12d438e4554978dfee069c2723 --- a/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh 
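Review bot: In 1.41-ensure-ssh-server-use-protocol_2.sh the detection `grep -qiP '^Protocol'` is case-insensitive while the rewrite `sed -i "/^Protocol/cProtocol 2"` is not, so a line written as `protocol 1` passes the grep, is left untouched by sed, and the `||` append never runs because sed exits 0. Making the rewrite case-insensitive, `sed -ri 's/^\s*Protocol\s+.*/Protocol 2/I' /etc/ssh/sshd_config`, closes that gap. It is also worth a comment that OpenSSH 7.4 and later ship without SSHv1 server support and treat `Protocol` as deprecated, so on those hosts this step probably changes nothing.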
+++ b/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + passMaxDaysRowNum=($(cat /etc/login.defs | awk '{if($1 == "PASS_MAX_DAYS") print NR}')) targetString="PASS_MAX_DAYS 90" if [ -n "$passMaxDaysRowNum" ]; then diff --git a/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh b/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh old mode 100644 new mode 100755 index fe265a0734e784ea74e53731213d9555bb33033d..4dc4fcceba09cce5621040de80bb6960e55f623c --- a/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh +++ b/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + passMinDaysRowNum=($(cat /etc/login.defs | awk '{if($1 == "PASS_MIN_DAYS") print NR}')) targetString="PASS_MIN_DAYS 7" if [ -n "$passMinDaysRowNum" ]; then diff --git a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh old mode 100644 new mode 100755 index b7a5482e1320cab7537cf6d124e28204e65c5741..32cb942b39e8f9dbab794c9393b1da2599383787 --- a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh +++ b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 
diff --git a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 8a76518d7eb84a4650b927370ba99b146e3848a5..1cd9a3567fb8ffe24ab39fac5268e316254f58f6 --- a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh old mode 100644 new mode 100755 index 88495314632965d7863d05110f2e19176ed3fa50..8dcd595a3f908e3b7cce498291474dabff40509f --- a/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh +++ b/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) diff --git a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh old mode 100644 new mode 100755 index 3602004149f6568ae65c9e847d0403f6d9834c23..3b351410645af5a5e1132a89132e92724e733d7b --- a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh +++ b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh old mode 100644 new mode 100755 index cd85095dd0ac3e5772e2da685e3291efad6b4f96..bd87a34d4444e2da69fa4cadea2e44a4f6b1b5e7 --- a/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh +++ b/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + usermod -L shutdown usermod -L halt \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh old mode 100644 new mode 100755 index 1cb124a6c3d778a67403a85768b0237b63f53e9c..843a6e6642e904ebd4a9146e5fb781de6f8e53f1 --- a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh +++ b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/cron.weekly ]] && chown root:root /etc/cron.weekly && chmod og-rwx /etc/cron.weekly \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 3a0c22a2e14bca6260edec681eb4e0dc6afed166..7660ca489932550598af13922f82a59fad374efa --- a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh 
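Review bot: In 1.47-ensure-ssh-maxauthtries the fallback `echo "MaxAuthTries 4" >> /etc/ssh/sshd_config` appends at the end of the file, so if the file ends in a `Match` block the setting applies only inside that block, and since sshd keeps the first value it reads for a keyword, an earlier or included value can still win. The `systemctl restart sshd` that follows runs without validating the edited file; gating it as `sshd -t && systemctl restart sshd` keeps a broken config from taking the daemon down on a remote host. The `grep && sed || echo` chain also runs the append when sed itself fails, so an explicit `if`/`else` would be clearer. Whether this host's config has Match blocks or includes is not visible here. 1.50-ensure-ssh-x11-forwarding-is-disabled uses the same pattern.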
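Review bot: In 1.49-lock-or-delete-the-shutdown-and-halt-users, `usermod -L` locks only the password field; it neither expires the account nor changes its shell, so login paths that do not use the password are not covered. If the control means the accounts should be unusable, also expire them, e.g. `usermod -L -e 1 shutdown`, or set a non-login shell with `usermod -s /sbin/nologin shutdown` (and likewise for `halt`). 1.54-lock-the-bin-and-adm-users has the same two-line form.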
+++ b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$/\1X11Forwarding no\2/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh old mode 100644 new mode 100755 index d51c68dc79c3c5fffcfba0a687c3d977d0b4db8e..a209e979c04117d58bfb9339af8377e490b077aa --- a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh +++ b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Psq "^install udf /bin/false" /etc/modprobe.d/udf.conf || echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf grep -Psq "^blacklist udf" /etc/modprobe.d/udf.conf || echo "blacklist udf" >> /etc/modprobe.d/udf.conf modprobe -r udf diff --git a/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 289975990119ae1872b712850017150bfe184e73..6d1da658227c3e89507f47e2b535473ae3a61a76 --- a/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh +++ b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh 
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 grep -Psq "^install cramfs /bin/false" /etc/modprobe.d/cramfs.conf || echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf
 grep -Psq "^blacklist cramfs" /etc/modprobe.d/cramfs.conf || echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
 modprobe -r cramfs
diff --git a/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
old mode 100644
new mode 100755
index 1bbe41eb8f34d63b07baa5b42c4184c028425afb..031463dbe28474560104103866332b7bd325ab9e
--- a/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 grep -Psq "^install\s+squashfs\s+\/bin\/false$" /etc/modprobe.d/*.conf || echo "install squashfs /bin/false" >> /etc/modprobe.d/squashfs.conf
 grep -Psq "^blacklist\s+squashfs$" /etc/modprobe.d/*.conf || echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf
 modprobe -r squashfs
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh b/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh
old mode 100644
new mode 100755
index 3ef8c55360805030d522d04db91c1842f8d0a633..65d02a0cbb539fcdfd19ed599c2260a24b6d477d
--- a/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh
+++ b/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 usermod -L bin
 usermod -L adm
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
old mode 100644
new mode 100755
index 96c90b1d2732d04ea9d779cbfe4d4f42eb64576b..3826c2d9a64ce9994a4506673aab7825ec4c00da
--- a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 [[ -e /etc/cron.monthly ]] && chown root:root /etc/cron.monthly && chmod og-rwx /etc/cron.monthly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
old mode 100644
new mode 100755
index b043518e29677ca2d79265550bcccb5981fc3749..1a1c1885fe995de9f697e24e4c59fecaca3ba2cf
--- a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
+++ b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 [[ -e /etc/cron.d ]] && chown root:root /etc/cron.d && chmod og-rwx /etc/cron.d
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
old mode 100644
new mode 100755
index f237fcccb2b3dbee286e25bfed1ca35c4feb95a8..6d705361bfec0f2718f7616de4193cea83d923d2
--- a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
+++ b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 [[ -e /etc/cron.deny ]] && rm -f /etc/cron.deny
 [[ -e /etc/at.deny ]] && rm -f /etc/at.deny
 [[ ! -e /etc/cron.allow ]] && touch /etc/cron.allow
diff --git a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
old mode 100644
new mode 100755
index f44bbbff1ffdea0503d80985f39abca46c4d6e64..9aa0689f70689a40147306a762b52b293a6cf217
--- a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
+++ b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 [[ -e /etc/ssh/sshd_config ]] && chown root:root /etc/ssh/sshd_config && chmod og-rwx /etc/ssh/sshd_config
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
old mode 100644
new mode 100755
index 9e3d13d78072a425364803ff54cff5fa0143d6c1..97be703d4ff71707305343715cc241fb9935fe5f
--- a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
+++ b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2)
 logDir=$(dirname $logFile)
 [[ $logDir ]] && test -f $logDir/* && chmod 0600 $logDir/*
\ No newline at end of file
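Review bot: In 2.1 the guard `test -f $logDir/*` stops working as soon as the audit directory holds more than one file (rotated logs, for example): the glob expands to several words, `test` exits with a usage error, and the `chmod 0600` is skipped, leaving the files at their previous mode. A form that does not rely on a single-match glob avoids this, e.g. `find "$logDir" -maxdepth 1 -type f -exec chmod 0600 {} +`. `$logFile` and `$logDir` are also expanded unquoted, and `grep -iw log_file` matches a commented-out line as well, so the lookup should be anchored to an uncommented `log_file =` entry and checked for an empty result before `dirname` runs. 2.2-ensure-only-authorized-users-own-audit-log-files repeats the same guard before `chown root`.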
diff --git a/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh b/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
old mode 100644
new mode 100755
index 456b1066a37d6d788a5b73ede3c80ade3e151502..0650f9e1375c424d4d26f299e7fe595837c8414c
--- a/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
+++ b/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 chown :root /sbin/auditctl
 chown :root /sbin/aureport
 chown :root /sbin/ausearch
diff --git a/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh b/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
old mode 100644
new mode 100755
index 9c431f5c8835d9fffdb9d0225f36c94ca97751af..7f8770fc49ee9e3466ee5471e95bb1474f1c9418
--- a/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
+++ b/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 mkdir -p /etc/aide
 grep -Psq "^\/sbin\/auditctl p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
 grep -Psq "^\/sbin\/auditd p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf
diff --git a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh
old mode 100644
new mode 100755
index 3050ee6e9049c8258e15e374666e401620afe77e..af3cc9617ff053af492ecdc703710ec767527db7
--- a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh +++ b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ ! "$(rpm -qa rsyslog | grep -i "rsyslog\-")" ]; then diff --git a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh old mode 100644 new mode 100755 index 96b92acbbbad7537e70791db1df88728234f37f4..a5377bce2483e6612d7007ba27001b06801dcd4f --- a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh +++ b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ "$(rpm -qa rsyslog)" ]; then diff --git a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh old mode 100644 new mode 100755 index e4ef60aa8f12f68c76dd957937e15b2d9704d5db..98b05e39c8ca72134d24980755d8e8cfaf52cead --- a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh +++ b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh b/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh old mode 100644 new mode 100755 index 3344bca555467548c99908de52f71f82eeda1c03..587da8fac3f467bc8318243df638c6352619605d --- a/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh 
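Review bot: In 2.14 appending `$FileCreateMode 0640` to the end of /etc/rsyslog.conf is unlikely to have the intended effect, because legacy `$` directives apply to the actions defined after them and the file actions earlier in the config keep the previous create mode. The grep also accepts only the exact value 0640, so a stricter existing setting such as 0600 gets a looser line appended after it. The directive should be placed ahead of the rules (or in a drop-in that is included before them), and rsyslog restarted afterwards. Whether this system's rsyslog.conf includes a drop-in directory is not visible here.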
+++ b/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Psq "^ForwardToSyslog=yes" /etc/systemd/journald.conf ||echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf
diff --git a/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh b/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
old mode 100644
new mode 100755
index 8ce6ef66673e8aa9107dd01a15076eacc6391387..67d4bd948e243258536a431d34a8228972d4704c
--- a/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
+++ b/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Psq "^Compress=yes" /etc/systemd/journald.conf ||echo "Compress=yes" >> /etc/systemd/journald.conf
diff --git a/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh b/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
old mode 100644
new mode 100755
index a11656cc00793925e0c0cbcbef6fd116cf69b3b5..a22b2927b611cc211dffbfbad8772f0bb13254da
--- a/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
+++ b/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Psq "^Storage=persistent" /etc/systemd/journald.conf || echo "Storage=persistent" >> /etc/systemd/journald.conf
diff --git a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh
old mode 100644
new mode 100755
index 331b4f89ae8cdc49a8480f5ca74d1b68cba34fc0..583dadf83c92b54056f827055aff7a5f06266eb4
--- a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh +++ b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ ! "$(rpm -qa audit)" ]; then diff --git a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh old mode 100644 new mode 100755 index 0a6b0d5f7d77ee269b8a0112898092ca5cccb671..daea736e306b4c51be8c9e1040ac6a4c9edb166d --- a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh +++ b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2) logDir=$(dirname $logFile) [[ $logDir ]] && test -f $logDir/* && chown root $logDir/* \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh old mode 100644 new mode 100755 index 93c8ea2b674c317ce784ba70d35340e5f9842a91..b45975122d21d5322bf8d84fbc9620056daf0883 --- a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh +++ b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ "$(rpm -qa audit)" ]; then diff --git a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh old mode 100644 new mode 100755 index f52af7f34db59d7ec91422bc067541edc6b7a56a..50254fed590a8e594e022b118fa8810b0bcbd4e4 --- a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh 
+++ b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + Rule32="-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" x86Rule64="-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh old mode 100644 new mode 100755 index 46316781416de8eaaa19e7146c62c44ddd61a1ba..11ee460394f94f7bb5f3686bd3c75df656ba7248 --- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -q "\-w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/audit.rules diff --git a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh old mode 100644 new mode 100755 index 17edb959c2c16ce772f28b582c96a431b3cd07bb..8319c0974d902f6fadd79b2247534c63a02d210d --- a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -q "\-w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity 
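Review bot: In 2.22 the `grep -q` pattern does not establish that both sudoers watch rules are present. If the quoted pattern spans two lines (this page shows it collapsed), grep treats each line as an alternative and succeeds when either rule exists, so a missing second rule is never added; if it is a single line, it cannot match rules stored one per line and the `echo -e` appends duplicates on every run. Testing each rule on its own, e.g. `grep -qxF -- '-w /etc/sudoers -p wa -k scope' /etc/audit/rules.d/audit.rules`, and appending only the missing one covers both cases. The visible lines also do not reload the rules the way 2.24 does with `augenrules --load`; the script may continue outside the hunk.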
diff --git a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh old mode 100644 new mode 100755 index 1e3a00c7fedf9bba9f30090d7abfa972bb4bfd3d..25c668783594a330cf44240ee18d65f9cdb33057 --- a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh +++ b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh @@ -1,3 +1,4 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + grep -Ps "^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules || echo -e "-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd" >> /etc/audit/rules.d/stig.rules augenrules --load diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh old mode 100644 new mode 100755 index 08d7b60e3a745a27d80543c280e3460fa8d5a3c8..b765fd01b216a5cc37c0a319085fd0cb4ee84b80 --- a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh +++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf 
diff --git a/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh old mode 100644 new mode 100755 index 7352aba0285b101d60f6c16187cccdcf1b8ae815..9c74c566b2171f56e6bf37984c7617a92ea72497 --- a/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh +++ b/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + augenrules --load if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then diff --git a/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh b/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh old mode 100644 new mode 100755 index 07227ad450d146514694a124c053aa241c0c52b7..97fe6ed5dc7d58f51ef7825fd9783d48bd275cf9 --- a/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh +++ b/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sed -ri /'^LogDenied\=\s*(unicast|broadcast|multicast|off)$'/s/'^LogDenied\=\s*(unicast|broadcast|multicast|off)$'/LogDenied=all/ /etc/firewalld/firewalld.conf grep -Psq "^LogDenied\=\s*(all|unicast|broadcast|multicast|off)$" /etc/firewalld/firewalld.conf || echo "LogDenied=all" >> /etc/firewalld/firewalld.conf diff --git a/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh b/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh old mode 100644 new mode 100755 index 064b24b58415c1cbb947db4e5b3b6864efb7f7f3..1170d886d5a6636ad8d4fab58eba8d22975ce445 --- a/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh 
+++ b/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules || echo -e "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/audit-root.rules grep -Psq "\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules || echo -e "-w /var/run/faillock -p wa -k logins" >> /etc/audit/rules.d/audit-root.rules diff --git a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh old mode 100644 new mode 100755 index 61db05a1a47b1be9f7e9607aa329f4717768f246..15cc5d0393835be73c93a431bf51f333c44632c1 --- a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers diff --git a/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh b/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh old mode 100644 new mode 100755 index f8762ebbd97091c89f9888c3b249d1dec9579652..0c4c571473903d2f7818efb9e67103442421a61d --- a/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh +++ b/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2) logDir=$(dirname $logFile) [[ $logDir ]] && chown :adm $logDir 
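Review bot: In 2.29 the fallback writes straight into /etc/sudoers with `>>` and never validates the result; if the file does not end in a newline the new text is joined onto the last rule, and a sudoers parse error leaves sudo unusable. A drop-in is safer: write the line to its own file under /etc/sudoers.d/ with mode 0440 and check it with `visudo -cf` before leaving it in place. The grep also reads only /etc/sudoers, so a `logfile` default already set in a drop-in is not seen and a second, possibly conflicting, entry is appended.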
diff --git a/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh b/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh old mode 100644 new mode 100755 index c2ef6d3008d20d3da4a6ba1d6969db9ed498c54e..e6012b770458020a92979ae2786501bc0e5934a1 --- a/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sudoLogFile=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g') [ -n "${sudoLogFile}" ] && printf " -w ${sudoLogFile} -p wa -k sudo_log_file diff --git a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh old mode 100644 new mode 100755 index a81c7b784cb5dc33419c47b479844bca510ccf39..5d1ca7f506f138c333da29323d6bedb5f17047c2 --- a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh @@ -1,4 +1,5 @@ -#! /bin/bash +#!/usr/bin/bash + build_audit_rules() ( UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) diff --git a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh old mode 100644 new mode 100755 index 7c7692b170aa0efb3a7cbfd2c196063beabff4c3..0b019ceb7294673a425b6291c8db2a0eede986d1 --- a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh 
+++ b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + for BIT in b32 b64 ; do checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules || echo "-a always,exit -F arch=$BIT -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules diff --git a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh old mode 100644 new mode 100755 index 1c1b53100bf64486afa636c42acc0bafc7006d9e..0ede152a1476571e3ca9ecf9cddf7c50ee6b78a9 --- a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh +++ b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2) logDir=$(dirname $logFile) [[ $logDir ]] && chmod -R g-w,o-rwx $logDir \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh old mode 100644 new mode 100755 index c6667a68867629ed07dc826405e07efb0446f7ef..1ce4c6da24a4ad9ffd0adad451432da22ea45061 --- a/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh 
+++ b/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh b/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh
old mode 100644
new mode 100755
index c4083410dc3bf8635885eb107856abedac4c071a..74cc71ded86a786d603b1510a883a283c0f13af4
--- a/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh
+++ b/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh b/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh
old mode 100644
new mode 100755
index 93bfed18520ad1a349e52089dad039f59fb4f4c9..3d02605ba193389353429bb59097c400f03d16ba
--- a/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh
+++ b/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
\ No newline at end of file
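Review bot: In 2.5 `chmod -R 0640` sets an absolute mode, so a file that was already stricter (0600 or 0400) is loosened to group-readable, which goes against the rule's own "0640 or more restrictive" wording. Removing bits instead preserves stricter modes: `chmod u-x,g-wx,o-rwx /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*`. With `-R`, the absolute mode would also strip the search bit from any directory matched by `/etc/audit/rules.d/*`. 2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive does the same with `chmod 0755`, where `chmod go-w` would be the non-loosening form.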
diff --git a/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh
old mode 100644
new mode 100755
index 1efcba18c9b92bee1bc7b66cfdb6075995f4a9b8..74e8b00786f7ade3b339e4dd7ec3c0394c338564
--- a/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh
+++ b/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 chmod 0755 /sbin/auditctl
 chmod 0755 /sbin/aureport
 chmod 0755 /sbin/ausearch
diff --git a/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh b/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh
old mode 100644
new mode 100755
index f855ed78e5ffac77b5b3b8850118cd5367d1eebd..adaad21ffd4a5f49e105a0d77c277a79d3a0b83a
--- a/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh
+++ b/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 chown root /sbin/auditctl
 chown root /sbin/aureport
 chown root /sbin/ausearch
diff --git a/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh b/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh
old mode 100644
new mode 100755
index d69c8fed6a60fee5fa18e17b83ccf253b8464926..a1e52c722be91ff7f1595f0c2da68963c86e9c21
--- a/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh
+++ b/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh
@@ -1,2 +1,3 @@
-#!/bin/bash
+#!/usr/bin/bash
+
 dnf install libselinux selinux-policy-mls selinux-policy-targeted -y
diff --git a/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
index 4e707a78d7c6dd174a0b976f67a360c39d25b1dd..a0627b4bd59c69b7adcddccac44c20903c5824c6 100755
--- a/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
+++ b/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
@@ -1,2 +1,3 @@
-#!/bin/bash
+#!/usr/bin/bash
+
 sed -i '/^SELINUXTYPE=/cSELINUXTYPE=mls' /etc/selinux/config
diff --git a/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh b/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh
index d38a62a700c0a136895b590f689af7bdeda66e4a..65dee13000bea92a07eabaa76dd00f706fe0539f 100755
--- a/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh
+++ b/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh
@@ -1,2 +1,3 @@
-#!/bin/bash
+#!/usr/bin/bash
+
 sed -i '/^SELINUX=/cSELINUX=permissive' /etc/selinux/config
diff --git a/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh b/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh
index d4f6fcf02c45711f93b3166700cb9cd7fd8c2008..eee010ffae54fae83045959da14eaf27133ea64c 100755
--- a/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh
+++ b/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh
@@ -1,2 +1,3 @@
-#!/bin/bash
+#!/usr/bin/bash
+
 sed -i '/^SELINUX=/cSELINUX=enforcing' /etc/selinux/config
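Review bot: In 5.3 the sed `c` command rewrites whatever `SELINUX=` currently holds, so on a host already set to `enforcing` this remediation lowers it to `permissive`. The rule name only asks that SELinux be enabled, so the edit should be limited to the disabled case, e.g. `sed -i 's/^SELINUX=disabled$/SELINUX=permissive/' /etc/selinux/config`. All three sed scripts here (5.2, 5.3, 5.4) also change nothing and still exit 0 when the key is missing from the file, so a follow-up `grep -q` that fails the run would make that visible. 5.2 likewise replaces an existing `targeted` policy with `mls` unconditionally; switching policy type normally needs a filesystem relabel, so it is worth confirming that this is intended.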
diff --git a/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh old mode 100644 new mode 100755 index 9f67a73b853936c24b3f365538fa3d49dcf3ea3e..1f00d0e09ab48d73a545db6ef877735726242062 --- a/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh +++ b/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + dnf remove -y setroubleshoot diff --git a/remediation-kits/services/3.1-disable-http-server.sh b/remediation-kits/services/3.1-disable-http-server.sh index d5e53b1e44813fd46aec862b342b65fd67273f1f..d32fa7b49a51c4c1bdcf11332a856f294a987496 100755 --- a/remediation-kits/services/3.1-disable-http-server.sh +++ b/remediation-kits/services/3.1-disable-http-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa httpd) ]]; then diff --git a/remediation-kits/services/3.10-disable-rsync-server.sh b/remediation-kits/services/3.10-disable-rsync-server.sh old mode 100644 new mode 100755 index ca87512b7e24f6adc1dd90197c5c87b47a2033f7..970775c6a030ab052cac34a32c28445b8cb4da5d --- a/remediation-kits/services/3.10-disable-rsync-server.sh +++ b/remediation-kits/services/3.10-disable-rsync-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep rsync) ]]; then diff --git a/remediation-kits/services/3.11-disable-avahi-server.sh b/remediation-kits/services/3.11-disable-avahi-server.sh old mode 100644 new mode 100755 index 17bcb880be13f0f320e84992be8dff3a7082a24c..2723b01cf5b8425de0f7ea58bf24e87288daf2be --- a/remediation-kits/services/3.11-disable-avahi-server.sh +++ b/remediation-kits/services/3.11-disable-avahi-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa avahi) ]]; then 
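Review bot: In 3.10-disable-rsync-server.sh the guard `rpm -qa | grep rsync` is a substring match over every installed package name, so it is true for any package whose name merely contains `rsync` and the branch can run on hosts that do not carry the server package. The neighbouring scripts already query by name (`rpm -qa avahi`); an exact query also gives a usable exit status: `if rpm -q <package-name> >/dev/null 2>&1; then`, where `<package-name>` is the package that ships the unit being disabled. The same substring pattern is in 3.17 (`grep telnet-server`), 3.19 (`grep kexec`), 3.20 (`grep firstboot`), 3.27 (`grep -q chrony`) and 3.7 (`grep dhcp-server`). The if-block continues outside this hunk.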
diff --git a/remediation-kits/services/3.12-disable-snmp-server.sh b/remediation-kits/services/3.12-disable-snmp-server.sh old mode 100644 new mode 100755 index 7914d0a6738def3cf415b309538772b02a1a21cf..8ab85fca08d946c9f6a08e30e5a3dec4d2b095ca --- a/remediation-kits/services/3.12-disable-snmp-server.sh +++ b/remediation-kits/services/3.12-disable-snmp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa net-snmp) ]]; then diff --git a/remediation-kits/services/3.13-disable-http-proxy-server.sh b/remediation-kits/services/3.13-disable-http-proxy-server.sh old mode 100644 new mode 100755 index 2debf62c858f7c9554c05958cd9db9e68c023637..e34d0d4138e0906889b6b5eb3c131e68fa2f9f32 --- a/remediation-kits/services/3.13-disable-http-proxy-server.sh +++ b/remediation-kits/services/3.13-disable-http-proxy-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa squid) ]]; then diff --git a/remediation-kits/services/3.14-disable-samba.sh b/remediation-kits/services/3.14-disable-samba.sh old mode 100644 new mode 100755 index ad4dc28c89565dedaf064e2cae7d4ac97bcd1601..ed20cf3fb130136427107b20029eeae5bb6c5d94 --- a/remediation-kits/services/3.14-disable-samba.sh +++ b/remediation-kits/services/3.14-disable-samba.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa samba) ]]; then diff --git a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh old mode 100644 new mode 100755 index b3711ce0bbff41deede074cb0d002d8673c558e7..c7d58a3409cbb812afd06af0c3e71bcda7dd85f0 --- a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh +++ b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa dovecot) ]]; then 
diff --git a/remediation-kits/services/3.16-disable-smtp-protocol.sh b/remediation-kits/services/3.16-disable-smtp-protocol.sh old mode 100644 new mode 100755 index 1ab7081d0c4c78ed58321c874bacdc7a3e819699..359de322cb717e0fb2c84fc09b3ed29b0f492490 --- a/remediation-kits/services/3.16-disable-smtp-protocol.sh +++ b/remediation-kits/services/3.16-disable-smtp-protocol.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa postfix) ]]; then diff --git a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh old mode 100644 new mode 100755 index cbb1ab918284591a1f892b9f43d2c693d32fdad1..a1e07a70c055722b3abc348060490391195f60a0 --- a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh +++ b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh @@ -1,10 +1,11 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" -if [[ $(rpm -qa | grep telnet) ]]; then +if [[ $(rpm -qa | grep telnet-server) ]]; then dnf remove -y telnet telnet-server [[ $? != 0 ]] && result=$(systemctl is-enabled telnet.socket) if [[ $result == enabled ]]; then systemctl --now disable telnet.socket fi -fi \ No newline at end of file +fi diff --git a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh old mode 100644 new mode 100755 index 80d7df653f1bced09de43b428ac09bbdca8c68e1..aa18c704171a964b28491bf2d034bc2e4de68de7 --- a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh +++ b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa avahi) ]]; then 
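Review bot: In 3.17-disable-or-uninstall-the-telnet.sh the narrowed guard `rpm -qa | grep telnet-server` no longer fires on a host that has only the `telnet` client installed, while the body still runs `dnf remove -y telnet telnet-server` and the file name covers telnet as a whole. If removing the client is still intended, test both packages: `if rpm -q telnet >/dev/null 2>&1 || rpm -q telnet-server >/dev/null 2>&1; then`. In the same hunk, `[[ $? != 0 ]] && result=$(systemctl is-enabled telnet.socket)` sets `result` only when the removal fails, so the later `[[ $result == enabled ]]` depends on the variable not being inherited from the environment; a `result=""` before the `dnf` call makes that explicit.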
diff --git a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh old mode 100644 new mode 100755 index f23b6564b67447c4ab570cd872ac5c01b4394205..f48e2305072b6b842690a830dc5471ec8dd0d798 --- a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh +++ b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep kexec) ]]; then diff --git a/remediation-kits/services/3.2-disable-ftp-server.sh b/remediation-kits/services/3.2-disable-ftp-server.sh old mode 100644 new mode 100755 index 0ce1e466499c90474a64939f11d7f1a027fc4e66..2d83d0a346f12471089b674bc851c07f8356d9d9 --- a/remediation-kits/services/3.2-disable-ftp-server.sh +++ b/remediation-kits/services/3.2-disable-ftp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa vsftpd) ]]; then diff --git a/remediation-kits/services/3.20-uninstall-the-firstboot.sh b/remediation-kits/services/3.20-uninstall-the-firstboot.sh old mode 100644 new mode 100755 index de29b2628d0b69a633a1186cd8230c76f84cdd0b..de588e95e8f063f49f8bdef027d27eddb8189b93 --- a/remediation-kits/services/3.20-uninstall-the-firstboot.sh +++ b/remediation-kits/services/3.20-uninstall-the-firstboot.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep firstboot) ]]; then diff --git a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh old mode 100644 new mode 100755 index 76e507f1f1bae4b123926777f6a2e43b8a718658..161e2d57e13a6c70c00aaa06423daca795a1393e --- a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh +++ b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa wpa_supplicant) ]]; then 
diff --git a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh old mode 100644 new mode 100755 index c7187a505bb29c3c0c17fc608887756445058032..731e8708b4c9ceeb5046c6c00c36418d23bfa8a9 --- a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh +++ b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa ypbind) ]]; then diff --git a/remediation-kits/services/3.23-disable-rsh.sh b/remediation-kits/services/3.23-disable-rsh.sh old mode 100644 new mode 100755 index 84c121376f89e93b5e88a1a013a287924fc84c29..08fb9e783a5774b7119cae2b85a41ebdee0338c8 --- a/remediation-kits/services/3.23-disable-rsh.sh +++ b/remediation-kits/services/3.23-disable-rsh.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa rsh) ]]; then diff --git a/remediation-kits/services/3.24-disable-ntalk.sh b/remediation-kits/services/3.24-disable-ntalk.sh old mode 100644 new mode 100755 index 38d0d5d26410fed0250740a299fd18d0fc8f9d14..6e755cddcc87c307b3e2d580bec92dce52e2e9f2 --- a/remediation-kits/services/3.24-disable-ntalk.sh +++ b/remediation-kits/services/3.24-disable-ntalk.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa ntalk) ]]; then diff --git a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh old mode 100644 new mode 100755 index f04a43f3f994c66e6d4d4d71813c27966d6d2011..4d67e183d548f5d76f569e4c763d74cfd4190f68 --- a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh +++ b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa xinetd) ]]; then 
diff --git a/remediation-kits/services/3.26-disable-usb-storage.sh b/remediation-kits/services/3.26-disable-usb-storage.sh old mode 100644 new mode 100755 index d4d32184e171b403cb63cbb1d9a23a5b3ffc923f..85e3875881a590b26da56aa1f940366cd2a38880 --- a/remediation-kits/services/3.26-disable-usb-storage.sh +++ b/remediation-kits/services/3.26-disable-usb-storage.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Psq "^install\s+usb\-storage\s+\/bin\/true$" /etc/modprobe.d/*.conf || echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb_storage.conf [[ $(lsmod | grep -P "^usb(_|-)storage\b") ]] && rmmod usb-storage diff --git a/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh b/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh old mode 100644 new mode 100755 index 750f16c753d35b5596774addb87950926cbb42f7..82e61f0425d6aed64c97cedad1536398ae3d54c4 --- a/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh +++ b/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -qa | grep -q chrony || dnf install chrony -y diff --git a/remediation-kits/services/3.28-disable-automounting.sh b/remediation-kits/services/3.28-disable-automounting.sh old mode 100644 new mode 100755 index ea0c847a30488c55d783813658616988a142a4ad..e9f9ed7ad3737749f75ccc73d548ce302204db7e --- a/remediation-kits/services/3.28-disable-automounting.sh +++ b/remediation-kits/services/3.28-disable-automounting.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa autofs) ]]; then diff --git a/remediation-kits/services/3.3-disable-dns-server.sh b/remediation-kits/services/3.3-disable-dns-server.sh old mode 100644 new mode 100755 index 146a90591230855804b7a03aa91da1acb975bb8f..388d8290356acac0e7f20dd7fe18c00eb0e79a89 --- a/remediation-kits/services/3.3-disable-dns-server.sh +++ b/remediation-kits/services/3.3-disable-dns-server.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ "$(rpm -qa bind)" ]]; then diff --git a/remediation-kits/services/3.4-disable-nfs.sh b/remediation-kits/services/3.4-disable-nfs.sh old mode 100644 new mode 100755 index 8f2873b01613adbc735b997559547a36b5146016..76d4ea2d09de3b09d3df314ef0985a0d0aa3bf7c --- a/remediation-kits/services/3.4-disable-nfs.sh +++ b/remediation-kits/services/3.4-disable-nfs.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa nfs-utils) ]]; then diff --git a/remediation-kits/services/3.5-disable-rpc.sh b/remediation-kits/services/3.5-disable-rpc.sh old mode 100644 new mode 100755 index 12d62df4d30d7287532d133b441b1db28ea2297d..6831852b4ce32b0dd9f0ae2cb171895d58ccf415 --- a/remediation-kits/services/3.5-disable-rpc.sh +++ b/remediation-kits/services/3.5-disable-rpc.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa rpcbind) ]]; then diff --git a/remediation-kits/services/3.6-disable-ldap-server.sh b/remediation-kits/services/3.6-disable-ldap-server.sh old mode 100644 new mode 100755 index 5e8b12068c05e178174c153816c05badebcec2a9..1c616384f296ce79598b9743b8bac7c873d01369 --- a/remediation-kits/services/3.6-disable-ldap-server.sh +++ b/remediation-kits/services/3.6-disable-ldap-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa openldap-servers) ]]; then diff --git a/remediation-kits/services/3.7-disable-dhcp-server.sh b/remediation-kits/services/3.7-disable-dhcp-server.sh old mode 100644 new mode 100755 index 018e9d5cadc1461572b25f114b86c72deb399e79..ac410906c311b904e2241ca44d077216914a3d50 --- a/remediation-kits/services/3.7-disable-dhcp-server.sh +++ b/remediation-kits/services/3.7-disable-dhcp-server.sh 
@@ -1,8 +1,10 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" -if [[ $(rpm -qa | grep dhcp) ]]; then +if [[ $(rpm -qa | grep dhcp-server) ]]; then result=$(systemctl is-enabled dhcpd) if [[ $result == enabled ]]; then systemctl --now disable dhcpd fi -fi \ No newline at end of file +fi diff --git a/remediation-kits/services/3.8-disable-cups.sh b/remediation-kits/services/3.8-disable-cups.sh old mode 100644 new mode 100755 index ee73b8ef22e513a644e7ca688925bcd02ae5c57c..7e610d1b467fd8f9c8993e36084ba340e99e11cf --- a/remediation-kits/services/3.8-disable-cups.sh +++ b/remediation-kits/services/3.8-disable-cups.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa cups) ]]; then diff --git a/remediation-kits/services/3.9-disable-nis-server.sh b/remediation-kits/services/3.9-disable-nis-server.sh old mode 100644 new mode 100755 index 7d042391d7ffcc623fab65618a2785995101f8fe..004941e3e1b1d10672cb2ec959be0d0adf1530e2 --- a/remediation-kits/services/3.9-disable-nis-server.sh +++ b/remediation-kits/services/3.9-disable-nis-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa ypserv) ]]; then diff --git a/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh b/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh old mode 100644 new mode 100755 index 3317c780f18f06529b0952dcdb6c73507c757de9..75b631505e1ef1fb70ba02fd872a5717d318ff1b --- a/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh +++ b/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd \ No newline at end of file 
diff --git a/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh b/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh old mode 100644 new mode 100755 index fb2091f39ff2068fd8856bdee4803e1e76547975..29232f569ac1c9234b446d9701e36efdd17ae271 --- a/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh +++ b/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp") [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg; diff --git a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh old mode 100644 new mode 100755 index fb4c736a2ec1e28c3da3017c1127d6e3e54ae2fa..b614c6e0f96ae1b77edb32f176d4e57ca133b827 --- a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh +++ b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh 
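Review bot: In 4.11-ensure-permissions-on-bootloader-config-are-configured.sh, `sed -rn "s/\"//gp"` prints the value only when a quote was actually removed, so on a system whose /etc/os-release carries an unquoted `ID=` line `osID` ends up empty. Dropping `-n` and the `p` flag keeps the value in both cases: `osID=$(grep -Pi "^ID=" /etc/os-release | cut -f2 -d= | sed 's/"//g')`. How `osID` is used is outside this hunk, so the effect of an empty value on the later chown/chmod steps should be checked there.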
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service
 grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service
diff --git a/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh b/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh
old mode 100644
new mode 100755
index c0c4e6bf2612295dfd13d12a13be60e9f68c4c14..8124d433e5ecf1f52c19d7e515034219e6cff1c6
--- a/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh
+++ b/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 grep -Eq "^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$" /etc/security/limits.conf && sed -ri "s/^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$/\1* hard core 0\2/" /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf
 grep -Eq "^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$/\1fs.suid_dumpable = 0\2/" /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
 sysctl -w fs.suid_dumpable=0
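Review bot: Both commands in 4.12-ensure-authentication-required-for-single-user-mode.sh edit the packaged unit files under /usr/lib/systemd/system, which a package update replaces, so the sulogin requirement can silently revert. The `|| echo ... >>` fallback also runs whenever `sed` fails, not only when `grep` finds nothing, and it appends `ExecStart=` to the end of the file whatever section happens to be last. A drop-in under /etc/systemd/system survives updates and needs no in-place editing; the empty `ExecStart=` clears the packaged value before the new one is set, and `systemctl daemon-reload` makes the running manager pick it up.

```shell
# … unchanged: shebang …
# Drop-in file name below is an example, not taken from the project.
mkdir -p /etc/systemd/system/rescue.service.d
cat > /etc/systemd/system/rescue.service.d/sulogin.conf <<'EOF'
[Service]
ExecStart=
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
EOF
# … same drop-in for emergency.service, with "emergency" as the argument …
systemctl daemon-reload
```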
diff --git a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh old mode 100644 new mode 100755 index 9b78d09fee1eae3b72cec007b6b068f75123fb8b..ec213d94cc993eb5ba980e8d02314b65699ef89c --- a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + configExistenceFlag="false" [[ -n $(grep -Ps "^kernel\.randomize_va_space\s*=.*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf) ]] && configExistenceFlag="true" diff --git a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh old mode 100644 new mode 100755 index 558827cb2e1bc6ac2c35a2558daa68b55952839f..f5aa04694086552d7312a34e9267845037979c22 --- a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh +++ b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config && update-crypto-policies --set DEFAULT && update-crypto-policies \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh b/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh old mode 100644 new mode 100755 index 1eecf1028352575f42fe56999c9df9613b8abf6d..9d235afc6cbe9a3d30034de0dd314516730944c1 
--- a/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh
+++ b/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh b/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh
old mode 100644
new mode 100755
index 16188ca8a107156c9487f8892bfd732b0fe5b4a5..9b28b8ba7bae4f8019a7c9ae7b9edc03625229d8
--- a/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh
+++ b/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/passwd
 chmod 644 /etc/passwd
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh b/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh
old mode 100644
new mode 100755
index c06631223743ccc48005dcced81886201b8639ab..a30eb2643858c9700f7da3c648ec506c868e1ca6
--- a/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh
+++ b/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/shadow
 chmod 0000 /etc/shadow
\ No newline at end of file
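Review bot: In 4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh the last stage, `xargs -I '{}' chmod a+t '{}'`, reads newline-delimited names and applies xargs' own quote and backslash handling, so a directory whose name contains a quote, backslash or newline is skipped or split into a different path. Names under world-writable trees are chosen by unprivileged users and this script runs as root, so they should be passed NUL-delimited: add `-print0` to the `find` arguments and end the pipeline with `| xargs -0 -r chmod a+t`. The `2>/dev/null` on `find` also hides traversal errors, which leaves directories unremediated without any trace.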
diff --git a/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh b/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh
old mode 100644
new mode 100755
index 0a3e3755e8996d0d8dacc9e0c8a9faa4b3e680da..a8bc86e7a2b94e720b659e37fd878e2a7f88d8e2
--- a/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh
+++ b/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/group
 chmod u-x,g-wx,o-wx /etc/group
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh b/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh
old mode 100644
new mode 100755
index 2f496acb4ef665f58c2ca0ab5b48819f07ff8177..4af3e3b55a608f3283c840ae7c74d70033429bf1
--- a/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh
+++ b/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh b/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh
old mode 100644
new mode 100755
index 09ea44221dd887de241cf17d30e75c7cf6f65663..0adf02f041f0ca1b2855f0d0e2a5298436dab978
--- a/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh
+++ b/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/gshadow
 chmod 0000 /etc/gshadow
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh b/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh
old mode 100644
new mode 100755
index eab44897ec7c55297febfc7ec5982d6c50fd70ee..8fc358644be63924e103939fa3bc2c1e178244f2
--- a/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh
+++ b/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/passwd-
 chmod u-x,go-wx /etc/passwd-
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh b/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh
old mode 100644
new mode 100755
index 0162493adbda4b37995bce528e49a51a9c3786a5..215a9f42e6e26073497913e957e0a97b57409e2d
--- a/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh
+++ b/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/shadow-
 chmod 0000 /etc/shadow-
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh b/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh
old mode 100644
new mode 100755
index 701ee8cb8aa258df517eb46f9f87f316ac1acf5e..47f503eb3eb7e6447a8b3077d69bf2ffa11d647b
--- a/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh
+++ b/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/group-
 chmod u-x,go-wx /etc/group-
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh b/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh
old mode 100644
new mode 100755
index 8b428bd97c2a596d3d11a4d4ae5f1b779546d436..c77c26a9cc7a41bd455b8432d2d2124ca4d0a47c
--- a/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh
+++ b/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 chown root:root /etc/gshadow-
 chmod 0000 /etc/gshadow-
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh b/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh
old mode 100644
new mode 100755
index 6394d8f83f6828233dd0b5eac2d6425a5b8c78a0..97d45288e9f7b2fd4f80e8902beb95b48153c0b0
--- a/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh
+++ b/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh b/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh
old mode 100644
new mode 100755
index 0010b4b31065a555c4ec3a9a4c202f74895850a8..5ec6d794cb261a39dae0ade1931b5a6ac96b146a
--- a/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh
+++ b/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $6}' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then diff --git a/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh b/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh old mode 100644 new mode 100755 index 9191dbcfa1c8956b3cd74222a11ffbfcbbde11cc..d52b58e8385aaad7111abc2acd768a7a6bd7a1e5 --- a/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh +++ b/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do if [ ! -d "$dir" ]; then echo "User: \"$user\" home directory: \"$dir\" does not exist, creating home directory" diff --git a/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh b/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh old mode 100644 new mode 100755 index dfb1e1e844cf5c9f95aba03b6bf886caf161b248..fa1c4407a425f81e352bbef7f49da3fc18d589e7 --- a/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh +++ b/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then for file in "$dir"/.*; do 
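Review bot: In 4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh the awk filter `$1!~/(halt|sync|shutdown|nfsnobody)/` is unanchored, so any account whose name merely contains one of those strings is excluded and its home directory is never remediated. Anchoring the test, `$1!~/^(halt|sync|shutdown|nfsnobody)$/`, limits the exclusion to the four system accounts. The `\/bin\/false` shell test is missing its leading `^` in the same way. The identical filter appears in the 4.32–4.37 and 4.43 hunks, and each loop body continues outside its hunk.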
diff --git a/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh b/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh old mode 100644 new mode 100755 index 4322a69a1038dd9cabda078ebed6cff10081b2f4..2e53c4204f890de7e65fb152dedd2c2ed5caa197 --- a/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh +++ b/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then diff --git a/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh b/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh old mode 100644 new mode 100755 index 9c6a84f618ed3045d5dea697c456d328dd78c2f2..d3879f68eabb88e54d31be4fd495a5419f1f38c6 --- a/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh +++ b/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then diff --git a/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh b/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh old mode 100644 new mode 100755 index 2a41e8a482549777d2b5934f70223b97df328e1d..af9e1b7422036344216f62656c204f7666e9cdd1 --- a/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh 
+++ b/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do diff --git a/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh b/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh old mode 100644 new mode 100755 index 488c49bbd947f9fae1ce7d9945a4d1b0eb947e14..de3a44da56b010c2c6eed7517a3de60fdddd619d --- a/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh +++ b/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then file="$dir/.rhosts" diff --git a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh old mode 100644 new mode 100755 index 50d5a4d8cd8807df546cc4ac70f74c90e2b1e462..8b86b6dc8b9f4017aa4c99dea86700c28f569105 --- a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh +++ b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + [[ -e /etc/motd ]] && chown root:root /etc/motd [[ -e /etc/motd ]] && chmod u-x,go-wx /etc/motd [[ -f /var/lib/update-motd/motd ]] && chown root:root /var/lib/update-motd/motd 
diff --git a/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh b/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh old mode 100644 new mode 100755 index ce2aaf4c4f0a03350da1b14d59b6da854627d44a..f39c41b4f803be3b6db83a1d06caa570ddeb3558 --- a/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh +++ b/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do if [ ! -d "$dir" ]; then mkdir "$dir" diff --git a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh old mode 100644 new mode 100755 index 91ec526a77954d9a07b66f58ff1b0fcb3d4990b1..78ad91c971b9c6d3dd49bc059d359333a1ebd7fd --- a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh +++ b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + modprobe -n -q sctp && modprobe -n -v sctp | grep -Pq "^install\s*\/bin\/true\s*$" if [[ $? -ne 0 ]]; then diff --git a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh old mode 100644 new mode 100755 index d3d0efe771495b40d9b85d4f0804a336d39ac43f..78ae938425452a2a074339f767f492553697623c --- a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh +++ b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + modprobe -n -vq dccp if [[ $? -ne 0 ]]; then 
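Review bot: In 4.45-ensure-dccp-is-disabled.sh, `modprobe -n -vq dccp` followed by `if [[ $? -ne 0 ]]` tests whether the dry run failed, not whether the module is already mapped to `/bin/true`; a dry run of a loadable, un-disabled module exits 0. If the `then` branch (outside the hunk) is what writes the disabling rule, it would run only when the module cannot be resolved at all and be skipped in the case that needs it. Matching the 4.44 script's form would test the actual state: `modprobe -n -v dccp | grep -Pq "^install\s*\/bin\/true\s*$"`.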
diff --git a/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh old mode 100644 new mode 100755 index d9f477ef46e34fb2ec02e16392b23af45711d532..0fba97670575262632ea71f21764a3cf5dd47c58 --- a/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh +++ b/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + wireless_disable() { if command -v nmcli >/dev/null 2>&1 ; then diff --git a/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 065708252e5ae49163ae54ca421261f0e42e33e9..b4f634b099686c8d0b50d083f1cf54c26137f24e --- a/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh +++ b/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Ps "^\s*net\.ipv4\.ip_forward\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 grep -Ps "^\s*net\.ipv6\.conf\.all\.forwarding\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv6.conf.all.forwarding\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1 
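Review bot: In 4.47-ensure-ip-forwarding-is-disabled.sh the loop `while read filename; do sed -ri ... $filename; done` reads without `-r` and leaves `$filename` unquoted, so a sysctl drop-in whose path contains whitespace or a backslash is split or mangled before sed edits it in place as root; `while IFS= read -r filename; do sed -ri ... "$filename"; done` avoids that. The script only comments offending lines out and sets the value with `sysctl -w`, so nothing persists `net.ipv4.ip_forward = 0` and the state after a reboot depends on the kernel default and any remaining drop-in. Writing the wanted value to a file under /etc/sysctl.d would make the remediation durable. The 4.53, 4.54 and 4.56 hunks use the same loop.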
diff --git a/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh b/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh old mode 100644 new mode 100755 index 0f2c20f4a9daaf94c7bf216c36c35381e51ccc2d..c7253097bacf89aad6b6d72b3eaf9c44bd612757 --- a/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh +++ b/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 diff --git a/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh b/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh old mode 100644 new mode 100755 index dd1feb184b39255d6494ce1867997dd18e793155..0a002e89ccc9a31f4c7e92f681138946df23574e --- a/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh 
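Review bot: In 4.48-ensure-packet-redirect-sending-is-disabled.sh each `grep -Eq ... && sed -ri ... || echo ... >> /etc/sysctl.conf` line runs the `echo` not only when the key is absent but also when `sed` fails, which can append a duplicate entry; `if grep ...; then sed ...; else echo ...; fi` keeps the two cases apart. Only /etc/sysctl.conf is edited, so a conflicting value in a file under /etc/sysctl.d may still be applied at boot depending on load order, and the script does not look there. The dots in `net.ipv4.conf.all.send_redirects` are unescaped in both patterns, so they match any character. The 4.49, 4.50, 4.51, 4.52, 4.55 and 4.57 hunks share this form.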
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf diff --git a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh old mode 100644 new mode 100755 index 5acd8381b1814415f60aa4aa0d2eec6ed7c7b9a5..f8990839af1aa2e5a4ee9b900d8b27578fa2f38f --- a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh +++ b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + [[ -e /etc/issue ]] && chown root:root /etc/issue [[ -e /etc/issue ]] && chmod u-x,go-wx /etc/issue \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh b/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 025b16960113adc15fd7931ea1f247f0b512b3fc..6873aac8f5dd738f14df7b99bb801bb4c24a7086 
--- a/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf diff --git a/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh b/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 051910d8311d164045cc9caa9c53defea255beaf..9c470c6c69f60bb3f4e51b4fa5884bb309251e25 --- a/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.secure_redirects=0 diff --git a/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh b/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh old mode 100644 new mode 100755 index 1dda5ca7da8934268e5b60f339eaacffabea84d7..97c78418d37c79666486ebe1eaaf395f04b231b4 --- a/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh +++ b/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.log_martians=1 
diff --git a/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
old mode 100644
new mode 100755
index 11b71baae1e9fd354f3f8a9e5a7fb003a01d87f5..2c7b79a710ac491cde7fd6eda798cbe8ac7205f0
--- a/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
+++ b/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Ps "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_echo_ignore_broadcasts\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1; sysctl -w net.ipv4.route.flush=1
diff --git a/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
old mode 100644
new mode 100755
index 30f4f624f5e79a05d132110b908fa76b61cfffe3..118540e678faa2eb517eed97490259c3979940ee
--- a/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
+++ b/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Ps "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_ignore_bogus_error_responses\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; sysctl -w net.ipv4.route.flush=1
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh b/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh old mode 100644 new mode 100755 index eb376f81d618c3fb2d1d999bbd0cf238b22ca037..8953c2a5e33968f7d0ec1abb8879b99cbc917880 --- a/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh +++ b/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.rp_filter=1 diff --git a/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh b/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh old mode 100644 new mode 100755 index a1b54a60b9269368c1d1118af1536aa36ebd9342..6a0444ef8c187648c841a750716672e957c633ad --- a/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh +++ b/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Els "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.tcp_syncookies\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.tcp_syncookies=1; sysctl -w net.ipv4.route.flush=1 \ No newline at end of file 
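Review bot: In 4.56-ensure-tcp-syn-cookies-is-enabled.sh the pattern `=\s*[02]*` also succeeds when `[02]*` matches nothing, so `grep -Els` lists every file that sets `net.ipv4.tcp_syncookies` at all, including files that already set it to 1. The sed that follows comments out every `net.ipv4.tcp_syncookies` line in those files regardless of value, so compliant persistent settings are removed as well. Requiring a digit and the end of the value, `grep -Els "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]\s*$"`, and applying the same value test in the sed expression restricts the edit to non-compliant entries.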
diff --git a/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh b/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh old mode 100644 new mode 100755 index b22df1d97d0fad3a0f5468376c87c0644b06b235..e33265f26d760290739d7c3ff68e213e4affe32a --- a/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf sysctl -w net.ipv6.conf.all.accept_ra=0 diff --git a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh old mode 100644 new mode 100755 index 375556c96e8060d3391b8b1a6430fa4ee8bf9a5a..5f2d7edaf7f50c987057f8e3842cc3375b8534be --- a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh +++ b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + dnf install firewalld nftables iptables iptables-services -y \ No newline at end of file 
diff --git a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh old mode 100644 new mode 100755 index 91ac10ae1f312d19636de36538169869714ec368..1eef0b585b1938162a0463a496a5fd4786c19ffb --- a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh +++ b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa firewalld) ]]; then diff --git a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh old mode 100644 new mode 100755 index 534fc6a1d0e6f695ecff68bbd99791fa76dedf86..ace735dabc8e216dda65bfdbe130411c4781dc96 --- a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh +++ b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + [[ -e /etc/issue.net ]] && chown root:root /etc/issue.net [[ -e /etc/issue.net ]] && chmod u-x,go-wx /etc/issue.net \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh old mode 100644 new mode 100755 index 4145f02e4e1d54a9f8cf4bc1e9f949eb2e4be738..cdb6a4a934457ec10a9f3d1bca831f21945f2da0 --- a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh +++ b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh 
@@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q iptables-services | grep -Psq "^iptables\-services.*" && systemctl is-enabled iptables | grep -Psiq "^enabled" && systemctl --now mask iptables.service \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh old mode 100644 new mode 100755 index 384e893b6193efde2cbe394c5c229c129dab1a3e..2a086f8b4111ada9ad45817584d79f4bc764c8fd --- a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh +++ b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q nftables | grep -Psq "^nftables\-*" && systemctl is-enabled nftables | grep -Psiq "^enabled" && systemctl --now mask nftables \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh old mode 100644 new mode 100755 index 808e41056b8ab64cb8ed7cc7ac4ac7736a909022..871572d06e06dfefd6727c4909a28a0c258f5063 --- a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh +++ b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ "$(rpm -qa nftables)" ]; then diff --git a/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh b/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh old mode 100644 new mode 100755 index df9fa2c58120267d6afaf452f4a3c258f51a607a..5ef75e83268720a4e63c2aca557d9dbf64c3f58a --- a/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh +++ b/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh 
@@ -1,2 +1,4 @@ +#!/usr/bin/bash + yum list | grep -q iptables && yum install -y iptables yum list | grep iptables-services && yum install -y iptables-services diff --git a/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh b/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh old mode 100644 new mode 100755 index e587dc635fa77f55e6dadac8bb4c21546ebda886..201344cbd5d7cb7a65e052a43e643ee933a3b22a --- a/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh +++ b/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + yum remove -y nftables \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh old mode 100644 new mode 100755 index 5be62a6381fca480d35461be055d4a6170ba341f..9866acec86869b6820d0ff009af841770f5ba8d8 --- a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh +++ b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q firewalld | grep -Psq "^firewalld\-" && systemctl is-enabled firewalld | grep -Psiq "^enabled" && systemctl --now mask firewalld \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh b/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh index 5a196627a3c36e44cfaf392e6eb98ecf5e69bd0d..86b2a9371e36705a53b326a580035d28003fcd00 100755 --- a/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh +++ b/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh 
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -qiP "^HISTSIZE" /etc/profile && sed -i "/^HISTSIZE/cHISTSIZE=100" /etc/profile || echo -e "HISTSIZE=100" >> /etc/profile diff --git a/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh b/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh index 51efeffece6d497e13031de46401fdd8a6a2a7dc..46d686213c124f0e677306308ffc6455295b0535 100755 --- a/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh +++ b/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -qiP "^HISTFILESIZE" /etc/profile && sed -i "/^HISTFILESIZE/cHISTFILESIZE=100" /etc/profile || echo -e "HISTFILESIZE=100" >> /etc/profile diff --git a/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh b/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh old mode 100644 new mode 100755 index b6b5356403fa90499259d5e27e57340c4f572230..9eff1ed2b7a796beaf25b0725d2a3e8fb88121c9 --- a/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh +++ b/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh @@ -1,3 +1,4 @@ -#!/bin/bash +#!/usr/bin/bash + ls -l / | grep tmp | grep rwt || chmod o+t /tmp/ diff --git a/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh b/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh old mode 100644 new mode 100755 index 5e17351324975ff3c2bf9b8fc47efd7082fdf793..1c9c27774cd7e4d90fb3613f836c025dc4d1ea4d --- a/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh +++ b/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh 
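Review bot: In 4.68-ensure-permissions-TMP-is-correct.sh, `ls -l / | grep tmp | grep rwt` succeeds when any entry under `/` with `tmp` in its name shows `rwt`, not specifically `/tmp`, so the sticky bit on `/tmp` can be left unset while the script reports nothing. Testing the directory itself is exact and avoids parsing `ls` output: `[ -k /tmp ] || chmod o+t /tmp`. The current form also prints the matching `ls` line to stdout on compliant systems.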
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + chmod 400 /etc/ssh/*key chmod 400 /etc/ssh/*key.pub \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh b/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh old mode 100644 new mode 100755 index 73c9468e8191ffc015310020baaae6616985485e..a728480a423e40342c01156611562f71e8dd9a26 --- a/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh +++ b/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" /etc/yum.conf && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" /etc/yum.conf || echo "gpgcheck=1" >> /etc/yum.conf for file in /etc/yum.repos.d/*; do grep -Eq "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" $file && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" $file || echo "gpgcheck=1" >> $file diff --git a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh old mode 100644 new mode 100755 index 580737fa502c18963654f7d52e287e69401a98bb..644ce5893380d697e2f15f06931b5387e2588902 --- a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh +++ b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh @@ -1,3 +1,4 @@ -#!/bin/bash +#!/usr/bin/bash + grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && sed -i '/\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh b/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh old mode 100644 new mode 100755 index c99d025ce7095358291461c43c7463ace76de23d..411838c68daf805e823cba69b1aa9f494d1bdc29 
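Review bot: In 4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh, `chmod 400 /etc/ssh/*key` strips the group read bit that the 1.11 remediation kit earlier in this diff deliberately keeps for `root:ssh_keys` (`chmod u-x,g-wx,o-rwx`). The two kits therefore disagree on the final mode of the private host keys, and the result depends on which one runs last. The globs `*key` and `*key.pub` are also wider than the `ssh_host_*_key` pattern used by 1.11/1.12, and when nothing matches `chmod` receives the literal pattern and fails. Consider reusing the `find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod ... {} \;` form with one agreed mode, and add a comment stating why public keys are set to 400 rather than left world-readable.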
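Review bot: In 4.7-ensure-gpgcheck-is-globally-activated.sh the fallback `|| echo "gpgcheck=1" >> /etc/yum.conf` appends to the end of the file, so the setting lands in whichever section happens to be last and only takes global effect if that section is `[main]`. Insert it under the section header instead, for example `sed -i '/^\[main\]/a gpgcheck=1' /etc/yum.conf`. The `grep && sed || echo` chain also runs the append when `sed` itself fails, so an explicit `if grep ...; then sed ...; else ...; fi` is safer. In the loop, `$file` is unquoted and should be `"$file"`. The `for` body continues past the end of this hunk.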
--- a/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh +++ b/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ -e /etc/fstab ]] && [[ -n "$(grep -Ps "\s+\/var\s+" /etc/fstab)" ]] && [[ -z "$(grep -Ps "\s+\/var\s+.*nosuid" /etc/fstab)" ]] ; then varLine=$(grep -Pn "\s+\/var\s+" /etc/fstab | cut -d: -f1) varCon=$(grep "\/var" /etc/fstab | awk '{print $4}') diff --git a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh old mode 100644 new mode 100755 index 326d680094770805062216230752f4fc945537ea..ea79848adf3906f8a0d48bf633d8752ec55774a3 --- a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh +++ b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ ! "$(rpm -qa aide)" ]; then diff --git a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh old mode 100644 new mode 100755 index ee68146a6b1e5ef8515790a317363bd999367804..c9643fe72819e3ce01b2b5b45077e91318af8f52 --- a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh +++ b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q aide | grep -Piq aide-.* && (crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root - 
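Review bot: In 4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh, `varCon=$(grep "\/var" /etc/fstab | awk '{print $4}')` uses a looser pattern than the `\s+\/var\s+` match used by the guard and by `varLine`. Entries such as /var/log or /var/tmp, and commented-out lines, also match, so `varCon` can end up holding several option strings. Select the same single entry in both places, e.g. `varCon=$(awk '$1 !~ /^#/ && $2 == "/var" {print $4}' /etc/fstab)`. The rest of the `if` body is outside this hunk, so how `varCon` is written back to /etc/fstab is not visible here.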
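Review bot: In 4.9-ensure-filesystem-integrity-is-regularly-checked.sh the pattern in `grep -Piq aide-.*` is unquoted, so the shell may expand it against file names in the current directory before grep sees it. Use the exit status instead: `rpm -q aide >/dev/null 2>&1 && ( ... ) | crontab -u root -`. Separately, the new crontab is built from the output of `crontab -u root -l`; if that call fails for a reason other than "no crontab for root", the pipeline would presumably install a crontab holding only the aide line. A comment stating that assumption, or a check of the exit status before piping into `crontab -u root -`, would help.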
diff --git a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh old mode 100644 new mode 100755 index 708f491c834d9a7dc2db5f46c493af2ce7c0cb74..b9432fcdb7c35c5a4b6eff46e7cf5c4355ff0323 --- a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh +++ b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=$(systemctl is-enabled crond) if [[ $result == "enabled" ]]; then echo "pass" diff --git a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh old mode 100644 new mode 100755 index e939fc41708f03435d680423923d6d292d885df0..a36b36cbd06a066b776d8a5610d48c8cfab16ec9 --- a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh +++ b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sshd -T | grep -Piq '^(allow|deny)(users|groups)\s+.*' && grep -Piq '^\h*(allow|deny)(users|groups)\h+.*$' /etc/ssh/sshd_config && result=true diff --git a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh old mode 100644 new mode 100755 index ab197fd6da5005a659db173d25a3699ded2d1900..52889e708ceaae5785464f7e0f0ce20113dd4db3 --- a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh +++ b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result_root=false result_ssh_keys=false 
diff --git a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh old mode 100644 new mode 100755 index 545fbba2a1acd133fc8643f75107bca0a3c6ac33..dd081e286ac507aed25b069cd751c7b0900f7cf6 --- a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh +++ b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Piq "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true diff --git a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh old mode 100644 new mode 100755 index 9756b8c4d7e75e82bdf92c961f3c3bdd1fe18f6f..a17e4cb6717b487122cc3114e0720394feddbe00 --- a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh +++ b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^loglevel\s+(INFO|VERBOSE)$") configFileSettings=$(grep -Pi '^\s*loglevel\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*loglevel\s+(INFO|VERBOSE)\b') diff --git a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh old mode 100644 new mode 100755 index 2b29e1136a2390912c081f6a1edf10e18defd31e..167eb4e5fb3d69f07f1bb46cb097955a29024619 --- a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh +++ b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh 
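Review bot: In scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh the failure regex `root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])` only matches files already owned by root:root whose group and other digits are both 5–7. A public key with a non-root owner or group, or with a mode such as 620 or 662, never matches, and `|| result=true` then reports it as compliant. The first alternative is also fully covered by the second. Checking for anything outside the allowed set is tighter and agrees with the `u-x,go-wx` remediation: `... | grep -Pvq '^root-root-[0246][04][04]$' || result=true`. How `result` is reported is outside this hunk.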
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\s+[0-4]$') configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*maxauthtries\s+[0-4]{1}\b') diff --git a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh old mode 100644 new mode 100755 index 8f30d5b62e11bf77203fe36150508e7db1f6e846..fdd8d172807da03b94eacff4f5d9f1b07079bd8b --- a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh +++ b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^ignorerhosts\s+yes$") configFileSettings=$(grep -Pim1 '^\s*ignorerhosts\b' /etc/ssh/sshd_config | grep -Pvi '^\s*ignorerhosts\s+yes\b') diff --git a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh old mode 100644 new mode 100755 index e77578e780422962c841c7e0967a4963a3ef1803..8e027e59e67da2354855a07fd5c72ea0831e0542 --- a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh +++ b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^hostbasedauthentication\s+no$") configFileSettings=$(grep -Pim1 '^\s*hostbasedauthentication\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*hostbasedauthentication\s+no\b') diff --git a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh old mode 100644 new mode 100755 index ab9dc779fcec243ccd05db748a0eae8fd35dd2c2..02bba6e8872e02a76a935e0bcb652d366f13f4f6 --- a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh 
+++ b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^permitrootlogin\s+no$") configFileSettings=$(grep -Pim1 '^\s*permitrootlogin\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitrootlogin\s+no\b') diff --git a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh old mode 100644 new mode 100755 index 80641bb30b4c36d8f828b3c2edf0d7fb7e6166d3..4b0f1229f4eb97f3c4c8f794a8272b1adca2f603 --- a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh +++ b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^permitemptypasswords\s+no$") configFileSettings=$(grep -Pim1 '^\s*permitemptypasswords\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitemptypasswords\s+no\b') diff --git a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh old mode 100644 new mode 100755 index 073bd98e6780da435441765c1a6f6a46f4044d83..2558c4c4335cb0c8753facad7c7ae3f361df3a1e --- a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh +++ b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^permituserenvironment\s+no$") configFileSettings=$(grep -Pim1 '^\s*permituserenvironment\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permituserenvironment\s+no\b') 
diff --git a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh old mode 100644 new mode 100755 index 0debad126c81bce671b9eb76dde45cc661ffd56f..7f3bd77ee10dfed85bbaad2dc9ab4703220bdfa4 --- a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh +++ b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/crontab | grep -Pq '^[0-6][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh old mode 100644 new mode 100755 index 2cd6792c31aa8f8756304770bd997509ef2a4c9e..b57c8ff3a64caa8373db85c0d1bd18ffe4b9f1c3 --- a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + checkPoint=false loadedSystemConfig_clientalivecountmax=$(sshd -T | grep -Pi '^clientalivecountmax\s+[0]{1}$') configFileSettings_clientalivecountmax=$(grep -Pim1 '^\s*ClientAliveCountMax\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*ClientAliveCountMax\s+[0]{1}\b') diff --git a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh old mode 100644 new mode 100755 index e57f146f2518f456c1ab65459396ec4213c2def6..5204ebc9719ee41314d084c9eb08a1fd81d2f50f --- a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh +++ b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^logingracetime\b" | awk '{ if ($2 > 60) print 1; else print 0 }') configFileType=$(grep -Pim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | grep -Poi '[s|m]$' | tr 'A-Z' 'a-z') configFileSettings=$(grep -Poim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}') diff --git a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh old mode 100644 new mode 100755 index ce0cfbd620fd7d73e9d07c01fca6aaa45ce15a19..124664fb6edb7fef7d53075adc2c38907e4165b0 --- a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh +++ b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^banner\s+none$") configFileSettings=$(grep -Pim1 "^\s*Banner\s+.*$" /etc/ssh/sshd_config) diff --git a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh old mode 100644 new mode 100755 index e0bf8585398787ccfa833a1a831940974e2be1a0..d6cb387a6a45ba4c28ffaa362fc36f473fee5fe4 --- a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh +++ b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^usepam\s+yes$") configFileSettings=$(grep -Pi '^\s*usepam\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*usepam\s+yes\b') diff --git a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh old mode 100644 new mode 100755 index e2a0e29e8de8ed85f5e7aa21466fe68561c41f19..80df41eacdad57f485d7594b9ac032ae216423ce --- a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh 
+++ b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false maxstartups_first=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $1}') diff --git a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh old mode 100644 new mode 100755 index 4f6d3d8fa820720f5c9969e93451dafa6ff3a466..dadc542c4fc7db67894e913560055ffe64a6cb07 --- a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh +++ b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^MaxSessions\b" | awk '{ if ($2 > 10) print 1; else print 0 }') configFileSettings=$(grep -Pim1 '^\s*MaxSessions\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 10) print 1; else print 0 }') diff --git a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh old mode 100644 new mode 100755 index 853874e37a6964d44451910b61b0db608be53644..a15af4bd42756f681dd413ecdb50b003e8df4ca0 --- a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh +++ b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -iPq '^\s*CRYPTO_POLICY\s*\=' /etc/sysconfig/sshd || result=true diff --git a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh old mode 100644 new mode 100755 index f7ad91bb127b37eb3931fd5c1f330da2bec946c1..813cf8e5fe2d3f8c6dc90f8ddf50ce9820cc1b28 --- a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh 
+++ b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + # 定义检查函数 check_file_contains() { diff --git a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 977e56ebf96aef74bf1eda970247c236a37b5727..8cd87f3b93cdb194334fed4475c899ebb8459efc --- a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 diff --git a/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh b/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh old mode 100644 new mode 100755 index 3d2e3ef4116c296e01e896f0cb7ec487af02f765..e5059aaa485f94c7510403ccb1100bc9abbaf469 --- a/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh +++ b/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\h+password\h+sufficient\h+pam_unix.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 grep -Pi "^\h+password\h+requisite\h+pam_pwhistory.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 
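Review bot: In scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh both patterns begin with `^\h+password`, which requires at least one leading blank, so PAM lines that start in column 0 are never selected and the `fail` branch cannot fire for them. Scanner 1.44 in this diff uses `^\s*password` for the same check; use `^\h*password\h+...` here as well. Each of these pipelines also stays silent when the module line is missing altogether, because the second `grep -v` then has no input; the same shape appears in 1.28, 1.44 and 1.45. Whether the lines after this hunk catch the missing-line case is not visible here.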
diff --git a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh old mode 100644 new mode 100755 index ebcfa84c39ec196a5dbdd1a13c839326856b18ff..ca3844769b014059b0d7064e903f74e23598a0d3 --- a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh +++ b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.hourly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh old mode 100644 new mode 100755 index 9dc74f6a381c56b16007710cb16172f235ef8900..a4a0d323c0fae61e3d27cad7f0af877b3b51d0e4 --- a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "^\s*password\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*password\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/system-auth && result=true diff --git a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh old mode 100644 new mode 100755 index b3378407e147392004bf51147674fa55bf7a0989..bb668756648ed403f94c56f5178af4951ca59ded --- a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh +++ b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + loginPassMaxDaysVaule=$(grep -P "^\s*PASS_MAX_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 <= 365) print $2;}') userPassMaxDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$5 == "" || $5 > 365 {print 1}') diff --git a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh old mode 100644 new mode 100755 index 019a2355c3673c852a7f2069ab46a858ab02405d..7c2250e2fca4faa8272c223e3961d56c7490e5a0 --- a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh +++ b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loginPassMinDaysVaule=$(grep -P "^\s*PASS_MIN_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') userPassMinDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$4 == "" || $4 < 7 {print 1}') diff --git a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh old mode 100644 new mode 100755 index 0acea60edc273b6c59da560b63c37bb17b4304de..ef1cac7d26674d40d854c1dc882ed51215044a35 --- a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh +++ b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loginPassWarnageVaule=$(grep -P "^\s*PASS_WARN_AGE\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') userPassWarnageVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$6 == "" || $6 < 7 {print 1}') 
diff --git a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh old mode 100644 new mode 100755 index 0598ef6d19fe50ca992e048aa01f34a9bbc0bb2e..7c9bd8c91e61215319391ec40e051fa7b8184536 --- a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh +++ b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + inactiveVaule=$(grep -P "^\s*INACTIVE=[0-9]+\b" /etc/default/useradd | awk -F= '{ if ($2 <= 30) print $2;}') userInactiveVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$7 == "" || $7 > 30 { print 1 }') diff --git a/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh b/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh old mode 100644 new mode 100755 index 184d6026c3dd1cd5a5a769af2736bcab46d67a81..079d21363f20aee0ed1aaf7e7bac88662cba82be --- a/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh +++ b/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo "$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)"; done` if [[ -z "$result" ]]; then diff --git a/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh b/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh old mode 100644 new mode 100755 index 996932a22ab52975eee7ab7ccdffe13130136bf6..ad95c998eadbcc3a6aa48e68a1de33d8ccc7a2bf --- a/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh +++ b/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh 
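Review bot: In scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh, the `>` inside `[[ ... ]]` is a lexicographic string comparison between the `chage --list` date text and the default `date` output, so it does not order the two dates chronologically. Accounts can be flagged or missed depending on month and weekday names. Compare numerically on the days-since-epoch field of /etc/shadow instead: `result=$(awk -F: -v today="$(( $(date +%s) / 86400 ))" '$3 ~ /^[0-9]+$/ && $3 > today {print $1}' /etc/shadow)`. That also removes the backticks and the unquoted `$usr`.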
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + val_nologin="" val_lock="" diff --git a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh old mode 100644 new mode 100755 index f51d16af53dd866af1f7e29b4d89564f75390825..7319e73b8cd3d228dabb1455238b8482e11b2338 --- a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh +++ b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" diff --git a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh old mode 100644 new mode 100755 index 4f9bb38f47c24e6a7f32ca7be64cfa64888bcc63..fa85c8b764742e03c215ec229a66526d8902685f --- a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh +++ b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep "^root:" /etc/passwd | cut -f4 -d: | grep -q 0 && result=true diff --git a/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh old mode 100644 new mode 100755 index 8a1e366b80bf05e81159bd08f21c451ac3bb4740..306bedc4297e8e2881a30a5be8b58ce2093eec43 --- a/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh +++ b/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + # umask 设置标记,检查umask是否已配置 umaskSetTag="" # 以下两个条件,符合其中一种即为true 
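Review bot: In scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh, `grep -q 0` succeeds for any GID that merely contains a zero (10, 100, 1000), so a root account whose primary group is not 0 can still be reported as compliant. Match the whole field: `grep "^root:" /etc/passwd | cut -f4 -d: | grep -qx 0 && result=true`. The lines that print the result are outside this hunk.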
diff --git a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh old mode 100644 new mode 100755 index 9db8477dfe709ce5fda385e95c885b8cc26fc604..db3455a9a38f7db7fb23c4ad72c827ca66919028 --- a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh +++ b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.daily | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh old mode 100644 new mode 100755 index 7b557779bf434dc550c6321586a974b1cc0fb1b0..3d53eb1d412d2b688f6ef1170135eba4a65447b5 --- a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh +++ b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*\s+use_uid(\s+\S+)*\s*(\s+#.*)?$" /etc/pam.d/su && grep -Eiq "^wheel:x:10:" /etc/group && result=true diff --git a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh index b10a2622a36c80f8cca6e92641eda0644915a547..85d62b334b14b8558e8a7e264bb028826a16f6ec 100755 --- a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh +++ b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false protocol_value=$(grep -Pim1 "^Protocol\s+" /etc/ssh/sshd_config | awk '{print $2}') 
diff --git a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh old mode 100644 new mode 100755 index f174ae83c75c69a11516b2db34c07ded686f6c60..ae4017b4fc70c3ed03efff8f680c892cf023151e --- a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh +++ b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + val_Pass_Max_Days=99999 result_Pass_Max_Days_User=true val_Pass_Max_Days=`grep -Ei "^\s*\bPASS_MAX_DAYS\b\s" /etc/login.defs | cut -f2` diff --git a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh old mode 100644 new mode 100755 index b7f93ddcf07c5e5c036d787d30a9f412b0fa0ae9..3aa38ad96398605feafd6f4e6204515000059b3d --- a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh +++ b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + val_Pass_Min_Days=0 result_Pass_Min_Days_User=true val_Pass_Min_Days=`grep -Ei "^\s*\bPASS_Min_DAYS\b\s" /etc/login.defs | cut -f2` diff --git a/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh b/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh old mode 100644 new mode 100755 index 8ab4fb55e036e0f3786f108af47cf92a39280393..ce7fb1a15f71eadc7c79e3ae294f3e135a78aa21 --- a/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh +++ b/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh 
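Review bot: In scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh, and likewise in 1.43, the value is extracted with `cut -f2`, which splits on TAB only. When /etc/login.defs separates key and value with spaces, the whole line is returned instead of the number. If the setting is absent, the default assigned on the first line is overwritten with an empty string. Select the field by whitespace and keep the default when nothing is found, e.g. `v=$(awk '$1 == "PASS_MAX_DAYS" {print $2}' /etc/login.defs); [ -n "$v" ] && val_Pass_Max_Days=$v`. The range comparison itself lies outside these hunks.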
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\s*password\h+sufficient\h+pam_unix.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 grep -Pi "^\s*password\h+requisite\h+pam_pwhistory.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 diff --git a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 6f390397da61787bdbf03b22646ff1f96d099e4f..c2f3dc12e81a352788b3451081d8c55f60bc75cd --- a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 diff --git a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh old mode 100644 new mode 100755 index 83d9899a4bef6dd10c18cd49760f7c3e9719e4e8..bdb94d730f5deafb28f45151b4c793974a53177f --- a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh +++ b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" 
diff --git a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh old mode 100644 new mode 100755 index ac88a2612939da42aad36f40f46ee445976d4087..75f22309f8c37a0bc066f7d67d83646103d5fafe --- a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh +++ b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\b' | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') diff --git a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh old mode 100644 new mode 100755 index 3b3b272973757a7b8f3bbb49c11942c2d744fefb..9a7a6d5f652273d50c90f21d3ad6322abd2ff3b5 --- a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh +++ b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" shutdownCheck=$(grep -P "^shutdown\b" /etc/shadow) haltCheck=$(grep -P "^halt\b" /etc/shadow) diff --git a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh old mode 100644 new mode 100755 index 0648967e750cd6f7241392f428eedf38641d6cc3..02e990e265f45ec9cb0047f4bba1043f9c19faed --- a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh +++ b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.weekly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 85f8e6ac5f86a7fb61166577b0c22793e96345f4..129355a773cb4342f844f29f04a0b691efe67939 --- a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh +++ b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^x11forwarding\s+no$") configFileSettings=$(grep -Pim1 '^\s*x11forwarding\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*x11forwarding\s+no\b') diff --git a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 8a98570717284678f12962594c0b8b3569539a3d..eaf145f45930240a138fde5ffdb577e9e3327634 --- a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false modprobe -n -v udf | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^udf\b")" && grep -Pq "^blacklist\s*udf\b" /etc/modprobe.d/* && result=true diff --git a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 02544269ec2872c464eceb02d9d97cfd00ab373c..179fc59fbf472da534305cecf9e7a1532f733b20 --- a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh 
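Review bot: The blacklist pattern in 1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh, `^blacklist\s*udf\b`, accepts zero whitespace between the keyword and the module name, whereas the squashfs scanner (1.53) in this same commit requires `\s+`. Writing it as `grep -Pq "^blacklist\s+udf\b" /etc/modprobe.d/*` matches only a well-formed directive and keeps the three filesystem scanners (1.51–1.53) consistent. The block that prints the result is outside the hunk.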
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false modprobe -n -v cramfs | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^cramfs\b")" && grep -Pq "^blacklist\b\s*cramfs\b" /etc/modprobe.d/* && result=true diff --git a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 06f19b6a102393364a10962429e70173a2ad338b..e0e828de3bc091fc3177b4d0bbd8a0fb628bdc4a --- a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false echo $(modprobe -n -v squashfs) | grep -Psq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^squashfs\b")" && grep -Pq "^blacklist\s+squashfs\b" /etc/modprobe.d/* && result=true if [[ "$result" == "true" ]]; then diff --git a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh old mode 100644 new mode 100755 index 0b37fde39765feeae5d81009b2ba43ed548efc21..b6cb50359bc55ad06a3eaa4e16e4cb6db73939e3 --- a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh +++ b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" shutdownCheck=$(grep -P "^bin\b" /etc/shadow) result=false diff --git a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh old mode 100644 new mode 100755 index e3faeef90c43860156b581cae5931e270c021792..49c4b2ab07a5fc7785284c3f6286618759147a5d --- a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh 
+++ b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.monthly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh old mode 100644 new mode 100755 index dd2a6c9f04a9fc9685ba1bccdc352cb3eb0c8150..8cdd627ff67045269f64c04e4ef18d0cc14ee853 --- a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh +++ b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.d | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh old mode 100644 new mode 100755 index 1b70bfc453e468efc14de96596d2e3eba4f3c931..f2900dd808272a8a4d0a4fb882c7753568c7db32 --- a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh +++ b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result_cron_deny=false result_at_deny=false result_cron_allow=false diff --git a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh old mode 100644 new mode 100755 index f36559d116e8fd40764a09d9de125a8834879666..85b512cf9ad5bc378df876eaa534a993fa39bcea --- a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh +++ b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/ssh/sshd_config | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh old mode 100644 new mode 100755 index 9d01c4e4f6b2ba58cddf9f93d162f1efb11584ca..ab33767e7abbc1c5c315ba16e4a198bdc6c8247c --- a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh +++ b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") diff --git a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh old mode 100644 new mode 100755 index 685e5c782c61bdedbd9a3b2b5a51958e8d925e37..372c059d77630c9dd870fdfdf1eeb7d1ad6ce03d --- a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh +++ b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=0 for i in $(stat -c "%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) do diff --git a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh old mode 100644 new mode 100755 index 451fb7b2aa0fc5969b237c495bd0e1e887598750..0e5d7cf0fc8040cdad69c3bdd7fd66dd5f8c98fc 
--- a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh +++ b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ -e /etc/aide/aide.conf ]]; then checkContent="p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512\b$" lineNumber=$(grep -Ecs -e "^/sbin/auditctl\s+$checkContent" \ diff --git a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh old mode 100644 new mode 100755 index fae435ed294d336b3c45bf5472784f2f01a3fef5..98dbf3af60bc9e2ed795e9ed4bb9c4fddb16cde0 --- a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh +++ b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q rsyslog >/dev/null 2>&1 && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh old mode 100644 new mode 100755 index 72814464d912331fbf072a64f49fb3ba17d203c7..b38473b4238d6a081089108fd11d17bda7ab7f7c --- a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh +++ b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if rpm -q rsyslog >/dev/null 2>&1 ; then result=$(systemctl is-enabled rsyslog) if [[ $result == "enabled" ]]; then diff --git a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh old mode 100644 new mode 100755 index adeaa1cd48e71908582c4b1ca49bd9d20d16b424..df9408aec69b987bd007bab5920a2932b487ec29 --- a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh 
+++ b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + value=$(grep -P "^\s*\\\$FileCreateMode\s+[0-9]{4}\s*$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -o [0-9]*) if [[ -n $value ]]; then diff --git a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh old mode 100644 new mode 100755 index c211841c2e8a8b1ad32f9eeeff852cc64c358c64..478eeb7e74429388bac1e130c0de43d1208294ae --- a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh +++ b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Psq "^\*\.\*\s*\@{1,2}.*" /etc/rsyslog.conf /etc/rsyslog.d/*.conf && result=true diff --git a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh old mode 100644 new mode 100755 index 84c7445fefa703d0cd03acc09b99e9b80b423a4f..5e219b707d85270c1641b5cda8740e55d93391c3 --- a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh +++ b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /etc/systemd/journald.conf ]]; then diff --git a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh old mode 100644 new mode 100755 index fde67760b6e44697a3a98db6653a35c1e095baf8..60e167f5aa27836824e1f2b128f4c9b1926d12b2 --- a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh 
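Review bot: The final filter in 2.14-ensure-rsyslog-default-file-permissions-configured.sh, `grep -o [0-9]*`, leaves its pattern unquoted, so the shell glob-expands it against the working directory before grep runs; a file there whose name starts with a digit changes what the scanner matches. Because the first grep reads several files, its output is prefixed with the file name, so digits in a drop-in name under /etc/rsyslog.d/ would also land in `value`. Quoting the pattern and suppressing file names avoids both: `grep -hP "^\s*\\\$FileCreateMode\s+[0-9]{4}\s*$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -o '[0-9]*'`. How `value` is compared afterwards is outside the hunk.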
+++ b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /etc/systemd/journald.conf ]]; then diff --git a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh old mode 100644 new mode 100755 index 63f439968f50a601da131eec760b7f6742d81947..b05137806cb692bffd1b4fb5c26ab4c3e1a20ca9 --- a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh +++ b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /etc/systemd/journald.conf ]]; then diff --git a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh old mode 100644 new mode 100755 index dcd71daa59ad2d57cc02dc6da1b603c0e58b9e36..02571007698666722710be882f51c6951efcc809 --- a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh +++ b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh old mode 100644 new mode 100755 index 0d051e7a7d95ed0f898e61f2b9aebd0a9e78f85c..38adc58d27e17c6abce88eb928f9639c290b0a1f --- a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh +++ b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") diff --git a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh old mode 100644 new mode 100755 index 7d1e1fe51bc4551348f09e36b9012bbd007ca48d..ae5ed342d97a4d069992b9919c2be9d2e88736a0 --- a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh +++ b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 ; then result=$(systemctl is-enabled auditd) if [[ $result == "enabled" ]]; then diff --git a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh old mode 100644 new mode 100755 index ea181cc982fd748a48688c9ae0fd46c7cfe2aeb6..f98ce7a30163380dce62d5af291d0428e8ec6bd7 --- a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh +++ b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + result='true' diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh old mode 100644 new mode 100755 index 78da0fbd40dfbdab9ea8d5a744c9049d86a0b275..2f59c5e1e2b6457b75eee20f3b3750af5d26790b --- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
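Review bot: The interpreter line `#!/usr/bin/bash` resolves only where bash is installed under /usr/bin, i.e. on merged-/usr layouts. It replaces `#!/bin/bash` in 2.21 here (likewise 2.25 and 5.2–5.5) and `#!/usr/bin/env bash` in 2.24, 2.5–2.7, 5.9 and 3.17. An absolute path is a reasonable choice for scanners that presumably run as root, because unlike `env bash` it does not depend on `PATH`. `#!/bin/bash` gives the same property and also works where /bin is a separate directory. If the kits target only merged-/usr RPM distributions, stating that in the project documentation would be enough.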
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -q "\-w /etc/sudoers -p wa -k scope diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh old mode 100644 new mode 100755 index fcbd3e8d99d843c4790c4baf489605173ba333ea..0fdde4162b9c5c7d1e57264de05fc15c5c71e650 --- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh +++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true checkFile=$(echo "/etc/group" "/etc/passwd" "/etc/gshadow" "/etc/shadow " "/etc/security/opasswd") diff --git a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh old mode 100644 new mode 100755 index 8b35c1f0a13c51e395a549c09cdd9e4f2687aade..79a2a853056e3c7ad38668188e6f62ca56d868f9 --- a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh +++ b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=false checkRule="^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" diff --git a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh old mode 100644 new mode 100755 index a5ed931835712f59ff6c513277db811b39419749..8c25287149e68174aa6a4b5b3b31bb25240eea5b 
--- a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh +++ b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + [[ -e /etc/audit/auditd.conf ]] && output=$(grep -P "^max_log_file_action\s*=.*" /etc/audit/auditd.conf | cut -f2 -d= | sed -e 's/^[ ]*//g') diff --git a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh old mode 100644 new mode 100755 index ca00b10900a75b90964a5cf2e61129a41f0a925e..601a1b2f5e3fe454241ff224786e72a4b982442c --- a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh +++ b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + checkResult=$(augenrules --check) echo $checkResult | grep -Psiq "\bNo\s+change$" && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh old mode 100644 new mode 100755 index b53d3e6267ba7a4f9b3e0d89ed9ff56b24409251..f58ea0c1c77912d9935bf55d72eb4c97ac17f6cd --- a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh +++ b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + fwDenied=$(firewall-cmd --get-log-denied 2>&1) fwDeniedFile=$(grep -Pm1 "^\s*LogDenied=all\s*$" /etc/firewalld/firewalld.conf | grep -Po "LogDenied=all") 
diff --git a/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh b/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh
old mode 100644
new mode 100755
index b48a52e9c1d195992a176533695d5e3d064f2d49..50e5235178309129283cf5f52900e708cd01ca57
--- a/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh
+++ b/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 ( grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules /etc/audit/*.rules && grep -Psq "\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+\-k\s+.*" && auditctl -l | grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+\-k\s+.*" && echo 'pass' ) || echo 'fail'
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
old mode 100644
new mode 100755
index 5347af972818e08e1fae7b292fa7d0aa6fd01d66..0c8889e9bbc303fe7c3487858e8ee82403ef418f
--- a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
+++ b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 ( awk '/Defaults\s+logfile\s*/ {line = $0; nr = NR} END {if (nr) print line}' /etc/sudoers | grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" && echo 'pass' ) || echo 'fail'
diff --git a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh
old mode 100644
new mode 100755
index a9d59db8e95888895277b2c1e174e7304bde571f..3d64a752737f5668ecd1bc6cb2be43d42d8527ab
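Review bot: In 2.28-ensure-login-and-logout-events-are-collected.sh both `auditctl -l` tests look for `/var/log/lastlog`, so the loaded rule set is never checked for the `/var/run/faillock` watch that the on-disk test requires. The scanner therefore prints 'pass' when the faillock rule is present in the rules files but not loaded in the kernel. The fourth test should read `auditctl -l | grep -Psq "\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+\-k\s+.*"`.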
--- a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh +++ b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") diff --git a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh old mode 100644 new mode 100755 index 9d455f7c55af82f9a6881206e709eebdf8ee3699..2f7bc1118f629f3b6e31e4b5acc0626b6f7322a7 --- a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh +++ b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sudoLogFilePath=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g' -e 's|/|\\/|g') sudoLogRunning=$(auditctl -l | awk "/^ *-w/ &&/"${sudoLogFilePath}"/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)") diff --git a/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh b/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh old mode 100644 new mode 100755 index d0cf6db64085186656fe02e3d15a2bfc8cf74858..b390dafa775ce488b1197f0c723707257d0bd6d3 --- a/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh +++ b/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do 
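Review bot: In 2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh, `sudoLogFilePath` is spliced unquoted into the awk program text (`awk "/^ *-w/ &&/"${sudoLogFilePath}"/ && …"`). When no `logfile` setting is found, the middle pattern becomes the empty regex `//`, which matches every line, so any watch rule with `-p wa` and a key satisfies `sudoLogRunning`. A value containing whitespace or several matches from `grep -r` would also split into extra awk arguments. Rejecting an empty value first with `[[ -n $sudoLogFilePath ]] || { echo 'fail'; exit 1; }` and passing the unescaped path as data (`awk -v p="$path" 'index($0, p) && …'`) makes the match literal. The rest of the script is outside the hunk and may already handle the empty case.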
diff --git a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh old mode 100644 new mode 100755 index 9409d64f75d7386b6175f90adaf1711b7b2ecb7e..f68e3acdec7fc2680a83c57a6bd5fc99610635f5 --- a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh +++ b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true for BIT in b32 b64 ; do diff --git a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh old mode 100644 new mode 100755 index ce499d34c5036e187705ab31828c8a64ea785820..af3efd70a7876ce040028bb7fb0a2a9ce042cf51 --- a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')") diff --git a/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh b/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh old mode 100644 new mode 100755 index 7f13eb0992aec1ccbad4a163aa4c23e39912e34b..5c1873ca11428f9265b8bd27e6891470d80bd687 --- a/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh 
@@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=0 for p in `find /etc/audit/rules.d/ -name *.rules ; find /etc/audit/rules.d/ -name *.conf ; find /etc/audit/audit*.rules ; find /etc/audit/audit*.conf` ; do diff --git a/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh b/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh old mode 100644 new mode 100755 index 8801597f167545559356f12e9cf117d62ae63934..07d1b2921e18bdbbfdbf171895d4f5e6c329432d --- a/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh +++ b/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=0 for p in `find /etc/audit/rules.d/ -name *.rules ; find /etc/audit/rules.d/ -name *.conf ; find /etc/audit/audit*.rules ; find /etc/audit/audit*.conf` ; do diff --git a/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh b/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh old mode 100644 new mode 100755 index a31d8bfded62563ae591ece010eec7472b5dda0a..5061ce87ad2fc40ef9e7829011903dcdd022bc56 --- a/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh +++ b/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=0 for p in `find /etc/audit/rules.d/ -name *.rules ; find /etc/audit/rules.d/ -name *.conf ; find /etc/audit/audit*.rules ; find /etc/audit/audit*.conf` ; do 
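Review bot: The loop header in 2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh passes `-name *.rules` and `-name *.conf` unquoted, and 2.6 and 2.7 repeat the same line. The shell expands those patterns against the working directory before find sees them, so with a matching file there find either looks for that one name or errors out, and the scanner may inspect fewer files than intended. Quoting the patterns fixes this, e.g. `find /etc/audit/rules.d/ -name '*.rules'` and `find /etc/audit/rules.d/ -name '*.conf'`. Replacing the backticks with `$( … )` would match the other scanners in this commit. The loop body is outside the hunk.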
diff --git a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh old mode 100644 new mode 100755 index 4b2cec38074ecaf6352d57204f40681da0018fef..2793c3e328312ba41cd76cbd9b1746c78e7c9f7c --- a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=0 for i in $(stat -c "%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) do diff --git a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh old mode 100644 new mode 100755 index 2c92a494e639dd5085645854edbb801760eb3e21..9130143ecd140e534d17bf1621d57d777e2af627 --- a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh +++ b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=0 for i in $(stat -c "%U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) do diff --git a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh old mode 100644 new mode 100755 index fd1d6b97920ea9b2183808bbd1f719f5b822772f..d1ededa9bfd846070f7e5eb382693b463e2613ce --- a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh +++ b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa libselinux)" ]] && [[ "$(rpm -qa selinux-policy-mls)" ]] && [[ "$(rpm -qa selinux-policy-targeted )" ]]; then echo "pass" else 
diff --git a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh index fc7f43e6e96d440a1a86bee40bbb648d5dabeb14..0fb5cd39bf42dac18b87a59338a641854feff036 100755 --- a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh +++ b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" SELINUX=`grep -E "^\s*SELINUX=disabled\b" /etc/selinux/config` diff --git a/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh b/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh index 9bd97d4f98445477704262871fe336d62be200d8..f67418fbe2feca8083d2b25d9cb7b675a3c1706a 100755 --- a/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh +++ b/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + SElINUX_TYPE=`grep -Ei "^\s*SELINUX=(enforcing|permissive)" /etc/selinux/config` diff --git a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh index 957015b6b7ac88d0df2ce2b17d853817bf41d60e..fbe01d3692bda92283d7478f3d074864dbebb9b6 100755 --- a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh +++ b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + TYPE=`grep -Ei "^\s*SELINUX=enforcing" /etc/selinux/config` TYPE_R=`echo $?` # include 0 diff --git a/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh b/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh index ac16dc25eca283627a59dcf55b8f457291a53e7d..d8afd79c54990fc008b24b956f51a0c0d802f5eb 100755 
--- a/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh +++ b/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + result=`ps -eZ | grep unconfined_service_t` if [[ $result == "" ]];then diff --git a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh old mode 100644 new mode 100755 index 73f19a0df542df63e428634ab5c7837724901f97..d82589dfc1566a7a6616bc778bdd13c591e25b30 --- a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh +++ b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.1-disable-http-server.sh b/scanners/services/3.1-disable-http-server.sh index c4c6f1f70a231d662eed6982c1548a21fc4e65eb..bd7076254dafef0d273aec2a4c202e8462f67a62 100755 --- a/scanners/services/3.1-disable-http-server.sh +++ b/scanners/services/3.1-disable-http-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa httpd)" ]]; then result=$(systemctl is-enabled httpd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.10-disable-rsync-server.sh b/scanners/services/3.10-disable-rsync-server.sh old mode 100644 new mode 100755 index 7a7125c0ed497e01fcea75b56e9661a9b85cae9a..1cd649a5f429cb0a9b1bba6e4de26910ba524ab3 --- a/scanners/services/3.10-disable-rsync-server.sh +++ b/scanners/services/3.10-disable-rsync-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa rsync-daemon)" ]]; then result=$(systemctl is-enabled rsyncd) if [[ $result != enabled ]]; then 
diff --git a/scanners/services/3.11-disable-avahi-server.sh b/scanners/services/3.11-disable-avahi-server.sh old mode 100644 new mode 100755 index 4919b1b61789a698d6b2b7e9ef180a1cd0a89f86..070db708236ba4b9a2142eb1194b08b6f0b63ba0 --- a/scanners/services/3.11-disable-avahi-server.sh +++ b/scanners/services/3.11-disable-avahi-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa avahi)" ]]; then result=$(systemctl is-enabled avahi-daemon.socket) result2=$(systemctl is-enabled avahi-daemon) diff --git a/scanners/services/3.12-disable-snmp-server.sh b/scanners/services/3.12-disable-snmp-server.sh old mode 100644 new mode 100755 index 85f1ff20c985d6399dc982510956e4d587fa3933..a0cb10479c26a217c04c33373822cba96553f8c8 --- a/scanners/services/3.12-disable-snmp-server.sh +++ b/scanners/services/3.12-disable-snmp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa net-snmp)" ]]; then result=$(systemctl is-enabled snmpd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.13-disable-http-proxy-server.sh b/scanners/services/3.13-disable-http-proxy-server.sh old mode 100644 new mode 100755 index 13de594daecd23a527f929cf2bea1125537c7a23..79d89a6f2bdaa1f08518710f77096b478290776d --- a/scanners/services/3.13-disable-http-proxy-server.sh +++ b/scanners/services/3.13-disable-http-proxy-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa squid)" ]]; then result=$(systemctl is-enabled squid) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.14-disable-samba.sh b/scanners/services/3.14-disable-samba.sh old mode 100644 new mode 100755 index e4bd3fa6570e25e258172ec4e1c291dc7ffe74b3..fcff5e9d0ab77e7389752aab3f8a6f8c6b6b50bf --- a/scanners/services/3.14-disable-samba.sh +++ b/scanners/services/3.14-disable-samba.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa samba)" ]]; then result=$(systemctl is-enabled smb) if [[ $result != enabled ]]; then 
diff --git a/scanners/services/3.15-disable-imap-and-pop3-server.sh b/scanners/services/3.15-disable-imap-and-pop3-server.sh old mode 100644 new mode 100755 index fd49de54b1fd60153ab5206854c339efb5fc4198..a9630cf247d7544b40976345f23237e7bd557126 --- a/scanners/services/3.15-disable-imap-and-pop3-server.sh +++ b/scanners/services/3.15-disable-imap-and-pop3-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa dovecot)" ]]; then result=$(systemctl is-enabled dovecot) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.16-disable-smtp-protocol.sh b/scanners/services/3.16-disable-smtp-protocol.sh old mode 100644 new mode 100755 index c77a750f2f17123713dac728645e40659dc9edcb..9a06acecc1c789675ee889505e4b6ad008a7253a --- a/scanners/services/3.16-disable-smtp-protocol.sh +++ b/scanners/services/3.16-disable-smtp-protocol.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa postfix)" ]]; then result=$(systemctl is-enabled postfix.service) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh old mode 100644 new mode 100755 index 2994e00d7df81ee6c1b4c126ceb7ce88b5453cd9..9e372f613fd415bcfad1f300b87a4dbe970e6ad4 --- a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh +++ b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh @@ -1,5 +1,6 @@ -#!/usr/bin/env bash -if [[ "$(rpm -qa | grep telnet)" ]]; then +#!/usr/bin/bash + +if [[ "$(rpm -qa | grep telnet-server)" ]]; then result=$(systemctl is-enabled telnet.socket) if [[ $result != enabled ]]; then echo "pass" diff --git a/scanners/services/3.18-uninstall-the-avahi-server.sh b/scanners/services/3.18-uninstall-the-avahi-server.sh old mode 100644 new mode 100755 index 32bfe74c56896103eed87adfad236990ceeed598..2e4755dbc67a0efde84619e8833ee5fdb9c607c9 --- a/scanners/services/3.18-uninstall-the-avahi-server.sh +++ b/scanners/services/3.18-uninstall-the-avahi-server.sh 
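Review bot: The new test `rpm -qa | grep telnet-server` in scanners/services/3.17-disable-or-uninstall-the-telnet.sh is still an unanchored substring match over the whole package list, so any package whose name-version string contains `telnet-server` satisfies it. The sibling scanners query the package by name, and `if rpm -q telnet-server >/dev/null 2>&1; then` would match exactly that package and be consistent with them. Narrowing from `telnet` to `telnet-server` also means a host with only the telnet client installed now takes the not-installed branch, which lies outside the hunk. If the rule is meant to cover the client as well, that case needs its own check.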
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.19-uninstall-the-kexec-tools.sh b/scanners/services/3.19-uninstall-the-kexec-tools.sh old mode 100644 new mode 100755 index 6ebc164f93604aed8cfae857dc52e3826e7cfeda..108a66e40803cccb0b79550839932f6fc5e2fbfc --- a/scanners/services/3.19-uninstall-the-kexec-tools.sh +++ b/scanners/services/3.19-uninstall-the-kexec-tools.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.2-disable-ftp-server.sh b/scanners/services/3.2-disable-ftp-server.sh old mode 100644 new mode 100755 index ea33f1071d43ba2134e7182abba10e0d765e9de4..40a5dbb9bdeb882cf4b0c060590827cd26ff3c8b --- a/scanners/services/3.2-disable-ftp-server.sh +++ b/scanners/services/3.2-disable-ftp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa vsftpd)" ]]; then result=$(systemctl is-enabled vsftpd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.20-uninstall-the-firstboot.sh b/scanners/services/3.20-uninstall-the-firstboot.sh old mode 100644 new mode 100755 index a3a54b295035ae178fbaf660f830321f068d98cc..f4577b5ba82adea67840ce8869e7d7181b00ae56 --- a/scanners/services/3.20-uninstall-the-firstboot.sh +++ b/scanners/services/3.20-uninstall-the-firstboot.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh old mode 100644 new mode 100755 index 596dd2c311095e44d789a4c834e4e3528453b3de..a809fc184756f47ef456bb2100e18496de25d9ad --- a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh +++ b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false 
diff --git a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh old mode 100644 new mode 100755 index 34ef54080d3806f9b3b566f6bb3b6ead8040706b..91d9998a5b923f9a420e0341cbb1a784d92312df --- a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh +++ b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.23-disable-rsh.sh b/scanners/services/3.23-disable-rsh.sh old mode 100644 new mode 100755 index f5410bab645184522683b60985c7b02c68321d62..7c03b52116e751b23ca12b6dc1a8610ff9c46038 --- a/scanners/services/3.23-disable-rsh.sh +++ b/scanners/services/3.23-disable-rsh.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa rsh-server)" ]]; then result=$(systemctl is-enabled rsh.socket) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.24-disable-ntalk.sh b/scanners/services/3.24-disable-ntalk.sh old mode 100644 new mode 100755 index 2af51e84215b3b6131e2fd94d4e7d3bd6adc91f0..d05c0900d0b5826ce4fe4d37c409c9790e78db24 --- a/scanners/services/3.24-disable-ntalk.sh +++ b/scanners/services/3.24-disable-ntalk.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa ntalk)" ]]; then result=$(systemctl is-enabled ntalk.socket) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh old mode 100644 new mode 100755 index 69c8df1805a4517033bc8bdf783c44e97be4ff5e..406de985cea0cb37f24c1a5befc7cff5fa18472c --- a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh +++ b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false 
diff --git a/scanners/services/3.26-disable-usb-storage.sh b/scanners/services/3.26-disable-usb-storage.sh old mode 100644 new mode 100755 index 2b00572450f4a7cdb60f738c7411f464061874ea..afb12686b4494bf9b36f0cb6168e86921d764594 --- a/scanners/services/3.26-disable-usb-storage.sh +++ b/scanners/services/3.26-disable-usb-storage.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true echo $(modprobe -n -v usb-storage) | grep -Psq "^install\s+\/bin\/true$" || result=false lsmod | grep -Pq "^usb(_|-)storage\b" && result=false diff --git a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh old mode 100644 new mode 100755 index 59e09c8cc00fb567567aedf6f2e9e7f57b81ce69..c2b40f22775c4c7fff8a04ff68b2616899313b81 --- a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh +++ b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=false rpm -q chrony | grep -Psiq "^chrony\-" && result=true diff --git a/scanners/services/3.28-disable-automounting.sh b/scanners/services/3.28-disable-automounting.sh old mode 100644 new mode 100755 index d4619b63a6ecd4e148a0d725693330a2a86d2e84..953dfc2f165427164e24d22b32ff252c2680e4eb --- a/scanners/services/3.28-disable-automounting.sh +++ b/scanners/services/3.28-disable-automounting.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" rpmAutofs=$(rpm -qa | grep ^autofs) diff --git a/scanners/services/3.3-disable-dns-server.sh b/scanners/services/3.3-disable-dns-server.sh old mode 100644 new mode 100755 index 9535028c5b451b420d136bd0c4d4a0fdab7d0928..6eb18023736c614769a4f29afe817bdffee84092 --- a/scanners/services/3.3-disable-dns-server.sh +++ b/scanners/services/3.3-disable-dns-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa bind)" ]]; then result=$(systemctl is-enabled named) if [[ $result != enabled ]]; then 
diff --git a/scanners/services/3.4-disable-nfs.sh b/scanners/services/3.4-disable-nfs.sh old mode 100644 new mode 100755 index d0c5fa52f0b8786a01bab8148526b3bd335be2c8..a59119ac6e3dea29c88eb07d7f13106b83e3f3ec --- a/scanners/services/3.4-disable-nfs.sh +++ b/scanners/services/3.4-disable-nfs.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa nfs-utils)" ]]; then result=$(systemctl is-enabled nfs-server) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.5-disable-rpc.sh b/scanners/services/3.5-disable-rpc.sh old mode 100644 new mode 100755 index b775bc749bbb158604dfb4b9918550e389d0e705..c1723efa8cfeb5b906715f8e7fe0b66a9879d1ba --- a/scanners/services/3.5-disable-rpc.sh +++ b/scanners/services/3.5-disable-rpc.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa rpcbind)" ]]; then result=$(systemctl is-enabled rpcbind) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.6-disable-ldap-server.sh b/scanners/services/3.6-disable-ldap-server.sh old mode 100644 new mode 100755 index 3f70aa559ce102223e512497d13d8b685c5c9eb0..3c065205b561e4040c08adbd2c2009a4019c80fb --- a/scanners/services/3.6-disable-ldap-server.sh +++ b/scanners/services/3.6-disable-ldap-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa openldap-servers)" ]]; then result=$(systemctl is-enabled slapd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.7-disable-dhcp-server.sh b/scanners/services/3.7-disable-dhcp-server.sh old mode 100644 new mode 100755 index 4309c706c9c31af27a8159601f7e2b2a81fa77ea..3cfcef62424514c76eba2fb6f79a83f550102046 --- a/scanners/services/3.7-disable-dhcp-server.sh +++ b/scanners/services/3.7-disable-dhcp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa dhcp-server)" ]]; then result=$(systemctl is-enabled dhcpd) if [[ $result != enabled ]]; then 
diff --git a/scanners/services/3.8-disable-cups.sh b/scanners/services/3.8-disable-cups.sh old mode 100644 new mode 100755 index 89e4ce3506c7b0810d354b0273f3a0db2d91a35f..40cf59ec09f4fdce567678c6a7b52d2cfe153bbb --- a/scanners/services/3.8-disable-cups.sh +++ b/scanners/services/3.8-disable-cups.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa cups)" ]]; then result=$(systemctl is-enabled cups) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.9-disable-nis-server.sh b/scanners/services/3.9-disable-nis-server.sh old mode 100644 new mode 100755 index e3b8dd386d2323e5a31f9cb83d542506f4a5b904..19adda8178f69f199979068ce13644ddcd0c1671 --- a/scanners/services/3.9-disable-nis-server.sh +++ b/scanners/services/3.9-disable-nis-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa ypserv)" ]]; then result=$(systemctl is-enabled ypserv) if [[ $result != enabled ]]; then diff --git a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh old mode 100644 new mode 100755 index 689f983ee9f97999723c8ff3fb51cf90c1e1d2c9..c07de6b7c006395621c1b7201b807e12ef5a4399 --- a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh +++ b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd || result=true diff --git a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh old mode 100644 new mode 100755 index 416b38700b1f2fbf7713f1e12b503bc012c718b2..6759411909873366f77f50ce014b4113de4b60c9 --- a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh 
+++ b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /boot/grub2/user.cfg ]]; then diff --git a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh old mode 100644 new mode 100755 index 9d6a13cf15cca257a0bab3e66229395b6eed3b26..25e143b9d31dc117446390d8e40f51f3503256d1 --- a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh +++ b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh @@ -1,10 +1,11 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp") -[[ -f /boot/grub2/grub.cfg ]] && file_path='/boot/grub2/grub.cfg' -[[ -f /boot/grub2/grubenv ]] && file_path=$file_path' /boot/grub2/grubenv' -[[ -f /boot/grub2/user.cfg ]] && file_path=$file_path' /boot/grub2/user.cfg' -[[ -f /boot/efi/EFI/$osID/grubenv ]] && file_path=$file_path" /boot/efi/EFI/$osID/grubenv" +[[ -f $(realpath /boot/grub2/grub.cfg) ]] && file_path=$(realpath /boot/grub2/grub.cfg) +[[ -f $(realpath /boot/grub2/grubenv) ]] && file_path=$file_path" $(realpath /boot/grub2/grubenv)" +[[ -f $(realpath /boot/grub2/user.cfg) ]] && file_path=$file_path" $(realpath /boot/grub2/user.cfg)" +[[ -f $(realpath /boot/efi/EFI/$osID/grubenv) ]] && file_path=$file_path" $(realpath /boot/efi/EFI/$osID/grubenv)" result=0 if [[ -n $file_path ]] ; then diff --git a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh old mode 100644 new mode 100755 index 892913cb75f335c6006818fe45aa0050bb0d2aba..0c4f9320b70cc25ba602387cf97e0a33e263b74b 
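Review bot: Each added `[[ -f $(realpath …) ]] && file_path=…` line in scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh runs `realpath` twice per file and leaves its stderr unsuppressed, so GNU realpath prints an error when a parent directory such as `/boot/efi/EFI/$osID` does not exist. `file_path` is also never initialised, so when /boot/grub2/grub.cfg is absent a value inherited from the environment is kept and extended. Resolving symlinks before the permission check is the right direction, since the mode of the link itself says nothing about the target. The loop below resolves each path once, discards the error and starts from an empty list. How `file_path` is consumed is outside the hunk, so confirm that a leading space and a space-separated list are acceptable there.

```shell
osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp")
file_path=""
for candidate in /boot/grub2/grub.cfg /boot/grub2/grubenv /boot/grub2/user.cfg "/boot/efi/EFI/$osID/grubenv"; do
  resolved=$(realpath -- "$candidate" 2>/dev/null) || continue
  [[ -f $resolved ]] && file_path="$file_path $resolved"
done
# … unchanged: result=0 and the permission check on $file_path …
```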
--- a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh +++ b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+emergency|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/emergency.service && grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+rescue\s*|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/rescue.service && result=true diff --git a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh old mode 100644 new mode 100755 index 32bd3aa0f4af5a2f0611a337765be6ac4e591b0b..336a554e72d998adf6dce604a8e67b0a178a9461 --- a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh +++ b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Pq "^\s*\*\s+hard\s+core\s+0\s*(\s+#.*)?$" /etc/security/limits.conf && grep -Pq "^\s*fs\.suid_dumpable\s*=\s*0\s*(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/* && sysctl fs.suid_dumpable|grep -Pq "fs\.suid\_dumpable\s+=\s+0" && result=true diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh old mode 100644 new mode 100755 index dc5b1b912862c1b86da8b0ada664f40c1704ba19..3a3c9887b0f292a63fb03fcc9f4e02d0f0c21dd4 --- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && [[ -z $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Psv "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && [[ -n $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Ps "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && result=true diff --git a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh old mode 100644 new mode 100755 index da8c820af33f86f68a5f7169b01a782bfb65e472..7ca8df187cc9390b98d17df9d0b5931b47fb4ce0 --- a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh +++ b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config || result=true diff --git a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh old mode 100644 new mode 100755 index adfc90f464359cbab967e288e227f42540977e9c..9387dfc1b4e7b12058bd08df72449f5a581d3e84 --- a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh +++ b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh old mode 100644 new mode 100755 index 07f1178f1ff7214ec4bd27d59941821ebd8082f1..051039d2cf673df4584d11027afc6e0521717344 --- a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh +++ b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/passwd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh old mode 100644 new mode 100755 index 10a26c34196533708efae8bd0c7cd6870b6f6fb9..b605c7b5c3945cc6bf84149b35247ec809e8c46c --- a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh +++ b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/shadow | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh old mode 100644 new mode 100755 index 4dae52514ac8d4b5f19a7392440ba5343ed05fcc..6734ee306256e65ac0d2cbc12861df6b9beecb83 --- a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh +++ b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/group | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh old mode 100644 new mode 100755 index bc3ee42f0b87af7e48614381608dda04d5e0b90f..ff6a11ad7d8740ab2445f3a00b6a9de8bef6a725 --- a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh +++ b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue || result=true diff --git a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh old mode 100644 new mode 100755 index cec1409b5312d1bbf4403ed96da8af5e92eb6352..0e4461d827306b06f2f70b90626c7eaddc57b520 --- a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh +++ b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/gshadow | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh old mode 100644 new mode 100755 index 21944a03dda6a75f023d32eb621d49d464eb05f2..32a8e98c078c9f87f99452b03480965b8b2ad852 --- a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh +++ b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/passwd- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh old mode 100644 new mode 100755 index 57c35620eb8c18a96a884be7ff0809aae3966b1f..282e7757d950878b860550d57a5d13afa359543c --- a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh +++ b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/shadow- | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh old mode 100644 new mode 100755 index ce4a660b096b6515b01482669131f9945bf52a39..af17fcb6ad4704d63b11433540b3e19347b2182b --- a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh +++ b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/group- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh old mode 100644 new mode 100755 index 6935dc97dc53143e9df01f0cbe752b40a896e41e..9e0fbf3904b6bf7197568d6d9bf8282deab0a5af --- a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh +++ b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/gshadow- | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh old mode 100644 new mode 100755 index 2767e90d173f7a79e6c80dde3d721cc41235d6de..cd4c252da870734e9b87ddcd80d1e09d16fe4fef --- a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh +++ b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh old mode 100644 new mode 100755 index b30007f1837c9b8b99224cbc7033e5cb4620099c..cd7072bcd50a2598b16c0adfa2e899bd0c967e99 --- a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh +++ b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh old mode 100644 new mode 100755 index 3367243fc4b33d27fd1f7642c8dfa17ab004f0c4..5d2cb0a188510acc232dc2dd6bd43ea11ffbc00d --- a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh +++ b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh old mode 100644 new mode 100755 index 19b6df507e1029c667702f26a52a7e50592c0afa..114e12712e1d287416a7912470cce06f82e8d972 --- a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh +++ b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh old mode 100644 new mode 100755 index 40ff5e5b038b6a589516f96f28d38f1fff4dc143..849a76f7ad59444fdce42c31998d1184c55131d4 --- a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh +++ b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=` RPCV="$(sudo -Hiu root env | grep '^PATH=' | cut -d= -f2)" echo "$RPCV" | grep -q "::" && echo "root's path contains a empty directory (::)" diff --git a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh old mode 100644 new mode 100755 index 12f68026e415a02f86fba840b6c74bd9e26dfa0f..dc5842cecd0c1bf3c1da4f80cfd7c2dc27236570 --- a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh +++ b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net || result=true diff --git a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh old mode 100644 new mode 100755 index 5164024e0951d5ed45763e11b3bedfb8dfeb9394..7b3972e0034ae458e04cb1ab5f5c6bdf357c3906 --- a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh +++ b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`awk -F: '($3 == 0) { print $1 }' /etc/passwd` if [[ "$result" == "root" ]] ; then diff --git a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh old mode 100644 new mode 100755 index 328731779214db20deb98d7d92ac6d3c7d95aa05..a8675d43e3487e265f508bc148a14615bb88fee9 --- a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh +++ b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh old mode 100644 new mode 100755 index 222816eeb747ed779db63a9bd001282300246d56..36a6c15a87b756f4f8c5619852a0564c0811acd5 --- a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh +++ b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" 
diff --git a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh old mode 100644 new mode 100755 index 14fefaa2f2e47659f96263630d2d85ba35ec00a7..70a7359b6775674fa23c77c1a55a0d2844de398d --- a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh +++ b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh old mode 100644 new mode 100755 index 1bb8ff6728edc8dffc92f58aaf00cbc50be90a87..33002334d84d86bef72842e846d12d8c3a0f0a4d --- a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh +++ b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh old mode 100644 new mode 100755 index 3758ea525f7ad263ebaf346a1052792b47e25168..d340533b4f4857616702d44fc750b636ea1e4a24 --- a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh +++ b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh old mode 100644 new mode 100755 index cd387634190632e2e0625b46afdffce87e803817..9e3d4fdb2e00715fccf80937afc111f722a5b38c 
--- a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh +++ b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh old mode 100644 new mode 100755 index a7ea78218a1c597fc1e42ce77c955eca7a30861b..77d40307dc33254cc1a40ae687c2670fe24eca46 --- a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh +++ b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh old mode 100644 new mode 100755 index d59409dda52d5665a456e45ecdd0d6578ef2b7e7..77916241930c5d4991c6755b1d9d2993dc0c54f9 --- a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh +++ b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do diff --git a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh old mode 100644 new mode 100755 index f73ae43b70e3367cc8bdddf02bae3fbeacf84b13..24817b3a0a1f9f7cdec2dbb2e09c7e3049184ad6 --- a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh +++ b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -f3 -d":" /etc/passwd | sort -n | uniq -d); do 
diff --git a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh old mode 100644 new mode 100755 index a227acd7efe812c846e7c794610d782b04025474..6405b58c6fe34e5d4c7c34839bf6918ab6c18fbc --- a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh +++ b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ ! -f /etc/motd ]] ; then diff --git a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh old mode 100644 new mode 100755 index 2418ea0903021fdc86dc7da77ef80d82f1fa3306..3363a2edc784f6123433cdd2e0755f0f41d34b8c --- a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh +++ b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -d: -f3 /etc/group | sort | uniq -d); do diff --git a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh old mode 100644 new mode 100755 index 8406358aa679b77ac55e6c2b06e47f19dd6b1487..f7ace3706edd3e5fe7052d18f551084fed0773c4 --- a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh +++ b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -d: -f1 /etc/passwd | sort | uniq -d); do diff --git a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh old mode 100644 new mode 100755 index f1e063a16ea6acf68c0193f6d47ee13f5b90d8b6..9a1413bd5fa8d0c22ef6f95300d2e5285c49750d 
--- a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh +++ b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -d: -f1 /etc/group | sort | uniq -d); do diff --git a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh old mode 100644 new mode 100755 index e42dd4941bd946e8957a0098007158c7eadbc8d8..3adb045ab2f0a8f55cc377981c40b2ed498a7e86 --- a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh +++ b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh old mode 100644 new mode 100755 index 691eaa2855ed3a06032bb6d2da96bf851ee0d3d7..512029d7a39bddb6b358df2742440be77dd46ffe --- a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh +++ b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false lsmod | grep -Pq "^sctp\b" || { modprobe -n -q sctp && modprobe -n -v sctp | grep -Pq "^install\s*\/bin\/true\s*$" && result=true; } diff --git a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh old mode 100644 new mode 100755 index 134d90da22ac0e8f0891317877adb1d875e85353..2be12902e1137e25ca73ff914d1bc0b174114e95 --- a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh +++ b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false modprobe -n -vq dccp && result="" 
diff --git a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh old mode 100644 new mode 100755 index aa1406b19645b80346fac2d491f456c7aedf673a..68cabf6722e69f4abd78b52623fce78d52153312 --- a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh +++ b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if command -v nmcli >/dev/null 2>&1 ; then diff --git a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 56d75336c09e2d6379119f787a5bac9c57219aa2..7f9eddf6e1e1bc387b8879e4c52b4644debf4b79 --- a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh +++ b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.ip_forward | grep -Psq "^net\.ipv4\.ip\_forward\s+=\s+0$" && sysctl net.ipv6.conf.all.forwarding | grep -Psq "^net\.ipv6\.conf\.all\.forwarding\s+=\s+0$" && result="" diff --git a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh old mode 100644 new mode 100755 index 48190453638a4b6a045ccba53d4930385a06e9a4..aed766d508126f32a00628a2f5726688364105df --- a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh +++ b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.send_redirects | grep -Psq "^net\.ipv4\.conf\.all\.send\_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.send_redirects | grep -Psq "^net\.ipv4\.conf\.default\.send\_redirects\s+=\s+0$" && grep -Psq "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -Psq "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh old mode 100644 new mode 100755 index 5795b4fcae79db963732662bdd6c653afea91dda..74411d33e581430048c9b2ba751e73296c64f0ea --- a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh +++ b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.accept_source_route | grep -Psq "^net\.ipv4\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_source_route | grep -Psq "^net\.ipv4\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_source_route | grep -Psq "^net\.ipv6\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_source_route | grep -Psq "^net\.ipv6\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && result=true 
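Review bot: In `4.48-ensure-packet-redirect-sending-is-disabled.sh`, the two persistence checks (`grep -Psq "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*` and its `default` twin) only test that the key name occurs somewhere, so a commented-out line or one that sets the value to 1 still satisfies them. The `sysctl` half of the chain verifies the running value, but the setting may not persist across a reboot while the scanner still sets `result=true`. Anchor the pattern and include the value, e.g. `grep -Psq '^\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*0\s*$' /etc/sysctl.conf /etc/sysctl.d/*`. The same key-only grep appears in the 4.49, 4.50, 4.51, 4.52 (expected value 1) and 4.57 scanners; the rest of each script lies outside its hunk.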
diff --git a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh old mode 100644 new mode 100755 index 3f24a2aebcda4d579dd798204374c44f4f1b0991..df03b057f2bec51ae0fa1f66c3cd0d7713a95168 --- a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh +++ b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/issue | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 9853da28c85ce2e64dec3a6da9f5e246d4ea1d0d..c333ae1fd185df14c0f58e4a352e1fe7a0a73534 --- a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh +++ b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.accept_redirects | grep -Psq "^net\.ipv4\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_redirects | grep -Psq "^net\.ipv4\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_redirects | grep -Psq "^net\.ipv6\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_redirects | grep -Psq "^net\.ipv6\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true 
diff --git a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 29b55a6ed8961c42affcf46080623c2f77fc38c8..ab4604a8d7f5d4782dc82e27b5e9f52427028e5d --- a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh +++ b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.secure_redirects | grep -Psq "^net\.ipv4\.conf\.all\.secure_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.secure_redirects | grep -Psq "^net\.ipv4\.conf\.default\.secure_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh old mode 100644 new mode 100755 index 40ca3fefa931de290eac4f4b82785d328be562b8..9a50793460d95759a78504b9753817919502e344 --- a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh +++ b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.log_martians | grep -Psq "^net\.ipv4\.conf\.all\.log_martians\s+=\s+1$" && sysctl net.ipv4.conf.default.log_martians | grep -Psq "^net\.ipv4\.conf\.default\.log_martians\s+=\s+1$" && grep -q "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && result=true 
diff --git a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh old mode 100644 new mode 100755 index 798666152a0e6ea68c1beacb9bc367664e3b8123..0a332ef62d4bdbd44023bd78eb5d438e4ff0a712 --- a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh +++ b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=$(grep -E -s "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*[^1]+" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf) diff --git a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh old mode 100644 new mode 100755 index 7447b782e8c787adb0968a67ef55dc312953fbd5..b22422aff3047028493519b899300039ff9ed55b --- a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh +++ b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=$(grep -E -s "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*[^1]+" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf) diff --git a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh old mode 100644 new mode 100755 index 7deb0cf0979169ae9e92d255ea351f61540c79d8..046d175ea36a6f844317c77df201d19d6d8bd068 --- a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh +++ b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh 
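Review bot: In `4.53-ensure-broadcast-icmp-requests-are-ignored.sh`, the pattern `\s*=\s*[^1]+` also matches a compliant line written with a space after the equals sign (`... = 1`), because `\s*` can match nothing and `[^1]+` then consumes that space. If a non-empty `result` is treated as a finding (the code that reads it is outside the hunk), correctly configured hosts would be flagged. Excluding whitespace from the class avoids this: `\s*=\s*[^1[:space:]]`. The preceding `result=false` is overwritten immediately and can be dropped. `4.54-ensure-bogus-icmp-responses-are-ignored.sh` uses the same pattern.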
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=`grep -E -s "^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` diff --git a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh old mode 100644 new mode 100755 index 56013846bb857fbfb57df96681d5317cab12ab2a..cab2bdb0e75b56412f22aba51fbd034245fcacfa --- a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh +++ b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=`grep -E -r "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf` diff --git a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh old mode 100644 new mode 100755 index 6eb63572aec66300c8bbdf317fc5aa2a14498fcf..7a95e86cd3401ce6bdd96eadabc6f54cad323ad8 --- a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh +++ b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv6.conf.all.accept_ra | grep -Psq "^net\.ipv6\.conf\.all.accept_ra\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_ra | grep -Psq "^net\.ipv6\.conf\.default\.accept_ra\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && result=true 
diff --git a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh old mode 100644 new mode 100755 index 783c1a23a29005a7d4d05bb8bef75699772f1451..f1e6fa10bd0058745ac97f54650da3499f81b9d4 --- a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh +++ b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" rpm -qa | grep -Psq "^iptables\-.*" && rpm -qa | grep -Psq "^iptables\-services.*" && result=true diff --git a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh old mode 100644 new mode 100755 index 088b0948ed7ae4bd6688deabdfbfc7105e6d25fd..f332a052d54925d05bfdf6a9b9ef5455b2abdd13 --- a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh +++ b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false [[ $(systemctl list-unit-files | grep firewalld) ]] && systemctl is-enabled firewalld | grep -Psq "^enabled$" && firewall-cmd --state -q && result=true diff --git a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh old mode 100644 new mode 100755 index 2b18f4789aa10c9404f613ed5ceb77e456e4b05e..f56007b978a0e395a02b4f76c992fbe485090204 --- a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh +++ b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/issue.net | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true 
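Review bot: In `4.58-ensure-a-firewall-package-is-installed.sh`, `rpm -qa | grep -Psq "^iptables\-.*"` matches any package whose name starts with `iptables-`, including library-only packages such as `iptables-libs`, so the first test does not show that iptables itself is installed. It also lists the whole RPM database twice. Querying the packages by name is exact and cheaper: `rpm -q iptables iptables-services >/dev/null 2>&1 && result=true`. The first test in `4.63-ensure-iptables-packages-are-installed.sh` is the same; both scripts continue outside their hunks.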
diff --git a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh old mode 100644 new mode 100755 index df2ec0465c81958b65d7fc950f6a11de10b61a09..9317c8271bac1426235821db0d9b72ea195cfc07 --- a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh +++ b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result="" diff --git a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh old mode 100644 new mode 100755 index c100d5ed0ab7ea943325baf5dea8d3539d1f1e67..ea7349841b2deedc7be01555e1e3e711f146453e --- a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh +++ b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result="" diff --git a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh old mode 100644 new mode 100755 index 766737e333791d43051f18001765312465ebb043..0607257f7fe56157273601040e5c30aac1530b6e --- a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh +++ b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false rpm -q nftables | grep -Psq "^nftables\-.*" && systemctl is-enabled nftables | grep -Psiq "^enabled$" && result=true diff --git a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh old mode 100644 new mode 100755 index 50f695245c8ac509474926d7e0a4832b6e7b34ba..5fdbdf512518d904fd537f3caf609c15d924437d --- a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh 
+++ b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false rpm -qa | grep -Psq "^iptables\-.*" && rpm -q iptables-services | grep -Psq "^iptables\-services\-.*" && result=true diff --git a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh old mode 100644 new mode 100755 index 7bc4cd05550e4ca2fdd0632955ad2ac66649ab4e..fefb2dd2ed308b88979c9850d2d2eafac2ec5961 --- a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh +++ b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh old mode 100644 new mode 100755 index de4d417fd18035dffa72ba3e105844a1e8c5038e..03d05a8ba8a43be60f865f05a7f817da38f0bbae --- a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh +++ b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result="" diff --git a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh index 6e64dec127f3d9b41745b15c0d36a86ca3fbfbc9..85e79806fad153ab1d4556fbbc54dd7931b07e9e 100755 --- a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh +++ b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh 
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + source /etc/profile HIST=$(echo $HISTSIZE | awk '($1 > 100 || $1 == "" ) {print 1}') HIST_FILE=$(grep -P "^HISTSIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}') diff --git a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh index d425e99eabb86ba2db417d86cc33b22ad4900a4e..be2d80318ebb673d1e2862bf313a66aa6ee56142 100755 --- a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh +++ b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + source /etc/profile HIST=$(echo $HISTFILESIZE | awk '($1 > 100 || $1 == "" ) {print 1}') HIST_FILE=$(grep -P "^HISTFILESIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}') diff --git a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh old mode 100644 new mode 100755 index 7cfb93d85db8968119946805823fbc53dc78d716..080de01a25d8935a4fb7a132a9c99473040f52ed --- a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh +++ b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + ls -l / | grep tmp | grep rwt >> /dev/null diff --git a/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh b/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh old mode 100644 new mode 100755 index 81dec0a01ed78134956cfb130511aaa9b2c2e098..4c4d3a6678f336a93dffa9bd13664ad51efb69b1 --- a/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh +++ b/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh 
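Review bot: In `4.68-ensure-permissions-TMP-is-correct.sh`, `ls -l / | grep tmp | grep rwt >> /dev/null` succeeds for any entry under `/` whose listing line contains both `tmp` and `rwt`, so the check is not pinned to `/tmp` itself and accepts modes other than 1777. Reading the mode directly, in the style the sibling scanners use for `/etc/issue`, is tighter: `stat -c '%a' /tmp | grep -qx '1777'`. The code that consumes the exit status is outside the hunk, so confirm it still reads the pipeline status after the change.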
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + for i in `stat -c "%a-%U-%G" {/etc/ssh/*key,/etc/ssh/*key.pub}` do diff --git a/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh b/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh old mode 100644 new mode 100755 index 0820ab0497c27bbadc6a69932f80577012a657ff..ce1b7bf4d12f9a19dd0e212c973e637896e3310f --- a/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh +++ b/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result_dnf_conf=false result_yum_repos_d=false diff --git a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh old mode 100644 new mode 100755 index 14d7931e018f31f921d177fc71c185eb8e1907f7..6f26a2f497e54dc03b061b19d3d2f44a52fe18a2 --- a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh +++ b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + result=true diff --git a/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh b/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh old mode 100644 new mode 100755 index b94142125a87b0de5321d8ada1ba89defc97c1ef..814b3a77a1dab5c6f5bbf4d28547ac7f83f145bd --- a/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh +++ b/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/fstab ]] && [[ -n $(grep -Ps "\s+\/var\s+.*nosuid" /etc/fstab) ]] && [[ -n $(findmnt --kernel /var | grep nosuid) ]] && echo "pass" || echo "fail" \ No newline at end of file 
diff --git a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh old mode 100644 new mode 100755 index 6e0624b668f72b7c5f975d3bbb9c2caa7c6ed8a9..8ebde619109f3c4aa0cffadd9ebec308a8626625 --- a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh +++ b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false rpm -q aide | grep -Piq aide-.* && result=true diff --git a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh old mode 100644 new mode 100755 index 9f6097f6dc8de4c357b8f380612c446428d9ebf9..811c4432c673fda58227b9123e799194adc8af60 --- a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh +++ b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /var/spool/cron/root ]]; then diff --git a/tools/release/config_zh_font.sh b/tools/release/config_zh_font.sh index 6e4fe2ba8017fda3c48f2dd72d31db620cf21346..7569cf74d969dfb927248dccaf043a3bc6b96a62 100755 --- a/tools/release/config_zh_font.sh +++ b/tools/release/config_zh_font.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + mkdir -p /usr/share/fonts/winsfonts cur=$(pwd) diff --git a/tools/remediation-kits/run_Anolis_remediation_kit.sh b/tools/remediation-kits/run_Anolis_remediation_kit.sh index 93cdf0b888359032f0a0f8e115076bdde8a4aaae..ac0d541283121bd069408cea909499e14a3ed935 100755 --- a/tools/remediation-kits/run_Anolis_remediation_kit.sh +++ b/tools/remediation-kits/run_Anolis_remediation_kit.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + function helpinfo() { 
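Review bot: In `4.8-ensure-aide-is-installed.sh`, the pattern in `grep -Piq aide-.*` is unquoted, so the shell can glob-expand it against the working directory before grep runs. A matching file name there would replace the pattern, and additional matches would be passed as input files instead of the `rpm` output. Either quote it, `grep -Piq '^aide-'`, or rely on rpm's exit status: `rpm -q aide >/dev/null 2>&1 && result=true`. The rest of the script is outside the hunk.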
diff --git a/tools/scanners/run_Anolis_scanners.sh b/tools/scanners/run_Anolis_scanners.sh index 8cec3df4c21244e5997ad9e1dee29b769f50db70..f18773678db2cf89800e66753a7a4ba98bed5718 100755 --- a/tools/scanners/run_Anolis_scanners.sh +++ b/tools/scanners/run_Anolis_scanners.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + function helpInfo() {