From 931c0ffd4585bcd42acf5c0f9f768c2c4d2daf6d Mon Sep 17 00:00:00 2001 From: YuQing Yang Date: Tue, 3 Sep 2024 10:37:00 +0800 Subject: [PATCH 1/3] remediation-kits:Add shebang and execute permissions. Fixes: #IAO84G 
Signed-off-by: YuQing Yang --- examples/remediation-kits/services/3.1-disable-http-server.sh | 2 ++ examples/scanners/services/3.1-disable-http-server.sh | 2 ++ .../access-and-control/1.1-ensure-cron-daemon-is-enabled.sh | 2 ++ ...permissions-on-ssh-private-host-key-files-are-configured.sh | 2 ++ ...-permissions-on-ssh-public-host-key-files-are-configured.sh | 2 ++ .../1.13-ensure-ssh-loglevel-is-appropriate.sh | 2 ++ .../1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh | 2 ++ .../1.15-ensure-ssh-ignorerhosts-is-enabled.sh | 2 ++ .../1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh | 2 ++ .../1.17-ensure-ssh-root-login-is-disabled.sh | 2 ++ .../1.18-ensure-ssh-permitemptypasswords-is-disabled.sh | 2 ++ .../1.19-ensure-ssh-permituserenvironment-is-disabled.sh | 2 ++ .../1.2-ensure-permissions-on-etc-crontab-are-configured.sh | 2 ++ .../1.20-ensure-ssh-idle-timeout-interval-is-configured.sh | 2 ++ ...1-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh | 2 ++ .../1.22-ensure-ssh-warning-banner-is-configured.sh | 2 ++ .../access-and-control/1.23-ensure-ssh-pam-is-enabled.sh | 2 ++ .../1.24-ensure-ssh-maxstartups-is-configured.sh | 2 ++ .../1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh | 2 ++ ...1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh | 2 ++ ....27-ensure-password-creation-requirements-are-configured.sh | 3 ++- ...nsure-lockout-for-failed-password-attempts-is-configured.sh | 3 ++- .../1.29-ensure-password-reuse-is-limited.sh | 3 ++- ...1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh | 2 ++ .../1.30-ensure-password-hashing-algorithm-is-sha-512.sh | 3 ++- .../1.31-ensure-password-expiration-is-365-days-or-less.sh | 2 ++ ...nsure-minimum-days-between-password-changes-is-7-or-more.sh | 2 ++ ....33-ensure-password-expiration-warning-days-is-7-or-more.sh | 2 ++ .../1.34-ensure-inactive-password-lock-is-30-days-or-less.sh | 2 ++ .../1.36-ensure-system-accounts-are-secured.sh | 2 ++ 
...ensure-default-user-shell-timeout-is-900-seconds-or-less.sh | 2 ++ .../1.38-ensure-default-group-for-the-root-account-is-gid-0.sh | 2 ++ ....39-ensure-default-user-umask-is-027-or-more-restrictive.sh | 2 ++ .../1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh | 2 ++ .../1.40-ensure-access-to-the-su-command-is-restricted.sh | 2 ++ .../1.41-ensure-ssh-server-use-protocol_2.sh | 3 ++- ...-ensure-that-the-password-expires-between-30-and-90-days.sh | 2 ++ ...e-that-the-minimum-password-change-between-7-and-14-days.sh | 2 ++ ...sure-that-password-reuse-limit-is-between-5-and-25-times.sh | 3 ++- ...nsure-lockout-for-failed-password-attempts-is-configured.sh | 3 ++- ...fault-user-shell-timeout-is-between-600-and-1800-seconds.sh | 2 ++ .../1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh | 2 ++ .../1.49-lock-or-delete-the-shutdown-and-halt-users.sh | 2 ++ ...1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh | 2 ++ .../1.50-ensure-ssh-x11-forwarding-is-disabled.sh | 2 ++ .../1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh | 2 ++ .../1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh | 2 ++ ...1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh | 2 ++ .../access-and-control/1.54-lock-the-bin-and-adm-users.sh | 2 ++ ....6-ensure-permissions-on-etc-cron.monthly-are-configured.sh | 2 ++ .../1.7-ensure-permissions-on-etc-cron.d-are-configured.sh | 2 ++ .../1.8-ensure-at-cron-is-restricted-to-authorized-users.sh | 2 ++ ...ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh | 2 ++ ...s-are-not-read-or-write-accessible-by-unauthorized-users.sh | 2 ++ .../2.10-ensure-audit-tools-are-group-owned-by-root.sh | 2 ++ ...hanisms-are-used-to-protect-the-integrity-of-audit-tools.sh | 2 ++ .../logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh | 2 ++ .../2.13-ensure-rsyslog-service-is-enabled.sh | 2 ++ .../2.14-ensure-rsyslog-default-file-permissions-configured.sh | 2 ++ 
...16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh | 2 ++ ...nsure-journald-is-configured-to-compress-large-log-files.sh | 2 ++ ...rnald-is-configured-to-write-logfiles-to-persistent-disk.sh | 2 ++ .../logging-and-auditing/2.19-ensure-audit-is-installed.sh | 2 ++ .../2.2-ensure-only-authorized-users-own-audit-log-files.sh | 2 ++ .../2.20-ensure-audit-service-is-enabled.sh | 2 ++ ...2.21-make-sure-to-collect-file-deletion-events-for-users.sh | 2 ++ ...ges-to-the-system-management-scope-sudoers-are-collected.sh | 2 ++ ...-events-that-modify-user-group-information-are-collected.sh | 2 ++ ...successful-attempts-to-use-the-chsh-command-are-recorded.sh | 3 ++- .../2.25-ensure-audit-logs-are-not-automatically-deleted.sh | 3 ++- ...ensure-the-running-and-on-disk-configuration-is-the-same.sh | 2 ++ ....27-ensure-that-the-firewall-logging-function-is-enabled.sh | 2 ++ .../2.28-ensure-login-and-logout-events-are-collected.sh | 2 ++ .../logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh | 2 ++ ...sure-only-authorized-groups-ownership-of-audit-log-files.sh | 2 ++ ...nsure-events-that-modify-the-sudo-log-file-are-collected.sh | 2 ++ .../2.31-ensure-use-of-privileged-commands-are-collected.sh | 3 ++- ...ess-control-permission-modification-events-are-collected.sh | 2 ++ ...sure-the-audit-log-directory-is-0750-or-more-restrictive.sh | 2 ++ ...e-audit-configuration-files-are-0640-or-more-restrictive.sh | 2 ++ ...ly-authorized-accounts-own-the-audit-configuration-files.sh | 2 ++ ...only-authorized-groups-own-the-audit-configuration-files.sh | 2 ++ ...-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh | 2 ++ .../2.9-ensure-audit-tools-are-owned-by-root.sh | 2 ++ .../5.1-ensure-selinux-is-installed.sh | 3 ++- .../5.2-ensure-selinux-policy-is-configured.sh | 3 ++- .../5.3-ensure-the-selinux-mode-is-enabled.sh | 3 ++- .../5.4-ensure-the-selinux-mode-is-enforcing.sh | 3 ++- .../5.9-ensure-setroubleshoot-is-not-installed.sh | 2 ++ 
remediation-kits/services/3.1-disable-http-server.sh | 2 ++ remediation-kits/services/3.10-disable-rsync-server.sh | 2 ++ remediation-kits/services/3.11-disable-avahi-server.sh | 2 ++ remediation-kits/services/3.12-disable-snmp-server.sh | 2 ++ remediation-kits/services/3.13-disable-http-proxy-server.sh | 2 ++ remediation-kits/services/3.14-disable-samba.sh | 2 ++ remediation-kits/services/3.15-disable-imap-and-pop3-server.sh | 2 ++ remediation-kits/services/3.16-disable-smtp-protocol.sh | 2 ++ .../services/3.17-disable-or-uninstall-the-telnet.sh | 3 ++- remediation-kits/services/3.18-uninstall-the-avahi-server.sh | 2 ++ remediation-kits/services/3.19-uninstall-the-kexec-tools.sh | 2 ++ remediation-kits/services/3.2-disable-ftp-server.sh | 2 ++ remediation-kits/services/3.20-uninstall-the-firstboot.sh | 2 ++ remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh | 2 ++ .../services/3.22-ensure-NIS-Client-is-not-installed.sh | 2 ++ remediation-kits/services/3.23-disable-rsh.sh | 2 ++ remediation-kits/services/3.24-disable-ntalk.sh | 2 ++ .../services/3.25-ensure-xinetd-is-not-installed.sh | 2 ++ remediation-kits/services/3.26-disable-usb-storage.sh | 2 ++ .../services/3.27-ensure-time-synchronization-is-installed.sh | 2 ++ remediation-kits/services/3.28-disable-automounting.sh | 2 ++ remediation-kits/services/3.3-disable-dns-server.sh | 2 ++ remediation-kits/services/3.4-disable-nfs.sh | 2 ++ remediation-kits/services/3.5-disable-rpc.sh | 2 ++ remediation-kits/services/3.6-disable-ldap-server.sh | 2 ++ remediation-kits/services/3.7-disable-dhcp-server.sh | 2 ++ remediation-kits/services/3.8-disable-cups.sh | 2 ++ remediation-kits/services/3.9-disable-nis-server.sh | 2 ++ .../4.1-ensure-message-of-the-day-is-configured-properly.sh | 2 ++ ...1-ensure-permissions-on-bootloader-config-are-configured.sh | 2 ++ ...4.12-ensure-authentication-required-for-single-user-mode.sh | 2 ++ .../4.13-ensure-core-dumps-are-restricted.sh | 2 ++ 
...ure-address-space-layout-randomization-(ASLR)-is-enabled.sh | 2 ++ .../4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh | 2 ++ ...sure-sticky-bit-is-set-on-all-world-writable-directories.sh | 2 ++ .../4.17-ensure-permissions-on-etc-passwd-are-configured.sh | 2 ++ .../4.18-ensure-permissions-on-etc-shadow-are-configured.sh | 2 ++ .../4.19-ensure-permissions-on-etc-group-are-configured.sh | 2 ++ ...ensure-local-login-warning-banner-is-configured-properly.sh | 2 ++ .../4.20-ensure-permissions-on-etc-gshadow-are-configured.sh | 2 ++ .../4.21-ensure-permissions-on-etc-passwd--are-configured.sh | 2 ++ .../4.22-ensure-permissions-on-etc-shadow--are-configured.sh | 2 ++ .../4.23-ensure-permissions-on-etc-group--are-configured.sh | 2 ++ .../4.24-ensure-permissions-on-etc-gshadow--are-configured.sh | 2 ++ ...nsure-remote-login-warning-banner-is-configured-properly.sh | 2 ++ ...home-directories-permissions-are-750-or-more-restrictive.sh | 3 ++- .../4.32-ensure-users-own-their-home-directories.sh | 3 ++- ...3-ensure-users-dot-files-are-not-group-or-world-writable.sh | 3 ++- .../4.34-ensure-no-users-have-.forward-files.sh | 3 ++- .../4.35-ensure-no-users-have-.netrc-files.sh | 3 ++- ...ure-users-.netrc-files-are-not-group-or-world-accessible.sh | 3 ++- .../4.37-ensure-no-users-have-.rhosts-files.sh | 3 ++- .../4.4-ensure-permissions-on-etc-motd-are-configured.sh | 2 ++ .../4.43-ensure-all-users-home-directories-exist.sh | 3 ++- .../system-configurations/4.44-ensure-sctp-is-disabled.sh | 2 ++ .../system-configurations/4.45-ensure-dccp-is-disabled.sh | 2 ++ .../4.46-ensure-wireless-interfaces-are-disabled.sh | 3 ++- .../4.47-ensure-ip-forwarding-is-disabled.sh | 2 ++ .../4.48-ensure-packet-redirect-sending-is-disabled.sh | 2 ++ .../4.49-ensure-source-routed-packets-are-not-accepted.sh | 2 ++ .../4.5-ensure-permissions-on-etc-issue-are-configured.sh | 2 ++ .../4.50-ensure-icmp-redirects-are-not-accepted.sh | 2 ++ .../4.51-ensure-secure-icmp-redirects-are-not-accepted.sh | 
2 ++ .../4.52-ensure-suspicious-packets-are-logged.sh | 2 ++ .../4.53-ensure-broadcast-icmp-requests-are-ignored.sh | 2 ++ .../4.54-ensure-bogus-icmp-responses-are-ignored.sh | 2 ++ .../4.55-ensure-reverse-path-filtering-is-enabled.sh | 2 ++ .../4.56-ensure-tcp-syn-cookies-is-enabled.sh | 2 ++ .../4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh | 2 ++ .../4.58-ensure-a-firewall-package-is-installed.sh | 2 ++ .../4.59-ensure-firewalld-service-is-enabled-and-running.sh | 2 ++ .../4.6-ensure-permissions-on-etc-issue.net-are-configured.sh | 2 ++ .../4.60-ensure-iptables-is-not-enabled.sh | 2 ++ .../4.61-ensure-nftables-is-not-enabled.sh | 2 ++ .../4.62-ensure-nftables-service-is-enabled.sh | 2 ++ .../4.63-ensure-iptables-packages-are-installed.sh | 2 ++ .../4.64-ensure-nftables-is-not-installed.sh | 2 ++ ...-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh | 2 ++ .../4.66-ensure-system-histsize-as-100-or-other.sh | 3 ++- .../4.67-ensure-system-histfilesize-100.sh | 3 ++- .../4.68-ensure-permissions-TMP-is-correct.sh | 3 ++- ....69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh | 3 ++- .../4.7-ensure-gpgcheck-is-globally-activated.sh | 2 ++ .../system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh | 3 ++- ...4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh | 2 ++ .../system-configurations/4.8-ensure-aide-is-installed.sh | 2 ++ .../4.9-ensure-filesystem-integrity-is-regularly-checked.sh | 2 ++ tools/release/config_zh_font.sh | 3 ++- tools/remediation-kits/run_Anolis_remediation_kit.sh | 3 ++- tools/scanners/run_Anolis_scanners.sh | 3 ++- 179 files changed, 358 insertions(+), 32 deletions(-) mode change 100644 => 100755 remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh mode change 100644 => 100755 
remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh mode change 100644 => 100755 
remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh mode change 100644 => 100755 
remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh mode change 100644 => 100755 remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh mode change 100644 => 100755 
remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh mode change 100644 => 100755 
remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh mode change 100644 => 100755 remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh mode change 100644 => 100755 
remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh mode change 100644 => 100755 remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh mode change 100644 => 100755 remediation-kits/services/3.10-disable-rsync-server.sh mode change 100644 => 100755 remediation-kits/services/3.11-disable-avahi-server.sh mode change 100644 => 100755 remediation-kits/services/3.12-disable-snmp-server.sh mode change 100644 => 100755 remediation-kits/services/3.13-disable-http-proxy-server.sh mode change 100644 => 100755 remediation-kits/services/3.14-disable-samba.sh mode change 100644 => 100755 remediation-kits/services/3.15-disable-imap-and-pop3-server.sh mode change 100644 => 100755 remediation-kits/services/3.16-disable-smtp-protocol.sh mode change 100644 => 100755 remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh mode change 100644 => 100755 remediation-kits/services/3.18-uninstall-the-avahi-server.sh mode change 100644 => 100755 remediation-kits/services/3.19-uninstall-the-kexec-tools.sh mode change 100644 => 100755 remediation-kits/services/3.2-disable-ftp-server.sh mode change 100644 => 100755 remediation-kits/services/3.20-uninstall-the-firstboot.sh mode change 100644 => 100755 remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh mode change 100644 => 100755 remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh mode change 100644 => 100755 remediation-kits/services/3.23-disable-rsh.sh mode change 100644 => 100755 remediation-kits/services/3.24-disable-ntalk.sh mode change 100644 => 100755 remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh mode change 100644 => 100755 remediation-kits/services/3.26-disable-usb-storage.sh mode change 100644 => 100755 remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh mode change 100644 => 100755 remediation-kits/services/3.28-disable-automounting.sh mode change 100644 => 100755 
remediation-kits/services/3.3-disable-dns-server.sh mode change 100644 => 100755 remediation-kits/services/3.4-disable-nfs.sh mode change 100644 => 100755 remediation-kits/services/3.5-disable-rpc.sh mode change 100644 => 100755 remediation-kits/services/3.6-disable-ldap-server.sh mode change 100644 => 100755 remediation-kits/services/3.7-disable-dhcp-server.sh mode change 100644 => 100755 remediation-kits/services/3.8-disable-cups.sh mode change 100644 => 100755 remediation-kits/services/3.9-disable-nis-server.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh mode change 100644 => 100755 
remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh mode change 100644 => 100755 
remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh mode change 100644 => 100755 remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh mode change 100644 => 100755 
remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh
mode change 100644 => 100755 remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
diff --git a/examples/remediation-kits/services/3.1-disable-http-server.sh b/examples/remediation-kits/services/3.1-disable-http-server.sh
index 91c1117..bb3a8cd 100755
--- a/examples/remediation-kits/services/3.1-disable-http-server.sh
+++ b/examples/remediation-kits/services/3.1-disable-http-server.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 systemctl --now disable httpd
diff --git a/examples/scanners/services/3.1-disable-http-server.sh b/examples/scanners/services/3.1-disable-http-server.sh
index a5318fe..66bcbfd 100755
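Review bot: In `examples/remediation-kits/services/3.1-disable-http-server.sh` the only command, `systemctl --now disable httpd`, runs unconditionally and its exit status becomes the script's, so on a host where httpd is not installed the remediation would likely exit non-zero even though the system is already compliant. The scanner for the same rule in this patch guards on `rpm -qa httpd`; the remediation could do the same with `if rpm -q httpd >/dev/null 2>&1; then systemctl --now disable httpd; fi`. How the runner treats a non-zero exit is not visible in this patch, so confirm that before changing it.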
--- a/examples/scanners/services/3.1-disable-http-server.sh +++ b/examples/scanners/services/3.1-disable-http-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [ "$(rpm -qa httpd)" ]; then result=$(systemctl is-enabled httpd) if [ $result != enabled ]; then diff --git a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh old mode 100644 new mode 100755 index 8b7f2d5..bcbb7de --- a/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh +++ b/remediation-kits/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=$(systemctl is-enabled crond) if [[ $result == "masked" ]] ; then diff --git a/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh b/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh old mode 100644 new mode 100755 index c180b96..d8b470d --- a/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh +++ b/remediation-kits/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod u-x,g-wx,o-rwx {} \; find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:ssh_keys {} \; \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh b/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh old mode 100644 new mode 100755 index c554f6b..dab28ff --- a/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh +++ b/remediation-kits/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh 
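Review bot: In `examples/scanners/services/3.1-disable-http-server.sh`, `[ $result != enabled ]` expands `$result` unquoted, so if `systemctl is-enabled httpd` prints nothing or more than one word the test is malformed, `[` reports an error, and the `if` takes its false path instead of producing a clear scan result. With the bash shebang this commit adds, `if [[ "$result" != enabled ]]; then` is available and avoids the word splitting. The body of the `if` continues outside the hunk, so which outcome the false path reports cannot be confirmed from here.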
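Review bot: In `1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh`, both `find … -exec … {} \;` calls discard the status of `chmod` and `chown`: with the `\;` form find still exits 0 when the command fails, so the now-executable script reports success even if, for example, the `ssh_keys` group does not exist on the host. Ending the action with `{} +` instead, as in `-exec chown root:ssh_keys {} +`, makes find return non-zero when the command fails. The same applies to the two `find` lines of `1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh`. Both files also still end without a trailing newline.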
@@ -1,2 +1,4 @@ +#!/usr/bin/bash + find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod u-x,go-wx {} \; find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh old mode 100644 new mode 100755 index 74429bb..db83714 --- a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh +++ b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sshLogLevelCount=$(grep -icP "Loglevel\s+.*" /etc/ssh/sshd_config) sshLogLevel=$(grep -iP "Loglevel\s+.*" /etc/ssh/sshd_config) sshLogLevelNum=$(grep -iPn "Loglevel\s+.*" /etc/ssh/sshd_config | cut -d: -f1) diff --git a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh old mode 100644 new mode 100755 index 3602004..3b35141 --- a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh +++ b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh old mode 100644 new mode 100755 index 7c87ca4..fdc641f --- a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh +++ b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh 
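Review bot: In the 1.14 hunk `systemctl restart sshd` runs straight after the in-place edit of /etc/ssh/sshd_config with no syntax check, so a bad edit can leave the host with no SSH daemon accepting new connections. Validate first by putting `sshd -t || exit 1` on the line before the restart. The `grep … && sed … || echo …` chain also appends `MaxAuthTries 4` when sed fails, not only when the keyword is absent, and a line appended at the end of the file falls inside a trailing `Match` block if one exists, where it applies only to matching connections. The unvalidated restart recurs in the hunks for 1.16–1.19, 1.21–1.24, 1.26, 1.41, 1.47 and 1.50.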
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + IgnoreRhosts=$(grep -E "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config | awk '{print $2}') if [[ $IgnoreRhosts == 'no' ]] ; then diff --git a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh old mode 100644 new mode 100755 index 9e173b0..78987d3 --- a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh +++ b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh old mode 100644 new mode 100755 index 1df9463..053498b --- a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh +++ b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh old mode 100644 new mode 100755 index c77c66a..97103b2 
--- a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh +++ b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh old mode 100644 new mode 100755 index 5aec304..b27d2a4 --- a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh +++ b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh old mode 100644 new mode 100755 index 017bb83..82a338c --- a/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh +++ b/remediation-kits/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/crontab ]] && chown root:root /etc/crontab && chmod og-rwx /etc/crontab \ No newline at end of file 
diff --git a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh old mode 100644 new mode 100755 index 13eed9c..3c7f0e1 --- a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 900" >> /etc/ssh/sshd_config grep -Pq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config diff --git a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh old mode 100644 new mode 100755 index 0ad3948..5555cec --- a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh +++ b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh old mode 100644 new mode 100755 index a23b972..772c702 
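Review bot: `ClientAliveCountMax 0` in the 1.20 hunk works against the idle-timeout goal on OpenSSH 8.2 and later, where sshd_config(5) defines a zero count as disabling connection termination. The script should set a non-zero count or check the installed OpenSSH version before choosing the value; a comment such as `# ClientAliveCountMax 0 disables termination on OpenSSH >= 8.2` would record the constraint. No `systemctl restart sshd` is visible in this hunk, though the file may continue outside it.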
--- a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh +++ b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner \/etc\/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh old mode 100644 new mode 100755 index 9e1d387..f57646e --- a/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh +++ b/remediation-kits/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eiq '^\s*UsePAM\s+yes' /etc/ssh/sshd_config || echo "UsePAM yes" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh old mode 100644 new mode 100755 index 29ef0b4..f9371a2 --- a/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh +++ b/remediation-kits/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -iq "MaxStartups" /etc/ssh/sshd_config && sed -i "/maxstartups/Id" /etc/ssh/sshd_config && echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config || echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh old mode 100644 new mode 100755 index 84e3faf..1047f78 
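Review bot: The guard `grep -Eiq '^\s*UsePAM\s+yes'` in the 1.23 hunk only looks for a line that already says yes, so when the file contains `UsePAM no` the script appends `UsePAM yes` after it. sshd uses the first value it obtains for a keyword, which leaves PAM disabled while the remediation appears to succeed. Rewrite an existing directive before falling back to the append, e.g. `sed -ri 's/^(\s*)UsePAM\s+\S+/\1UsePAM yes/I' /etc/ssh/sshd_config`.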
--- a/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh +++ b/remediation-kits/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + maxSessions=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config) maxSessionsNum=$(grep -iP "^(\s*)MaxSessions\s+" /etc/ssh/sshd_config | awk '{print $2}') diff --git a/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh b/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh old mode 100644 new mode 100755 index e1723e8..c754746 --- a/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh +++ b/remediation-kits/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh old mode 100644 new mode 100755 index fe2eff8..ef6fa99 --- a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 8a76518..1cd9a35 --- a/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh 
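Review bot: The interpreter line changes from `#!/usr/bin/env bash` to `#!/usr/bin/bash` in the 1.27 hunk, and again in 1.28, 1.29, 1.30, 1.44 and 1.45, without a reason in the commit message. A fixed path suits scripts that run as root, because the interpreter no longer depends on the caller's PATH, but it assumes bash is installed at /usr/bin/bash on every target. Record the intent in the description or in a short comment under the shebang, e.g. `# absolute path on purpose: run as root, do not resolve bash via PATH`.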
+++ b/remediation-kits/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh old mode 100644 new mode 100755 index b7a5482..32cb942 --- a/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh +++ b/remediation-kits/access-and-control/1.29-ensure-password-reuse-is-limited.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh old mode 100644 new mode 100755 index f0513a8..ea5cc64 --- a/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh +++ b/remediation-kits/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/cron.hourly ]] && chown root:root /etc/cron.hourly && chmod og-rwx /etc/cron.hourly \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh old mode 100644 new mode 100755 index fa0e629..7b4fe2f --- a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 
diff --git a/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh b/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh
old mode 100644
new mode 100755
index 8029db2..101bfdc
--- a/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh
+++ b/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 grep -Eq "^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MAX_DAYS 365\2/" /etc/login.defs || echo "PASS_MAX_DAYS 365" >> /etc/login.defs
 getent passwd | cut -f1 -d ":" | xargs -n1 chage --maxdays 365
diff --git a/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh
old mode 100644
new mode 100755
index 0f17772..262e8c6
--- a/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh
+++ b/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 grep -Eq "^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MIN_DAYS 7\2/" /etc/login.defs || echo "PASS_MIN_DAYS 7" >> /etc/login.defs
 getent passwd | cut -f1 -d ":" | xargs -n1 chage --mindays 7
diff --git a/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh
old mode 100644
new mode 100755
index 424e012..e768d0d
--- a/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh
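Review bot: The sed replacement `\PASS_MAX_DAYS 365\2` in the 1.31 hunk is missing the `1` of the first back-reference, so the captured leading whitespace is dropped instead of kept; it should read `\1PASS_MAX_DAYS 365\2`. The second line runs `chage --maxdays 365` for every name `getent passwd` returns, which includes root, service accounts and any directory-backed users that chage cannot modify. Restricting it to local accounts that have a password set in /etc/shadow would keep the change to the accounts the policy is meant for. The hunks for 1.32 and 1.33 carry the same two lines with their own values.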
+++ b/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$/\PASS_WARN_AGE 7\2/" /etc/login.defs || echo "PASS_WARN_AGE 7" >> /etc/login.defs getent passwd | cut -f1 -d ":" | xargs -n1 chage --warndays 7 diff --git a/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh b/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh old mode 100644 new mode 100755 index 32dee3e..daab735 --- a/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh +++ b/remediation-kits/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + # Before running this script, check whether any user whose password has expired. If yes, run this script after handling the problem. Otherwise, the user may be locked for n in $(getent shadow | cut -d : -f 1,3) ; do diff --git a/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh b/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh old mode 100644 new mode 100755 index af394ac..5158dca --- a/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh +++ b/remediation-kits/access-and-control/1.36-ensure-system-accounts-are-secured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + # /usr/sbin/nologin与/sbin/nologin文件效果一致,配置其中任意一个即可 awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/sbin/nologin" && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print $1}' /etc/passwd | while read user; do 
diff --git a/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh b/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh old mode 100644 new mode 100755 index c516a5c..888ea74 --- a/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh +++ b/remediation-kits/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) diff --git a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh old mode 100644 new mode 100755 index d611e12..59a4ce8 --- a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh +++ b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + rootGid=$(grep "^root:" /etc/passwd | cut -f4 -d:) [[ $rootGid != 0 ]] && usermod -g 0 root \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh old mode 100644 new mode 100755 index 5e34b48..ddddd12 --- a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh +++ b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh 
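Review bot: When /etc/bashrc does not exist, `BRC` is never assigned in the 1.37 hunk, yet `"$BRC"` is still the first item of the `for` list; the unquoted `$f` in `grep -vP "^#.*" $f` then expands to nothing, grep reads standard input, and the script can block. Build the list only from files that exist, e.g. `for f in ${BRC:+"$BRC"} /etc/profile /etc/profile.d/*.sh ; do`, and quote the operand as `"$f"`. Because `BRC` is not initialised, a value exported in the caller's environment would also be picked up. The loop body continues outside the hunk, and the hunk for 1.46 has the same lines.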
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + # 仅对/etc/login.defs /etc/profile* /etc/bashrc*中的umask值进行加固修复,不修改PAM文件中的pam_umask.so repairFile=$(grep -RPHi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc* | cut -d: -f1 | sort -u) diff --git a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh old mode 100644 new mode 100755 index aaec1f4..4f64b45 --- a/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh +++ b/remediation-kits/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/cron.daily ]] && chown root:root /etc/cron.daily && chmod og-rwx /etc/cron.daily \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh b/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh old mode 100644 new mode 100755 index ef02787..4348d15 --- a/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh +++ b/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Eq "^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$" /etc/pam.d/su && sed -ri '/^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$/ { /^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*(\s+use_uid)(\s+.*)?$/! s/^(\s*auth\s+required\s+pam_wheel.so)(\s+.*)?$/\1 use_uid\2/ }' /etc/pam.d/su || echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su 
diff --git a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh index e6123af..420dab3 100755 --- a/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh +++ b/remediation-kits/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -qiP '^Protocol' /etc/ssh/sshd_config && sed -i "/^Protocol/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config systemctl restart sshd diff --git a/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh b/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh old mode 100644 new mode 100755 index 78cc58b..e29f7d5 --- a/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh +++ b/remediation-kits/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + passMaxDaysRowNum=($(cat /etc/login.defs | awk '{if($1 == "PASS_MAX_DAYS") print NR}')) targetString="PASS_MAX_DAYS 90" if [ -n "$passMaxDaysRowNum" ]; then diff --git a/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh b/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh old mode 100644 new mode 100755 index fe265a0..4dc4fcc --- a/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh +++ b/remediation-kits/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + passMinDaysRowNum=($(cat /etc/login.defs | awk '{if($1 == "PASS_MIN_DAYS") print NR}')) targetString="PASS_MIN_DAYS 7" if [ -n "$passMinDaysRowNum" ]; then 
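Review bot: In the 1.41 hunk the check `grep -qiP '^Protocol'` is case-insensitive but the edit `sed -i "/^Protocol/cProtocol 2"` is not, so a line written as `protocol 1` passes the grep, is left unchanged by sed, and the `|| echo` fallback never runs. sshd_config keywords are case-insensitive, so give the sed address the same flag the 1.24 script already uses: `sed -i "/^Protocol/IcProtocol 2" /etc/ssh/sshd_config`. Recent OpenSSH releases implement only protocol 2 and treat this keyword as deprecated, so it is worth confirming that the setting still has an effect on the targeted versions.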
diff --git a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh old mode 100644 new mode 100755 index b7a5482..32cb942 --- a/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh +++ b/remediation-kits/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 8a76518..1cd9a35 --- a/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/remediation-kits/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + authselect check &> /dev/null && auCheck=0 diff --git a/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh old mode 100644 new mode 100755 index 8849531..8dcd595 --- a/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh +++ b/remediation-kits/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + [ -f /etc/bashrc ] && BRC="/etc/bashrc" for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do val_TMOUT=$(grep -vP "^#.*" $f | grep -Pio "TMOUT=[0-9]+" | tail -1 | cut -d"=" -f 2) 
diff --git a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh old mode 100644 new mode 100755 index 3602004..3b35141 --- a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh +++ b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh old mode 100644 new mode 100755 index cd85095..bd87a34 --- a/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh +++ b/remediation-kits/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + usermod -L shutdown usermod -L halt \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh old mode 100644 new mode 100755 index 1cb124a..843a6e6 --- a/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh +++ b/remediation-kits/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/cron.weekly ]] && chown root:root /etc/cron.weekly && chmod og-rwx /etc/cron.weekly \ No newline at end of file 
diff --git a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 3a0c22a..7660ca4 --- a/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh +++ b/remediation-kits/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)X11Forwarding\s+\S+(\s*#.*)?\s*$/\1X11Forwarding no\2/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_config systemctl restart sshd \ No newline at end of file diff --git a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh old mode 100644 new mode 100755 index d51c68d..a209e97 --- a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh +++ b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Psq "^install udf /bin/false" /etc/modprobe.d/udf.conf || echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf grep -Psq "^blacklist udf" /etc/modprobe.d/udf.conf || echo "blacklist udf" >> /etc/modprobe.d/udf.conf modprobe -r udf diff --git a/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 2899759..6d1da65 --- a/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh +++ b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh 
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 grep -Psq "^install cramfs /bin/false" /etc/modprobe.d/cramfs.conf || echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf
 grep -Psq "^blacklist cramfs" /etc/modprobe.d/cramfs.conf || echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
 modprobe -r cramfs
diff --git a/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
old mode 100644
new mode 100755
index 1bbe41e..031463d
--- a/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 grep -Psq "^install\s+squashfs\s+\/bin\/false$" /etc/modprobe.d/*.conf || echo "install squashfs /bin/false" >> /etc/modprobe.d/squashfs.conf
 grep -Psq "^blacklist\s+squashfs$" /etc/modprobe.d/*.conf || echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf
 modprobe -r squashfs
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh b/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh
old mode 100644
new mode 100755
index 3ef8c55..65d02a0
--- a/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh
+++ b/remediation-kits/access-and-control/1.54-lock-the-bin-and-adm-users.sh
@@ -1,2 +1,4 @@
+#!/usr/bin/bash
+
 usermod -L bin
 usermod -L adm
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
old mode 100644
new mode 100755
index 96c90b1..3826c2d
--- a/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
+++ b/remediation-kits/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 [[ -e /etc/cron.monthly ]] && chown root:root /etc/cron.monthly && chmod og-rwx /etc/cron.monthly
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
old mode 100644
new mode 100755
index b043518..1a1c188
--- a/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
+++ b/remediation-kits/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 [[ -e /etc/cron.d ]] && chown root:root /etc/cron.d && chmod og-rwx /etc/cron.d
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
old mode 100644
new mode 100755
index f237fcc..6d70536
--- a/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
+++ b/remediation-kits/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 [[ -e /etc/cron.deny ]] && rm -f /etc/cron.deny
 [[ -e /etc/at.deny ]] && rm -f /etc/at.deny
 [[ ! -e /etc/cron.allow ]] && touch /etc/cron.allow
diff --git a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
old mode 100644
new mode 100755
index f44bbbf..9aa0689
--- a/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
+++ b/remediation-kits/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 [[ -e /etc/ssh/sshd_config ]] && chown root:root /etc/ssh/sshd_config && chmod og-rwx /etc/ssh/sshd_config
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
old mode 100644
new mode 100755
index 9e3d13d..97be703
--- a/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
+++ b/remediation-kits/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2)
 logDir=$(dirname $logFile)
 [[ $logDir ]] && test -f $logDir/* && chmod 0600 $logDir/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh b/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
old mode 100644
new mode 100755
index 456b106..0650f9e
--- a/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
+++ b/remediation-kits/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 chown :root /sbin/auditctl
 chown :root /sbin/aureport
 chown :root /sbin/ausearch
diff --git a/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh b/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
old mode 100644
new mode 100755
index 9c431f5..7f8770f
--- a/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh
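Review bot: In 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh the guard `test -f $logDir/*` only succeeds when the glob expands to exactly one file. Once the directory holds more than one log (after rotation, for example), `test` receives several operands and fails, so the `chmod 0600` is silently skipped and the audit logs keep whatever mode they had. Replacing the last line with `[[ -d "$logDir" ]] && find "$logDir" -maxdepth 1 -type f -exec chmod 0600 {} +` handles any number of files and quotes the path. The same `test -f $logDir/*` guard precedes the `chown root` in 2.2-ensure-only-authorized-users-own-audit-log-files.sh, and `$logFile`/`$logDir` are expanded unquoted in 2.3 and 2.4 as well.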
+++ b/remediation-kits/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + mkdir -p /etc/aide grep -Psq "^\/sbin\/auditctl p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf grep -Psq "^\/sbin\/auditd p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512" /etc/aide/aide.conf || echo "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf diff --git a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh old mode 100644 new mode 100755 index 3050ee6..af3cc96 --- a/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh +++ b/remediation-kits/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ ! "$(rpm -qa rsyslog | grep -i "rsyslog\-")" ]; then diff --git a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh old mode 100644 new mode 100755 index 96b92ac..a5377bc --- a/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh +++ b/remediation-kits/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ "$(rpm -qa rsyslog)" ]; then diff --git a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh old mode 100644 new mode 100755 index e4ef60a..98b05e3 --- a/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh +++ b/remediation-kits/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh 
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Psq "^\\\$FileCreateMode 0640" /etc/rsyslog.conf || echo "\$FileCreateMode 0640" >> /etc/rsyslog.conf
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh b/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
old mode 100644
new mode 100755
index 3344bca..587da8f
--- a/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
+++ b/remediation-kits/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Psq "^ForwardToSyslog=yes" /etc/systemd/journald.conf ||echo "ForwardToSyslog=yes" >> /etc/systemd/journald.conf
diff --git a/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh b/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
old mode 100644
new mode 100755
index 8ce6ef6..67d4bd9
--- a/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
+++ b/remediation-kits/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Psq "^Compress=yes" /etc/systemd/journald.conf ||echo "Compress=yes" >> /etc/systemd/journald.conf
diff --git a/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh b/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
old mode 100644
new mode 100755
index a11656c..a22b292
--- a/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
+++ b/remediation-kits/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
@@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Psq "^Storage=persistent" /etc/systemd/journald.conf || echo "Storage=persistent" >> /etc/systemd/journald.conf diff --git a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh old mode 100644 new mode 100755 index 331b4f8..583dadf --- a/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh +++ b/remediation-kits/logging-and-auditing/2.19-ensure-audit-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ ! "$(rpm -qa audit)" ]; then diff --git a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh old mode 100644 new mode 100755 index 0a6b0d5..daea736 --- a/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh +++ b/remediation-kits/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2) logDir=$(dirname $logFile) [[ $logDir ]] && test -f $logDir/* && chown root $logDir/* \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh old mode 100644 new mode 100755 index 93c8ea2..b459751 --- a/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh +++ b/remediation-kits/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ "$(rpm -qa audit)" ]; then 
diff --git a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh old mode 100644 new mode 100755 index f52af7f..50254fe --- a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh +++ b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + Rule32="-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" x86Rule64="-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh old mode 100644 new mode 100755 index 4631678..11ee460 --- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -q "\-w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope" >> /etc/audit/rules.d/audit.rules diff --git a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh old mode 100644 new mode 100755 index 17edb95..8319c09 --- a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh 
+++ b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -q "\-w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity diff --git a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh old mode 100644 new mode 100755 index 1e3a00c..25c6687 --- a/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh +++ b/remediation-kits/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh @@ -1,3 +1,4 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + grep -Ps "^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" /etc/audit/rules.d/*.rules || echo -e "-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=priv_cmd" >> /etc/audit/rules.d/stig.rules augenrules --load diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh old mode 100644 new mode 100755 index 08d7b60..b765fd0 --- a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh +++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf 
diff --git a/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh old mode 100644 new mode 100755 index 7352aba..9c74c56 --- a/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh +++ b/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + augenrules --load if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then diff --git a/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh b/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh old mode 100644 new mode 100755 index 07227ad..97fe6ed --- a/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh +++ b/remediation-kits/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sed -ri /'^LogDenied\=\s*(unicast|broadcast|multicast|off)$'/s/'^LogDenied\=\s*(unicast|broadcast|multicast|off)$'/LogDenied=all/ /etc/firewalld/firewalld.conf grep -Psq "^LogDenied\=\s*(all|unicast|broadcast|multicast|off)$" /etc/firewalld/firewalld.conf || echo "LogDenied=all" >> /etc/firewalld/firewalld.conf diff --git a/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh b/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh old mode 100644 new mode 100755 index 064b24b..1170d88 --- a/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules || echo -e "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/audit-root.rules grep -Psq "\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules || echo -e "-w /var/run/faillock -p wa -k logins" >> /etc/audit/rules.d/audit-root.rules diff --git a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh old mode 100644 new mode 100755 index 61db05a..15cc5d0 --- a/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" /etc/sudoers || echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers diff --git a/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh b/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh old mode 100644 new mode 100755 index f8762eb..0c4c571 --- a/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh +++ b/remediation-kits/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2) logDir=$(dirname $logFile) [[ $logDir ]] && chown :adm $logDir diff --git a/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh b/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh old mode 100644 new mode 100755 index c2ef6d3..e6012b7 --- a/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh 
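Review bot: 2.29-ensure-sudo-log-are-collected.sh appends `Defaults logfile=/var/log/sudo.log` straight to /etc/sudoers with `>>` and never validates the result. If the file's last line has no trailing newline, the new text is glued onto that line, and a sudoers file that fails to parse stops sudo from working. Writing the setting to a drop-in file under /etc/sudoers.d (assuming the main file includes that directory) and checking it with `visudo -cf` before leaving it in place would be safer. The grep would then need to cover the drop-in directory too, since it currently reads only /etc/sudoers.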
+++ b/remediation-kits/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sudoLogFile=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g') [ -n "${sudoLogFile}" ] && printf " -w ${sudoLogFile} -p wa -k sudo_log_file diff --git a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh old mode 100644 new mode 100755 index a81c7b7..5d1ca7f --- a/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh @@ -1,4 +1,5 @@ -#! /bin/bash +#!/usr/bin/bash + build_audit_rules() ( UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) diff --git a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh old mode 100644 new mode 100755 index 7c7692b..0b019ce --- a/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh +++ b/remediation-kits/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh 
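Review bot: In 2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh `${sudoLogFile}` is expanded inside the `printf` format string, so a `%` or backslash in the configured log path is treated as a format directive and the audit rule written out no longer names the real file. Passing the value as an argument, `printf '%s\n' "-w ${sudoLogFile} -p wa -k sudo_log_file"`, avoids that. `grep -r logfile /etc/sudoers*` can also return more than one line (commented-out entries, other settings containing "logfile"), in which case the variable holds several values; restricting the match to active `Defaults` lines would be more predictable. The printf statement continues past the end of the hunk, so its redirection target is not visible here.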
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + for BIT in b32 b64 ; do checkRule="^(?=^\s*-a\s+always,exit)(?=.*-F\s+arch=$BIT)(?=.*chmod)(?=.*fchmod)(?=.*chown)(?=.*fchown)(?=.*lchown)(?=.*setxattr)(?=.*lsetxattr)(?=.*fsetxattr)(?=.*removexattr)(?=.*lremovexattr)(?=.*fremovexattr)(?=.*fchownat)(?=.*fchmodat)" grep -Pq $checkRule /etc/audit/rules.d/*.rules /etc/audit/*.rules || echo "-a always,exit -F arch=$BIT -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" >> /etc/audit/rules.d/50-perm_mod.rules diff --git a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh old mode 100644 new mode 100755 index 1c1b531..0ede152 --- a/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh +++ b/remediation-kits/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + logFile=$(grep -iw log_file /etc/audit/auditd.conf | cut -d= -f2) logDir=$(dirname $logFile) [[ $logDir ]] && chmod -R g-w,o-rwx $logDir \ No newline at end of file diff --git a/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh old mode 100644 new mode 100755 index c6667a6..1ce4c6d --- a/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh +++ b/remediation-kits/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* \ No newline at end of file 
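Review bot: In 2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh the pattern is passed as `grep -Pq $checkRule`, unquoted, although it contains `*` and `?`, so the shell attempts pathname expansion on the regex before grep sees it. The call should read `grep -Pq -- "$checkRule" /etc/audit/rules.d/*.rules /etc/audit/*.rules`. When one of the two file globs matches nothing, grep is handed the literal pattern as a file name and prints an error, which adds noise to the remediation output; `-s` would suppress it, as the other kits do. The `for` loop is closed outside the hunk.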
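Review bot: `chmod -R 0640` in 2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh sets an absolute mode, so a file that is already stricter (0600, for instance) is widened to group-readable, which works against the "0640 or more restrictive" goal in the script's name. A symbolic mode only removes bits: `chmod u-x,g-wx,o-rwx /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*`. `-R` is not needed for plain files and would strip the search bit from any directory the glob matches. The `chmod 0755` calls in 2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh likewise loosen a tool installed with a tighter mode; `chmod go-w` would not.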
diff --git a/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh b/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh
old mode 100644
new mode 100755
index c408341..74cc71d
--- a/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh
+++ b/remediation-kits/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh b/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh
old mode 100644
new mode 100755
index 93bfed1..3d02605
--- a/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh
+++ b/remediation-kits/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
\ No newline at end of file
diff --git a/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh b/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh
old mode 100644
new mode 100755
index 1efcba1..74e8b00
--- a/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh
+++ b/remediation-kits/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 chmod 0755 /sbin/auditctl
 chmod 0755 /sbin/aureport
 chmod 0755 /sbin/ausearch
diff --git a/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh b/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh
old mode 100644
new mode 100755
index f855ed7..adaad21
--- a/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh
+++ b/remediation-kits/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 chown root /sbin/auditctl
 chown root /sbin/aureport
 chown root /sbin/ausearch
diff --git a/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh b/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh
old mode 100644
new mode 100755
index d69c8fe..a1e52c7
--- a/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh
+++ b/remediation-kits/mandatory-access-control/5.1-ensure-selinux-is-installed.sh
@@ -1,2 +1,3 @@
-#!/bin/bash
+#!/usr/bin/bash
+
 dnf install libselinux selinux-policy-mls selinux-policy-targeted -y
diff --git a/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
index 4e707a7..a0627b4 100755
--- a/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
+++ b/remediation-kits/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
@@ -1,2 +1,3 @@
-#!/bin/bash
+#!/usr/bin/bash
+
 sed -i '/^SELINUXTYPE=/cSELINUXTYPE=mls' /etc/selinux/config
diff --git a/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh b/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh
index d38a62a..65dee13 100755
--- a/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh
+++ b/remediation-kits/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh
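Review bot: The `sed -i '/^SELINUXTYPE=/c...'` command in 5.2-ensure-selinux-policy-is-configured.sh only rewrites a line that already exists. If /etc/selinux/config has the key commented out or missing, the script exits successfully without configuring anything. Following the sed with `grep -q '^SELINUXTYPE=' /etc/selinux/config || echo 'SELINUXTYPE=mls' >> /etc/selinux/config` covers that case, in the same grep-or-append form the other kits use. The `SELINUX=` edits in 5.3 and 5.4 have the same gap, and since 5.3 writes `permissive` while 5.4 writes `enforcing`, the final mode depends on the order in which the two are run.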
@@ -1,2 +1,3 @@ -#!/bin/bash +#!/usr/bin/bash + sed -i '/^SELINUX=/cSELINUX=permissive' /etc/selinux/config diff --git a/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh b/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh index d4f6fcf..eee010f 100755 --- a/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh +++ b/remediation-kits/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh @@ -1,2 +1,3 @@ -#!/bin/bash +#!/usr/bin/bash + sed -i '/^SELINUX=/cSELINUX=enforcing' /etc/selinux/config diff --git a/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh old mode 100644 new mode 100755 index 9f67a73..1f00d0e --- a/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh +++ b/remediation-kits/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + dnf remove -y setroubleshoot diff --git a/remediation-kits/services/3.1-disable-http-server.sh b/remediation-kits/services/3.1-disable-http-server.sh index d5e53b1..d32fa7b 100755 --- a/remediation-kits/services/3.1-disable-http-server.sh +++ b/remediation-kits/services/3.1-disable-http-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa httpd) ]]; then diff --git a/remediation-kits/services/3.10-disable-rsync-server.sh b/remediation-kits/services/3.10-disable-rsync-server.sh old mode 100644 new mode 100755 index ca87512..970775c --- a/remediation-kits/services/3.10-disable-rsync-server.sh +++ b/remediation-kits/services/3.10-disable-rsync-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep rsync) ]]; then 
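Review bot: `rpm -qa | grep rsync` in 3.10-disable-rsync-server.sh matches any installed package whose name contains "rsync", not one specific package, so the branch can run on hosts where the service itself is absent. Querying by package name, as the neighbouring scripts do with `rpm -qa httpd`, or with `rpm -q <package> >/dev/null 2>&1`, keeps the condition exact. The same substring test appears in 3.17 (telnet), 3.19 (kexec), 3.20 (firstboot) and 3.27 (`rpm -qa | grep -q chrony`, where a false match skips the install). The body of the `if` is outside the hunk, so what it does on a match is not visible here.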
diff --git a/remediation-kits/services/3.11-disable-avahi-server.sh b/remediation-kits/services/3.11-disable-avahi-server.sh old mode 100644 new mode 100755 index 17bcb88..2723b01 --- a/remediation-kits/services/3.11-disable-avahi-server.sh +++ b/remediation-kits/services/3.11-disable-avahi-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa avahi) ]]; then diff --git a/remediation-kits/services/3.12-disable-snmp-server.sh b/remediation-kits/services/3.12-disable-snmp-server.sh old mode 100644 new mode 100755 index 7914d0a..8ab85fc --- a/remediation-kits/services/3.12-disable-snmp-server.sh +++ b/remediation-kits/services/3.12-disable-snmp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa net-snmp) ]]; then diff --git a/remediation-kits/services/3.13-disable-http-proxy-server.sh b/remediation-kits/services/3.13-disable-http-proxy-server.sh old mode 100644 new mode 100755 index 2debf62..e34d0d4 --- a/remediation-kits/services/3.13-disable-http-proxy-server.sh +++ b/remediation-kits/services/3.13-disable-http-proxy-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa squid) ]]; then diff --git a/remediation-kits/services/3.14-disable-samba.sh b/remediation-kits/services/3.14-disable-samba.sh old mode 100644 new mode 100755 index ad4dc28..ed20cf3 --- a/remediation-kits/services/3.14-disable-samba.sh +++ b/remediation-kits/services/3.14-disable-samba.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa samba) ]]; then diff --git a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh old mode 100644 new mode 100755 index b3711ce..c7d58a3 --- a/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh +++ b/remediation-kits/services/3.15-disable-imap-and-pop3-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa dovecot) ]]; then 
diff --git a/remediation-kits/services/3.16-disable-smtp-protocol.sh b/remediation-kits/services/3.16-disable-smtp-protocol.sh old mode 100644 new mode 100755 index 1ab7081..359de32 --- a/remediation-kits/services/3.16-disable-smtp-protocol.sh +++ b/remediation-kits/services/3.16-disable-smtp-protocol.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa postfix) ]]; then diff --git a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh old mode 100644 new mode 100755 index cbb1ab9..7bf6ab0 --- a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh +++ b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep telnet) ]]; then diff --git a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh old mode 100644 new mode 100755 index 80d7df6..aa18c70 --- a/remediation-kits/services/3.18-uninstall-the-avahi-server.sh +++ b/remediation-kits/services/3.18-uninstall-the-avahi-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa avahi) ]]; then diff --git a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh old mode 100644 new mode 100755 index f23b656..f48e230 --- a/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh +++ b/remediation-kits/services/3.19-uninstall-the-kexec-tools.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep kexec) ]]; then diff --git a/remediation-kits/services/3.2-disable-ftp-server.sh b/remediation-kits/services/3.2-disable-ftp-server.sh old mode 100644 new mode 100755 index 0ce1e46..2d83d0a --- a/remediation-kits/services/3.2-disable-ftp-server.sh +++ b/remediation-kits/services/3.2-disable-ftp-server.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa vsftpd) ]]; then diff --git a/remediation-kits/services/3.20-uninstall-the-firstboot.sh b/remediation-kits/services/3.20-uninstall-the-firstboot.sh old mode 100644 new mode 100755 index de29b26..de588e9 --- a/remediation-kits/services/3.20-uninstall-the-firstboot.sh +++ b/remediation-kits/services/3.20-uninstall-the-firstboot.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep firstboot) ]]; then diff --git a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh old mode 100644 new mode 100755 index 76e507f..161e2d5 --- a/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh +++ b/remediation-kits/services/3.21-uninstall-the-wpa_supplicant.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa wpa_supplicant) ]]; then diff --git a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh old mode 100644 new mode 100755 index c7187a5..731e870 --- a/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh +++ b/remediation-kits/services/3.22-ensure-NIS-Client-is-not-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa ypbind) ]]; then diff --git a/remediation-kits/services/3.23-disable-rsh.sh b/remediation-kits/services/3.23-disable-rsh.sh old mode 100644 new mode 100755 index 84c1213..08fb9e7 --- a/remediation-kits/services/3.23-disable-rsh.sh +++ b/remediation-kits/services/3.23-disable-rsh.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa rsh) ]]; then diff --git a/remediation-kits/services/3.24-disable-ntalk.sh b/remediation-kits/services/3.24-disable-ntalk.sh old mode 100644 new mode 100755 index 38d0d5d..6e755cd --- a/remediation-kits/services/3.24-disable-ntalk.sh 
+++ b/remediation-kits/services/3.24-disable-ntalk.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa ntalk) ]]; then diff --git a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh old mode 100644 new mode 100755 index f04a43f..4d67e18 --- a/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh +++ b/remediation-kits/services/3.25-ensure-xinetd-is-not-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa xinetd) ]]; then diff --git a/remediation-kits/services/3.26-disable-usb-storage.sh b/remediation-kits/services/3.26-disable-usb-storage.sh old mode 100644 new mode 100755 index d4d3218..85e3875 --- a/remediation-kits/services/3.26-disable-usb-storage.sh +++ b/remediation-kits/services/3.26-disable-usb-storage.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Psq "^install\s+usb\-storage\s+\/bin\/true$" /etc/modprobe.d/*.conf || echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb_storage.conf [[ $(lsmod | grep -P "^usb(_|-)storage\b") ]] && rmmod usb-storage diff --git a/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh b/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh old mode 100644 new mode 100755 index 750f16c..82e61f0 --- a/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh +++ b/remediation-kits/services/3.27-ensure-time-synchronization-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -qa | grep -q chrony || dnf install chrony -y diff --git a/remediation-kits/services/3.28-disable-automounting.sh b/remediation-kits/services/3.28-disable-automounting.sh old mode 100644 new mode 100755 index ea0c847..e9f9ed7 --- a/remediation-kits/services/3.28-disable-automounting.sh +++ b/remediation-kits/services/3.28-disable-automounting.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa autofs) ]]; then 
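Review bot: 3.26-disable-usb-storage.sh ends on `[[ $(lsmod | grep -P "^usb(_|-)storage\b") ]] && rmmod usb-storage`, so the script exits 1 whenever the module is not loaded, that is, on a host that is already compliant. Now that the file is executable and can be run directly, a caller that checks the exit status will read that as a failed remediation. Writing the last line as `if lsmod | grep -Pq "^usb(_|-)storage\b"; then rmmod usb-storage; fi` returns 0 in that case. The same trailing `test && action` shape closes 4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh and 4.5-ensure-permissions-on-etc-issue-are-configured.sh.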
diff --git a/remediation-kits/services/3.3-disable-dns-server.sh b/remediation-kits/services/3.3-disable-dns-server.sh old mode 100644 new mode 100755 index 146a905..388d829 --- a/remediation-kits/services/3.3-disable-dns-server.sh +++ b/remediation-kits/services/3.3-disable-dns-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ "$(rpm -qa bind)" ]]; then diff --git a/remediation-kits/services/3.4-disable-nfs.sh b/remediation-kits/services/3.4-disable-nfs.sh old mode 100644 new mode 100755 index 8f2873b..76d4ea2 --- a/remediation-kits/services/3.4-disable-nfs.sh +++ b/remediation-kits/services/3.4-disable-nfs.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa nfs-utils) ]]; then diff --git a/remediation-kits/services/3.5-disable-rpc.sh b/remediation-kits/services/3.5-disable-rpc.sh old mode 100644 new mode 100755 index 12d62df..6831852 --- a/remediation-kits/services/3.5-disable-rpc.sh +++ b/remediation-kits/services/3.5-disable-rpc.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa rpcbind) ]]; then diff --git a/remediation-kits/services/3.6-disable-ldap-server.sh b/remediation-kits/services/3.6-disable-ldap-server.sh old mode 100644 new mode 100755 index 5e8b120..1c61638 --- a/remediation-kits/services/3.6-disable-ldap-server.sh +++ b/remediation-kits/services/3.6-disable-ldap-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa openldap-servers) ]]; then diff --git a/remediation-kits/services/3.7-disable-dhcp-server.sh b/remediation-kits/services/3.7-disable-dhcp-server.sh old mode 100644 new mode 100755 index 018e9d5..07a7673 --- a/remediation-kits/services/3.7-disable-dhcp-server.sh +++ b/remediation-kits/services/3.7-disable-dhcp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa | grep dhcp) ]]; then 
diff --git a/remediation-kits/services/3.8-disable-cups.sh b/remediation-kits/services/3.8-disable-cups.sh old mode 100644 new mode 100755 index ee73b8e..7e610d1 --- a/remediation-kits/services/3.8-disable-cups.sh +++ b/remediation-kits/services/3.8-disable-cups.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa cups) ]]; then diff --git a/remediation-kits/services/3.9-disable-nis-server.sh b/remediation-kits/services/3.9-disable-nis-server.sh old mode 100644 new mode 100755 index 7d04239..004941e --- a/remediation-kits/services/3.9-disable-nis-server.sh +++ b/remediation-kits/services/3.9-disable-nis-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa ypserv) ]]; then diff --git a/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh b/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh old mode 100644 new mode 100755 index 3317c78..75b6315 --- a/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh +++ b/remediation-kits/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh b/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh old mode 100644 new mode 100755 index fb2091f..29232f5 --- a/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh +++ b/remediation-kits/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp") [ -f /boot/grub2/grub.cfg ] && chown root:root /boot/grub2/grub.cfg; diff --git a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh old mode 100644 new mode 100755 index fb4c736..b614c6e --- a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh +++ b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service diff --git a/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh b/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh old mode 100644 new mode 100755 index c0c4e6b..8124d43 --- a/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh +++ b/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh 
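Review bot: In 4.11-ensure-permissions-on-bootloader-config-are-configured.sh the `sed -rn "s/\"//gp"` at the end of the `osID` pipeline prints a line only when a quote was actually removed, so an unquoted `ID=value` entry in /etc/os-release leaves `osID` empty. Dropping `-n` and the `p` flag, `sed 's/"//g'`, strips quotes when present and passes the value through otherwise. The code that consumes `osID` is outside the hunk, so the effect of an empty value should be checked there.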
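Review bot: Both commands in 4.12-ensure-authentication-required-for-single-user-mode.sh rewrite the packaged unit files under /usr/lib/systemd/system in place, so a later update of the package that ships rescue.service and emergency.service can put the original `ExecStart` back and the sulogin requirement disappears without any signal. A drop-in under /etc/systemd/system survives updates; the sketch below shows it for rescue.service, and emergency.service takes the same form with its own argument. The drop-in file name is a constructed example. The `grep && sed || echo` chain also appends a second `ExecStart` line whenever `sed` itself fails, which the drop-in form avoids.

```shell
# … replaces the grep/sed/echo line for rescue.service; emergency.service is analogous …
dropin_dir=/etc/systemd/system/rescue.service.d
mkdir -p "$dropin_dir"
printf '%s\n' '[Service]' 'ExecStart=' \
  'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue' \
  > "$dropin_dir/override.conf"
systemctl daemon-reload
```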
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$" /etc/security/limits.conf && sed -ri "s/^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$/\1* hard core 0\2/" /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf grep -Eq "^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$/\1fs.suid_dumpable = 0\2/" /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf sysctl -w fs.suid_dumpable=0 diff --git a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh old mode 100644 new mode 100755 index 9b78d09..ec213d9 --- a/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/remediation-kits/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + configExistenceFlag="false" [[ -n $(grep -Ps "^kernel\.randomize_va_space\s*=.*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf) ]] && configExistenceFlag="true" diff --git a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh old mode 100644 new mode 100755 index 558827c..f5aa046 --- a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh +++ b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config && update-crypto-policies --set DEFAULT && update-crypto-policies \ No newline at end of file 
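Review bot: The two `grep`/`sed` lines in 4.13-ensure-core-dumps-are-restricted.sh examine only /etc/security/limits.conf and /etc/sysctl.conf, so a `* hard core` entry in /etc/security/limits.d/*.conf or an `fs.suid_dumpable` entry in a sysctl.d directory is left as it is and may still take effect at boot. 4.47-ensure-ip-forwarding-is-disabled.sh in this same patch already scans `/etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf`; using that file list here would make the two consistent. The sysctl half applies equally to 4.48 through 4.52, which may continue past their hunks.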
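Review bot: The pattern `'^\s*LEGACY\s*(\s+#.*)?$'` in 4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh matches a bare `LEGACY` line only, so a config that names the policy with a subpolicy suffix (`LEGACY:SUBPOLICY`) is skipped and the host stays on the legacy policy. Allowing the suffix, `'^\s*LEGACY(:\S+)?\s*(\s+#.*)?$'`, covers that form. Note that `--set DEFAULT` then drops the subpolicy as well, which should be a deliberate choice and is worth a comment in the script.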
diff --git a/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh b/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh old mode 100644 new mode 100755 index 1eecf10..9d235af --- a/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh +++ b/remediation-kits/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh b/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh old mode 100644 new mode 100755 index 16188ca..9b28b8b --- a/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh +++ b/remediation-kits/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/passwd chmod 644 /etc/passwd \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh b/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh old mode 100644 new mode 100755 index c066312..a30eb26 --- a/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh +++ b/remediation-kits/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/shadow chmod 0000 /etc/shadow \ No newline at end of file 
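Review bot: The second `xargs -I '{}' chmod a+t '{}'` in 4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh parses directory names as text, and those names come from world-writable locations where any local user chooses them; a name containing a quote, backslash or newline makes xargs fail or hands the `chmod` a different path than the one `find` matched. Letting find run the command removes the parsing step: end the find expression with `-exec chmod a+t {} +` and drop the trailing pipe. The `2>/dev/null` also hides every find error, so a run that could not read a filesystem looks the same as a clean one.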
diff --git a/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh b/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh old mode 100644 new mode 100755 index 0a3e375..a8bc86e --- a/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh +++ b/remediation-kits/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/group chmod u-x,g-wx,o-wx /etc/group \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh b/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh old mode 100644 new mode 100755 index 2f496ac..4af3e3b --- a/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh +++ b/remediation-kits/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh b/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh old mode 100644 new mode 100755 index 09ea442..0adf02f --- a/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh +++ b/remediation-kits/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/gshadow chmod 0000 /etc/gshadow \ No newline at end of file 
diff --git a/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh b/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh old mode 100644 new mode 100755 index eab4489..8fc3586 --- a/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh +++ b/remediation-kits/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/passwd- chmod u-x,go-wx /etc/passwd- \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh b/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh old mode 100644 new mode 100755 index 0162493..215a9f4 --- a/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh +++ b/remediation-kits/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/shadow- chmod 0000 /etc/shadow- \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh b/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh old mode 100644 new mode 100755 index 701ee8c..47f503e --- a/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh +++ b/remediation-kits/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/group- chmod u-x,go-wx /etc/group- \ No newline at end of file 
diff --git a/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh b/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh old mode 100644 new mode 100755 index 8b428bd..c77c26a --- a/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh +++ b/remediation-kits/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + chown root:root /etc/gshadow- chmod 0000 /etc/gshadow- \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh b/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh old mode 100644 new mode 100755 index 6394d8f..97d4528 --- a/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh +++ b/remediation-kits/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh b/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh old mode 100644 new mode 100755 index 0010b4b..5ec6d79 --- a/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh +++ b/remediation-kits/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh 
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) {print $6}' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then diff --git a/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh b/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh old mode 100644 new mode 100755 index 9191dbc..d52b58e --- a/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh +++ b/remediation-kits/system-configurations/4.32-ensure-users-own-their-home-directories.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do if [ ! -d "$dir" ]; then echo "User: \"$user\" home directory: \"$dir\" does not exist, creating home directory" diff --git a/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh b/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh old mode 100644 new mode 100755 index dfb1e1e..fa1c440 --- a/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh +++ b/remediation-kits/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then for file in "$dir"/.*; do 
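Review bot: The account filter `$1!~/(halt|sync|shutdown|nfsnobody)/` in 4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh is not anchored, so any login name that merely contains one of those words (a constructed example: `rsyncuser`) is excluded and its home directory is never checked. Anchoring it, `$1!~/^(halt|sync|shutdown|nfsnobody)$/`, limits the exclusion to the four system accounts; the `\/bin\/false` shell test likewise lacks the leading `^` that the `nologin` test has. The identical awk line opens 4.32 through 4.37 and 4.43, and the loop bodies continue outside these hunks.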
diff --git a/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh b/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh old mode 100644 new mode 100755 index 4322a69..2e53c42 --- a/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh +++ b/remediation-kits/system-configurations/4.34-ensure-no-users-have-.forward-files.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then diff --git a/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh b/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh old mode 100644 new mode 100755 index 9c6a84f..d3879f6 --- a/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh +++ b/remediation-kits/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then diff --git a/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh b/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh old mode 100644 new mode 100755 index 2a41e8a..af9e1b7 --- a/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh +++ b/remediation-kits/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh 
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do diff --git a/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh b/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh old mode 100644 new mode 100755 index 488c49b..de3a44d --- a/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh +++ b/remediation-kits/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $6 }' /etc/passwd | while read -r dir; do if [ -d "$dir" ]; then file="$dir/.rhosts" diff --git a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh old mode 100644 new mode 100755 index 50d5a4d..8b86b6d --- a/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh +++ b/remediation-kits/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + [[ -e /etc/motd ]] && chown root:root /etc/motd [[ -e /etc/motd ]] && chmod u-x,go-wx /etc/motd [[ -f /var/lib/update-motd/motd ]] && chown root:root /var/lib/update-motd/motd diff --git a/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh b/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh old mode 100644 new mode 100755 index ce2aaf4..f39c41b --- a/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh +++ b/remediation-kits/system-configurations/4.43-ensure-all-users-home-directories-exist.sh 
@@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do if [ ! -d "$dir" ]; then mkdir "$dir" diff --git a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh old mode 100644 new mode 100755 index 91ec526..78ad91c --- a/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh +++ b/remediation-kits/system-configurations/4.44-ensure-sctp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + modprobe -n -q sctp && modprobe -n -v sctp | grep -Pq "^install\s*\/bin\/true\s*$" if [[ $? -ne 0 ]]; then diff --git a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh old mode 100644 new mode 100755 index d3d0efe..78ae938 --- a/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh +++ b/remediation-kits/system-configurations/4.45-ensure-dccp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + modprobe -n -vq dccp if [[ $? -ne 0 ]]; then diff --git a/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh old mode 100644 new mode 100755 index d9f477e..0fba976 --- a/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh +++ b/remediation-kits/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + wireless_disable() { if command -v nmcli >/dev/null 2>&1 ; then 
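Review bot: 4.45-ensure-dccp-is-disabled.sh decides on the exit status of `modprobe -n -vq dccp` alone, and that dry run succeeds both when the module is loadable and when it is already mapped to /bin/true, so `if [[ $? -ne 0 ]]` appears to be true only when the module cannot be found. The sctp script beside it greps the dry-run output instead; the same form here would be `modprobe -n -v dccp | grep -Pq "^install\s*\/bin\/true\s*$"`. The body of the `if` is outside the hunk, so this should be confirmed against what the branch does.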
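Review bot: The interpreter line in 4.46-ensure-wireless-interfaces-are-disabled.sh goes from `#!/usr/bin/env bash` to `#!/usr/bin/bash`, and /usr/bin/bash is only guaranteed on systems where /bin and /usr/bin are merged. Pinning an absolute path is the right direction for scripts that run as root, since the interpreter no longer depends on the caller's PATH, but `#!/bin/bash`, which the 4.3x scripts used before this patch, resolves on both layouts. If the kit targets only merged-/usr distributions, a sentence in the project documentation stating that would be enough.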
diff --git a/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 0657082..b4f634b --- a/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh +++ b/remediation-kits/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + grep -Ps "^\s*net\.ipv4\.ip_forward\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.ip_forward\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1 grep -Ps "^\s*net\.ipv6\.conf\.all\.forwarding\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv6.conf.all.forwarding\s*=\s*0\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1 diff --git a/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh b/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh old mode 100644 new mode 100755 index 0f2c20f..c725309 --- a/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh +++ b/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh 
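Review bot: Both pipelines in 4.47-ensure-ip-forwarding-is-disabled.sh comment out non-compliant lines, including ones in /usr/lib/sysctl.d/*.conf, and then set the value only at runtime with `sysctl -w`; nothing writes `net.ipv4.ip_forward = 0` to a file under /etc, so a package update that restores the vendor file can bring the old value back at the next boot. Appending the wanted value to a local file, e.g. `echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/NN-NAME.conf` (placeholder file name), makes the result persistent. The loop should also read `while IFS= read -r filename` and pass `"$filename"` quoted to sed. 4.53 and 4.54 use the same construction.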
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 diff --git a/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh b/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh old mode 100644 new mode 100755 index dd1feb1..0a002e8 --- a/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf diff --git a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh old mode 100644 new mode 100755 index 5acd838..f899083 --- a/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh +++ b/remediation-kits/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + [[ -e /etc/issue ]] && chown root:root /etc/issue [[ -e /etc/issue ]] && chmod u-x,go-wx /etc/issue \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh b/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 025b169..6873aac --- a/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh 
+++ b/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf diff --git a/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh b/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 051910d..9c470c6 --- a/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.secure_redirects=0 diff --git a/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh b/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh old mode 100644 new mode 100755 index 1dda5ca..97c7841 --- a/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh +++ b/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.log_martians=1 
diff --git a/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
old mode 100644
new mode 100755
index 11b71ba..2c7b79a
--- a/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
+++ b/remediation-kits/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Ps "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_echo_ignore_broadcasts\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1; sysctl -w net.ipv4.route.flush=1
diff --git a/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
old mode 100644
new mode 100755
index 30f4f62..118540e
--- a/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
+++ b/remediation-kits/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Ps "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=.*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | grep -Pvs "net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1\s*$" | cut -f1 -d: | while read filename; do sed -ri "s/^\s*(net\.ipv4\.icmp_ignore_bogus_error_responses\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; sysctl -w net.ipv4.route.flush=1
\ No newline at end of file
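Review bot: In 4.53-ensure-broadcast-icmp-requests-are-ignored.sh the loop `while read filename; do sed -ri … $filename; done` reads without `-r` and expands `$filename` unquoted, so a matching path that contains whitespace or a backslash is split or altered before it reaches `sed -ri`; `while IFS= read -r filename; do sed -ri "…" -- "$filename"; done` avoids that. The hunk header `@@ -1 +1,3 @@` shows this one line is the whole script, so after non-compliant entries are commented out as `# *REMOVED*` nothing writes `net.ipv4.icmp_echo_ignore_broadcasts = 1` to a configuration file. `sysctl -w` changes only the running kernel, which leaves the value after a reboot to the kernel default. Appending the setting to /etc/sysctl.conf, as the 4.55 script does for rp_filter, would make it persistent. The 4.54 and 4.56 hunks have the same loop and the same gap.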
diff --git a/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh b/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh
old mode 100644
new mode 100755
index eb376f8..8953c2a
--- a/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh
+++ b/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 grep -Eq "^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
 grep -Eq "^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
 sysctl -w net.ipv4.conf.all.rp_filter=1
diff --git a/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh b/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh
old mode 100644
new mode 100755
index a1b54a6..6a0444e
--- a/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh
+++ b/remediation-kits/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh
@@ -1 +1,3 @@
+#!/usr/bin/bash
+
 grep -Els "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]*" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.tcp_syncookies\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv4.tcp_syncookies=1; sysctl -w net.ipv4.route.flush=1
\ No newline at end of file
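Review bot: The pattern `\s*=\s*[02]*` in 4.56-ensure-tcp-syn-cookies-is-enabled.sh lets `[02]*` match zero characters, so `grep -Els` also lists files whose entry is already `net.ipv4.tcp_syncookies = 1`. The `sed -ri` that follows accepts any value (`\s*\S+\b`), so it comments the compliant line out as `# *REMOVED*` too. Requiring one digit and a word boundary, `grep -Els "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]\b"`, limits the file list to non-compliant entries. The sed expression needs the same restriction so that a compliant line in a listed file is kept.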
diff --git a/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh b/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh old mode 100644 new mode 100755 index b22df1d..e33265f --- a/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf grep -Eq "^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf sysctl -w net.ipv6.conf.all.accept_ra=0 diff --git a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh old mode 100644 new mode 100755 index 375556c..5f2d7ed --- a/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh +++ b/remediation-kits/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + dnf install firewalld nftables iptables iptables-services -y \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh old mode 100644 new mode 100755 index 91ac10a..1eef0b5 
--- a/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh +++ b/remediation-kits/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [[ $(rpm -qa firewalld) ]]; then diff --git a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh old mode 100644 new mode 100755 index 534fc6a..ace735d --- a/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh +++ b/remediation-kits/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + [[ -e /etc/issue.net ]] && chown root:root /etc/issue.net [[ -e /etc/issue.net ]] && chmod u-x,go-wx /etc/issue.net \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh old mode 100644 new mode 100755 index 4145f02..cdb6a4a --- a/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh +++ b/remediation-kits/system-configurations/4.60-ensure-iptables-is-not-enabled.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q iptables-services | grep -Psq "^iptables\-services.*" && systemctl is-enabled iptables | grep -Psiq "^enabled" && systemctl --now mask iptables.service \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh old mode 100644 new mode 100755 index 384e893..2a086f8 --- a/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh +++ b/remediation-kits/system-configurations/4.61-ensure-nftables-is-not-enabled.sh 
@@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q nftables | grep -Psq "^nftables\-*" && systemctl is-enabled nftables | grep -Psiq "^enabled" && systemctl --now mask nftables \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh old mode 100644 new mode 100755 index 808e410..871572d --- a/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh +++ b/remediation-kits/system-configurations/4.62-ensure-nftables-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ "$(rpm -qa nftables)" ]; then diff --git a/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh b/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh old mode 100644 new mode 100755 index df9fa2c..5ef75e8 --- a/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh +++ b/remediation-kits/system-configurations/4.63-ensure-iptables-packages-are-installed.sh @@ -1,2 +1,4 @@ +#!/usr/bin/bash + yum list | grep -q iptables && yum install -y iptables yum list | grep iptables-services && yum install -y iptables-services diff --git a/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh b/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh old mode 100644 new mode 100755 index e587dc6..201344c --- a/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh +++ b/remediation-kits/system-configurations/4.64-ensure-nftables-is-not-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + yum remove -y nftables \ No newline at end of file 
diff --git a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh old mode 100644 new mode 100755 index 5be62a6..9866ace --- a/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh +++ b/remediation-kits/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q firewalld | grep -Psq "^firewalld\-" && systemctl is-enabled firewalld | grep -Psiq "^enabled" && systemctl --now mask firewalld \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh b/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh index 5a19662..86b2a93 100755 --- a/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh +++ b/remediation-kits/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -qiP "^HISTSIZE" /etc/profile && sed -i "/^HISTSIZE/cHISTSIZE=100" /etc/profile || echo -e "HISTSIZE=100" >> /etc/profile diff --git a/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh b/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh index 51efeff..46d6862 100755 --- a/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh +++ b/remediation-kits/system-configurations/4.67-ensure-system-histfilesize-100.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + grep -qiP "^HISTFILESIZE" /etc/profile && sed -i "/^HISTFILESIZE/cHISTFILESIZE=100" /etc/profile || echo -e "HISTFILESIZE=100" >> /etc/profile 
diff --git a/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh b/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh old mode 100644 new mode 100755 index b6b5356..9eff1ed --- a/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh +++ b/remediation-kits/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh @@ -1,3 +1,4 @@ -#!/bin/bash +#!/usr/bin/bash + ls -l / | grep tmp | grep rwt || chmod o+t /tmp/ diff --git a/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh b/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh old mode 100644 new mode 100755 index 5e17351..1c9c277 --- a/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh +++ b/remediation-kits/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + chmod 400 /etc/ssh/*key chmod 400 /etc/ssh/*key.pub \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh b/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh old mode 100644 new mode 100755 index 73c9468..a728480 --- a/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh +++ b/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Eq "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" /etc/yum.conf && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" /etc/yum.conf || echo "gpgcheck=1" >> /etc/yum.conf for file in /etc/yum.repos.d/*; do grep -Eq "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" $file && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" $file || echo "gpgcheck=1" >> $file 
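Review bot: The check `ls -l / | grep tmp | grep rwt` in 4.68-ensure-permissions-TMP-is-correct.sh does not test /tmp itself. `grep tmp` passes any entry of `/` whose listing line contains "tmp", and `grep rwt` succeeds if any of those lines shows `rwt`, so another entry can satisfy the test while /tmp lacks the sticky bit. The matching lines are also printed to stdout. Testing the directory directly, `[[ -k /tmp ]] || chmod o+t /tmp`, removes the dependence on `ls` output.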
diff --git a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh old mode 100644 new mode 100755 index 580737f..644ce58 --- a/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh +++ b/remediation-kits/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh @@ -1,3 +1,4 @@ -#!/bin/bash +#!/usr/bin/bash + grep -Eisq '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf && sed -i '/\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf \ No newline at end of file diff --git a/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh b/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh old mode 100644 new mode 100755 index c99d025..411838c --- a/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh +++ b/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ -e /etc/fstab ]] && [[ -n "$(grep -Ps "\s+\/var\s+" /etc/fstab)" ]] && [[ -z "$(grep -Ps "\s+\/var\s+.*nosuid" /etc/fstab)" ]] ; then varLine=$(grep -Pn "\s+\/var\s+" /etc/fstab | cut -d: -f1) varCon=$(grep "\/var" /etc/fstab | awk '{print $4}') diff --git a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh old mode 100644 new mode 100755 index 326d680..ea79848 --- a/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh +++ b/remediation-kits/system-configurations/4.8-ensure-aide-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if [ ! "$(rpm -qa aide)" ]; then 
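Review bot: In 4.70-ensure-xdmcp-is-not-enabled.sh the `grep -Eisq` test anchors the key with `^\s*Enable`, but the sed address `/\s*Enable\s*=\s*true/Id` has no anchor. Once the test passes, sed therefore deletes every line of /etc/gdm/custom.conf that contains `Enable = true` anywhere, including keys that merely end in "Enable" (for example `AutomaticLoginEnable`) and commented-out lines. Anchoring the address the same way, `sed -i '/^\s*Enable\s*=\s*true/Id' /etc/gdm/custom.conf`, limits the deletion to the kind of line the test looks for.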
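Review bot: In 4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh, `varCon=$(grep "\/var" /etc/fstab | awk '{print $4}')` matches more loosely than the `\s+\/var\s+` pattern used on the lines around it. It also picks up entries such as /var/log or /var/tmp and comment lines that mention /var, so `varCon` can end up holding several option strings. Selecting on the mount-point field keeps it to the /var entry: `varCon=$(awk '$2 == "/var" {print $4}' /etc/fstab)`. The `if` block continues outside the hunk, so how `varLine` and `varCon` are used afterwards is not visible here.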
diff --git a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh old mode 100644 new mode 100755 index ee68146..c9643fe --- a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh +++ b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q aide | grep -Piq aide-.* && (crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root - diff --git a/tools/release/config_zh_font.sh b/tools/release/config_zh_font.sh index 6e4fe2b..7569cf7 100755 --- a/tools/release/config_zh_font.sh +++ b/tools/release/config_zh_font.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + mkdir -p /usr/share/fonts/winsfonts cur=$(pwd) diff --git a/tools/remediation-kits/run_Anolis_remediation_kit.sh b/tools/remediation-kits/run_Anolis_remediation_kit.sh index 93cdf0b..ac0d541 100755 --- a/tools/remediation-kits/run_Anolis_remediation_kit.sh +++ b/tools/remediation-kits/run_Anolis_remediation_kit.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + function helpinfo() { diff --git a/tools/scanners/run_Anolis_scanners.sh b/tools/scanners/run_Anolis_scanners.sh index 8cec3df..f187736 100755 --- a/tools/scanners/run_Anolis_scanners.sh +++ b/tools/scanners/run_Anolis_scanners.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + function helpInfo() { -- Gitee From 9d974ddf586ae093b7dca57c8ddb4a0e076bc88b Mon Sep 17 00:00:00 2001 From: YuQing Yang Date: Tue, 3 Sep 2024 10:38:56 +0800 Subject: [PATCH 2/3] scanners:Add shebang and execute permissions. Fixes: #IAO84G 
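Review bot: The shebang in tools/remediation-kits/run_Anolis_remediation_kit.sh changes from `#!/usr/bin/env bash` to `#!/usr/bin/bash` without a stated reason; the commit message only mentions adding shebangs. A fixed interpreter path means bash is no longer resolved through the caller's PATH, which is a reasonable choice for a tool that edits system configuration and is presumably run as root, but the script then fails where bash is not installed at /usr/bin/bash. A comment under the shebang such as `# Fixed interpreter path on purpose: bash is not looked up via PATH.` would record the intent. tools/scanners/run_Anolis_scanners.sh gets the same change, and `helpinfo()` continues outside the hunk.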
Signed-off-by: YuQing Yang --- .../access-and-control/1.1-ensure-cron-daemon-is-enabled.sh | 2 ++ .../access-and-control/1.10-ensure-ssh-access-is-limited.sh | 2 ++ ...permissions-on-ssh-private-host-key-files-are-configured.sh | 2 ++ ...-permissions-on-ssh-public-host-key-files-are-configured.sh | 2 ++ .../1.13-ensure-ssh-loglevel-is-appropriate.sh | 2 ++ .../1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh | 2 ++ .../1.15-ensure-ssh-ignorerhosts-is-enabled.sh | 2 ++ .../1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh | 2 ++ .../1.17-ensure-ssh-root-login-is-disabled.sh | 2 ++ .../1.18-ensure-ssh-permitemptypasswords-is-disabled.sh | 2 ++ .../1.19-ensure-ssh-permituserenvironment-is-disabled.sh | 2 ++ .../1.2-ensure-permissions-on-etc-crontab-are-configured.sh | 2 ++ .../1.20-ensure-ssh-idle-timeout-interval-is-configured.sh | 2 ++ ...1-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh | 2 ++ .../1.22-ensure-ssh-warning-banner-is-configured.sh | 2 ++ scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh | 2 ++ .../1.24-ensure-ssh-maxstartups-is-configured.sh | 2 ++ .../1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh | 2 ++ ...1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh | 2 ++ ....27-ensure-password-creation-requirements-are-configured.sh | 3 ++- ...nsure-lockout-for-failed-password-attempts-is-configured.sh | 2 ++ .../1.29-ensure-password-reuse-is-limited.sh | 2 ++ ...1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh | 2 ++ .../1.30-ensure-password-hashing-algorithm-is-sha-512.sh | 2 ++ .../1.31-ensure-password-expiration-is-365-days-or-less.sh | 2 ++ ...nsure-minimum-days-between-password-changes-is-7-or-more.sh | 2 ++ ....33-ensure-password-expiration-warning-days-is-7-or-more.sh | 2 ++ .../1.34-ensure-inactive-password-lock-is-30-days-or-less.sh | 2 ++ ...nsure-all-users-last-password-change-date-is-in-the-past.sh | 2 ++ .../1.36-ensure-system-accounts-are-secured.sh | 2 ++ 
...ensure-default-user-shell-timeout-is-900-seconds-or-less.sh | 2 ++ .../1.38-ensure-default-group-for-the-root-account-is-gid-0.sh | 2 ++ ....39-ensure-default-user-umask-is-027-or-more-restrictive.sh | 2 ++ .../1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh | 2 ++ .../1.40-ensure-access-to-the-su-command-is-restricted.sh | 2 ++ .../1.41-ensure-ssh-server-use-protocol_2.sh | 2 ++ ...-ensure-that-the-password-expires-between-30-and-90-days.sh | 2 ++ ...e-that-the-minimum-password-change-between-7-and-14-days.sh | 2 ++ ...sure-that-password-reuse-limit-is-between-5-and-25-times.sh | 2 ++ ...nsure-lockout-for-failed-password-attempts-is-configured.sh | 2 ++ ...fault-user-shell-timeout-is-between-600-and-1800-seconds.sh | 2 ++ .../1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh | 2 ++ .../1.49-lock-or-delete-the-shutdown-and-halt-users.sh | 2 ++ ...1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh | 2 ++ .../1.50-ensure-ssh-x11-forwarding-is-disabled.sh | 2 ++ .../1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh | 2 ++ .../1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh | 2 ++ ...1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh | 2 ++ scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh | 2 ++ ....6-ensure-permissions-on-etc-cron.monthly-are-configured.sh | 2 ++ .../1.7-ensure-permissions-on-etc-cron.d-are-configured.sh | 2 ++ .../1.8-ensure-at-cron-is-restricted-to-authorized-users.sh | 2 ++ ...ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh | 2 ++ ...s-are-not-read-or-write-accessible-by-unauthorized-users.sh | 2 ++ .../2.10-ensure-audit-tools-are-group-owned-by-root.sh | 2 ++ ...hanisms-are-used-to-protect-the-integrity-of-audit-tools.sh | 2 ++ .../logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh | 2 ++ .../2.13-ensure-rsyslog-service-is-enabled.sh | 2 ++ .../2.14-ensure-rsyslog-default-file-permissions-configured.sh | 2 ++ 
...-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh | 2 ++ ...16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh | 2 ++ ...nsure-journald-is-configured-to-compress-large-log-files.sh | 2 ++ ...rnald-is-configured-to-write-logfiles-to-persistent-disk.sh | 2 ++ .../logging-and-auditing/2.19-ensure-audit-is-installed.sh | 2 ++ .../2.2-ensure-only-authorized-users-own-audit-log-files.sh | 2 ++ .../2.20-ensure-audit-service-is-enabled.sh | 2 ++ ...2.21-make-sure-to-collect-file-deletion-events-for-users.sh | 3 ++- ...ges-to-the-system-management-scope-sudoers-are-collected.sh | 2 ++ ...-events-that-modify-user-group-information-are-collected.sh | 2 ++ ...successful-attempts-to-use-the-chsh-command-are-recorded.sh | 3 ++- .../2.25-ensure-audit-logs-are-not-automatically-deleted.sh | 3 ++- ...ensure-the-running-and-on-disk-configuration-is-the-same.sh | 2 ++ ....27-ensure-that-the-firewall-logging-function-is-enabled.sh | 2 ++ .../2.28-ensure-login-and-logout-events-are-collected.sh | 2 ++ .../logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh | 2 ++ ...sure-only-authorized-groups-ownership-of-audit-log-files.sh | 2 ++ ...nsure-events-that-modify-the-sudo-log-file-are-collected.sh | 2 ++ .../2.31-ensure-use-of-privileged-commands-are-collected.sh | 2 ++ ...ess-control-permission-modification-events-are-collected.sh | 2 ++ ...sure-the-audit-log-directory-is-0750-or-more-restrictive.sh | 2 ++ ...e-audit-configuration-files-are-0640-or-more-restrictive.sh | 3 ++- ...ly-authorized-accounts-own-the-audit-configuration-files.sh | 3 ++- ...only-authorized-groups-own-the-audit-configuration-files.sh | 3 ++- ...-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh | 2 ++ .../2.9-ensure-audit-tools-are-owned-by-root.sh | 2 ++ .../5.1-ensure-selinux-is-installed.sh | 2 ++ .../5.2-ensure-selinux-policy-is-configured.sh | 3 ++- .../5.3-ensure-the-selinux-mode-is-enabled.sh | 3 ++- .../5.4-ensure-the-selinux-mode-is-enforcing.sh | 3 ++- 
.../5.5-ensure-no-unconfined-services-exist.sh | 3 ++- .../5.9-ensure-setroubleshoot-is-not-installed.sh | 3 ++- scanners/services/3.1-disable-http-server.sh | 2 ++ scanners/services/3.10-disable-rsync-server.sh | 2 ++ scanners/services/3.11-disable-avahi-server.sh | 2 ++ scanners/services/3.12-disable-snmp-server.sh | 2 ++ scanners/services/3.13-disable-http-proxy-server.sh | 2 ++ scanners/services/3.14-disable-samba.sh | 2 ++ scanners/services/3.15-disable-imap-and-pop3-server.sh | 2 ++ scanners/services/3.16-disable-smtp-protocol.sh | 2 ++ scanners/services/3.17-disable-or-uninstall-the-telnet.sh | 3 ++- scanners/services/3.18-uninstall-the-avahi-server.sh | 2 ++ scanners/services/3.19-uninstall-the-kexec-tools.sh | 2 ++ scanners/services/3.2-disable-ftp-server.sh | 2 ++ scanners/services/3.20-uninstall-the-firstboot.sh | 2 ++ scanners/services/3.21-uninstall-the-wpa_supplicant.sh | 2 ++ scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh | 3 ++- scanners/services/3.23-disable-rsh.sh | 2 ++ scanners/services/3.24-disable-ntalk.sh | 2 ++ scanners/services/3.25-ensure-xinetd-is-not-installed.sh | 3 ++- scanners/services/3.26-disable-usb-storage.sh | 2 ++ .../services/3.27-ensure-time-synchronization-is-installed.sh | 3 ++- scanners/services/3.28-disable-automounting.sh | 2 ++ scanners/services/3.3-disable-dns-server.sh | 2 ++ scanners/services/3.4-disable-nfs.sh | 2 ++ scanners/services/3.5-disable-rpc.sh | 2 ++ scanners/services/3.6-disable-ldap-server.sh | 2 ++ scanners/services/3.7-disable-dhcp-server.sh | 2 ++ scanners/services/3.8-disable-cups.sh | 2 ++ scanners/services/3.9-disable-nis-server.sh | 2 ++ .../4.1-ensure-message-of-the-day-is-configured-properly.sh | 2 ++ .../4.10-ensure-bootloader-password-is-set.sh | 2 ++ ...1-ensure-permissions-on-bootloader-config-are-configured.sh | 3 ++- ...4.12-ensure-authentication-required-for-single-user-mode.sh | 2 ++ .../4.13-ensure-core-dumps-are-restricted.sh | 2 ++ 
...ure-address-space-layout-randomization-(ASLR)-is-enabled.sh | 2 ++ .../4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh | 2 ++ ...sure-sticky-bit-is-set-on-all-world-writable-directories.sh | 2 ++ .../4.17-ensure-permissions-on-etc-passwd-are-configured.sh | 2 ++ .../4.18-ensure-permissions-on-etc-shadow-are-configured.sh | 2 ++ .../4.19-ensure-permissions-on-etc-group-are-configured.sh | 2 ++ ...ensure-local-login-warning-banner-is-configured-properly.sh | 2 ++ .../4.20-ensure-permissions-on-etc-gshadow-are-configured.sh | 2 ++ .../4.21-ensure-permissions-on-etc-passwd--are-configured.sh | 2 ++ .../4.22-ensure-permissions-on-etc-shadow--are-configured.sh | 2 ++ .../4.23-ensure-permissions-on-etc-group--are-configured.sh | 2 ++ .../4.24-ensure-permissions-on-etc-gshadow--are-configured.sh | 2 ++ .../4.25-ensure-no-world-writable-files-exist.sh | 2 ++ .../4.26-ensure-no-unowned-files-or-directories-exist.sh | 2 ++ .../4.27-ensure-no-ungrouped-files-or-directories-exist.sh | 2 ++ .../4.28-ensure-no-password-fields-are-not-empty.sh | 2 ++ .../system-configurations/4.29-ensure-root-path-integrity.sh | 2 ++ ...nsure-remote-login-warning-banner-is-configured-properly.sh | 2 ++ .../4.30-ensure-root-is-the-only-uid-0-account.sh | 2 ++ ...home-directories-permissions-are-750-or-more-restrictive.sh | 2 ++ .../4.32-ensure-users-own-their-home-directories.sh | 2 ++ ...3-ensure-users-dot-files-are-not-group-or-world-writable.sh | 2 ++ .../4.34-ensure-no-users-have-.forward-files.sh | 2 ++ .../4.35-ensure-no-users-have-.netrc-files.sh | 2 ++ ...ure-users-.netrc-files-are-not-group-or-world-accessible.sh | 2 ++ .../4.37-ensure-no-users-have-.rhosts-files.sh | 2 ++ .../4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh | 2 ++ .../4.39-ensure-no-duplicate-uids-exist.sh | 2 ++ .../4.4-ensure-permissions-on-etc-motd-are-configured.sh | 2 ++ .../4.40-ensure-no-duplicate-gids-exist.sh | 2 ++ .../4.41-ensure-no-duplicate-user-names-exist.sh | 2 ++ 
.../4.42-ensure-no-duplicate-group-names-exist.sh | 2 ++ .../4.43-ensure-all-users-home-directories-exist.sh | 2 ++ scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh | 2 ++ scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh | 2 ++ .../4.46-ensure-wireless-interfaces-are-disabled.sh | 2 ++ .../4.47-ensure-ip-forwarding-is-disabled.sh | 2 ++ .../4.48-ensure-packet-redirect-sending-is-disabled.sh | 2 ++ .../4.49-ensure-source-routed-packets-are-not-accepted.sh | 2 ++ .../4.5-ensure-permissions-on-etc-issue-are-configured.sh | 2 ++ .../4.50-ensure-icmp-redirects-are-not-accepted.sh | 2 ++ .../4.51-ensure-secure-icmp-redirects-are-not-accepted.sh | 2 ++ .../4.52-ensure-suspicious-packets-are-logged.sh | 2 ++ .../4.53-ensure-broadcast-icmp-requests-are-ignored.sh | 2 ++ .../4.54-ensure-bogus-icmp-responses-are-ignored.sh | 2 ++ .../4.55-ensure-reverse-path-filtering-is-enabled.sh | 2 ++ .../4.56-ensure-tcp-syn-cookies-is-enabled.sh | 2 ++ .../4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh | 2 ++ .../4.58-ensure-a-firewall-package-is-installed.sh | 2 ++ .../4.59-ensure-firewalld-service-is-enabled-and-running.sh | 2 ++ .../4.6-ensure-permissions-on-etc-issue.net-are-configured.sh | 2 ++ .../4.60-ensure-iptables-is-not-enabled.sh | 2 ++ .../4.61-ensure-nftables-is-not-enabled.sh | 2 ++ .../4.62-ensure-nftables-service-is-enabled.sh | 2 ++ .../4.63-ensure-iptables-packages-are-installed.sh | 2 ++ .../4.64-ensure-nftables-is-not-installed.sh | 2 ++ ...-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh | 2 ++ .../4.66-ensure-system-histsize-as-100-or-other.sh | 3 ++- .../4.67-ensure-system-histfilesize-100.sh | 3 ++- .../4.68-ensure-permissions-TMP-is-correct.sh | 3 ++- ....69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh | 3 ++- .../4.7-ensure-gpgcheck-is-globally-activated.sh | 2 ++ .../system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh | 3 ++- ...4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh | 2 
++ scanners/system-configurations/4.8-ensure-aide-is-installed.sh | 2 ++ .../4.9-ensure-filesystem-integrity-is-regularly-checked.sh | 2 ++ 190 files changed, 380 insertions(+), 22 deletions(-) mode change 100644 => 100755 scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh mode change 100644 => 100755 scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh mode change 100644 => 100755 scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh mode change 100644 => 100755 scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh mode change 100644 => 100755 scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh mode change 100644 => 100755 scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh mode change 100644 => 100755 scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh mode change 100644 => 100755 
scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh mode change 100644 => 100755 scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh mode change 100644 => 100755 scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh mode change 100644 => 100755 scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh mode change 100644 => 100755 scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh mode change 100644 => 100755 scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh mode change 100644 => 100755 scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh mode change 100644 => 100755 scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh mode change 100644 => 100755 scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh mode change 100644 => 100755 scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh mode change 100644 => 100755 scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh mode change 100644 => 100755 scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh mode change 100644 => 100755 scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh mode change 100644 => 100755 
scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh mode change 100644 => 100755 scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh mode change 100644 => 100755 scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh mode change 100644 => 100755 scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh mode change 100644 => 100755 scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh mode change 100644 => 100755 scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh mode change 100644 => 100755 scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh mode change 100644 => 100755 scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh mode change 100644 => 100755 scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh mode change 100644 => 100755 scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh mode change 100644 => 100755 scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh mode change 100644 => 100755 
scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh mode change 100644 => 100755 scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
mode change 100644 => 100755 scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh mode change 100644 => 100755 
scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh mode change 100644 => 100755 scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh mode change 100644 => 100755 scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh mode change 100644 => 100755 scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh mode change 100644 => 100755 scanners/services/3.10-disable-rsync-server.sh mode change 100644 => 100755 scanners/services/3.11-disable-avahi-server.sh mode change 100644 => 100755 scanners/services/3.12-disable-snmp-server.sh mode change 100644 => 100755 scanners/services/3.13-disable-http-proxy-server.sh mode change 100644 => 100755 scanners/services/3.14-disable-samba.sh mode change 100644 => 100755 scanners/services/3.15-disable-imap-and-pop3-server.sh mode change 100644 => 100755 scanners/services/3.16-disable-smtp-protocol.sh mode change 100644 => 100755 scanners/services/3.17-disable-or-uninstall-the-telnet.sh mode change 100644 => 100755 scanners/services/3.18-uninstall-the-avahi-server.sh mode change 100644 => 100755 scanners/services/3.19-uninstall-the-kexec-tools.sh mode change 100644 => 100755 scanners/services/3.2-disable-ftp-server.sh mode change 100644 => 100755 scanners/services/3.20-uninstall-the-firstboot.sh mode change 100644 => 100755 scanners/services/3.21-uninstall-the-wpa_supplicant.sh mode change 100644 => 100755 scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh mode change 100644 => 100755 scanners/services/3.23-disable-rsh.sh mode change 100644 => 100755 scanners/services/3.24-disable-ntalk.sh mode change 100644 => 100755 scanners/services/3.25-ensure-xinetd-is-not-installed.sh mode change 100644 => 100755 scanners/services/3.26-disable-usb-storage.sh mode change 100644 => 100755 scanners/services/3.27-ensure-time-synchronization-is-installed.sh mode change 100644 => 100755 scanners/services/3.28-disable-automounting.sh mode change 
100644 => 100755 scanners/services/3.3-disable-dns-server.sh mode change 100644 => 100755 scanners/services/3.4-disable-nfs.sh mode change 100644 => 100755 scanners/services/3.5-disable-rpc.sh mode change 100644 => 100755 scanners/services/3.6-disable-ldap-server.sh mode change 100644 => 100755 scanners/services/3.7-disable-dhcp-server.sh mode change 100644 => 100755 scanners/services/3.8-disable-cups.sh mode change 100644 => 100755 scanners/services/3.9-disable-nis-server.sh mode change 100644 => 100755 scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh mode change 100644 => 100755 scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh mode change 100644 => 100755 scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh mode change 100644 => 100755 scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh mode change 100644 => 100755 scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh mode change 100644 => 100755 scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh mode change 100644 => 100755 scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh mode change 100644 => 100755 scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh mode change 100644 => 100755 
scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh mode change 100644 => 100755 scanners/system-configurations/4.29-ensure-root-path-integrity.sh mode change 100644 => 100755 scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh mode change 100644 => 100755 scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh mode change 100644 => 100755 scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh mode change 100644 => 100755 scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh mode change 100644 => 100755 scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh mode change 100644 => 100755 scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh mode change 100644 => 100755 scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh mode change 100644 => 100755 
scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh mode change 100644 => 100755 scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh mode change 100644 => 100755 scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh mode change 100644 => 100755 scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh mode change 100644 => 100755 scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh mode change 100644 => 100755 scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh mode change 100644 => 100755 scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh mode change 100644 => 100755 scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh mode change 100644 => 100755 scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh mode change 100644 => 100755 scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh mode change 100644 => 100755 scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh mode change 100644 => 100755 scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh mode change 100644 => 100755 
scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh mode change 100644 => 100755 scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh mode change 100644 => 100755 scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh mode change 100644 => 100755 scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh mode change 100644 => 100755 scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh mode change 100644 => 100755 scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh mode change 100644 => 100755 scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh mode change 100644 => 100755 scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh mode change 100644 => 100755 scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh mode change 100644 => 100755 scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh mode change 100644 => 100755 scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh mode change 100644 => 100755 scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh mode change 100644 => 100755 scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh mode change 100644 => 100755 scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh mode change 100644 => 100755 scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh mode change 100644 => 100755 scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh mode change 100644 => 100755 scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh mode change 100644 => 100755 scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh mode change 100644 => 100755 
scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh mode change 100644 => 100755 scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh mode change 100644 => 100755 scanners/system-configurations/4.8-ensure-aide-is-installed.sh mode change 100644 => 100755 scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh diff --git a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh old mode 100644 new mode 100755 index 708f491..b9432fc --- a/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh +++ b/scanners/access-and-control/1.1-ensure-cron-daemon-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=$(systemctl is-enabled crond) if [[ $result == "enabled" ]]; then echo "pass" diff --git a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh old mode 100644 new mode 100755 index e939fc4..a36b36c --- a/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh +++ b/scanners/access-and-control/1.10-ensure-ssh-access-is-limited.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sshd -T | grep -Piq '^(allow|deny)(users|groups)\s+.*' && grep -Piq '^\h*(allow|deny)(users|groups)\h+.*$' /etc/ssh/sshd_config && result=true diff --git a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh old mode 100644 new mode 100755 index ab197fd..52889e7 --- a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh +++ b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result_root=false result_ssh_keys=false 
diff --git a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh old mode 100644 new mode 100755 index 545fbba..dd081e2 --- a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh +++ b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Piq "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true diff --git a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh old mode 100644 new mode 100755 index 9756b8c..a17e4cb --- a/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh +++ b/scanners/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^loglevel\s+(INFO|VERBOSE)$") configFileSettings=$(grep -Pi '^\s*loglevel\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*loglevel\s+(INFO|VERBOSE)\b') diff --git a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh old mode 100644 new mode 100755 index 2b29e11..167eb4e --- a/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh +++ b/scanners/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\s+[0-4]$') configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*maxauthtries\s+[0-4]{1}\b') 
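Review bot: The `find … | grep -Piq "root\-root\-(…)" || result=true` line in 1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh fails open, because it passes whenever no file matches and the pattern only matches root:root files whose group and other mode digits are both 5–7. A public host key with mode 646 or 664, or one owned by a different user or group, never matches and the check reports success. If the intent is root:root with 0644 or stricter, let find select the violators instead: `[ -z "$(find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' \( -perm /133 -o ! -user root -o ! -group root \))" ] && result=true`. The rest of the script is outside the hunk.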
diff --git a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh old mode 100644 new mode 100755 index 8f30d5b..fdd8d17 --- a/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh +++ b/scanners/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^ignorerhosts\s+yes$") configFileSettings=$(grep -Pim1 '^\s*ignorerhosts\b' /etc/ssh/sshd_config | grep -Pvi '^\s*ignorerhosts\s+yes\b') diff --git a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh old mode 100644 new mode 100755 index e77578e..8e027e5 --- a/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh +++ b/scanners/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^hostbasedauthentication\s+no$") configFileSettings=$(grep -Pim1 '^\s*hostbasedauthentication\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*hostbasedauthentication\s+no\b') diff --git a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh old mode 100644 new mode 100755 index ab9dc77..02bba6e --- a/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh +++ b/scanners/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^permitrootlogin\s+no$") configFileSettings=$(grep -Pim1 '^\s*permitrootlogin\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitrootlogin\s+no\b') 
diff --git a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh old mode 100644 new mode 100755 index 80641bb..4b0f122 --- a/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh +++ b/scanners/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^permitemptypasswords\s+no$") configFileSettings=$(grep -Pim1 '^\s*permitemptypasswords\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permitemptypasswords\s+no\b') diff --git a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh old mode 100644 new mode 100755 index 073bd98..2558c4c --- a/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh +++ b/scanners/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^permituserenvironment\s+no$") configFileSettings=$(grep -Pim1 '^\s*permituserenvironment\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*permituserenvironment\s+no\b') diff --git a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh old mode 100644 new mode 100755 index 0debad1..7f3bd77 --- a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh +++ b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/crontab | grep -Pq '^[0-6][0][0]\-root\-root$' && result=true 
diff --git a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh old mode 100644 new mode 100755 index 2cd6792..b57c8ff --- a/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh +++ b/scanners/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + checkPoint=false loadedSystemConfig_clientalivecountmax=$(sshd -T | grep -Pi '^clientalivecountmax\s+[0]{1}$') configFileSettings_clientalivecountmax=$(grep -Pim1 '^\s*ClientAliveCountMax\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*ClientAliveCountMax\s+[0]{1}\b') diff --git a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh old mode 100644 new mode 100755 index e57f146..5204ebc --- a/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh +++ b/scanners/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^logingracetime\b" | awk '{ if ($2 > 60) print 1; else print 0 }') configFileType=$(grep -Pim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | grep -Poi '[s|m]$' | tr 'A-Z' 'a-z') configFileSettings=$(grep -Poim1 '^\s*logingracetime\s+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}') diff --git a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh old mode 100644 new mode 100755 index ce0cfbd..124664f --- a/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh +++ b/scanners/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh 
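Review bot: In 1.20-ensure-ssh-idle-timeout-interval-is-configured.sh, the two patterns that demand `clientalivecountmax 0` should be re-checked against the OpenSSH release shipped on the target. To my knowledge, from OpenSSH 8.2 onward a count of 0 disables termination of unresponsive sessions instead of dropping them after the first missed probe. On such a release this check would reward the configuration it is meant to catch. If that applies, require a small non-zero count together with a non-zero ClientAliveInterval, for example `'^clientalivecountmax\s+[1-3]$'`. The remainder of the script is outside the hunk, so the interval handling could not be reviewed.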
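Review bot: The `awk '{ if ($2 > 60) print 1; else print 0 }'` test on the `sshd -T` output in 1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh accepts a LoginGraceTime of 0, which sshd treats as no time limit at all. A host with the grace period disabled therefore looks compliant to the effective-config half of the check. Bound the value on both sides: `awk '{ if ($2 < 1 || $2 > 60) print 1; else print 0 }'`. The config-file branch also uses `[s|m]$`, where the `|` is a literal member of the character class; `[sm]$` says what is meant. The script continues outside the hunk.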
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^banner\s+none$") configFileSettings=$(grep -Pim1 "^\s*Banner\s+.*$" /etc/ssh/sshd_config) diff --git a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh old mode 100644 new mode 100755 index e0bf858..d6cb387 --- a/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh +++ b/scanners/access-and-control/1.23-ensure-ssh-pam-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^usepam\s+yes$") configFileSettings=$(grep -Pi '^\s*usepam\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*usepam\s+yes\b') diff --git a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh old mode 100644 new mode 100755 index e2a0e29..80df41e --- a/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh +++ b/scanners/access-and-control/1.24-ensure-ssh-maxstartups-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false maxstartups_first=$(sshd -T | grep -Pi "^\s*maxstartups\b" | awk '{print $2}' | awk -F: '{print $1}') diff --git a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh old mode 100644 new mode 100755 index 4f6d3d8..dadc542 --- a/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh +++ b/scanners/access-and-control/1.25-ensure-ssh-maxsessions-is-set-to-10-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^MaxSessions\b" | awk '{ if ($2 > 10) print 1; else print 0 }') configFileSettings=$(grep -Pim1 '^\s*MaxSessions\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 10) print 1; else print 0 }') 
diff --git a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh old mode 100644 new mode 100755 index 853874e..a15af4b --- a/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh +++ b/scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -iPq '^\s*CRYPTO_POLICY\s*\=' /etc/sysconfig/sshd || result=true diff --git a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh old mode 100644 new mode 100755 index f7ad91b..813cf8e --- a/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh +++ b/scanners/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + # 定义检查函数 check_file_contains() { diff --git a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 977e56e..8cd87f3 --- a/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 
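Review bot: Replacing `#!/bin/bash` with `#!/usr/bin/bash` in 1.27-ensure-password-creation-requirements-are-configured.sh narrows where the script can start. `/usr/bin/bash` is not guaranteed on systems without a merged /usr, while `/bin/bash` resolves on both layouts. The same interpreter line is added by the other hunks of this patch. These checks are presumably run as root, so an absolute path is preferable to a PATH lookup through `env`, and I would keep `#!/bin/bash` throughout.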
diff --git a/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh b/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh old mode 100644 new mode 100755 index 3d2e3ef..e5059aa --- a/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh +++ b/scanners/access-and-control/1.29-ensure-password-reuse-is-limited.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\h+password\h+sufficient\h+pam_unix.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 grep -Pi "^\h+password\h+requisite\h+pam_pwhistory.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 diff --git a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh old mode 100644 new mode 100755 index ebcfa84..ca38447 --- a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh +++ b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.hourly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh old mode 100644 new mode 100755 index 9dc74f6..a4a0d32 --- a/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh +++ b/scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "^\s*password\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/password-auth && grep -Eiq "^\s*password\s+\bsufficient\s+\bpam_unix.so\s+.*\bsha512\s*.*$" /etc/pam.d/system-auth && result=true 
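Review bot: Both patterns in 1.29-ensure-password-reuse-is-limited.sh start with `^\h+`, which requires at least one leading blank, but PAM stack lines normally begin in column 0. On such a file the first grep prints nothing, the following `grep -Pqv` sees empty input, and neither line can ever reach `echo 'fail'`, so a missing `remember=` goes unreported by this part of the script. Use `^\h*` and escape the dot, e.g. `grep -Pi "^\h*password\h+sufficient\h+pam_unix\.so\h+" /etc/pam.d/system-auth`, and the same for the `pam_pwhistory.so` line. What the script does after these two lines is outside the hunk.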
diff --git a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh old mode 100644 new mode 100755 index b337840..bb66875 --- a/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh +++ b/scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loginPassMaxDaysVaule=$(grep -P "^\s*PASS_MAX_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 <= 365) print $2;}') userPassMaxDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$5 == "" || $5 > 365 {print 1}') diff --git a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh old mode 100644 new mode 100755 index 019a235..7c2250e --- a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh +++ b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loginPassMinDaysVaule=$(grep -P "^\s*PASS_MIN_DAYS\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') userPassMinDaysVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$4 == "" || $4 < 7 {print 1}') diff --git a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh old mode 100644 new mode 100755 index 0acea60..ef1cac7 --- a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh +++ b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + loginPassWarnageVaule=$(grep -P "^\s*PASS_WARN_AGE\s+[0-9]+\b" /etc/login.defs | awk '{ if ($2 >= 7) print $2;}') userPassWarnageVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$6 == "" || $6 < 7 {print 1}') diff --git a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh old mode 100644 new mode 100755 index 0598ef6..7c9bd8c --- a/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh +++ b/scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + inactiveVaule=$(grep -P "^\s*INACTIVE=[0-9]+\b" /etc/default/useradd | awk -F= '{ if ($2 <= 30) print $2;}') userInactiveVaule=$(grep -P '^[^:]+:[^!*]' /etc/shadow | awk -F: '$7 == "" || $7 > 30 { print 1 }') diff --git a/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh b/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh old mode 100644 new mode 100755 index 184d602..079d213 --- a/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh +++ b/scanners/access-and-control/1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo "$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)"; done` if [[ -z "$result" ]]; then diff --git a/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh b/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh old mode 100644 new mode 100755 index 996932a..ad95c99 --- a/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh 
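Review bot: In 1.35-ensure-all-users-last-password-change-date-is-in-the-past.sh the test `[[ $(chage --list $usr | ...) > $(date) ]]` compares two date strings lexicographically, so the outcome depends on how the month and weekday names sort rather than on time. Converting both sides to epoch seconds with GNU date would make the comparison chronological, e.g. `last=$(date -d "$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)" +%s)` followed by `(( last > $(date +%s) ))`. Accounts whose field reads `never` need to be skipped before the conversion, and `$usr` should be quoted. The `if` that consumes `result` continues outside the hunk.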
+++ b/scanners/access-and-control/1.36-ensure-system-accounts-are-secured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + val_nologin="" val_lock="" diff --git a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh old mode 100644 new mode 100755 index f51d16a..7319e73 --- a/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh +++ b/scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" diff --git a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh old mode 100644 new mode 100755 index 4f9bb38..fa85c8b --- a/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh +++ b/scanners/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep "^root:" /etc/passwd | cut -f4 -d: | grep -q 0 && result=true diff --git a/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh old mode 100644 new mode 100755 index 8a1e366..306bedc --- a/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh +++ b/scanners/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + # umask 设置标记,检查umask是否已配置 umaskSetTag="" # 以下两个条件,符合其中一种即为true 
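Review bot: In 1.38-ensure-default-group-for-the-root-account-is-gid-0.sh the final `grep -q 0` matches any GID that merely contains the digit 0, so a root entry with GID 10 or 100 is reported as compliant. Matching the whole field fixes it: `grep "^root:" /etc/passwd | cut -f4 -d: | grep -qx 0 && result=true`. The lines that print the verdict are outside the hunk.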
diff --git a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh old mode 100644 new mode 100755 index 9db8477..db3455a --- a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh +++ b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.daily | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh old mode 100644 new mode 100755 index 7b55777..3d53eb1 --- a/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh +++ b/scanners/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*\s+use_uid(\s+\S+)*\s*(\s+#.*)?$" /etc/pam.d/su && grep -Eiq "^wheel:x:10:" /etc/group && result=true diff --git a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh index b10a262..85d62b3 100755 --- a/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh +++ b/scanners/access-and-control/1.41-ensure-ssh-server-use-protocol_2.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false protocol_value=$(grep -Pim1 "^Protocol\s+" /etc/ssh/sshd_config | awk '{print $2}') diff --git a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh old mode 100644 new mode 100755 index f174ae8..ae4017b --- a/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh 
+++ b/scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + val_Pass_Max_Days=99999 result_Pass_Max_Days_User=true val_Pass_Max_Days=`grep -Ei "^\s*\bPASS_MAX_DAYS\b\s" /etc/login.defs | cut -f2` diff --git a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh old mode 100644 new mode 100755 index b7f93dd..3aa38ad --- a/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh +++ b/scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + val_Pass_Min_Days=0 result_Pass_Min_Days_User=true val_Pass_Min_Days=`grep -Ei "^\s*\bPASS_Min_DAYS\b\s" /etc/login.defs | cut -f2` diff --git a/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh b/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh old mode 100644 new mode 100755 index 8ab4fb5..ce7fb1a --- a/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh +++ b/scanners/access-and-control/1.44-ensure-that-password-reuse-limit-is-between-5-and-25-times.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\s*password\h+sufficient\h+pam_unix.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 grep -Pi "^\s*password\h+requisite\h+pam_pwhistory.so\h+" /etc/pam.d/system-auth | grep -Pqv "\bremember\s*=\s*[0-9]+" && echo 'fail' && exit 1 diff --git a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh old mode 100644 new mode 100755 index 6f39039..c2f3dc1 
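Review bot: In the 1.42 (password expires between 30 and 90 days) and 1.43 (minimum change between 7 and 14 days) scanners the value is extracted with `cut -f2`, whose default delimiter is a tab. When `/etc/login.defs` separates key and value with spaces, cut returns the whole line, so the variable holds the key and value together rather than the number. The 1.31 and 1.32 scanners in this patch read the same keys with awk's `$2`, which handles both separators; `awk '{print $2}'` in place of `cut -f2` would match them. The range comparison is outside both hunks, so how it treats a non-numeric value should be checked there.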
--- a/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh +++ b/scanners/access-and-control/1.45-ensure-lockout-for-failed-password-attempts-is-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/password-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 grep -Pi "^\s*auth\s+required\s+pam_faillock.so\b\s+.*" /etc/pam.d/system-auth | grep -Pqiv "(?=.*\bdeny=[0-9]+\b)(?=.*unlock_time=[0-9]+)" && echo 'fail' && exit 1 diff --git a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh old mode 100644 new mode 100755 index 83d9899..bdb94d7 --- a/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh +++ b/scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true [ -f /etc/bashrc ] && BRC="/etc/bashrc" diff --git a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh old mode 100644 new mode 100755 index ac88a26..75f2230 --- a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh +++ b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi '^\s*maxauthtries\b' | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') configFileSettings=$(grep -Pim1 '^\s*maxauthtries\s+' /etc/ssh/sshd_config | awk '{ if ($2 > 5 || $2 < 3) print 1; else print 0 }') 
diff --git a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh old mode 100644 new mode 100755 index 3b3b272..9a7a6d5 --- a/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh +++ b/scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" shutdownCheck=$(grep -P "^shutdown\b" /etc/shadow) haltCheck=$(grep -P "^halt\b" /etc/shadow) diff --git a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh old mode 100644 new mode 100755 index 0648967..02e990e --- a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh +++ b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.weekly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 85f8e6a..129355a --- a/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh +++ b/scanners/access-and-control/1.50-ensure-ssh-x11-forwarding-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + loadedSystemConfig=$(sshd -T | grep -Pi "^x11forwarding\s+no$") configFileSettings=$(grep -Pim1 '^\s*x11forwarding\s+' /etc/ssh/sshd_config | grep -Pvi '^\s*x11forwarding\s+no\b') diff --git a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 8a98570..eaf145f 
--- a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false modprobe -n -v udf | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^udf\b")" && grep -Pq "^blacklist\s*udf\b" /etc/modprobe.d/* && result=true diff --git a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 0254426..179fc59 --- a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false modprobe -n -v cramfs | grep -Pq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^cramfs\b")" && grep -Pq "^blacklist\b\s*cramfs\b" /etc/modprobe.d/* && result=true diff --git a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh old mode 100644 new mode 100755 index 06f19b6..e0e828d --- a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh +++ b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false echo $(modprobe -n -v squashfs) | grep -Psq "^install\s+\/bin/false\b" && test -z "$(lsmod | grep -P "^squashfs\b")" && grep -Pq "^blacklist\s+squashfs\b" /etc/modprobe.d/* && result=true if [[ "$result" == "true" ]]; then diff --git a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh old mode 100644 new mode 100755 index 0b37fde..b6cb503 
--- a/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh +++ b/scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" shutdownCheck=$(grep -P "^bin\b" /etc/shadow) result=false diff --git a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh old mode 100644 new mode 100755 index e3faeef..49c4b2a --- a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh +++ b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.monthly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh old mode 100644 new mode 100755 index dd2a6c9..8cdd627 --- a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh +++ b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/cron.d | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh old mode 100644 new mode 100755 index 1b70bfc..f2900dd --- a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh +++ b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result_cron_deny=false result_at_deny=false result_cron_allow=false 
diff --git a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh old mode 100644 new mode 100755 index f36559d..85b512c --- a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh +++ b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/ssh/sshd_config | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true diff --git a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh old mode 100644 new mode 100755 index 9d01c4e..ab33767 --- a/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh +++ b/scanners/logging-and-auditing/2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") diff --git a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh old mode 100644 new mode 100755 index 685e5c7..372c059 --- a/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh +++ b/scanners/logging-and-auditing/2.10-ensure-audit-tools-are-group-owned-by-root.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=0 for i in $(stat -c "%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) do 
diff --git a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh old mode 100644 new mode 100755 index 451fb7b..0e5d7cf --- a/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh +++ b/scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ -e /etc/aide/aide.conf ]]; then checkContent="p\+i\+n\+u\+g\+s\+b\+acl\+xattrs\+sha512\b$" lineNumber=$(grep -Ecs -e "^/sbin/auditctl\s+$checkContent" \ diff --git a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh old mode 100644 new mode 100755 index fae435e..98dbf3a --- a/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh +++ b/scanners/logging-and-auditing/2.12-ensure-rsyslog-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q rsyslog >/dev/null 2>&1 && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh old mode 100644 new mode 100755 index 7281446..b38473b --- a/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh +++ b/scanners/logging-and-auditing/2.13-ensure-rsyslog-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if rpm -q rsyslog >/dev/null 2>&1 ; then result=$(systemctl is-enabled rsyslog) if [[ $result == "enabled" ]]; then diff --git a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh old mode 100644 new mode 100755 index adeaa1c..df9408a 
--- a/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh +++ b/scanners/logging-and-auditing/2.14-ensure-rsyslog-default-file-permissions-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + value=$(grep -P "^\s*\\\$FileCreateMode\s+[0-9]{4}\s*$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -o [0-9]*) if [[ -n $value ]]; then diff --git a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh old mode 100644 new mode 100755 index c211841..478eeb7 --- a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh +++ b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Psq "^\*\.\*\s*\@{1,2}.*" /etc/rsyslog.conf /etc/rsyslog.d/*.conf && result=true diff --git a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh old mode 100644 new mode 100755 index 84c7445..5e219b7 --- a/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh +++ b/scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /etc/systemd/journald.conf ]]; then diff --git a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh old mode 100644 new mode 100755 index fde6776..60e167f --- a/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh +++ b/scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /etc/systemd/journald.conf ]]; then diff --git a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh old mode 100644 new mode 100755 index 63f4399..b051378 --- a/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh +++ b/scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /etc/systemd/journald.conf ]]; then diff --git a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh old mode 100644 new mode 100755 index dcd71da..0257100 --- a/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh +++ b/scanners/logging-and-auditing/2.19-ensure-audit-is-installed.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh old mode 100644 new mode 100755 index 0d051e7..38adc58 --- a/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh +++ b/scanners/logging-and-auditing/2.2-ensure-only-authorized-users-own-audit-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") diff --git a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh old mode 100644 new mode 100755 index 7d1e1fe..ae5ed34 
--- a/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh +++ b/scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if rpm -q audit >/dev/null 2>&1 && rpm -q audit-libs >/dev/null 2>&1 ; then result=$(systemctl is-enabled auditd) if [[ $result == "enabled" ]]; then diff --git a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh old mode 100644 new mode 100755 index ea181cc..f98ce7a --- a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh +++ b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + result='true' diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh old mode 100644 new mode 100755 index 78da0fb..2f59c5e --- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -q "\-w /etc/sudoers -p wa -k scope diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh old mode 100644 new mode 100755 index fcbd3e8..0fdde41 --- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh +++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true checkFile=$(echo "/etc/group" "/etc/passwd" "/etc/gshadow" "/etc/shadow " "/etc/security/opasswd") diff --git a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh old mode 100644 new mode 100755 index 8b35c1f..79a2a85 --- a/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh +++ b/scanners/logging-and-auditing/2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=false checkRule="^(?=^\s*-a\s+always,exit)(?=.*-S\s+all)(?=.*-F\s+path=/usr/bin/chsh)(?=.*-F\s+perm=x)(?=.*-F\s+auid>=1000)(?=.*-F\s+auid!=-1)" diff --git a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh old mode 100644 new mode 100755 index a5ed931..8c25287 --- a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh +++ b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + [[ -e /etc/audit/auditd.conf ]] && output=$(grep -P "^max_log_file_action\s*=.*" /etc/audit/auditd.conf | cut -f2 -d= | sed -e 's/^[ ]*//g') diff --git a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh old mode 100644 new mode 100755 index ca00b10..601a1b2 --- a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh +++ b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + checkResult=$(augenrules --check) echo $checkResult | grep -Psiq "\bNo\s+change$" && echo 'pass' || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh old mode 100644 new mode 100755 index b53d3e6..f58ea0c --- a/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh +++ b/scanners/logging-and-auditing/2.27-ensure-that-the-firewall-logging-function-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + fwDenied=$(firewall-cmd --get-log-denied 2>&1) fwDeniedFile=$(grep -Pm1 "^\s*LogDenied=all\s*$" /etc/firewalld/firewalld.conf | grep -Po "LogDenied=all") diff --git a/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh b/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh old mode 100644 new mode 100755 index b48a52e..50e5235 --- a/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh +++ b/scanners/logging-and-auditing/2.28-ensure-login-and-logout-events-are-collected.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + ( grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules /etc/audit/*.rules && grep -Psq "\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(\-k\s+.*)" /etc/audit/rules.d/*.rules /etc/audit/*.rules && auditctl -l | grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+\-k\s+.*" && auditctl -l | grep -Psq "\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+\-k\s+.*" && echo 'pass' ) || echo 'fail' \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh old mode 100644 new mode 100755 index 5347af9..0c8889e --- a/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh 
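Review bot: 2.28-ensure-login-and-logout-events-are-collected.sh never checks the loaded rules for `/var/run/faillock`. Both `auditctl -l | grep` stages test `/var/log/lastlog`, so a host whose running audit rules lack the faillock watch still prints `pass`. The second stage should read `auditctl -l | grep -Psq "\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+\-k\s+.*"`, mirroring the faillock test already applied to the on-disk rule files.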
+++ b/scanners/logging-and-auditing/2.29-ensure-sudo-log-are-collected.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + ( awk '/Defaults\s+logfile\s*/ {line = $0; nr = NR} END {if (nr) print line}' /etc/sudoers | grep -Psq "^\s*Defaults\s+logfile\s*=\s*(/?)([a-zA-Z0-9_.-]+/?)*" && echo 'pass' ) || echo 'fail' diff --git a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh old mode 100644 new mode 100755 index a9d59db..3d64a75 --- a/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh +++ b/scanners/logging-and-auditing/2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf)") diff --git a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh old mode 100644 new mode 100755 index 9d455f7..2f7bc11 --- a/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh +++ b/scanners/logging-and-auditing/2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + sudoLogFilePath=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g' -e 's|/|\\/|g') sudoLogRunning=$(auditctl -l | awk "/^ *-w/ &&/"${sudoLogFilePath}"/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)") diff --git a/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh b/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh old mode 100644 new mode 100755 index d0cf6db..b390daf --- a/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh 
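Review bot: 2.29-ensure-sudo-log-are-collected.sh reads only `/etc/sudoers`, so a `Defaults logfile=` placed in an included drop-in under /etc/sudoers.d is reported as `fail`, while 2.30 in this patch searches `/etc/sudoers*`. The path part of the pattern, `(/?)([a-zA-Z0-9_.-]+/?)*`, can also match the empty string, so `Defaults logfile=` with no path counts as `pass`. Requiring a leading `/` followed by at least one path character would close that gap.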
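Review bot: In 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.sh, `log_path` keeps the whitespace around the configured value. With `-F =`, a line such as `log_file = /var/log/audit/audit.log` gives `$2` a leading space, and `dirname` preserves it. 2.4 in this patch pipes the same awk output through `tr -d ' '`; doing the same here would keep the two scanners consistent. The rest of the script is outside the hunk, so it cannot be seen whether the path is later used quoted, where the leading space would make the lookup miss the real directory.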
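Review bot: In 2.30-ensure-events-that-modify-the-sudo-log-file-are-collected.sh the awk program is built by splicing `${sudoLogFilePath}` unquoted into the script text. When no `logfile` setting is found, the middle pattern becomes `//`, which matches every line, so any `-w … -p wa` watch with a key satisfies the expression. The rest of the script is outside the hunk, so a later empty-path guard may exist. Text taken from /etc/sudoers* is also word-split by the shell and then interpreted as awk source. Passing the path as data with `awk -v` and comparing it with `index($0, path)`, after an explicit `[[ -n $sudoLogFilePath ]]` check, avoids both problems and removes the need for the `s|/|\\/|g` escaping.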
+++ b/scanners/logging-and-auditing/2.31-ensure-use-of-privileged-commands-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do diff --git a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh old mode 100644 new mode 100755 index 9409d64..f68e3ac --- a/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh +++ b/scanners/logging-and-auditing/2.32-ensure-discretionary-access-control-permission-modification-events-are-collected.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true for BIT in b32 b64 ; do diff --git a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh old mode 100644 new mode 100755 index ce499d3..af3efd7 --- a/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false log_path=$(dirname "$(awk -F = '/^\s*log_file\s*=\s*\S+/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')") diff --git a/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh b/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh old mode 100644 new mode 100755 index 7f13eb0..5c1873c --- a/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh 
+++ b/scanners/logging-and-auditing/2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=0 for p in `find /etc/audit/rules.d/ -name *.rules ; find /etc/audit/rules.d/ -name *.conf ; find /etc/audit/audit*.rules ; find /etc/audit/audit*.conf` ; do diff --git a/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh b/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh old mode 100644 new mode 100755 index 8801597..07d1b29 --- a/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh +++ b/scanners/logging-and-auditing/2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=0 for p in `find /etc/audit/rules.d/ -name *.rules ; find /etc/audit/rules.d/ -name *.conf ; find /etc/audit/audit*.rules ; find /etc/audit/audit*.conf` ; do diff --git a/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh b/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh old mode 100644 new mode 100755 index a31d8bf..5061ce8 --- a/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh +++ b/scanners/logging-and-auditing/2.7-ensure-only-authorized-groups-own-the-audit-configuration-files.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=0 for p in `find /etc/audit/rules.d/ -name *.rules ; find /etc/audit/rules.d/ -name *.conf ; find /etc/audit/audit*.rules ; find /etc/audit/audit*.conf` ; do 
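Review bot: In 2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive.sh the `-name *.rules` and `-name *.conf` arguments are unquoted, so the shell expands them before `find` runs if the working directory holds a matching file. The loop then sees only files with that name, or `find` aborts when several match, and real audit configuration goes unchecked. Quote the patterns, e.g. `find /etc/audit/rules.d/ -name '*.rules'`. The same line appears in 2.6 and 2.7 in this patch; the loop body is outside the hunk. Iterating over backtick output also splits file names on whitespace, which `find … -print0` read with `while IFS= read -r -d ''` would avoid.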
diff --git a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh old mode 100644 new mode 100755 index 4b2cec3..2793c3e --- a/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh +++ b/scanners/logging-and-auditing/2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=0 for i in $(stat -c "%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) do diff --git a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh old mode 100644 new mode 100755 index 2c92a49..9130143 --- a/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh +++ b/scanners/logging-and-auditing/2.9-ensure-audit-tools-are-owned-by-root.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=0 for i in $(stat -c "%U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) do diff --git a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh old mode 100644 new mode 100755 index fd1d6b9..d1ededa --- a/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh +++ b/scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa libselinux)" ]] && [[ "$(rpm -qa selinux-policy-mls)" ]] && [[ "$(rpm -qa selinux-policy-targeted )" ]]; then echo "pass" else diff --git a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh index fc7f43e..0fb5cd3 100755 --- a/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh 
+++ b/scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" SELINUX=`grep -E "^\s*SELINUX=disabled\b" /etc/selinux/config` diff --git a/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh b/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh index 9bd97d4..f67418f 100755 --- a/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh +++ b/scanners/mandatory-access-control/5.3-ensure-the-selinux-mode-is-enabled.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + SElINUX_TYPE=`grep -Ei "^\s*SELINUX=(enforcing|permissive)" /etc/selinux/config` diff --git a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh index 957015b..fbe01d3 100755 --- a/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh +++ b/scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + TYPE=`grep -Ei "^\s*SELINUX=enforcing" /etc/selinux/config` TYPE_R=`echo $?` # include 0 diff --git a/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh b/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh index ac16dc2..d8afd79 100755 --- a/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh +++ b/scanners/mandatory-access-control/5.5-ensure-no-unconfined-services-exist.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + result=`ps -eZ | grep unconfined_service_t` if [[ $result == "" ]];then diff --git a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh old mode 100644 new mode 100755 index 73f19a0..d82589d 
--- a/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh +++ b/scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.1-disable-http-server.sh b/scanners/services/3.1-disable-http-server.sh index c4c6f1f..bd70762 100755 --- a/scanners/services/3.1-disable-http-server.sh +++ b/scanners/services/3.1-disable-http-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa httpd)" ]]; then result=$(systemctl is-enabled httpd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.10-disable-rsync-server.sh b/scanners/services/3.10-disable-rsync-server.sh old mode 100644 new mode 100755 index 7a7125c..1cd649a --- a/scanners/services/3.10-disable-rsync-server.sh +++ b/scanners/services/3.10-disable-rsync-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa rsync-daemon)" ]]; then result=$(systemctl is-enabled rsyncd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.11-disable-avahi-server.sh b/scanners/services/3.11-disable-avahi-server.sh old mode 100644 new mode 100755 index 4919b1b..070db70 --- a/scanners/services/3.11-disable-avahi-server.sh +++ b/scanners/services/3.11-disable-avahi-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa avahi)" ]]; then result=$(systemctl is-enabled avahi-daemon.socket) result2=$(systemctl is-enabled avahi-daemon) diff --git a/scanners/services/3.12-disable-snmp-server.sh b/scanners/services/3.12-disable-snmp-server.sh old mode 100644 new mode 100755 index 85f1ff2..a0cb104 --- a/scanners/services/3.12-disable-snmp-server.sh +++ b/scanners/services/3.12-disable-snmp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa net-snmp)" ]]; then result=$(systemctl is-enabled snmpd) if [[ $result != enabled ]]; then 
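Review bot: In scanners/services/3.1-disable-http-server.sh the test `[[ $result != enabled ]]` compares against the single string `enabled`. Other states that `systemctl is-enabled` can print, such as `enabled-runtime`, therefore fall into the not-enabled branch. The branch body is outside the hunk, but if it reports `pass`, a unit enabled until the next reboot passes the check. Matching the prefix, `[[ $result != enabled* ]]`, covers that state. The same comparison is used by the other service scanners in this patch (3.2–3.10, 3.12–3.17, 3.23 and 3.24).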
diff --git a/scanners/services/3.13-disable-http-proxy-server.sh b/scanners/services/3.13-disable-http-proxy-server.sh old mode 100644 new mode 100755 index 13de594..79d89a6 --- a/scanners/services/3.13-disable-http-proxy-server.sh +++ b/scanners/services/3.13-disable-http-proxy-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa squid)" ]]; then result=$(systemctl is-enabled squid) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.14-disable-samba.sh b/scanners/services/3.14-disable-samba.sh old mode 100644 new mode 100755 index e4bd3fa..fcff5e9 --- a/scanners/services/3.14-disable-samba.sh +++ b/scanners/services/3.14-disable-samba.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa samba)" ]]; then result=$(systemctl is-enabled smb) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.15-disable-imap-and-pop3-server.sh b/scanners/services/3.15-disable-imap-and-pop3-server.sh old mode 100644 new mode 100755 index fd49de5..a9630cf --- a/scanners/services/3.15-disable-imap-and-pop3-server.sh +++ b/scanners/services/3.15-disable-imap-and-pop3-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa dovecot)" ]]; then result=$(systemctl is-enabled dovecot) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.16-disable-smtp-protocol.sh b/scanners/services/3.16-disable-smtp-protocol.sh old mode 100644 new mode 100755 index c77a750..9a06ace --- a/scanners/services/3.16-disable-smtp-protocol.sh +++ b/scanners/services/3.16-disable-smtp-protocol.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa postfix)" ]]; then result=$(systemctl is-enabled postfix.service) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh old mode 100644 new mode 100755 index 2994e00..546850f --- a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh +++ b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh 
@@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + if [[ "$(rpm -qa | grep telnet)" ]]; then result=$(systemctl is-enabled telnet.socket) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.18-uninstall-the-avahi-server.sh b/scanners/services/3.18-uninstall-the-avahi-server.sh old mode 100644 new mode 100755 index 32bfe74..2e4755d --- a/scanners/services/3.18-uninstall-the-avahi-server.sh +++ b/scanners/services/3.18-uninstall-the-avahi-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.19-uninstall-the-kexec-tools.sh b/scanners/services/3.19-uninstall-the-kexec-tools.sh old mode 100644 new mode 100755 index 6ebc164..108a66e --- a/scanners/services/3.19-uninstall-the-kexec-tools.sh +++ b/scanners/services/3.19-uninstall-the-kexec-tools.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.2-disable-ftp-server.sh b/scanners/services/3.2-disable-ftp-server.sh old mode 100644 new mode 100755 index ea33f10..40a5dbb --- a/scanners/services/3.2-disable-ftp-server.sh +++ b/scanners/services/3.2-disable-ftp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa vsftpd)" ]]; then result=$(systemctl is-enabled vsftpd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.20-uninstall-the-firstboot.sh b/scanners/services/3.20-uninstall-the-firstboot.sh old mode 100644 new mode 100755 index a3a54b2..f4577b5 --- a/scanners/services/3.20-uninstall-the-firstboot.sh +++ b/scanners/services/3.20-uninstall-the-firstboot.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh old mode 100644 new mode 100755 index 596dd2c..a809fc1 --- a/scanners/services/3.21-uninstall-the-wpa_supplicant.sh +++ b/scanners/services/3.21-uninstall-the-wpa_supplicant.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh old mode 100644 new mode 100755 index 34ef540..91d9998 --- a/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh +++ b/scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.23-disable-rsh.sh b/scanners/services/3.23-disable-rsh.sh old mode 100644 new mode 100755 index f5410ba..7c03b52 --- a/scanners/services/3.23-disable-rsh.sh +++ b/scanners/services/3.23-disable-rsh.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa rsh-server)" ]]; then result=$(systemctl is-enabled rsh.socket) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.24-disable-ntalk.sh b/scanners/services/3.24-disable-ntalk.sh old mode 100644 new mode 100755 index 2af51e8..d05c090 --- a/scanners/services/3.24-disable-ntalk.sh +++ b/scanners/services/3.24-disable-ntalk.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa ntalk)" ]]; then result=$(systemctl is-enabled ntalk.socket) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh old mode 100644 new mode 100755 index 69c8df1..406de98 --- a/scanners/services/3.25-ensure-xinetd-is-not-installed.sh +++ b/scanners/services/3.25-ensure-xinetd-is-not-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/services/3.26-disable-usb-storage.sh b/scanners/services/3.26-disable-usb-storage.sh old mode 100644 new mode 100755 index 2b00572..afb1268 --- a/scanners/services/3.26-disable-usb-storage.sh +++ b/scanners/services/3.26-disable-usb-storage.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=true echo $(modprobe -n -v usb-storage) | grep -Psq "^install\s+\/bin\/true$" || result=false lsmod | grep -Pq "^usb(_|-)storage\b" && result=false diff --git a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh old mode 100644 new mode 100755 index 59e09c8..c2b40f2 --- a/scanners/services/3.27-ensure-time-synchronization-is-installed.sh +++ b/scanners/services/3.27-ensure-time-synchronization-is-installed.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + result=false rpm -q chrony | grep -Psiq "^chrony\-" && result=true diff --git a/scanners/services/3.28-disable-automounting.sh b/scanners/services/3.28-disable-automounting.sh old mode 100644 new mode 100755 index d4619b6..953dfc2 --- a/scanners/services/3.28-disable-automounting.sh +++ b/scanners/services/3.28-disable-automounting.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" rpmAutofs=$(rpm -qa | grep ^autofs) diff --git a/scanners/services/3.3-disable-dns-server.sh b/scanners/services/3.3-disable-dns-server.sh old mode 100644 new mode 100755 index 9535028..6eb1802 --- a/scanners/services/3.3-disable-dns-server.sh +++ b/scanners/services/3.3-disable-dns-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa bind)" ]]; then result=$(systemctl is-enabled named) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.4-disable-nfs.sh b/scanners/services/3.4-disable-nfs.sh old mode 100644 new mode 100755 index d0c5fa5..a59119a --- a/scanners/services/3.4-disable-nfs.sh +++ b/scanners/services/3.4-disable-nfs.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa nfs-utils)" ]]; then result=$(systemctl is-enabled nfs-server) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.5-disable-rpc.sh b/scanners/services/3.5-disable-rpc.sh old mode 100644 new mode 100755 index b775bc7..c1723ef --- a/scanners/services/3.5-disable-rpc.sh 
+++ b/scanners/services/3.5-disable-rpc.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa rpcbind)" ]]; then result=$(systemctl is-enabled rpcbind) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.6-disable-ldap-server.sh b/scanners/services/3.6-disable-ldap-server.sh old mode 100644 new mode 100755 index 3f70aa5..3c06520 --- a/scanners/services/3.6-disable-ldap-server.sh +++ b/scanners/services/3.6-disable-ldap-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa openldap-servers)" ]]; then result=$(systemctl is-enabled slapd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.7-disable-dhcp-server.sh b/scanners/services/3.7-disable-dhcp-server.sh old mode 100644 new mode 100755 index 4309c70..3cfcef6 --- a/scanners/services/3.7-disable-dhcp-server.sh +++ b/scanners/services/3.7-disable-dhcp-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa dhcp-server)" ]]; then result=$(systemctl is-enabled dhcpd) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.8-disable-cups.sh b/scanners/services/3.8-disable-cups.sh old mode 100644 new mode 100755 index 89e4ce3..40cf59e --- a/scanners/services/3.8-disable-cups.sh +++ b/scanners/services/3.8-disable-cups.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa cups)" ]]; then result=$(systemctl is-enabled cups) if [[ $result != enabled ]]; then diff --git a/scanners/services/3.9-disable-nis-server.sh b/scanners/services/3.9-disable-nis-server.sh old mode 100644 new mode 100755 index e3b8dd3..19adda8 --- a/scanners/services/3.9-disable-nis-server.sh +++ b/scanners/services/3.9-disable-nis-server.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + if [[ "$(rpm -qa ypserv)" ]]; then result=$(systemctl is-enabled ypserv) if [[ $result != enabled ]]; then 
diff --git a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh old mode 100644 new mode 100755 index 689f983..c07de6b --- a/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh +++ b/scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd || result=true diff --git a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh old mode 100644 new mode 100755 index 416b387..6759411 --- a/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh +++ b/scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /boot/grub2/user.cfg ]]; then diff --git a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh old mode 100644 new mode 100755 index 9d6a13c..76748aa --- a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh +++ b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh @@ -1,4 +1,5 @@ -#!/usr/bin/env bash +#!/usr/bin/bash + osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp") [[ -f /boot/grub2/grub.cfg ]] && file_path='/boot/grub2/grub.cfg' diff --git a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh old mode 100644 new mode 100755 index 892913c..0c4f932 
--- a/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh +++ b/scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+emergency|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/emergency.service && grep -Pq "^\s*ExecStart=-/usr/lib/systemd/systemd-sulogin-shell(\s+rescue\s*|\s*)\s*(\s+#.*)?$" /usr/lib/systemd/system/rescue.service && result=true diff --git a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh old mode 100644 new mode 100755 index 32bd3aa..336a554 --- a/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh +++ b/scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Pq "^\s*\*\s+hard\s+core\s+0\s*(\s+#.*)?$" /etc/security/limits.conf && grep -Pq "^\s*fs\.suid_dumpable\s*=\s*0\s*(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/* && sysctl fs.suid_dumpable|grep -Pq "fs\.suid\_dumpable\s+=\s+0" && result=true diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh old mode 100644 new mode 100755 index dc5b1b9..3a3c988 --- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh +++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && [[ -z $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Psv "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && [[ -n $(grep -Phs "^kernel\.randomize_va_space\s*=\s*" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf | grep -Ps "^kernel\.randomize_va_space\s*=\s*2\b$") ]] && result=true diff --git a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh old mode 100644 new mode 100755 index da8c820..7ca8df1 --- a/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh +++ b/scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config || result=true diff --git a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh old mode 100644 new mode 100755 index adfc90f..9387dfc --- a/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh +++ b/scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null` if [[ -z "$result" ]] ; then 
diff --git a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh old mode 100644 new mode 100755 index 07f1178..051039d --- a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh +++ b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/passwd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh old mode 100644 new mode 100755 index 10a26c3..b605c7b --- a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh +++ b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/shadow | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh old mode 100644 new mode 100755 index 4dae525..6734ee3 --- a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh +++ b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/group | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh old mode 100644 new mode 100755 index bc3ee42..ff6a11a 
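Review bot: In 4.17-ensure-permissions-on-etc-passwd-are-configured.sh the mode pattern `^[0-6][0-4][0-4]` accepts write and execute bits it is presumably meant to exclude. The group and other digits may be 1–3, so a group- and world-writable `622` matches and sets `result=true`. Assuming the intent is "0644 or more restrictive", each digit has to be limited to the permitted bits: `'^[0246][04][04]\-root\-root$'`. Comparing the numeric mode against a bit mask would also handle modes that `stat -c %a` prints with fewer than three digits. The same pattern is used in 4.19, 4.21 and 4.23 in this patch; the remainder of each script is outside the hunk.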
--- a/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh +++ b/scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue || result=true diff --git a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh old mode 100644 new mode 100755 index cec1409..0e4461d --- a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh +++ b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/gshadow | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh old mode 100644 new mode 100755 index 21944a0..32a8e98 --- a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh +++ b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/passwd- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh old mode 100644 new mode 100755 index 57c3562..282e775 --- a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh +++ b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/shadow- | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh old mode 100644 new mode 100755 index ce4a660..af17fcb --- a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh +++ b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/group- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh old mode 100644 new mode 100755 index 6935dc9..9e0fbf3 --- a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh +++ b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/gshadow- | grep -Pq '^[0]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh old mode 100644 new mode 100755 index 2767e90..cd4c252 --- a/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh +++ b/scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002` if [[ -z "$result" ]] ; then 
diff --git a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh old mode 100644 new mode 100755 index b30007f..cd7072b --- a/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh +++ b/scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh old mode 100644 new mode 100755 index 3367243..5d2cb0a --- a/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh +++ b/scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh old mode 100644 new mode 100755 index 19b6df5..114e127 --- a/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh +++ b/scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow` if [[ -z "$result" ]] ; then diff --git a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh old mode 100644 new mode 100755 index 40ff5e5..849a76f --- a/scanners/system-configurations/4.29-ensure-root-path-integrity.sh 
+++ b/scanners/system-configurations/4.29-ensure-root-path-integrity.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=` RPCV="$(sudo -Hiu root env | grep '^PATH=' | cut -d= -f2)" echo "$RPCV" | grep -q "::" && echo "root's path contains a empty directory (::)" diff --git a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh old mode 100644 new mode 100755 index 12f6802..dc5842c --- a/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh +++ b/scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false grep -Eiq "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net || result=true diff --git a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh old mode 100644 new mode 100755 index 5164024..7b3972e --- a/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh +++ b/scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=`awk -F: '($3 == 0) { print $1 }' /etc/passwd` if [[ "$result" == "root" ]] ; then diff --git a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh old mode 100644 new mode 100755 index 3287317..a8675d4 --- a/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh +++ b/scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" 
diff --git a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh old mode 100644 new mode 100755 index 222816e..36a6c15 --- a/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh +++ b/scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh old mode 100644 new mode 100755 index 14fefaa..70a7359 --- a/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh +++ b/scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh old mode 100644 new mode 100755 index 1bb8ff6..3300233 --- a/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh +++ b/scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh old mode 100644 new mode 100755 index 3758ea5..d340533 --- a/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh +++ b/scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" 
diff --git a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh old mode 100644 new mode 100755 index cd38763..9e3d4fd --- a/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh +++ b/scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh old mode 100644 new mode 100755 index a7ea782..77d4030 --- a/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh +++ b/scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh old mode 100644 new mode 100755 index d59409d..7791624 --- a/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh +++ b/scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do diff --git a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh old mode 100644 new mode 100755 index f73ae43..24817b3 --- a/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh +++ b/scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -f3 -d":" /etc/passwd | sort -n | uniq -d); do 
diff --git a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh old mode 100644 new mode 100755 index a227acd..6405b58 --- a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh +++ b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ ! -f /etc/motd ]] ; then diff --git a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh old mode 100644 new mode 100755 index 2418ea0..3363a2e --- a/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh +++ b/scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -d: -f3 /etc/group | sort | uniq -d); do diff --git a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh old mode 100644 new mode 100755 index 8406358..f7ace37 --- a/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh +++ b/scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -d: -f1 /etc/passwd | sort | uniq -d); do diff --git a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh old mode 100644 new mode 100755 index f1e063a..9a1413b --- a/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh +++ b/scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" for i in $(cut -d: -f1 /etc/group | sort | uniq -d); do 
diff --git a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh old mode 100644 new mode 100755 index e42dd49..3adb045 --- a/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh +++ b/scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" user="" dir="" diff --git a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh old mode 100644 new mode 100755 index 691eaa2..512029d --- a/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh +++ b/scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false lsmod | grep -Pq "^sctp\b" || { modprobe -n -q sctp && modprobe -n -v sctp | grep -Pq "^install\s*\/bin\/true\s*$" && result=true; } diff --git a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh old mode 100644 new mode 100755 index 134d90d..2be1290 --- a/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh +++ b/scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false modprobe -n -vq dccp && result="" diff --git a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh old mode 100644 new mode 100755 index aa1406b..68cabf6 --- a/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh +++ b/scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" if command -v nmcli >/dev/null 2>&1 ; then 
diff --git a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh old mode 100644 new mode 100755 index 56d7533..7f9eddf --- a/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh +++ b/scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.ip_forward | grep -Psq "^net\.ipv4\.ip\_forward\s+=\s+0$" && sysctl net.ipv6.conf.all.forwarding | grep -Psq "^net\.ipv6\.conf\.all\.forwarding\s+=\s+0$" && result="" diff --git a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh old mode 100644 new mode 100755 index 4819045..aed766d --- a/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh +++ b/scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.send_redirects | grep -Psq "^net\.ipv4\.conf\.all\.send\_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.send_redirects | grep -Psq "^net\.ipv4\.conf\.default\.send\_redirects\s+=\s+0$" && grep -Psq "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -Psq "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh old mode 100644 new mode 100755 index 5795b4f..74411d3 --- a/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh +++ b/scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.accept_source_route | grep -Psq "^net\.ipv4\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_source_route | grep -Psq "^net\.ipv4\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_source_route | grep -Psq "^net\.ipv6\.conf\.all\.accept_source_route\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_source_route | grep -Psq "^net\.ipv6\.conf\.default\.accept_source_route\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh old mode 100644 new mode 100755 index 3f24a2a..df03b05 --- a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh +++ b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/issue | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 9853da2..c333ae1 --- a/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh +++ b/scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.accept_redirects | grep -Psq "^net\.ipv4\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.accept_redirects | grep -Psq "^net\.ipv4\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && sysctl net.ipv6.conf.all.accept_redirects | grep -Psq "^net\.ipv6\.conf\.all\.accept_redirects\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_redirects | grep -Psq "^net\.ipv6\.conf\.default\.accept_redirects\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh old mode 100644 new mode 100755 index 29b55a6..ab4604a --- a/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh +++ b/scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.secure_redirects | grep -Psq "^net\.ipv4\.conf\.all\.secure_redirects\s+=\s+0$" && sysctl net.ipv4.conf.default.secure_redirects | grep -Psq "^net\.ipv4\.conf\.default\.secure_redirects\s+=\s+0$" && grep -q "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh old mode 100644 new mode 100755 index 40ca3fe..9a50793 
--- a/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh +++ b/scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv4.conf.all.log_martians | grep -Psq "^net\.ipv4\.conf\.all\.log_martians\s+=\s+1$" && sysctl net.ipv4.conf.default.log_martians | grep -Psq "^net\.ipv4\.conf\.default\.log_martians\s+=\s+1$" && grep -q "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh old mode 100644 new mode 100755 index 7986661..0a332ef --- a/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh +++ b/scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=$(grep -E -s "^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*[^1]+" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf) diff --git a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh old mode 100644 new mode 100755 index 7447b78..b22422a --- a/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh +++ b/scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=$(grep -E -s "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*[^1]+" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf) 
diff --git a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh old mode 100644 new mode 100755 index 7deb0cf..046d175 --- a/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh +++ b/scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=`grep -E -s "^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*0" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` diff --git a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh old mode 100644 new mode 100755 index 5601384..cab2bdb --- a/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh +++ b/scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false result=`grep -E -r "^\s*net\.ipv4\.tcp_syncookies\s*=\s*[02]" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf` diff --git a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh old mode 100644 new mode 100755 index 6eb6357..7a95e86 --- a/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh +++ b/scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh 
@@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false sysctl net.ipv6.conf.all.accept_ra | grep -Psq "^net\.ipv6\.conf\.all.accept_ra\s+=\s+0$" && sysctl net.ipv6.conf.default.accept_ra | grep -Psq "^net\.ipv6\.conf\.default\.accept_ra\s+=\s+0$" && grep -q "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && grep -q "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* && result=true diff --git a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh old mode 100644 new mode 100755 index 783c1a2..f1e6fa1 --- a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh +++ b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result="" rpm -qa | grep -Psq "^iptables\-.*" && rpm -qa | grep -Psq "^iptables\-services.*" && result=true diff --git a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh old mode 100644 new mode 100755 index 088b094..f332a05 --- a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh +++ b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false [[ $(systemctl list-unit-files | grep firewalld) ]] && systemctl is-enabled firewalld | grep -Psq "^enabled$" && firewall-cmd --state -q && result=true diff --git a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh old mode 100644 new mode 100755 index 2b18f47..f56007b --- a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh 
+++ b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false stat -c "%a-%U-%G" /etc/issue.net | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true diff --git a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh old mode 100644 new mode 100755 index df2ec04..9317c82 --- a/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh +++ b/scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result="" diff --git a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh old mode 100644 new mode 100755 index c100d5e..ea73498 --- a/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh +++ b/scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result="" diff --git a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh old mode 100644 new mode 100755 index 766737e..0607257 --- a/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh +++ b/scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false rpm -q nftables | grep -Psq "^nftables\-.*" && systemctl is-enabled nftables | grep -Psiq "^enabled$" && result=true diff --git a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh old mode 100644 new mode 100755 index 50f6952..5fdbdf5 --- a/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh 
+++ b/scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false rpm -qa | grep -Psq "^iptables\-.*" && rpm -q iptables-services | grep -Psq "^iptables\-services\-.*" && result=true diff --git a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh old mode 100644 new mode 100755 index 7bc4cd0..fefb2dd --- a/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh +++ b/scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result=false diff --git a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh old mode 100644 new mode 100755 index de4d417..03d05a8 --- a/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh +++ b/scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + export LANG="en_US.UTF-8" result="" diff --git a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh index 6e64dec..85e7980 100755 --- a/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh +++ b/scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + source /etc/profile HIST=$(echo $HISTSIZE | awk '($1 > 100 || $1 == "" ) {print 1}') HIST_FILE=$(grep -P "^HISTSIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}') 
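Review bot: Replacing `#!/bin/bash` with `#!/usr/bin/bash` in 4.66 (and again in 4.67, 4.68, 4.69 and 4.70) narrows where the script can start. `/bin/bash` resolves on both merged-/usr and split-/usr systems, while `/usr/bin/bash` exists only on the former. The scanners call `rpm` and `systemctl`, so the intended targets probably have a merged /usr and nothing breaks there, but the rewrite gains nothing over the line it removes. If the aim is one uniform interpreter line across the kit, `#!/bin/bash` gives that without the path assumption. The script bodies continue outside these hunks.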
diff --git a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh index d425e99..be2d803 100755 --- a/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh +++ b/scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + source /etc/profile HIST=$(echo $HISTFILESIZE | awk '($1 > 100 || $1 == "" ) {print 1}') HIST_FILE=$(grep -P "^HISTFILESIZE\b\=[0-9]+\b" /etc/profile | grep -Po "\b[0-9]+\b" | awk '($1 > 100 || $1 == "" ) {print 1}') diff --git a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh old mode 100644 new mode 100755 index 7cfb93d..080de01 --- a/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh +++ b/scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + ls -l / | grep tmp | grep rwt >> /dev/null diff --git a/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh b/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh old mode 100644 new mode 100755 index 81dec0a..4c4d3a6 --- a/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh +++ b/scanners/system-configurations/4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + for i in `stat -c "%a-%U-%G" {/etc/ssh/*key,/etc/ssh/*key.pub}` do diff --git a/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh b/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh old mode 100644 new mode 100755 index 0820ab0..ce1b7bf --- a/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh 
+++ b/scanners/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result_dnf_conf=false result_yum_repos_d=false diff --git a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh old mode 100644 new mode 100755 index 14d7931..6f26a2f --- a/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh +++ b/scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh @@ -1,4 +1,5 @@ -#!/bin/bash +#!/usr/bin/bash + result=true diff --git a/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh b/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh old mode 100644 new mode 100755 index b941421..814b3a7 --- a/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh +++ b/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh @@ -1 +1,3 @@ +#!/usr/bin/bash + [[ -e /etc/fstab ]] && [[ -n $(grep -Ps "\s+\/var\s+.*nosuid" /etc/fstab) ]] && [[ -n $(findmnt --kernel /var | grep nosuid) ]] && echo "pass" || echo "fail" \ No newline at end of file diff --git a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh old mode 100644 new mode 100755 index 6e0624b..8ebde61 --- a/scanners/system-configurations/4.8-ensure-aide-is-installed.sh +++ b/scanners/system-configurations/4.8-ensure-aide-is-installed.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false rpm -q aide | grep -Piq aide-.* && result=true diff --git a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh old mode 100644 new mode 100755 index 9f6097f..811c443 
--- a/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh +++ b/scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh @@ -1,3 +1,5 @@ +#!/usr/bin/bash + result=false if [[ -e /var/spool/cron/root ]]; then -- Gitee From c4d74452eef4943594082914b0c0d4e1ceff18ba Mon Sep 17 00:00:00 2001 From: YuQing Yang Date: Tue, 3 Sep 2024 10:51:00 +0800 Subject: [PATCH 3/3] Fix three errors: 1. 3.7 Refine grep query for precision. 2. 3.17 Refine grep query for precision. 3. 4.11 Add support for soft links. Fixes: #IAODNB Signed-off-by: YuQing Yang --- .../services/3.17-disable-or-uninstall-the-telnet.sh | 4 ++-- remediation-kits/services/3.7-disable-dhcp-server.sh | 4 ++-- scanners/services/3.17-disable-or-uninstall-the-telnet.sh | 2 +- ...ure-permissions-on-bootloader-config-are-configured.sh | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh index 7bf6ab0..a1e07a7 100755 --- a/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh +++ b/remediation-kits/services/3.17-disable-or-uninstall-the-telnet.sh @@ -2,10 +2,10 @@ export LANG="en_US.UTF-8" -if [[ $(rpm -qa | grep telnet) ]]; then +if [[ $(rpm -qa | grep telnet-server) ]]; then dnf remove -y telnet telnet-server [[ $? != 0 ]] && result=$(systemctl is-enabled telnet.socket) if [[ $result == enabled ]]; then systemctl --now disable telnet.socket fi -fi \ No newline at end of file +fi diff --git a/remediation-kits/services/3.7-disable-dhcp-server.sh b/remediation-kits/services/3.7-disable-dhcp-server.sh index 07a7673..ac41090 100755 --- a/remediation-kits/services/3.7-disable-dhcp-server.sh +++ b/remediation-kits/services/3.7-disable-dhcp-server.sh 
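Review bot: The new guard `rpm -qa | grep telnet-server` in the 3.17 remediation is still an unanchored substring match over the whole package list, so any package whose name merely contains `telnet-server` satisfies it. Querying the package by name is exact and uses rpm's own exit status: `if rpm -q telnet-server >/dev/null 2>&1; then`. The same pattern appears in the 3.7 remediation hunk (`grep dhcp-server`) and in the 3.17 scanner hunk. The guard now tests only the server package while the action still runs `dnf remove -y telnet telnet-server`, so a host with just the client installed is no longer touched. If that is intended, a one-line comment above the `if` saying so would keep guard and action from looking inconsistent.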
@@ -2,9 +2,9 @@
 export LANG="en_US.UTF-8"
-if [[ $(rpm -qa | grep dhcp) ]]; then
+if [[ $(rpm -qa | grep dhcp-server) ]]; then
 result=$(systemctl is-enabled dhcpd)
 if [[ $result == enabled ]]; then
 systemctl --now disable dhcpd
 fi
-fi
\ No newline at end of file
+fi
diff --git a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh
index 546850f..9e372f6 100755
--- a/scanners/services/3.17-disable-or-uninstall-the-telnet.sh
+++ b/scanners/services/3.17-disable-or-uninstall-the-telnet.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/bash
-if [[ "$(rpm -qa | grep telnet)" ]]; then
+if [[ "$(rpm -qa | grep telnet-server)" ]]; then
 result=$(systemctl is-enabled telnet.socket)
 if [[ $result != enabled ]]; then
 echo "pass"
diff --git a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
index 76748aa..25e143b 100755
--- a/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
+++ b/scanners/system-configurations/4.11-ensure-permissions-on-bootloader-config-are-configured.sh
@@ -2,10 +2,10 @@
 osID=$(cat /etc/os-release | grep -Pi "^ID=" | cut -f2 -d= | sed -rn "s/\"//gp")
-[[ -f /boot/grub2/grub.cfg ]] && file_path='/boot/grub2/grub.cfg'
-[[ -f /boot/grub2/grubenv ]] && file_path=$file_path' /boot/grub2/grubenv'
-[[ -f /boot/grub2/user.cfg ]] && file_path=$file_path' /boot/grub2/user.cfg'
-[[ -f /boot/efi/EFI/$osID/grubenv ]] && file_path=$file_path" /boot/efi/EFI/$osID/grubenv"
+[[ -f $(realpath /boot/grub2/grub.cfg) ]] && file_path=$(realpath /boot/grub2/grub.cfg)
+[[ -f $(realpath /boot/grub2/grubenv) ]] && file_path=$file_path" $(realpath /boot/grub2/grubenv)"
+[[ -f $(realpath /boot/grub2/user.cfg) ]] && file_path=$file_path" $(realpath /boot/grub2/user.cfg)"
+[[ -f $(realpath /boot/efi/EFI/$osID/grubenv) ]] && file_path=$file_path" $(realpath /boot/efi/EFI/$osID/grubenv)"
 result=0
 if [[ -n $file_path ]] ; then
-- 
Gitee
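Review bot: Each of the four added lines resolves its path with two separate `realpath` calls and appends the result to a space-separated string, so a missing `/boot/grub2` or `/boot/efi/EFI/$osID` directory makes realpath report an error on stderr, and a file reachable under two names is listed twice (on EFI installs `/boot/grub2/grubenv` may itself be a link to the EFI copy; worth confirming on the target images). Resolving each candidate once with `realpath -e`, discarding its stderr and skipping a target already collected avoids both. `[[ -f ]]` already follows symbolic links, so the practical effect of this change is that the later permission check sees the link target instead of the link, and a one-line comment saying so would help the next reader. The `if [[ -n $file_path ]]` block that consumes the list continues outside the hunk, so the loop below keeps `file_path` as the same space-separated string.

```shell
# … unchanged: osID lookup …
file_path=''
for candidate in /boot/grub2/grub.cfg /boot/grub2/grubenv /boot/grub2/user.cfg "/boot/efi/EFI/$osID/grubenv"; do
  # Resolve once; -e fails for a missing path or a dangling link.
  resolved=$(realpath -e -- "$candidate" 2>/dev/null) || continue
  [[ -f $resolved ]] || continue
  # Skip a target that an earlier name already resolved to.
  [[ " $file_path " == *" $resolved "* ]] && continue
  file_path+="${file_path:+ }$resolved"
done
# … unchanged: result=0 and the check on $file_path …
```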