This commit is contained in:
2026-05-11 09:15:08 +02:00
parent 9bec2b9e42
commit 404ee3fec4
641 changed files with 416825 additions and 0 deletions
+543
@@ -0,0 +1,543 @@
# Begin Helper for version control
function isWindows8OrNewer {
return ([Environment]::OSVersion.Version -ge (New-Object 'Version' 6, 2))
}
function isWindows81OrNewer {
return ([Environment]::OSVersion.Version -ge (New-Object 'Version' 6, 3))
}
function isWindows10OrNewer {
return ([Environment]::OSVersion.Version -ge (New-Object 'Version' 10, 0))
}
function win7NoTPMChipDetected {
return (Get-CimInstance -ClassName Win32_Tpm -Namespace root\cimv2\security\microsofttpm | Select-Object -ExpandProperty IsActivated_InitialValue) -eq $null
}
$sbdIndex = 1
function IncrementSecurityBaseDataCounter {
return $sbdIndex++
}
function hasTPM {
try {
$obj = (Get-Tpm).TpmPresent
}
catch {
return $null
}
return $obj
}
# End Helper for version control
function isWindows10Enterprise {
$os = Get-ComputerInfo OsName
if ($os -match "Windows 10 Enterprise" -or $os -match "Windows 11 Enterprise") {
return $true
}
return $false
}
#Helper function for 'Test-ASRRules'
Function Test-RegistryValue ($regkey, $name) {
if (Get-ItemProperty -Path $regkey -Name $name -ErrorAction Ignore) {
$true
}
else {
$false
}
}
#This function is needed in AuditGroups, which check both paths of ASR-Rules.
function Test-ASRRules {
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[String] $Path,
[Parameter(Mandatory = $true)]
[String] $Value
)
process {
try {
if (Test-Path -Path $Path) {
return Test-RegistryValue $Path $Value
}
else {
return $false
}
}
catch {
}
}
}
function Test-MultiplePaths {
[CmdletBinding()]
[OutputType([Object])]
param (
[Parameter(Mandatory = $True, ValueFromPipeline)]
[String]
$Path,
[Parameter(Mandatory = $True)]
[String]
$Key,
[Parameter(Mandatory = $True)]
[Object]
$ExpectedValue,
[PSCustomObject]
$Result = @{
Message = "Registry value not found."
Status = "False"
}
)
PROCESS {
$regValue = Get-ItemProperty -ErrorAction SilentlyContinue `
-Path $Path `
-Name $Key `
| Select-Object -ExpandProperty "$($Key)"
# if regValue == expectedValue
if (($regValue -eq $ExpectedValue)) {
$Result = @{
Message = "Compliant"
Status = "True"
}
}
# if regValue isnot empty AND regValue isnot expectedValue AND result is not True (yet)
# This result is ranked #2 below "Compliant" and above "Registry value not found"
if (($null -ne $regValue) -and ($regValue -ne $ExpectedValue) -and ($Result.Status -ne "True")) {
$Result = @{
Message = "Registry value is '$regValue'. Expected: $ExpectedValue"
Status = "False"
}
}
}
END {
return $Result
}
}
#Returns Hyper-V status
function CheckHyperVStatus {
return (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State
}
function CheckWindefRunning {
# for systems, won't work if server
try {
$defStatus = (Get-MpComputerStatus -ErrorAction Ignore | Select-Object AMRunningMode)
if ($defStatus.AMRunningMode -eq "Normal") {
return $true
}
}
catch {
<#Do this if a terminating exception happens#>
}
# for standalone systems, won't work if server
try {
$defStatus = (Get-MpComputerStatus -ErrorAction Ignore)
if ($defStatus.AMServiceEnabled -eq $true -and $defStatus.AntispywareEnabled -eq $true -and $defStatus.AntivirusEnabled -eq $true -and $defStatus.NISEnabled -eq $true -and $defStatus.RealTimeProtectionEnabled -eq $true) {
return $true
}
}
catch {
<#Do this if a terminating exception happens#>
}
# for servers, won't work if standalone system
try {
if ((Get-WindowsFeature -Name Windows-Defender -ErrorAction Ignore).installed) {
if ((Get-Service -Name windefend -ErrorAction Ignore).Status -eq "Running") {
return $true
}
}
}
catch {
<#Do this if a terminating exception happens#>
}
return $false
}
function CheckForActiveAV {
$result = $false
$av = Get-AntiVirusStatus
foreach ($a in $av) {
if (($a.'Definition Status') -eq "Enabled") {
$result = $true;
}
}
return $result
}
# only works for desktop workstations, not servers (except Windows XP and older)
function Get-AntiVirusStatus {
try {
$AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $env:computername -ErrorAction Stop
}
catch [System.Management.ManagementException] {
<#Do this if a terminating exception happens#>
}
$result = @()
foreach ($AntiVirusProduct in $AntiVirusProducts) {
$hex = '0x{0:x}' -f $AntiVirusProduct.productState
$avstatus = $hex.Substring(3, 2)
$defstatus = "Unknown"
if (($avstatus -eq "00") -or ($avstatus -eq "01")) {
$defstatus = "Disabled"
}
if (($avstatus -eq "10") -or ($avstatus -eq "11")) {
$defstatus = "Enabled"
}
$avupdated = $hex.Substring(5, 2)
$avupdatestatus = "Unknown"
if ($avupdated -eq ("10")) {
$avupdatestatus = "Not Up-to-date"
}
if ($avupdated -eq ("00")) {
$avupdatestatus = "Up-to-date"
}
# hashtable for av status
$ht = @{}
$ht.Name = $AntiVirusProduct.displayName
$ht.'Definition Status' = $defstatus
$ht.'Update Status' = $avupdatestatus
# add new hashtable to result
$result += New-Object -TypeName PSObject -Property $ht
}
return $result
}
function getListOfWeakCipherSuites {
$listOfWeakCipherSuites = @(
"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_DH_DSS_WITH_AES_128_CBC_SHA",
"TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
"TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
"TLS_DH_DSS_WITH_AES_256_CBC_SHA",
"TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
"TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
"TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
"TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
"TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
"TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_DH_DSS_WITH_SEED_CBC_SHA",
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
"TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_SEED_CBC_SHA",
"TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
"TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
"TLS_DHE_PSK_WITH_AES_128_CCM",
"TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
"TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
"TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
"TLS_DHE_PSK_WITH_AES_256_CCM",
"TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
"TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
"TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
"TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
"TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
"TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CCM",
"TLS_DHE_RSA_WITH_AES_128_CCM_8",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CCM",
"TLS_DHE_RSA_WITH_AES_256_CCM_8",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
"TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_SEED_CBC_SHA",
"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DH_RSA_WITH_AES_128_CBC_SHA",
"TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DH_RSA_WITH_AES_256_CBC_SHA",
"TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
"TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
"TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
"TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
"TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_DH_RSA_WITH_SEED_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
"TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
"TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
"TLS_KRB5_WITH_IDEA_CBC_SHA",
"TLS_PSK_DHE_WITH_AES_128_CCM_8",
"TLS_PSK_DHE_WITH_AES_256_CCM_8",
"TLS_PSK_WITH_3DES_EDE_CBC_SHA",
"TLS_PSK_WITH_AES_128_CBC_SHA",
"TLS_PSK_WITH_AES_128_CBC_SHA256",
"TLS_PSK_WITH_AES_128_CCM",
"TLS_PSK_WITH_AES_128_CCM_8",
"TLS_PSK_WITH_AES_128_GCM_SHA256",
"TLS_PSK_WITH_AES_256_CBC_SHA",
"TLS_PSK_WITH_AES_256_CBC_SHA384",
"TLS_PSK_WITH_AES_256_CCM",
"TLS_PSK_WITH_AES_256_CCM_8",
"TLS_PSK_WITH_AES_256_GCM_SHA384",
"TLS_PSK_WITH_ARIA_128_CBC_SHA256",
"TLS_PSK_WITH_ARIA_128_GCM_SHA256",
"TLS_PSK_WITH_ARIA_256_CBC_SHA384",
"TLS_PSK_WITH_ARIA_256_GCM_SHA384",
"TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
"TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
"TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
"TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
"TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
"TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
"TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
"TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
"TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
"TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
"TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
"TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
"TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CCM",
"TLS_RSA_WITH_AES_128_CCM_8",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CCM",
"TLS_RSA_WITH_AES_256_CCM_8",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_ARIA_128_CBC_SHA256",
"TLS_RSA_WITH_ARIA_128_GCM_SHA256",
"TLS_RSA_WITH_ARIA_256_CBC_SHA384",
"TLS_RSA_WITH_ARIA_256_GCM_SHA384",
"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
"TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_RSA_WITH_IDEA_CBC_SHA",
"TLS_RSA_WITH_SEED_CBC_SHA",
"TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
"TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
"TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
"TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
"TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
"TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
"TLS_SRP_SHA_WITH_AES_256_CBC_SHA"
)
return $listOfWeakCipherSuites
}
function getListOfInsecureCipherSuites {
$listOfInsecureCipherSuites = @(
"TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
"TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
"TLS_DH_anon_WITH_AES_128_CBC_SHA",
"TLS_DH_anon_WITH_AES_128_CBC_SHA256",
"TLS_DH_anon_WITH_AES_128_GCM_SHA256",
"TLS_DH_anon_WITH_AES_256_CBC_SHA",
"TLS_DH_anon_WITH_AES_256_CBC_SHA256",
"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
"TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",
"TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",
"TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",
"TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",
"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
"TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
"TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",
"TLS_DH_anon_WITH_DES_CBC_SHA",
"TLS_DH_anon_WITH_RC4_128_MD5",
"TLS_DH_anon_WITH_SEED_CBC_SHA",
"TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
"TLS_DH_DSS_WITH_DES_CBC_SHA",
"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
"TLS_DHE_DSS_WITH_DES_CBC_SHA",
"TLS_DHE_PSK_WITH_NULL_SHA",
"TLS_DHE_PSK_WITH_NULL_SHA256",
"TLS_DHE_PSK_WITH_NULL_SHA384",
"TLS_DHE_PSK_WITH_RC4_128_SHA",
"TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"TLS_DHE_RSA_WITH_DES_CBC_SHA",
"TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
"TLS_DH_RSA_WITH_DES_CBC_SHA",
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_RC4_128_SHA",
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_NULL_SHA",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_PSK_WITH_NULL_SHA",
"TLS_ECDHE_PSK_WITH_NULL_SHA256",
"TLS_ECDHE_PSK_WITH_NULL_SHA384",
"TLS_ECDHE_PSK_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_NULL_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_ECDH_RSA_WITH_NULL_SHA",
"TLS_ECDH_RSA_WITH_RC4_128_SHA",
"TLS_GOSTR341112_256_WITH_28147_CNT_IMIT",
"TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC",
"TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L",
"TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S",
"TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC",
"TLS_GOSTR341112_256_WITH_MAGMA_MGM_L",
"TLS_GOSTR341112_256_WITH_MAGMA_MGM_S",
"TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
"TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
"TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
"TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
"TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
"TLS_KRB5_WITH_DES_CBC_MD5",
"TLS_KRB5_WITH_DES_CBC_SHA",
"TLS_KRB5_WITH_IDEA_CBC_MD5",
"TLS_KRB5_WITH_RC4_128_MD5",
"TLS_KRB5_WITH_RC4_128_SHA",
"TLS_NULL_WITH_NULL_NULL",
"TLS_PSK_WITH_NULL_SHA",
"TLS_PSK_WITH_NULL_SHA256",
"TLS_PSK_WITH_NULL_SHA384",
"TLS_PSK_WITH_RC4_128_SHA",
"TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
"TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
"TLS_RSA_EXPORT_WITH_RC4_40_MD5",
"TLS_RSA_PSK_WITH_NULL_SHA",
"TLS_RSA_PSK_WITH_NULL_SHA256",
"TLS_RSA_PSK_WITH_NULL_SHA384",
"TLS_RSA_PSK_WITH_RC4_128_SHA",
"TLS_RSA_WITH_DES_CBC_SHA",
"TLS_RSA_WITH_NULL_MD5",
"TLS_RSA_WITH_NULL_SHA",
"TLS_RSA_WITH_NULL_SHA256",
"TLS_RSA_WITH_RC4_128_MD5",
"TLS_RSA_WITH_RC4_128_SHA",
"TLS_SHA256_SHA256",
"TLS_SHA384_SHA384",
"TLS_SM4_CCM_SM3",
"TLS_SM4_GCM_SM3"
)
return $listOfInsecureCipherSuites
}
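Review bot: `IncrementSecurityBaseDataCounter` (the function right after `$sbdIndex = 1`) increments a function-local copy: an assignment inside a function creates a new variable in the function's own scope, so the script-level `$sbdIndex` stays at 1 and every call starts from the same value; use `$script:sbdIndex++` followed by `return $script:sbdIndex` (whether `return $sbdIndex++` emits the pre-increment value at all is worth checking too). In the same file, `Test-ASRRules` has an empty `catch {}`, so any error from `Test-Path`/`Get-ItemProperty` makes the function return nothing instead of `$false`; `catch { Write-Verbose "[Test-ASRRules] $($_.Exception.Message)"; return $false }` keeps the caller's Boolean contract. `win7NoTPMChipDetected` places `$null` on the right of `-eq`; with a collection on the left that acts as a filter rather than a test, so prefer `$null -eq (...)`.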
+83
@@ -0,0 +1,83 @@
function Test-FirewallPaths {
[CmdletBinding()]
[OutputType([Object])]
param (
[Parameter(Mandatory = $True, ValueFromPipeline)]
[String]
$Path,
[Parameter(Mandatory = $True)]
[String]
$Key,
[Parameter(Mandatory = $True)]
[Object]
$ExpectedValue,
[Parameter(Mandatory = $True)]
[String]
$ProfileType,
[PSCustomObject]
$Result = @{
Message = "Registry value not found."
Status = "False"
}
)
BEGIN {
$FirewallProfiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
}
PROCESS {
$regValue = Get-ItemProperty -ErrorAction SilentlyContinue `
-Path $Path `
-Name $Key `
| Select-Object -ExpandProperty "$($Key)"
# if regValue == expectedValue OR if the LogFilePath ends with .log
if (($regValue -eq $ExpectedValue) -or (($Key -eq "LogFilePath") -and ($regValue -match "[a-z]*.log"))) {
$Result = @{
Message = "Compliant"
Status = "True"
}
}
# if regValue isnot empty AND regValue isnot expectedValue AND result is not True (yet)
# This result is ranked #2 below "Compliant" and above "Registry value not found"
if (($null -ne $regValue) -and ($regValue -ne $ExpectedValue) -and ($Result.Status -ne "True")) {
$Result = @{
Message = "Registry value is '$regValue'. Expected: $ExpectedValue"
Status = "False"
}
}
}
END {
$FirewallProfile = $FirewallProfiles | Where-Object {$_.Name -eq $ProfileType}
$FirewallProfileValue = $FirewallProfile.$Key
# check whether value is a number
if ($FirewallProfileValue -is [int32] -or $FirewallProfileValue -is [uint32] -or $FirewallProfileValue -is [int64] -or $FirewallProfileValue -is [uint64]) {
# if value is a number, the value may also be greater and equals to the expectedvalue
if ($FirewallProfileValue -ge $expectedValue) {
$Result = @{
Message = "Compliant"
Status = "True"
}
}
}
if ($FirewallProfileValue -eq $expectedValue) {
$Result = @{
Message = "Compliant"
Status = "True"
}
}
if ($Key -eq "LogFilePath") {
if ($FirewallProfiles -eq $null -or $FirewallProfiles.Count -lt 3) {
### if profiles are empty, skip comparison and continue with other checks
} else {
if (($FirewallProfiles[0].LogFileName -eq $FirewallProfiles[1].LogFileName) -or
($FirewallProfiles[0].LogFileName -eq $FirewallProfiles[2].LogFileName) -or
($FirewallProfiles[1].LogFileName -eq $FirewallProfiles[2].LogFileName)) {
$Result = @{
Message = "For better organization and identification of specific issues within each profile consider using separate logfiles for each profile."
Status = "Warning"
}
}
}
}
return $Result
}
}
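Review bot: The `LogFilePath` shortcut on the first `if` in PROCESS uses `-match "[a-z]*.log"`, where the dot is unescaped and the pattern is unanchored, so any value containing `log` preceded by one arbitrary character (a path containing `catalog`, for instance) is reported as Compliant; the comment says "ends with .log", which is `($regValue -match '\.log$')`. In END, `$FirewallProfiles -eq $null` should be `$null -eq $FirewallProfiles` so a collection on the left is not turned into a filter that yields an empty, falsy result. `$expectedValue` is used in END while the parameter is declared `$ExpectedValue`; PowerShell is case-insensitive so it works, but matching the declared spelling avoids a misleading diff later.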
+58
@@ -0,0 +1,58 @@
#Hash functions will be used for hashing results of report
#Based on SHA-256 and SHA-512
function Get-SHA256Hash {
Param (
[Parameter(Mandatory=$true)]
[string]
$ClearString
)
$hasher = [System.Security.Cryptography.HashAlgorithm]::Create('sha256')
$hash = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($ClearString))
$hashString = [System.BitConverter]::ToString($hash)
$hashString.Replace('-', '')
}
function GenerateHashTable{
Param (
[Parameter(Mandatory=$true)]
[Report]
$report
)
#hashes for each recommendation
$hashtable_sha256 = @{}
foreach($recommendation in $report.Sections){
$hash_sha256 = ""
foreach($section in $recommendation.SubSections){
foreach($test in $section.AuditInfos){
#hash each test status
$statusHash_sha256 = (Get-SHA256Hash $test.Status)
$hash_sha256 += $statusHash_sha256
#hash combination of tests
$hash_sha256 = (Get-SHA256Hash $hash_sha256)
}
}
#add final hash to hashlist
$hashtable_sha256.add($recommendation.Title, $hash_sha256)
}
#checksum hash for overal check
$overallHash_sha256 = ""
foreach($hash in $hashtable_sha256.values){
#add recommendation hash to overall hash
$overallHash_sha256 += $hash
#hash this value again
try{
$overallHash_sha256 = Get-SHA256Hash $overallHash_sha256 -ErrorAction Stop
}
catch{
Write-Warning "Hash code for report section couldn't be created."
}
}
$hashtable_sha256.add($report.Title, $overallHash_sha256)
return $hashtable_sha256
}
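Review bot: `Get-SHA256Hash $overallHash_sha256 -ErrorAction Stop` in `GenerateHashTable` passes a common parameter to a function that has no `[CmdletBinding()]`, which should fail parameter binding on every iteration; the `catch` then only prints a warning and `$overallHash_sha256` is left as the unhashed concatenation. Either add `[CmdletBinding()]` to `Get-SHA256Hash` or drop `-ErrorAction Stop`. Independently, the overall hash folds `$hashtable_sha256.values` in Hashtable enumeration order, which is not guaranteed to be stable, so two runs over the same report can yield different checksums; iterate `$hashtable_sha256.Keys | Sort-Object` instead. `Get-SHA256Hash` also never disposes `$hasher`; a `try { ... } finally { $hasher.Dispose() }` around the compute is cheap given the function is called once per test.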
+106
@@ -0,0 +1,106 @@
$script:LinuxDistroId = $null
$rcTrue = "True"
$rcCompliant = "Compliant"
$rcFalse = "False"
$rcNone = "None"
$rcNonCompliant = "Non-Compliant"
$rcNonCompliantManualReviewRequired = "Manual review required"
$rcCompliantIPv6isDisabled = "IPv6 is disabled"
if (Test-Path "/etc/os-release") {
$osRelease = @{}
Get-Content "/etc/os-release" | ForEach-Object {
if ($_ -match "^(?<key>\w+)=(?<val>.+)$") {
$osRelease[$matches.key] = $matches.val.Trim('"')
}
}
$script:LinuxDistroId = $osRelease["ID"]
if (-not $script:LinuxDistroId) {
throw "Could not detect Linux distribution from /etc/os-release"
}
switch ($script:LinuxDistroId) {
"ubuntu" {}
"debian" {}
"rhel" {}
"centos" {}
"fedora" {}
"opensuse" {}
default {
throw "Unsupported Linux distribution: $script:LinuxDistroId"
}
}
Write-Verbose "Detected $script:LinuxDistroId"
} else {
throw "/etc/os-release not found. Cannot detect Linux distribution."
}
function Test-PackageInstalled {
param (
[Parameter(Mandatory = $true)]
[string]$PackageName
)
switch ($script:LinuxDistroId) {
"ubuntu"
{
dpkg-query -W -f='${db:Status-Abbrev}' $PackageName 2>/dev/null | Out-Null
return ($LASTEXITCODE -eq 0)
}
"debian"
{
dpkg-query -W -f='${db:Status-Abbrev}' $PackageName 2>/dev/null | Out-Null
return ($LASTEXITCODE -eq 0)
}
"rhel"
{
rpm -q $PackageName >/dev/null 2>&1
return ($LASTEXITCODE -eq 0)
}
"centos"
{
rpm -q $PackageName >/dev/null 2>&1
return ($LASTEXITCODE -eq 0)
}
"fedora"
{
rpm -q $PackageName >/dev/null 2>&1
return ($LASTEXITCODE -eq 0)
}
"opensuse"
{
rpm -q $PackageName >/dev/null 2>&1
return ($LASTEXITCODE -eq 0)
}
default
{ throw "Unexpected distro in module runtime: $script:LinuxDistroId" }
}
}
function Test-ServiceActiveOrEnabled {
param (
[Parameter(Mandatory = $true)]
[string]$ServiceName
)
# Check if the service is active
systemctl is-active --quiet $ServiceName
$isActive = ($LASTEXITCODE -eq 0)
# Check if the service is enabled
systemctl is-enabled --quiet $ServiceName
$isEnabled = ($LASTEXITCODE -eq 0)
return ($isActive -or $isEnabled)
}
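Review bot: `Test-PackageInstalled` discards the `${db:Status-Abbrev}` output and keys only on `$LASTEXITCODE`, but `dpkg-query -W` exits 0 for any package known to the dpkg database, including ones removed with config files left behind (status `rc`), so an uninstalled package can be reported as installed; capture the output and require an installed state, e.g. `$status = dpkg-query -W -f='${db:Status-Abbrev}' $PackageName 2>/dev/null` followed by `return ($LASTEXITCODE -eq 0 -and $status -like 'ii*')`. The distro `switch` at the top throws during module load for any `ID` outside the six literals; openSUSE releases, as far as I recall, report `ID=opensuse-leap` or `ID=opensuse-tumbleweed`, so `"opensuse"` never matches and the module fails to import there — consider a wildcard match or falling back to `ID_LIKE`. The four identical `rpm` arms and the two `dpkg-query` arms could be collapsed into `{ $_ -in "ubuntu","debian" }`-style cases so the two code paths are maintained in one place each.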
+94
@@ -0,0 +1,94 @@
function Set-LogFile {
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
Param(
[Parameter(Mandatory = $true)]
[Alias('LogPath')]
[string]$Path,
[Parameter(Mandatory = $true)]
[Alias('Logname')]
[string]$Name
)
$FullPath = Get-FullPath $Path $Name
# Create file if it does not already exists
if (!(Test-Path -Path $FullPath)) {
# Create file and start logging
New-Item -Path $FullPath -ItemType File -Force | Out-Null
Add-Content -Path $FullPath -Value "***************************************************************************************************"
Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]"
Add-Content -Path $FullPath -Value "***************************************************************************************************"
Add-Content -Path $FullPath -Value ""
Add-Content -Path $FullPath -Value ""
}
}
function Write-LogFile {
[CmdletBinding()]
Param(
[Parameter(Mandatory = $true)]
[Alias('LogMessage')]
[string]$Message,
[Parameter(Mandatory = $true)]
[Alias('LogPath')]
[string]$Path,
[Parameter(Mandatory = $true)]
[Alias('Logname')]
[string]$Name,
[ValidateSet("Error", "Warning", "Info")]
[string]$Level = "Info"
)
Set-LogFile $Path $Name
$FullPath = Get-FullPath $Path $Name
# Format date for log file
$FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
switch ($Level) {
'Error' {
# Write-Error $Message
$LevelText = '[ERROR]:'
}
'Warning' {
# Write-Warning $Message
$LevelText = '[WARNING]:'
}
'Info' {
# Write-Verbose $Message
$LevelText = '[INFO]:'
}
}
Add-Content $FullPath "$FormattedDate $LevelText"
Add-Content $FullPath "$Message"
Add-Content $FullPath "--------------------------"
Add-Content $FullPath ""
}
function Get-FullPath {
[CmdletBinding()]
Param(
[Parameter(Mandatory = $true)]
[string]$Path,
[Parameter(Mandatory = $true)]
[string]$File
)
$FullPath = ""
if ($Path.Length -gt 0) {
if ($Path[$Path.Length - 1] -ne "\") {
$FullPath = $Path + "\" + $File
}
else {
$FullPath = $Path + $File
}
}
return $FullPath
}
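Review bot: `Get-FullPath` joins with a hard-coded `"\"`, so on Linux (which the module otherwise supports) `Set-LogFile`/`Write-LogFile` create a single file whose name contains a literal backslash instead of a file inside `$Path`; `Join-Path -Path $Path -ChildPath $File` handles both separators and removes the trailing-separator branch (keep the `$Path.Length -gt 0` guard if callers rely on `""` for an empty path). `Set-LogFile` declares `SupportsShouldProcess` but never calls `$PSCmdlet.ShouldProcess($FullPath)` before `New-Item`, so `-WhatIf` still creates the file; either call it or drop the attribute. In `Write-LogFile`, `Set-LogFile $Path $Name` and the following `Get-FullPath` each recompute the same path; computing `$FullPath` once would avoid the duplicate call.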
+142
@@ -0,0 +1,142 @@
# Get the report names from the files in the Module folder
function Get-Reports {
# Get the path to the module
$atapFile = (Get-Module -ListAvailable ATAPAuditor).Path
if ($atapFile.Count -gt 1) {
$atapFile = $atapFile[0] # use the first result if there are several
} elseif ($atapFile.Count -eq 0) {
Write-Host "The ATAP module could not be found."
pressAnyKeyToQuit
Exit
}
# find all *.ps1 report files
$atapDir = Split-Path -parent $atapFile
$reportsDir = Join-Path -Path $atapDir -ChildPath "Reports"
$reportFiles = Get-ChildItem -Path "$reportsDir\*.ps1" -Recurse
# Build a dictionary from the file names without the extension
$i = 1
$reports = [ordered]@{}
foreach ($reportName in $reportFiles) {
$reports.add([string]$i, $reportName.BaseName)
$i++
}
return $reports
}
# present a menu based on the dict given as argument
function Show-Menu {
param (
[System.Collections.Specialized.OrderedDictionary]$reports
)
Clear-Host
Write-Host "============== AuditTAP Reports ==============`n"
$padCount = ([string]$reports.Count).Length
foreach ($item in $reports.GetEnumerator()) {
Write-Host (' {0}: {1}' -f $item.Key.PadLeft($padCount, ' '), $item.Value)
}
Write-Host ""
}
function askSelection {
param (
[System.Collections.Specialized.OrderedDictionary]$reports
)
$retry = $false
:loop while ($true) {
# show menu and ask the user for a selection (or multiple)
Show-Menu $reports
if ($retry) {
[string]$selection = Read-Host "Invalid selection. Please try again`nYou can select multiple reports by comma separating the numbers"
} else {
[string]$selection = Read-Host "Please choose a report to run`nYou can select multiple reports by comma separating the numbers"
}
# sanitize input data
$selection = $selection -replace '\s',''
$selection = $selection.Trim(',')
$selectionArray = $selection.Split(",")
$selectionArray = $selectionArray | Select-Object -Unique
# Check if requested reports are valid / actually present
$reportsValid = @()
foreach ($i in $selectionArray) {
if (!$reports.Contains($i)) {
Write-Host "Report $i does not exist"
$retry = $true
Continue loop
} else {
$reportsValid += $reports[$i]
}
}
# return the list of valid reports as an array of strings
return $reportsValid
}
}
function runReports {
param (
[string[]]$report
)
Clear-Host
Import-Module -Name ATAPAuditor -Force
foreach ($i in $report) {
Write-Host "Running report: $i"
Save-ATAPHtmlReport -ReportName $i -Force
Write-Host ""
}
}
function isAdmin {
$unixOS = [System.Environment]::OSVersion.Platform -eq 'Unix'
if ($unixOS) {
return ($(id -u) -eq 0)
} else {
return ([Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains 'S-1-5-32-544')
}
}
function pressAnyKeyToQuit {
if ($psISE) {
Return
}
Write-Host "Press any key to quit"
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
}
if (!(isAdmin)) {
Write-Host "Please run as administrator`n"
pressAnyKeyToQuit
} else {
$reports = Get-Reports
Show-Menu $reports
$sel = askSelection $reports
runReports $sel
if ([System.Environment]::OSVersion.Platform -eq 'Unix') {
if (($env:XDG_SESSION_TYPE -eq 'tty') -or ($null -eq $env:SUDO_USER)) {
# 1. reason to return: no graphical environment to open the file explorer
# 2. reason to return: we do not want to open the file explorer as root
Return
}
}
[string]$action = Read-Host "Do you want to open the output directory? (Y/N)"
if ($action -eq 'y' -or $action -eq 'Y') {
if ($null -eq $env:ATAPReportPath) {
$outPath = [Environment]::GetFolderPath('MyDocuments') | Join-Path -ChildPath 'ATAPReports'
} else {
$outPath = $env:ATAPReportPath
}
if (Test-Path -Path $outPath) {
if ([System.Environment]::OSVersion.Platform -eq 'Unix') {
su $env:SUDO_USER -c "xdg-open $outPath"
} else {
explorer.exe $outPath
}
}
}
}
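Review bot: `su $env:SUDO_USER -c "xdg-open $outPath"` interpolates `$outPath`, which comes from the `ATAPReportPath` environment variable, into a string that `su` hands to a shell, so a path containing spaces or shell metacharacters is split or interpreted rather than opened; pass it as an argument instead of a command string, e.g. `sudo -u $env:SUDO_USER xdg-open $outPath` (sudo is present on this code path because `SUDO_USER` is set), which lets PowerShell hand the value over as a single argv entry. `isAdmin` tests `Groups -contains 'S-1-5-32-544'`, which is membership in Administrators rather than elevation — I believe a non-elevated admin token under UAC still lists that SID as deny-only, so the check can pass and the reports fail later; `([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)` reflects the effective token. `Get-Reports` calls `Exit` from inside a function, which ends the host session when the script is dot-sourced; returning an empty dictionary and letting the top-level code decide is safer.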
+20
@@ -0,0 +1,20 @@
[SystemInformation]@{
SoftwareInformation = [SoftwareInformation]@{
Hostname = hostname
OperatingSystem = (Get-Content /etc/os-release | Select-String -Pattern '^PRETTY_NAME=\"(.*)\"$').Matches.Groups[1].Value
BuildNumber = 'Version {0} (Build {1}.{2})' -f $v.DisplayVersion, $v.CurrentBuildNumber, $v.UBR
InstallationLanguage = (($(locale) | Where-Object { $_ -match "LANG=" }) -split '=')[1]
SystemUptime = uptime -p
OSArchitecture = lscpu | awk '/Architecture/ {print $2}'
KernelVersion = uname -r
}
HardwareInformation = [HardwareInformation]@{
BIOSVersion = dmidecode -s bios-version
SystemSKU = (dmidecode -t system)[12] | cut -d ':' -f 2 | xargs
SystemSerialnumber = (dmidecode -t system)[9] | cut -d ':' -f 2 | xargs
SystemManufacturer = (dmidecode -t system)[6] | cut -d ':' -f 2 | xargs
SystemModel = dmidecode -s system-product-name
FreeDiskSpace = "{0:N1} GB" -f ((Get-PSDrive | Where-Object { $_.Name -eq '/' }).Free / 1GB)
FreePhysicalMemory = "{0:N1} GB" -f (( -split (Get-Content /proc/meminfo | Where-Object { $_ -match 'MemFree:' }))[1] / 1MB)
}
}
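Review bot: `SystemSKU`, `SystemSerialnumber` and `SystemManufacturer` index fixed line numbers (`[12]`, `[9]`, `[6]`) of `dmidecode -t system` output, which varies by firmware and dmidecode version, so the fields can silently pick up the wrong line; use the keyword form already used for the other fields, `dmidecode -s system-manufacturer`, `dmidecode -s system-serial-number` and `dmidecode -s system-sku-number` (the last needs a reasonably recent dmidecode). `BuildNumber` formats `$v.DisplayVersion`/`$v.CurrentBuildNumber`/`$v.UBR`, but `$v` is not assigned anywhere in this file (the Windows variant reads it from the registry), so unless a caller sets it the value renders as `Version  (Build .)`; `VERSION_ID` from `/etc/os-release` is the nearest Linux equivalent. The `dmidecode` calls also need root; run unprivileged they return nothing and the fields come back empty with no warning.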
+41
@@ -0,0 +1,41 @@
$infos = Get-CimInstance Win32_OperatingSystem
$disk = Get-CimInstance Win32_LogicalDisk | Where-Object -Property DeviceID -eq "C:"
$role = Switch ((Get-CimInstance -Class Win32_ComputerSystem).DomainRole) {
"0" { "Standalone Workstation" }
"1" { "Member Workstation" }
"2" { "Standalone Server" }
"3" { "Member Server" }
"4" { "Backup Domain Controller" }
"5" { "Primary Domain Controller" }
}
$freeMemory = ($infos.FreePhysicalMemory / 1024) / 1024;
$totalMemory = ($infos.TotalVirtualMemorySize / 1024) / 1024;
$uptime = (get-date) - (gcim Win32_OperatingSystem).LastBootUpTime
$v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[SystemInformation]@{
SoftwareInformation = [SoftwareInformation]@{
Hostname = hostname
DomainRole = $role
OperatingSystem = $infos.Caption
LicenseStatus = $lcStatus
BuildNumber = 'Version {0} (Build {1}.{2})' -f $v.DisplayVersion, $v.CurrentBuildNumber, $v.UBR
InstallationLanguage = ((Get-UICulture).DisplayName)
SystemUptime = '{0:d1}:{1:d2}:{2:d2}:{3:d2}' -f $uptime.Days, $uptime.Hours, $uptime.Minutes, $uptime.Seconds
OSArchitecture = (Get-WmiObject win32_operatingsystem | select osarchitecture).osarchitecture
}
HardwareInformation = [HardwareInformation]@{
BIOSVersion = (Get-WmiObject -Class Win32_BIOS).Version
SystemSKU = (Get-WmiObject -Namespace root\wmi -Class MS_SystemInformation).SystemSKU
SystemSerialnumber = (Get-WmiObject win32_bios).Serialnumber
SystemManufacturer = (Get-WMIObject -class Win32_ComputerSystem).Manufacturer
SystemModel = (Get-WMIObject -class Win32_ComputerSystem).Model
FreeDiskSpace = "{0:N3}" -f "$([math]::Round(($disk.FreeSpace / $disk.Size)*100,1))% " + "{0:N3}" -f "($([math]::Round($disk.FreeSpace / 1GB,1)) GB / $([math]::Round($disk.Size / 1GB,1)) GB)"
FreePhysicalMemory = "{0:N3}" -f "$([math]::Round(($freeMemory/$totalMemory)*100,1))% ($([math]::Round($freeMemory,1)) GB / $([math]::Round($totalMemory,1)) GB)"
}
}
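Review bot: `$totalMemory` is taken from `TotalVirtualMemorySize` while `$freeMemory` comes from `FreePhysicalMemory`, so the `FreePhysicalMemory` percentage divides physical free memory by the virtual (RAM plus page file) total and understates it; the matching denominator is `$totalMemory = ($infos.TotalVisibleMemorySize / 1024) / 1024;`. `LicenseStatus = $lcStatus` references a variable that is not assigned in this file, so it will be empty unless the caller sets it. The `"{0:N3}" -f "<string>"` wrappers on `FreeDiskSpace` and `FreePhysicalMemory` apply a numeric format to a string, which is a no-op; the inner `[math]::Round` calls already produce the rounded text, so the outer `-f` can be dropped.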
+36
@@ -0,0 +1,36 @@
function ConvertTo-NTAccountUser {
[CmdletBinding()]
[OutputType([hashtable])]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string] $Name
)
process {
try {
# Identity doesn't exist on when Hyper-V isn't installed
if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and
(Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") {
return $null
}
Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount"
if ($Name -match "^(S-[0-9-]{3,})") {
$sidAccount = [System.Security.Principal.SecurityIdentifier]$Name
}
else {
$sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}
return @{
Account = $sidAccount.Translate([System.Security.Principal.NTAccount])
Sid = $sidAccount.Value
}
}
catch{
return @{
Account = "Orphaned Account"
Sid = $Name
}
}
}
}
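Review bot: The `catch` at the end of `process` turns every failure into `Orphaned Account`, including a failure of `Get-WindowsOptionalFeature -Online`, which typically requires elevation and throws in a non-elevated session, so a perfectly valid identity can be reported as orphaned for reasons unrelated to the account. Consider catching `[System.Security.Principal.IdentityNotMappedException]` for the orphan case and letting other errors surface, or at least adding `Write-Verbose "[ConvertTo-NTAccountUser] $_"` before the fallback so an audit run can be traced.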
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="cramfs" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in:
\"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
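Review bot: The loaded-module check `lsmod | grep "$l_mname"` is a substring match over the whole lsmod line, including the `Used by` column, so any other loaded module whose name or dependency list contains the string makes the audit report this module as loaded. Anchoring on the module column, `lsmod | grep -Pq -- "^${l_mname}\b"`, avoids that. The same check appears in the squashfs, udf, usb-storage, dccp and sctp sections. Note also that this section greps `/etc/modprobe.d/*` for the deny-list entry while the dccp section queries `modprobe --showconfig`, which presumably also covers `/run/modprobe.d` and `/usr/lib/modprobe.d`; the two approaches can give different answers on the same host.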
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="squashfs" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="udf" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="usb-storage" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable:
\"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable:
\"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in:
\"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
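Review bot: `lsmod | grep "$l_mname"` can never match here because lsmod prints module names with underscores (`usb_storage`) while `l_mname` is `usb-storage`, so this section always reports the module as not loaded even when it is. Normalize before comparing, `lsmod | grep -Pq -- "^$(tr '-' '_' <<<"$l_mname")\b"`, as the dccp section already does for its blacklist lookup. The `/etc/modprobe.d` grep in this section has the same hyphen/underscore mismatch for an entry written as `blacklist usb_storage`.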
@@ -0,0 +1,18 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="kernel.randomize_va_space"
kpvalue="2"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc )"
fafile="$( grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: "
[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
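Review bot: `krp` is obtained by parsing `sysctl` output through awk and xargs, and the stderr of a failing `sysctl` (unknown key, or a container without the /proc/sys entry) is not redirected, so it ends up interleaved with the audit text; `krp="$(sysctl -n "$kpname" 2>/dev/null)"` yields the bare value directly. It is also worth a comment that `fafile` flags any file in `searchloc` carrying a different value regardless of which file actually takes effect, so an overridden stale entry still produces FAIL; that may well be the intended "no conflicting entries" reading of the benchmark.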
@@ -0,0 +1,73 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -
Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
echo -e "$l_pkgoutput"
# Look for existing settings and set variables if they exist
l_gdmfile="$(
grep -Prils '^\h*banner-message-enable\b'
/etc/dconf/db/*.d
)"
if [ -n "$l_gdmfile" ]; then
# Set profile name based on dconf db directory ({PROFILE_NAME}.d)
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")"
# Check if banner message is enabled
if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then
l_output="$l_output\n - The \"banner-message-enable\" option is
enabled in \"$l_gdmfile\""
else
l_output2="$l_output2\n - The \"banner-message-enable\" option is
not enabled"
fi
l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")"
if [ -n "$l_lsbt" ]; then
l_output="$l_output\n - The \"banner-message-text\" option is set
in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\""
else
l_output2="$l_output2\n - The \"banner-message-text\" option is
not set"
fi
if
grep -Pq "^\h*system-db:$l_gdmprofile"
/etc/dconf/profile/"$l_gdmprofile"
then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't
exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in
the dconf database"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't
exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"banner-message-enable\" option isn't
configured"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n -
Recommendation is Not Applicable\n- Audit result:\n *** PASS ***\n"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
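Review bot: Several commands in this section are split across lines where the source was copied with hard line wraps, and bash treats those breaks as command separators: `l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b'` with `/etc/dconf/db/*.d` on the next line runs grep with no file operand (it waits on stdin) and then tries to execute `/etc/dconf/db/*.d` as a command, and the `if` / `grep -Pq "^\h*system-db:$l_gdmprofile"` / `/etc/dconf/profile/"$l_gdmprofile"` split does the same, so the profile check always falls into the else branch. Join each of these back onto one line. The same wrap breaks the lock checks in the idle-delay-lock and automount-lock sections (`grep -` / `Pril`, `grep -Pil` / pattern, `grep` / `-Pril`, and a pattern split as `automount-` / `open\b'` that now contains a newline and never matches), the `grep -Pl` / `--` call in the autorun-never section, the `'systemd-` / `timesyncd.service'` pattern in the time-sync section, and the `readlink -f` / `"$driverdir"...` and `grep -Eq ...` / `/etc/modprobe.d/*.conf` calls in the wireless section. Message strings split inside their quotes (e.g. `is` / `enabled in`) only embed a newline in the output, but they should be joined as well.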
@@ -0,0 +1,43 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
output="" output2=""
l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db )"
if [ -n "$l_gdmfile" ]; then
output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\""
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")"
if
grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"
then
output="$output\n - The \"$l_gdmprofile\" exists"
else
output2="$output2\n - The \"$l_gdmprofile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
output2="$output2\n - The \"disable-user-list\" option is not enabled"
fi
if [ -z "$output2" ]; then
echo -e "$l_pkgoutput\n- Audit result:\n *** PASS: ***\n$output\n"
else
echo -e "$l_pkgoutput\n- Audit Result:\n *** FAIL: ***\n$output2\n"
[ -n "$output" ] && echo -e "$output\n"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *** PASS ***\n"
fi
}
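Review bot: `l_gdmfile` comes from `grep -Pril ... /etc/dconf/db`, which recurses into the compiled binary databases and the `locks` subdirectories as well as the `*.d` key-file directories, and when more than one file matches the variable holds a newline-separated list, so `awk` emits several profile names and `-f "/etc/dconf/db/$l_gdmprofile"` is evaluated against a string containing newlines. Restrict the search to the key-file directories as the sibling sections do, `l_gdmfile="$(grep -Prils '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db/*.d)"`, and either take the first match or report each file. This section also uses `output`/`output2` where its siblings use `l_output`/`l_output2`; aligning the names makes the sections easier to compare.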
@@ -0,0 +1,70 @@
#!/usr/bin/env bash
{
# Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_idmv="900" # Set for max value for idle-delay in seconds
l_ldmv="5" # Set for max value for lock-delay in seconds
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ )" # Determine file containing idle-delay key
if [ -n "$l_kfile" ]; then
# set profile name (This is the name of a dconf database)
l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")" #Set the key profile name
l_pdbdir="/etc/dconf/db/$l_profile.d" # Set the key file dconf db directory
# Confirm that idle-delay exists, includes unit32, and value is between 1 and max value for idle-delay
l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_idv" ]; then
[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\""
[ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\""
[ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\""
fi
# Confirm that lock-delay exists, includes unit32, and value is between 0 and max value for lock-delay
l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" |xargs)"
if [ -n "$l_ldv" ]; then
[ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds in \"$l_kfile\""
[ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\""
fi
# Confirm that dconf profile exists
if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then
l_output="$l_output\n - The \"$l_profile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_profile\" doesn't exist"
fi
# Confirm that dconf profile database file exists
if [ -f "/etc/dconf/db/$l_profile" ]; then
l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
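Review bot: The numeric tests `[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ]` assume `l_idv` is a bare integer, but `awk -F 'uint32' '/idle-delay/{print $2}'` prints everything after `uint32` on every line that mentions idle-delay, so a trailing comment, a second matching line or a commented-out entry yields a multi-word value and `[` aborts with an integer-expression error instead of producing a FAIL line. Validate before comparing, `[[ "$l_idv" =~ ^[0-9]+$ ]] || l_output2="$l_output2\n - The \"idle-delay\" value \"$l_idv\" in \"$l_kfile\" is not numeric"`, and prefer `[[ ... && ... ]]` over the deprecated `-a`. The lock-delay test a few lines below has the same shape.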
@@ -0,0 +1,65 @@
#!/usr/bin/env bash
{
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
if
grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b'
"$l_kfd"
then
l_output="$l_output\n - \"idle-delay\" is locked in \"$(
grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"
)\""
else
l_output2="$l_output2\n - \"idle-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
if
grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b'
"$l_kfd2"
then
l_output="$l_output\n - \"lock-delay\" is locked in \"$(
grep -
Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"
)\""
else
l_output2="$l_output2\n - \"lock-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be
locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed
on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,75 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
# Look for existing settings and set variables if they exist
l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
# Set profile name based on dconf db directory ({PROFILE_NAME}.d)
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")"
elif [ -f "$l_kfile2" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile2")"
fi
# If the profile name exist, continue checks
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
# Check if profile file exists
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
# Check if the dconf database file exists
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
# check if the dconf database directory exists
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
# check automount setting
if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"automount\" is not set correctly"
fi
# check automount-open setting
if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then
l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\""
else
l_output2="$l_output2\n - \"automount-open\" is not set correctly"
fi
else
# Setings don't exist. Nothing further to check
l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
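Review bot: `if [ -f "$l_kfile" ]` only succeeds when `grep -Prils` returned exactly one path; with two key files that set `automount` (a distribution default and a local override in the same `*.d`), `l_kfile` holds both names, the test is false, `l_gpname` stays empty and the audit reports that neither option is set. Handle the multi-match case explicitly, for example by iterating `while IFS= read -r f; do ...; done <<<"$l_kfile"` or by reporting the list as a failure. Separately, `l_gpname` is not cleared in the initialization line with the other variables, so a value inherited from the environment would pass the `-n "$l_gpname"` test; add it there. The message `The dconf directory ... exitst` has a typo.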
@@ -0,0 +1,65 @@
#!/usr/bin/env bash
{
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}' ).d" #set directory of key file to be locked
if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
if
grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b'
"$l_kfd"
then
l_output="$l_output\n - \"automount\" is locked in \"$(
grep -Pil
'^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"
)\""
else
l_output2="$l_output2\n - \"automount\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount\" is not set so it can not be
locked"
fi
if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-
open\b' "$l_kfd2"; then
l_output="$l_output\n - \"lautomount-open\" is locked in \"$(
grep
-Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"
)\""
else
l_output2="$l_output2\n - \"automount-open\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount-open\" is not set so it can
not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed
on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
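Review bot: The success message on the automount-open branch reads `\"lautomount-open\" is locked`; drop the stray `l` so the output matches the key name used elsewhere in the section. The regexes here escape the slashes inconsistently (`\/org/gnome\/desktop`), which PCRE tolerates, but one consistent form is easier to read and to grep for.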
@@ -0,0 +1,76 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space separated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -
Package: \"$l_pn\" exists on the system\n - checking configuration"
echo -e "$l_pkgoutput"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
# Look for existing settings and set variables if they exist
l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
# Set profile name based on dconf db directory ({PROFILE_NAME}.d)
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")"
fi
# If the profile name exist, continue checks
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
# Check if profile file exists
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(
grep -Pl
-- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*
)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
# Check if the dconf database file exists
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\"
doesn't exist"
fi
# check if the dconf database directory exists
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\"
doesn't exist"
fi
# check autorun-never setting
if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
l_output="$l_output\n - \"autorun-never\" is set to true in:
\"$l_kfile\""
else
l_output2="$l_output2\n - \"autorun-never\" is not set correctly"
fi
else
# Settings don't exist. Nothing further to check
l_output2="$l_output2\n - \"autorun-never\" is not set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed
on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
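Review bot: `echo -e "$l_pkgoutput"` inside the `for l_pn` loop prints the accumulated package text on every iteration (an empty line when the package is absent, the growing list otherwise), and the same text is echoed again right after `if [ -n "$l_pkgoutput" ]`, so the report shows the package line twice on a host with gdm3 installed. Drop the echo inside the loop; the one after the test is enough. As in the automount section, `l_gpname` is not cleared in the initialization line, so an inherited value would satisfy `-n "$l_gpname"`.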
@@ -0,0 +1,43 @@
#!/usr/bin/env bash
{
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space separated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfd="/etc/dconf/db/$( grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
l_output="$l_output\n - \"autorun-never\" is locked in \"$(
grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"
)\""
else
l_output2="$l_output2\n - \"autorun-never\" is not locked"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,37 @@
#!/usr/bin/env bash
{
output="" l_tsd="" l_sdtd="" chrony="" l_ntp=""
dpkg-query -W chrony >/dev/null 2>&1 && l_chrony="y"
dpkg-query -W ntp >/dev/null 2>&1 && l_ntp="y" || l_ntp=""
systemctl list-units --all --type=service | grep -q 'systemd-
timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' && l_sdtd="y"
# ! systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' &&
l_nsdtd="y" || l_nsdtd=""
if [[ "$l_chrony" = "y" && "$l_ntp" != "y" && "$l_sdtd" != "y" ]]; then
l_tsd="chrony"
output="$output\n- chrony is in use on the system"
elif [[ "$l_chrony" != "y" && "$l_ntp" = "y" && "$l_sdtd" != "y" ]]; then
l_tsd="ntp"
output="$output\n- ntp is in use on the system"
elif [[ "$l_chrony" != "y" && "$l_ntp" != "y" ]]; then
if
systemctl list-units --all --type=service | grep -q 'systemd-
timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -Eq '(enabled|disabled|masked)'
then
l_tsd="sdtd"
output="$output\n- systemd-timesyncd is in use on the system"
fi
else
[[ "$l_chrony" = "y" && "$l_ntp" = "y" ]] && output="$output\n- both
chrony and ntp are in use on the system"
[[ "$l_chrony" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both
chrony and systemd-timesyncd are in use on the system"
[[ "$l_ntp" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both ntp
and systemd-timesyncd are in use on the system"
fi
if [ -n "$l_tsd" ]; then
echo -e "\n- PASS:\n$output\n"
else
echo -e "\n- FAIL:\n$output\n"
fi
}
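Review bot: The initialization line clears `chrony=""` but every later test reads `l_chrony`, which is never cleared, so a value of `l_chrony` inherited from the calling environment (or from a previous block run in the same shell, since these are not functions) decides the chrony branch. Change the first line to `output="" l_tsd="" l_sdtd="" l_chrony="" l_ntp=""`, and give the chrony probe the same fallback as the ntp line, `dpkg-query -W chrony >/dev/null 2>&1 && l_chrony="y" || l_chrony=""`. The `l_nsdtd="y" || l_nsdtd=""` line is the tail of the commented-out test above it and is now dead code; either restore that test or remove the line.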
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
output=""
grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; )
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && output="IPv6 Disabled in \"$grubfile\""
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
[ -n "$output" ] && output="$output, and in sysctl config" || output="ipv6 disabled in sysctl config"
fi
[ -n "$output" ] && echo -e "\n$output\n" || echo -e "\nIPv6 is enabled on the system\n"
}
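Review bot: `grubfile` is the output of `find ... -exec grep -Pl`, which lists every matching file, so on a host that has both `grubenv` and `grub.cfg` with kernel lines the variable holds two newline-separated paths, `[ -s "$grubfile" ]` is false and the bootloader check is silently skipped, leaving the sysctl path as the only evidence. Iterate over the matches instead, `while IFS= read -r f; do ...; done <<<"$grubfile"`, and include each file name in `output`. The `! grep ... | grep -vq` pipeline is correct but worth a one-line comment, since the negation applies to the whole pipeline.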
@@ -0,0 +1,29 @@
#!/bin/bash
if command -v nmcli >/dev/null 2>&1; then
if nmcli radio all | grep -Eq '\s*\S+\s+disabled\s+\S+\s+disabled\b'; then
echo "Wireless is not enabled"
else
nmcli radio all
fi
elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
t=0
mname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless |
xargs -0 dirname); do basename "$(
readlink -f
"$driverdir"/device/driver/module
)"; done | sort -u)
for dm in $mname; do
if
grep -Eq "^\s*install\s+$dm\s+/bin/(true|false)"
/etc/modprobe.d/*.conf
then
/bin/true
else
echo "$dm is not disabled"
t=1
fi
done
[ "$t" -eq 0 ] && echo "Wireless is not enabled"
else
echo "Wireless is not enabled"
fi
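Review bot: `find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname` pairs a newline-separated `find` with a NUL-delimited `xargs`, so with more than one wireless interface the whole list is passed to `dirname` as a single argument containing newlines and the driver lookup silently goes wrong; use `find ... -print0 | xargs -0 dirname` (or drop `-0`). `$dm` is interpolated into the ERE unescaped in `grep -Eq "^\s*install\s+$dm\s+/bin/(true|false)"`, which is harmless for ordinary module names but deserves a comment since the value comes from `readlink`. This file also uses `#!/bin/bash` where the rest of the set uses `#!/usr/bin/env bash`.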
@@ -0,0 +1,40 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="dccp" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(
grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<<"$l_mname" )\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
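Review bot: The deny-list test queries `modprobe --showconfig` with the name normalized to underscores, but the file name reported in the PASS message still greps `/etc/modprobe.d/*` for the unnormalized `$l_mname`, so the two lookups can disagree: an entry written with an underscore, or one living in a directory that `--showconfig` reads but this grep does not, passes the test yet produces an empty `deny listed in: ""` string. Reuse the normalized name and the same configuration sources in the second grep, or simply report the matching `--showconfig` line. The normalization is a no-op for `dccp` itself, but the sctp section has the same split without it.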
@@ -0,0 +1,39 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="sctp" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory" )" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$( grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,42 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="rds" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory" )" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(
grep -P --
"(^\h*install|\b$l_mname)\b" <<<"$l_loadable"
)"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,38 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="tipc" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")" [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
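Review bot: The line `l_loadable="$(modprobe -n -v "$l_mname")" [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && ...` at the start of the existence branch joins two statements; bash reads the leading assignment as an environment prefix for the `[` command, so `l_loadable` is never set in the script itself and the `wc -l` expansion already sees it empty. Every later `<<<"$l_loadable"` test therefore runs on an empty string, the `install /bin/(true|false)` match never succeeds, and tipc is reported as loadable with an empty value whatever the modprobe.d configuration says. Split it back into two lines as in the dccp, sctp and rds hunks above: `l_loadable="$(modprobe -n -v "$l_mname")"` followed by `[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")"`.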
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/{print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
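Review bot: `KPC` reads `l_kpname` and `l_kpvalue` and appends to `l_output`/`l_output2` purely through globals set by the calling loop, and nothing in the hunk says so; a header comment such as `# KPC: audit one kernel parameter. Reads l_kpname/l_kpvalue; appends to l_output (pass) or l_output2 (fail); l_searchloc is left unquoted on purpose so its globs expand` would spare the next reader the data-flow trace. On the two `grep ... $l_searchloc` lines a `# shellcheck disable=SC2086` next to the unquoted expansion documents that the word-splitting is intended rather than an oversight. `sysctl "$l_kpname"` has no stderr redirection, so a parameter the running kernel does not expose prints an error to the terminal and then an empty `l_krp` is reported as `is set to ""`; whether that is the wanted outcome is worth stating in a comment. The other sysctl hunks below (ip_forward, accept_source_route, accept_redirects, secure_redirects, log_martians, icmp_echo_ignore_broadcasts, icmp_ignore_bogus_error_responses, rp_filter, tcp_syncookies, accept_ra) carry the same `KPC`.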
@@ -0,0 +1,54 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; )
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
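Review bot: `grubfile=$(find /boot ... -exec grep -Pl ...)` in `ipv6_chk` holds several newline-separated paths when more than one of grubenv, grub.conf and grub.cfg contains a kernel line; `[ -s "$grubfile" ]` then tests a non-existent multi-line name, fails quietly, and the bootloader `ipv6.disable=1` check is skipped, so the parameter is audited as if IPv6 were enabled. Treating the variable as a list keeps the check independent of how many files match: `[ -n "$grubfile" ] && ! grep -hP -- "^\h*(kernelopts=|linux|kernel)" $grubfile | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"` (the unquoted expansion splits on the newlines; paths under /boot contain no whitespace in practice). `ipv6_chk` also reruns `find /boot` and the four `grep -Pqs` calls once per IPv6 parameter; computing `l_ipv6s` once before the loop would be cheaper and easier to read. The accept_source_route, accept_redirects and accept_ra hunks below contain the same `ipv6_chk`.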
@@ -0,0 +1,56 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(
find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \;
)
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,56 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(
find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \;
)
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.all.secure_redirects=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}'
)"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(
grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc
)"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,34 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.icmp_echo_ignore_broadcasts=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$( grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,34 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.icmp_ignore_bogus_error_responses=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.tcp_syncookies=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)"
l_fafile="$( grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,56 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}'
)"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; )
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
ufw_out="$(ufw status verbose)"
ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/::1/) {split($5, a, ":"); print a[2]}' | sort | uniq | while read -r lpn; do
! grep -Pq "^\h*$lpn\b" <<<"$ufw_out" && echo "- Port: \"$lpn\" is missing a firewall rule"
done
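Review bot: `split($5, a, ":"); print a[2]` takes the second colon-separated field of the local address, which is the port only for IPv4 forms such as `0.0.0.0:22`; for an IPv6 listener such as `[::]:22` (which the `$5!~/::1/` filter does not exclude) `a[2]` is empty, so `lpn` is empty, `grep -Pq "^\h*\b"` matches any rule line that starts with a word character, and the IPv6-only port is never reported. Taking the text after the last colon handles both families: `ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/::1/) {sub(/.*:/, "", $5); print $5}' | sort -u | while read -r lpn; do`. `ufw status verbose` needs root and prints a different layout when ufw is inactive; in that case every port is listed as missing, which is presumably the intended verdict but deserves a comment.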
@@ -0,0 +1,7 @@
#!/usr/bin/env bash
for PARTITION in $(findmnt -n -l -k -it $(
awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd, ) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
grep -qr "${PRIVILEGED}" /etc/audit/rules.d && printf "OK:'${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in on disk configuration.\n"
done
done
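Review bot: `grep -qr "${PRIVILEGED}" /etc/audit/rules.d` treats the binary path as an unanchored basic regex, so a rule for `/usr/bin/sudo` satisfies the check for `/usr/bin/su` and yields a false "OK"; `grep -qrFw -- "${PRIVILEGED}"` matches the literal path as a whole word. The `printf "OK:'${PRIVILEGED}' ..."` calls put the path into the format string, which breaks on any `%` in a file name; pass it as an argument to `%s` instead. `for PRIVILEGED in $(find ...)` word-splits and globs file names, so a name containing whitespace is reported in pieces; a NUL-delimited read avoids that. The running-configuration hunk that follows has the same three issues.
```shell
# … unchanged: outer PARTITION loop …
  find "${PARTITION}" -xdev -perm /6000 -type f -print0 | while IFS= read -r -d '' PRIVILEGED; do
    if grep -qrFw -- "${PRIVILEGED}" /etc/audit/rules.d; then
      printf "OK:'%s' found in auditing rules.\n" "${PRIVILEGED}"
    else
      printf "Warning: '%s' not found in on disk configuration.\n" "${PRIVILEGED}"
    fi
  done
```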
@@ -0,0 +1,10 @@
#!/usr/bin/env bash
{
RUNNING=$(auditctl -l)
[ -n "${RUNNING}" ] && for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv"noexec|nosuid" | awk '{print $1}'); do
for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
printf -- "${RUNNING}" | grep -q "${PRIVILEGED}" && printf "OK:'${PRIVILEGED}' found in auditing rules.\n" || printf "Warning:'${PRIVILEGED}' not found in running configuration.\n"
done
done ||
printf "ERROR: Variable 'RUNNING' is unset.\n"
}
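Review bot: `grep -Pv"noexec|nosuid"` on the `for PARTITION in ...` line has no space before the pattern, so the shell hands grep the single word `-Pvnoexec|nosuid`, which grep reads as a run of short options rather than as `-Pv` plus a pattern; the partition filter therefore no longer behaves like the on-disk script above and appears to yield no partitions at all, so the inner loop never runs and nothing is reported. Restore the space: `grep -Pv "noexec|nosuid"`. `printf -- "${RUNNING}" | grep -q ...` uses the `auditctl -l` output as the printf format string, which mangles any `%` or backslash in a rule and can drop rules from the comparison; `grep -qFw -- "${PRIVILEGED}" <<<"${RUNNING}"` is both safer and shorter. The substring-match, format-string and word-splitting points raised on the on-disk hunk apply here unchanged.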
@@ -0,0 +1,2 @@
#!/usr/bin/env bash
[ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "="'/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec stat -Lc "%n %U" {} +
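Review bot: `awk -F "="'/^\s*log_file/ {print $2}' /etc/audit/auditd.conf` has no space between `"="` and the program, so the shell joins them into one word and awk receives `=/^\s*log_file/ {print $2}` as its `-F` separator and `/etc/audit/auditd.conf` as the program text; awk most likely fails to parse that and prints nothing, `dirname ""` then yields `.`, and `find` walks the current directory instead of the audit log directory. Separate the two: `awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf`. The inner `$(dirname $(...))` is also unquoted; `dirname "$(awk ...)"` keeps a path with spaces intact.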
@@ -0,0 +1,68 @@
#!/usr/bin/env bash
{
echo -e "\n- Start check - logfiles have appropriate permissions and ownership"
output=""
find /var/log -type f | (
while read -r fname; do
bname="$(basename "$fname")"
case "$bname" in lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
secure | auth.log)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
SSSD | sssd)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h+(SSSD|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
gdm | gdm3)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(gdm3?|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
*.journal)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(systemd-journal|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
*)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
esac
done
# If all files passed, then we pass
if [ -z "$output" ]; then
echo -e "\n- PASS\n- All files in \"/var/log/\" have appropriate permissions and ownership\n"
else
# print the reason why we are failing
echo -e "\n- FAIL:\n$output"
fi
echo -e "- End check - logfiles have appropriate permissions and ownership\n"
)
}
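Review bot: The `SSSD | sssd` and `gdm | gdm3` arms of the `case` compare against `$(basename "$fname")`, but sssd and gdm log files live in directories of those names (`/var/log/sssd/`, `/var/log/gdm3/`) and the files themselves carry other base names, so unless a file is literally called `sssd` or `gdm` those arms never fire; the files fall through to `*)`, where `sssd:sssd` or `root:gdm3` ownership is flagged as a failure. If the directory is what is meant, test `$fname` against `*/sssd/*` and `*/gdm/*|*/gdm3/*` ahead of the base-name arms. The mode regexes use `[0,2,4,6]`, a bracket expression that also admits a literal comma; `[0246][0246][04]` says what is intended. `stat` is invoked up to four times per file; one `stat -Lc '%a %U %G'` read into three variables would halve the process count under /var/log.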
@@ -0,0 +1,24 @@
#!/usr/bin/env bash
{
l_output=""
l_skgn="ssh_keys" # Group designated to own openSSH keys
l_skgid="$(awk -F: '($1 == "'"$l_skgn"'"){print $3}' /etc/group)"
awk '{print}' <<<"$(find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -L -c "%n %#a %U %G %g" {} +)" | (
while read -r l_file l_mode l_owner l_group l_gid; do
[ -n "$l_skgid" ] && l_cga="$l_skgn" || l_cga="root"
[ "$l_gid" = "$l_skgid" ] && l_pmask="0137" || l_pmask="0177"
l_maxperm="$(printf '%o' $((0777 & ~$l_pmask)))"
[ $(($l_mode & $l_pmask)) -gt 0 ] && l_output="$l_output\n - File: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive"
[ "$l_owner" != "root" ] && l_output="$l_output\n - File: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\""
if [ "$l_group" != "root" ] && [ "$l_gid" != "$l_skgid" ]; then
l_output="$l_output\n - File: \"$l_file\" is owned by group \"$l_group\" should belong to group \"$l_cga\""
fi
done
if [ -z "$l_output" ]; then
echo -e "\n- Audit Result:\n *** PASS ***\n"
else
echo -e "\n- Audit Result:\n *** FAIL ***$l_output\n"
fi
)
}
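Review bot: `awk '{print}' <<<"$(find ... -exec stat ... {} +)"` feeds one empty line to the loop when `find` matches nothing (a here-string always ends in a newline), so on a host without `ssh_host_*_key` files the loop body runs once with every variable empty: `$(($l_mode & $l_pmask))` becomes `$(( & 0177))`, which bash rejects as an arithmetic syntax error, and the owner test reports File "" as owned by "". Piping `find` straight into the subshell — `find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -L -c "%n %#a %U %G %g" {} + | (` — removes both the pointless `awk '{print}'` and the phantom line, because an empty pipe ends the `while read` immediately. `[ $(($l_mode & $l_pmask)) -gt 0 ]` relies on `%#a` printing a leading `0` so that bash parses the mode as octal; a short comment on the `stat` format would explain why the `#` is there.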
@@ -0,0 +1,12 @@
#!/usr/bin/env bash
{
declare -A HASH_MAP=(["y"]="yescrypt" ["1"]="md5" ["2"]="blowfish"
["5"]="SHA256" ["6"]="SHA512" ["g"]="gost-yescrypt")
CONFIGURED_HASH=$(sed -n "s/^\s*ENCRYPT_METHOD\s*\(.*\)\s*$/\1/p" /etc/login.defs )
for MY_USER in $(sed -n "s/^\(.*\):\\$.*/\1/p" /etc/shadow); do
CURRENT_HASH=$(sed -n "s/${MY_USER}:\\$\(.\).*/\1/p" /etc/shadow)
if [[ "${HASH_MAP["${CURRENT_HASH}"]^^}" != "${CONFIGURED_HASH^^}" ]]; then
echo "The password for '${MY_USER}' is using '${HASH_MAP["${CURRENT_HASH}"]}' instead of the configured '${CONFIGURED_HASH}'."
fi
done
}
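Review bot: `sed -n "s/${MY_USER}:\\$\(.\).*/\1/p" /etc/shadow` interpolates the user name into an unanchored regex, so for user `bob` the line of any account whose name ends in `bob` matches as well and `CURRENT_HASH` becomes a multi-line value that misses the `HASH_MAP` lookup, producing a spurious report; anchoring it — `sed -n "s/^${MY_USER}:\\$\(.\).*/\1/p" /etc/shadow` — confines the match to that account (the name is still read as a regex, so a `.` in it would need escaping). `CONFIGURED_HASH` is captured with `\(.*\)\s*$`, where the greedy `.*` keeps any trailing blanks on the `ENCRYPT_METHOD` line and the `^^` comparison then fails for every user; `\([^[:space:]]*\)` captures just the token. A single `awk -F: '$2 ~ /^\$/ {split($2, h, "$"); print $1, h[2]}' /etc/shadow` would replace the per-user `sed` pass over the file.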
@@ -0,0 +1,9 @@
#!/bin/bash
{
awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do
change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s)
if [[ "$change" -gt "$(date +%s)" ]]; then
echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\""
fi
done
}
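Review bot: The `grep '^Last password change'` on L2593 and L2595 depends on `chage --list` printing English, so under a non-English locale nothing matches, `date -d ""` (GNU date) evaluates to the start of today, and every user silently passes. Pin the locale at the top of the script with `export LC_ALL=C` (or prefix each call: `LC_ALL=C chage --list "$usr"`). Quoting `"$usr"` and capturing the `chage` output once per user into a variable would also remove the duplicated invocation.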
@@ -0,0 +1,4 @@
#!/bin/bash
awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd
awk -F: '($1!~/(root|^\+)/ && $3<'"$( awk '/^\s*UID_MIN/{print $2}' /etc/login.defs )"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}'
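Review bot: The exclusion regexes on L2601 and L2602 are unanchored, so `$1!~/(root|sync|shutdown|halt|^\+)/` also skips any account whose name merely contains one of those strings (e.g. `chroot` or `syncd`), and `$7!~/(\/bin)?\/false/` accepts any shell path containing `/false`. Anchor them: `$1!~/^(root|sync|shutdown|halt)$/ && $1!~/^\+/` and `$7!~/^(\/usr)?\/bin\/false$/`. The second line needs root for `passwd -S`; run unprivileged it prints nothing and looks like a pass, so a `[ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }` guard up front would help.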
@@ -0,0 +1,7 @@
#!/bin/bash
{
passing=""
grep -Eiq '^\s*UMASK\s+(0[0-7][2-7]7|[0-7][2-7]7)\b' /etc/login.defs && grep -Eqi '^\s*USERGROUPS_ENAB\s*"?no"?\b' /etc/login.defs && grep -Eq '^\s*session\s+(optional|requisite|required)\s+pam_umask\.so\b' /etc/pam.d/common-session && passing=true
grep -REiq '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/profile* /etc/bash.bashrc* && passing=true
[ "$passing" = true ] && echo "Default user umask is set"
}
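Review bot: The script is silent when the check fails — `passing` stays empty and L2609 prints nothing — so a reader cannot tell a failed audit from a script that did not run. Print an explicit result by replacing L2609 with `if [ "$passing" = true ]; then echo "Default user umask is set"; else echo "Default user umask is not set"; fi`. The `/etc/profile*` glob on L2608 also matches the `/etc/profile.d` directory and only works because of `-R`; listing `/etc/profile /etc/profile.d/*.sh` would make the intent explicit.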
@@ -0,0 +1,13 @@
#!/bin/bash
output1="" output2=""
[ -f /etc/bash.bashrc ] && BRC="/etc/bash.bashrc"
for f in "$BRC" /etc/profile /etc/profile.d/*.sh; do
grep -Pq '^\s*([^#]+\s+)?TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?readonly\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?export\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && output1="$f"
done
grep -Pq '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b'/etc/profile /etc/profile.d/*.sh "$BRC" && output2=$(grep -Ps '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b' /etc/profile /etc/profile.d/*.sh $BRC)
if [ -n "$output1" ] && [ -z "$output2" ]; then
echo -e "\nPASSED\n\nTMOUT is configured in: \"$output1\"\n"
else
[ -z "$output1" ] && echo -e "\nFAILED\n\nTMOUT is not configured\n"
[ -n "$output2" ] && echo -e "\nFAILED\n\nTMOUT is incorrectly configured in: \"$output2\"\n"
fi
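Review bot: L2618 is missing the space between the closing quote of the pattern and `/etc/profile`, so the two fuse into one word: the regex becomes `...\b/etc/profile`, `/etc/profile` itself is never searched, and since no real `TMOUT=` line ends in that literal, `output2` can never be set — the "incorrectly configured" branch on L2623 is dead code. Fix: `grep -Pq '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b' /etc/profile /etc/profile.d/*.sh "$BRC" && output2=...`. When `/etc/bash.bashrc` is absent `BRC` is unset and the quoted `"$BRC"` on L2615 and L2618 becomes an empty filename that grep complains about on stderr; initialise `BRC=""` and pass it only when non-empty, or add `-s`.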
@@ -0,0 +1,13 @@
#!/usr/bin/env bash
{
output=""
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( while read -r user home; do [ ! -d "$home" ] && output="$output\n - User \"$user\" home directory \"$home\" doesn't exist"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - All local interactive users have a home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
@@ -0,0 +1,13 @@
#!/usr/bin/env bash
{
output=""
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do owner="$(stat -L -c "%U" "$home")" [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\""
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - All local interactive users have a home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
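Review bot: On L2644 the `owner=...` assignment and the `[ "$owner" != "$user" ]` test share a line with no `;` between them, so bash treats the assignment as a temporary environment for the `[` builtin and expands `$owner` before it takes effect: `owner` is empty in the test, every user is reported as owned by `""`, and the variable never persists (the hunk header's 13 lines match the 13 shown, so this appears to be committed this way). Separate them: `owner="$(stat -L -c "%U" "$home")"; [ "$owner" != "$user" ] && output=...`, or put the test on its own line. The PASS text on L2647 was copied from the home-directory-exists check and should read `All local interactive users own their home directory`. A missing home directory also makes `stat` print an error here; guarding with `[ -d "$home" ] ||` as the sibling checks do keeps the output clean.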
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
{
output=""
perm_mask='0027'
maxperm="$(printf '%o' $((0777 & ~$perm_mask)))"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
if [ -d "$home" ]; then
mode=$(stat -L -c '%#a' "$home")
[ $(($mode & $perm_mask)) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
fi
done
if [ -n "$output" ]; then
echo -e "\n- Failed:$output"
else
echo -e "\n- Passed:\n- All user home directories are mode:\"$maxperm\" or more restrictive"
fi
)
}
@@ -0,0 +1,29 @@
#!/usr/bin/env bash
{
output="" output2=""
perm_mask='0177'
maxperm="$(printf '%o' $((0777 & ~$perm_mask)))"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
if [ -f "$home/.netrc" ]; then
mode="$(stat -L -c '%#a' "$home/.netrc")"
if [ $(($mode & $perm_mask)) -gt 0 ]; then
output="$output\n - User \"$user\" file: \"$home/.netrc\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
else
output2="$output2\n - User \"$user\" file: \"$home/.netrc\" exists and has file mode: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
fi
fi
done
if [ -z "$output" ]; then
if [ -z "$output2" ]; then
echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n"
else
echo -e "\n- WARNING:\n$output2\n"
fi
else
echo -e "\n- FAILED:\n$output\n"
[ -n "$output2" ] && echo -e "\n- WARNING:\n$output2\n"
fi
)
}
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
output=""
fname=".forward"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
[ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
output=""
fname=".rhosts"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
[ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
{
output=""
perm_mask='0022'
maxperm="$(printf '%o' $((0777 & ~$perm_mask)))"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
for dfile in $(find "$home" -type f -name '.*'); do
mode=$(stat -L -c '%#a' "$dfile")
[ $(($mode & $perm_mask)) -gt 0 ] && output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
done
done
if [ -n "$output" ]; then
echo -e "\n- Failed:$output"
else
echo -e "\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive"
fi
)
}
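Review bot: `for dfile in $(find "$home" -type f -name '.*')` on L2747 word-splits and globs the result, so a dotfile whose path contains whitespace (common under `~/.config`) is split into several non-existent names and `stat` errors instead of the file being checked. Read NUL-delimited paths instead: `while IFS= read -r -d '' dfile; do` … `done < <(find "$home" -type f -name '.*' -print0)`. This `find` recurses the whole home tree rather than just top-level dotfiles, which can be slow and noisy on large homes; if that is intended, a comment saying so would help the next reader.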
@@ -0,0 +1,9 @@
#!/usr/bin/env bash
a_passwd_group_gid=("$(awk -F: '{print $4}' /etc/passwd | sort -u)")
a_group_gid=("$(awk -F: '{print $3}' /etc/group | sort -u)")
a_passwd_group_diff=("$(printf '%s\n' "${a_group_gid[@]}" "${a_passwd_group_gid[@]}" | sort | uniq -u)")
while IFS= read -r l_gid; do
awk -F: '($4 == '"$l_gid"') {print " - User: \"" $1 "\" has GID: \"" $4 "\" which does not exist in /etc/group" }' /etc/passwd
exit 1
done < <(printf '%s\n' "${a_passwd_group_gid[@]}" "${a_passwd_group_diff[@]}" | sort | uniq -D | uniq)
exit 0
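Review bot: The `exit 1` on L2766 sits inside the loop body, so the script stops after the first orphaned GID and only one user is ever reported, even when several accounts reference missing groups. Record the failure and exit after the loop: set `l_rc=0` before the `while`, replace `exit 1` with `l_rc=1`, and end with `exit "$l_rc"`. The arrays on L2761-L2763 each hold a single newline-joined string rather than one element per GID; this only works because `printf '%s\n'` re-emits the embedded newlines, and `mapfile -t a_passwd_group_gid < <(awk -F: '{print $4}' /etc/passwd | sort -u)` would make the intent explicit.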
@@ -0,0 +1,10 @@
#!/bin/bash
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
echo "Duplicate UID ($2): $users"
fi
done
@@ -0,0 +1,4 @@
#!/bin/bash
cut -d: -f3 /etc/group | sort | uniq -d | while read x; do
echo "Duplicate GID ($x) in /etc/group"
done
@@ -0,0 +1,4 @@
#!/bin/bash
cut -d: -f1 /etc/passwd | sort | uniq -d | while read -r x; do
echo "Duplicate login name $x in /etc/passwd"
done
@@ -0,0 +1,4 @@
#!/bin/bash
cut -d: -f1 /etc/group | sort | uniq -d | while read -r x; do
echo "Duplicate group name $x in /etc/group"
done
@@ -0,0 +1,9 @@
#!/bin/bash
awk -F: '($1!~/(root|halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do
if [ -d "$dir" ]; then
file="$dir/.forward"
if [ ! -h "$file" ] && [ -f "$file" ]; then
echo "User: \"$user\" file: \"$file\" exists"
fi
fi
done
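Review bot: The `$1!~/(root|halt|sync|shutdown)/` exclusion on L2796 is unanchored, so any account whose name contains one of those substrings is skipped and never checked for a `.forward` file. Anchor it: `$1!~/^(root|halt|sync|shutdown)$/`. The `[ ! -h "$file" ]` test also means a `.forward` that is a symlink is deliberately ignored, while the sibling check on L2712 does not exclude symlinks; if the difference is intended, a comment explaining why would stop the two checks from drifting further apart.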
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="squashfs"
test1=$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")
if [ -z "$test1" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
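Review bot: `lsmod | grep "$l_mname"` on L2818 is an unanchored substring match across the whole `lsmod` line, including the "Used by" column, so any loaded module whose name or dependents contain `squashfs` counts as the module being loaded. Match the first column exactly: `if ! lsmod | grep -Pq -- "^$l_mname\b"; then`. The "deny listed in" lookup on L2824 only searches `/etc/modprobe.d/*` while `modprobe --showconfig` also reads `/run/modprobe.d` and `/usr/lib/modprobe.d`, so the reported path can be empty even when the blacklist entry is real.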
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="udf"
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="usb-storage"
if [ -z '$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")' ]; then
l_loadable='$(modprobe -n -v "$l_mname")'
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<< "$l_mname")\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
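Review bot: L2876 and L2877 wrap the command substitutions in single quotes, so `'$(modprobe -n -v "$l_mname" ...)'` is a literal non-empty string: `-z` is always false, the script always takes the "Module usb-storage doesn't exist on the system" branch, and the audit passes regardless of whether usb-storage is loadable or loaded. Change both to double quotes as in the udf/squashfs siblings: `if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then` and `l_loadable="$(modprobe -n -v "$l_mname")"`. Separately, L2889 normalises the hyphen to an underscore for the blacklist check but L2884 (`lsmod | grep "$l_mname"`) and L2890 do not; lsmod reports the module as `usb_storage`, so the "is loaded" test can never fire for this module.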
@@ -0,0 +1,52 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
echo -e "$l_pkgoutput"
l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)"
if [ -n "$l_gdmfile" ]; then
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then
l_output="$l_output\n - The \"banner-message-enable\" option is enabled in \"$l_gdmfile\""
else
l_output2="$l_output2\n - The \"banner-message-enable\" option is not enabled"
fi
l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")"
if [ -n "$l_lsbt" ]; then
l_output="$l_output\n - The \"banner-message-text\" option is set in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\""
else
l_output2="$l_output2\n - The \"banner-message-text\" option is not set"
fi
if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"banner-message-enable\" option isn't configured"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *PASS*\n"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
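Review bot: `l_gdmfile="$(grep -Prils ... /etc/dconf/db/*.d)"` on L2920 returns one path per matching file, so on a host where `banner-message-enable` appears in more than one `*.d` directory (e.g. `gdm.d` and `local.d`) the variable holds several newline-separated names, the later `grep ... "$l_gdmfile"` calls fail on a non-existent filename, and the audit reports the setting as missing. Either iterate over the matches (`while IFS= read -r l_gdmfile; do ...; done <<< "$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)"`) or detect the multi-match case and report it. `l_output`/`l_output2` are only initialised inside the `if` on L2918, so when GDM is absent the final `if` on L2950 sees an unset `l_output2` and prints a second PASS block after the one on L2948.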
@@ -0,0 +1,41 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
output="" output2=""
l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db)"
if [ -n "$l_gdmfile" ]; then
output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\""
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
output="$output\n - The \"$l_gdmprofile\" exists"
else
output2="$output2\n - The \"$l_gdmprofile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
output2="$output2\n - The \"disable-user-list\" option is not enabled"
fi
if [ -z "$output2" ]; then
echo -e "$l_pkgoutput\n- Audit result:\n PASS:\n$output\n"
else
echo -e "$l_pkgoutput\n- Audit Result:\n FAIL:\n$output2\n"
[ -n "$output" ] && echo -e "$output\n"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n PASS\n"
fi
}
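Review bot: The search on L2972 runs `grep -Pril` over all of `/etc/dconf/db`, which includes the compiled databases and `locks/` directories, whereas the sibling checks restrict themselves to the keyfile directories with `/etc/dconf/db/*.d`; a hit directly under `/etc/dconf/db` makes the `$(NF-1)` extraction on L2975 yield the literal `db` as the profile name. Use `l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db/*.d)"` for consistency. As with the other GDM checks, several matching files produce a multi-line `l_gdmfile` that the later tests cannot handle.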
@@ -0,0 +1,55 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2="" l_idmv="900"
l_ldmv="5"
l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/)"
if [ -n "$l_kfile" ]; then
l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
l_pdbdir="/etc/dconf/db/$l_profile.d"
l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_idv" ]; then
[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\"" [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\"" [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\""
fi
l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_ldv" ]; then
[ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\"seconds in \"$l_kfile\"" [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\""
fi
if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then
l_output="$l_output\n - The \"$l_profile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_profile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_profile" ]; then
l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
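Review bot: If L3021 really is one line as shown, the three tests form a single `&&` chain, so bash treats each `l_output=`/`l_output2=` as a temporary environment for the following `[` builtin (never persisted), and when the first test is false — exactly the `idle-delay = 0` (disabled) and `> 900` cases — the whole chain short-circuits, nothing lands in `l_output2`, and a disabled screen lock is reported as PASS; L3027 has the same shape for `lock-delay`. The hunk header counts 55 lines against 54 shown, so this may be a rendering artefact, but the committed file should be checked and each `[ ... ] && ...` put on its own line. The `-a` inside `[ ]` on L3021 and L3027 is also deprecated; `[ "$l_idv" -gt 0 ] && [ "$l_idv" -le "$l_idmv" ]` is unambiguous.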
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then
l_output="$l_output\n - \"idle-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"idle-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then
if grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then
l_output="$l_output\n - \"lock-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\""
else
l_output2="$l_output2\n - \"lock-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
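Review bot: The lock checks on L3073 and L3082 grep the whole `$l_kfd` directory rather than its `locks/` subdirectory, so a commented mention of `/org/gnome/desktop/session/idle-delay` in any keyfile satisfies the test even though dconf reads lock entries from `<db>.d/locks/`. Narrow the search: `if grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd/locks"; then`, and the same for `lock-delay` on L3082. As in the sibling checks, `l_kfd` on L3070 becomes a multi-line string when more than one keyfile sets `idle-delay`, and `[ -d "$l_kfd" ]` then silently fails.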
@@ -0,0 +1,61 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
elif [ -f "$l_kfile2" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
fi
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"automount\" is not set correctly"
fi
if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then
l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\""
else
l_output2="$l_output2\n - \"automount-open\" is not set correctly"
fi
else
l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then
l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"automount\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then
l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\""
else
l_output2="$l_output2\n - \"automount-open\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount-open\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
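Review bot: L3181 and L3190 call `grep -Piq ... "$l_kfd"` on a directory without `-r`, so grep fails with "Is a directory", the condition is always false and every host with GDM installed is reported as "automount is not locked" (the idle-delay sibling uses `-Prilq` correctly). Fix: `if grep -Prilq '^\h*\/org\/gnome\/desktop\/media-handling\/automount\h*$' "$l_kfd"; then`, and likewise for `automount-open`. The trailing `\b` in the original pattern also lets an `automount-open` lock satisfy the `automount` test, since `-` is a word boundary; anchoring with `\h*$` avoids that. The message on L3191 has a stray `l` in `lautomount-open`.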
@@ -0,0 +1,53 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" echo -e "$l_pkgoutput"
done
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
fi
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
l_output="$l_output\n - \"autorun-never\" is set to true in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"autorun-never\" is not set correctly"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
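Review bot: On L3220 the `l_pkgoutput="..."` assignment is followed on the same line by `echo -e "$l_pkgoutput"` with no separator, so bash passes the assignment only as a temporary environment for `echo`: `l_pkgoutput` stays empty in the shell, the `if [ -n "$l_pkgoutput" ]` on L3222 is never true, and the script reports "GNOME Desktop Manager package is not installed" and PASS even when gdm is present and `autorun-never` is unset (the hunk header's 53 lines match the 53 shown). Drop the stray echo, which L3223 already does: `$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"`.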
@@ -0,0 +1,36 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif
command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
l_output="$l_output\n - \"autorun-never\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"autorun-never\" is not locked"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
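Review bot: L3281 runs `grep -Piq ... "$l_kfd"` against a directory without `-r`, so grep exits with "Is a directory", the test is always false and the check always reports "autorun-never is not locked" when GDM is installed. Use the recursive form as in the idle-delay lock check: `if grep -Prilq '^\h*\/org\/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then` (and `-Pril` on L3282). Searching `"$l_kfd/locks"` rather than the whole `.d` directory would also stop a comment in a keyfile from satisfying the test.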
@@ -0,0 +1,40 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
module_chk() {
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
}
if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do
basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u)
for l_mname in $l_dname; do
module_chk
done
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS"
if [ -z "$l_output" ]; then
echo -e "\n - System has no wireless NICs installed"
else
echo -e "\n$l_output\n"
fi
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
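Review bot: On L3323 `find` emits newline-separated paths but `xargs -0` expects NUL separators, so with more than one wireless interface the entire output becomes a single argument to `dirname` and the driver lookup resolves nothing (with one interface it only works because `dirname` tolerates the trailing newline). Use `find /sys/class/net/*/ -type d -name wireless -print0 | xargs -0 dirname`, or iterate with a `while IFS= read -r -d '' driverdir; do ...; done < <(find ... -print0)` loop. The `lsmod | grep "$l_mname"` on L3311 is a substring match that should be anchored to the first column (`grep -Pq -- "^$l_mname\b"`), as a loaded dependent listing the name would otherwise count as loaded.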
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_mname="tipc"
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
@@ -0,0 +1,34 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_kparameters="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
kernel_par_chk()
{
krp="" pafile="" fafile=""
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" [ "$krp" = "$kpvalue" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in the running configuration"
[ -n "$pafile" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in \"$pafile\""
[ -z "$fafile" ] && l_output="$l_output\n - \"$kpname\" is not set incorectly in a kernel parameter configuration file" [ "$krp" != "$kpvalue" ] && l_output2="$l_output2\n - \"$kpname\" is incorrectly set to \"$krp\" in the running configuration"
[ -n "$fafile" ] && l_output2="$l_output2\n - \"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && l_output2="$l_output2\n - \"$kpname = $kpvalue\" is not set in a kernel parameter configuration file"
}
for l_kpar in $l_kparameters; do
kpname="$(awk -F"=" '{print $1}' <<< "$l_kpar" | xargs)" kpvalue="$(awk -F"=" '{print $2}' <<< "$l_kpar" | xargs)"
if grep -Pq '^\h*net\.ipv6\.' <<< "$l_kpname"; then
if grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable; then
kernel_par_chk
else
l_output="$l_output\n - IPv6 is not enabled, check for: \"$l_kpar\" is not applicable"
fi
else
kernel_par_chk
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
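Review bot: In `kernel_par_chk` the `fafile="$(…)"` assignment shares a line with `[ "$krp" = "$kpvalue" ] && …`, so bash treats it as an environment prefix for the `[` command and `fafile` is never assigned in the shell; the "is set incorrectly in <file>" failure can therefore never fire, and the same merge on the `[ -z "$fafile" ] && l_output="…" [ "$krp" != "$kpvalue" ] && …` line silently drops that `l_output` assignment. The loop then tests `<<< "$l_kpname"`, a variable nothing assigns (the parsed name is `kpname`), so the IPv6-disabled applicability branch is dead and `net.ipv6.conf.all.forwarding` is always checked. Split the merged lines and fix the variable name as below. The `searchloc` fallback that reads `/etc/default/ufw` is Debian-style while the firewall check in this commit uses `rpm -q`, so confirm which distribution this file is for.
```shell
kernel_par_chk()
{
   # … unchanged: krp and pafile lookups …
   fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
   [ "$krp" = "$kpvalue" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in the running configuration"
   [ -n "$pafile" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in \"$pafile\""
   [ -z "$fafile" ] && l_output="$l_output\n - \"$kpname\" is not set incorectly in a kernel parameter configuration file"
   [ "$krp" != "$kpvalue" ] && l_output2="$l_output2\n - \"$kpname\" is incorrectly set to \"$krp\" in the running configuration"
   # … unchanged: remaining l_output2 checks …
}
# … unchanged: kpname/kpvalue parsing at the top of the loop …
if grep -Pq '^\h*net\.ipv6\.' <<< "$kpname"; then
```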
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.send_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL "
[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
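Review bot: This script is the template that the following sysctl checks repeat verbatim, differing only in the `kpname=`/`kpvalue=` line; the ip_forward check in the same commit already wraps this exact logic in a `kernel_par_chk` function driven by an `l_kparameters` list, so the single-parameter copies could be collapsed into that loop instead of being maintained one file each. Minor: `$kpname` is interpolated unescaped into the `-P` pattern at `pafile=` and into the basic-regex pattern at `fafile=`, so its dots act as wildcards — harmless for these fixed names, but `\Q$kpname\E` in the PCRE would make the intent explicit.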
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.conf.default.send_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
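Review bot: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` passes the bracket expression as extra arguments to the first `echo`, which then always succeeds, so the "is set to … in the running configuration" line is printed on every FAIL even when the running value is already 0, and the literal `[ 0 != 0 ]` ends up in the report. Put the test on its own line: `echo -e "\nFAIL: "` followed by `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"`. The sibling `net.ipv4.conf.all.send_redirects` check in this commit has the two statements correctly separated.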
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
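Review bot: The FAIL branch merges two statements into `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …`; the `[ … ]` tokens become arguments to the first `echo`, which succeeds unconditionally, so the running-configuration message is emitted on every failure regardless of the actual `sysctl` value. Split it into `echo -e "\nFAIL: "` and `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` on separate lines.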
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
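Review bot: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` is one command, not a test followed by an echo: the brackets and operands are printed by the first `echo`, and because `echo` returns 0 the second message is always shown, so a host whose running value is correct but whose config file is missing is reported as wrong in the running configuration too. Move `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` to its own line.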
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.all.accept_source_route"
kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
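Review bot: When IPv6 is disabled on the host, `sysctl net.ipv6.conf.all.accept_source_route` presumably fails (the key is absent), `krp` stays empty and the script reports FAIL for a parameter that does not apply; the ip_forward check in this same commit guards its IPv6 keys with `grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable` before testing them, and the same guard belongs here. Separately, `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` feeds the test as arguments to the first `echo`, so the running-configuration message prints on every failure; put `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` on its own line.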
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
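Review bot: This script checks `net.ipv4.conf.default.accept_source_route`, which the script two hunks above already covers, while the IPv6 set in this commit only has `net.ipv6.conf.all.accept_source_route`; the filename is not visible here, but if this file is meant to be the IPv6 default check the `kpname=` line should read `kpname="net.ipv6.conf.default.accept_source_route" kpvalue="0"`, otherwise the duplicate can be dropped. Independently, `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` hands the bracket expression to the first `echo`, so the running-configuration message is printed on every failure; move `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` onto its own line.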
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
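Review bot: The FAIL branch's `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` never evaluates the comparison — `[`, the two values and `]` are just printed by `echo`, whose exit status is 0, so "is set to … in the running configuration" appears even when the running value is already 0. Separate the two statements: `echo -e "\nFAIL: "` on one line, `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` on the next.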
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
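Review bot: The FAIL branch collapses three statements into one line, `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "…\n" [ -n "$fafile" ] && echo -e …`; each `[ … ]` becomes an argument of the preceding `echo`, every `echo` succeeds, and so all three diagnostics print unconditionally — including "is set incorrectly in """ with an empty path when no file is wrong. Break it into three lines: `echo -e "\nFAIL: "`, then `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"`, then `[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""`.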
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
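Review bot: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` prints the comparison instead of running it, and since `echo` returns 0 the running-configuration message follows on every FAIL; split it so that `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` is its own statement. This IPv6 key also has no applicability guard: with IPv6 disabled the `sysctl` lookup presumably fails, `krp` is empty and the check fails, whereas the ip_forward script in this commit skips IPv6 keys unless `/sys/module/ipv6/parameters/disable` reads 0 — mirror that guard here.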
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.default.accept_redirects"
kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
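Review bot: As in the other IPv6 checks, `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` makes the bracket tokens arguments of the first `echo`, so the running-configuration message is emitted on every failure; put `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` on its own line. There is also no check that IPv6 is enabled before reading `net.ipv6.conf.default.accept_redirects`, so an IPv6-disabled host presumably fails this audit on a parameter that does not apply; the `grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable` guard used by the ip_forward script in this commit would cover it.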
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.log_martians" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
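Review bot: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` does not test anything — the `[ … ]` expression is echoed as text and, because `echo` succeeds, the "is set to … in the running configuration" line is printed whenever the audit fails for any reason. Separate the statements: `echo -e "\nFAIL: "` and, on the next line, `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"`.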
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
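Review bot: This script duplicates the `net.ipv4.conf.default.accept_redirects` check earlier in this commit and sits directly after the `net.ipv4.conf.all.log_martians` check, so it may have been meant to be the `default` counterpart of that one (`kpname="net.ipv4.conf.default.log_martians" kpvalue="1"`); the filename is not visible in this view, so confirm against the file path. Independently, `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` passes the comparison to `echo` rather than evaluating it, so the running-configuration message prints on every FAIL; move `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` onto its own line.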
@@ -0,0 +1,17 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.icmp_echo_ignore_broadcasts"
kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
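Review bot: The FAIL branch's first line, `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …`, echoes the comparison instead of running it, and since `echo` returns 0 the "is set to … in the running configuration" message is unconditional. Split it into `echo -e "\nFAIL: "` followed by `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"`.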
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.icmp_ignore_bogus_error_responses" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
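Review bot: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` merges the header echo and the running-configuration test into one command; the `[ … ]` tokens are printed, `echo` succeeds, and the second message is shown on every failure even when the running value is already 1. Put `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` on its own line after `echo -e "\nFAIL: "`.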
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.conf.all.rp_filter" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
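Review bot: In `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` the comparison is never evaluated — it is echoed as literal text and the following message always prints because `echo` exits 0. Separate the two statements: `echo -e "\nFAIL: "` then `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"`. Note also that `rp_filter` accepts 2 (loose mode) as well as 1; the check requires exactly 1 in both the running value and the files, which matches the strict reading of the benchmark but will flag hosts that deliberately run loose mode — worth a comment if that is intended.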
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.rp_filter"
kpvalue="1" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
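Review bot: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` hands the bracket expression to the first `echo`, so the test is never performed and the running-configuration message is printed on every FAIL. Split it so that `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` stands on its own line after `echo -e "\nFAIL: "`.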
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.tcp_syncookies" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
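Review bot: The merged `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` prints the comparison as text and, because `echo` succeeds, always follows it with "is set to … in the running configuration", so a host with `tcp_syncookies=1` live but no persistent setting is misreported as wrong at runtime. Put `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` on its own line.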
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_ra" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
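Review bot: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` never evaluates the comparison — the brackets are echoed and the running-configuration message follows unconditionally; move `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"` to its own line. As with the other IPv6 keys, there is no applicability guard: on an IPv6-disabled host the `sysctl` read of `net.ipv6.conf.all.accept_ra` presumably fails, `krp` is empty and the audit fails; the ip_forward script in this commit skips IPv6 keys unless `/sys/module/ipv6/parameters/disable` reads 0, and the same guard fits here.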
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.default.accept_ra" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
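Review bot: The FAIL branch's `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e …` passes the test tokens to `echo`, so the "is set to … in the running configuration" line is printed on every failure regardless of the live value; split it into `echo -e "\nFAIL: "` and `[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"`. This IPv6 check also lacks the IPv6-enabled guard (`grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable`) that the ip_forward script in this commit applies before reading `net.ipv6.*` keys, so IPv6-disabled hosts presumably fail here on a non-applicable parameter.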
@@ -0,0 +1,26 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status=""
rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
l_fwutil_status="$l_fwd_status:$l_nft_status"
case $l_fwutil_status in
enabled:active:masked:inactive|enabled:active:disabled:inactive)
l_output="\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive" ;;
masked:inactive:enabled:active|disabled:inactive:enabled:active)
l_output="\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive" ;;
enabled:active:enabled:active)
l_output2="\n - Both FirewallD and NFTables utilities are enabled and active" ;;
enabled:*:enabled:*) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
*:active:*:active) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
:enabled:active) l_output="\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed" ;;
:) l_output2="\n - Neither FirewallD or NFTables is installed." ;;
*:*:) l_output2="\n - NFTables package is not installed on the system" ;;
*) l_output2="\n - Unable to determine firewall state" ;;
esac
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Results:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Results:\n FAIL\n$l_output2\n"
fi
}
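Review bot: The `*:active:*:active)` arm reports "Both FirewallD and NFTables utilities are enabled", the same text as the `enabled:*:enabled:*)` arm, although it fires when both services are active irrespective of enablement; change it to `l_output2="\n - Both FirewallD and NFTables utilities are active"` so the two failure causes remain distinguishable in the report. Package presence is probed with `rpm -q`, so on a dpkg-based host both status strings stay empty, the status becomes `:` and the script reports that neither firewall is installed; the ip_forward check in this commit reads `/etc/default/ufw`, which suggests mixed distribution targets, so confirm which one this file is for and consider `command -v` or a dpkg fallback if it must run on both.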
@@ -0,0 +1,19 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_zone=""
if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
l_zone="$(firewall-cmd --get-default-zone)"
if [ -n "$l_zone" ]; then
l_output=" - The default zone is set to: \"$l_zone\""
else
l_output2=" - The default zone is not set"
fi
else
l_output=" - FirewallD is not in use on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Results:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Results:\n FAIL\n$l_output2\n"
fi
}
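Review bot: `firewall-cmd --get-default-zone` is run as soon as the unit reports `enabled`, but an enabled-yet-stopped firewalld makes the command fail — its error goes to stderr and `l_zone` stays empty — and the audit then prints "The default zone is not set", which is not what happened. Guard on the running state too, e.g. `if systemctl is-enabled firewalld.service | grep -q 'enabled' && firewall-cmd --state -q; then`, or fall back to the `DefaultZone=` line of /etc/firewalld/firewalld.conf when the daemon is down, which is presumably the intended reading of the check. The `systemctl is-enabled` call also writes to stderr when the unit does not exist; a `2>/dev/null` keeps the report clean on hosts without firewalld.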
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
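Review bot: `[ -n "${UID_MIN}" ] && awk … || printf "ERROR: Variable 'UID_MIN' is unset.\n"` is an `a && b || c` chain, so the UID_MIN error is also printed when `awk` itself fails (for instance when `/etc/audit/rules.d/*.rules` matches no file and the literal glob cannot be opened), while an `awk` run that matches no rule exits 0 and prints nothing, leaving no verdict at all. Separate the guard from the search: `[ -n "${UID_MIN}" ] || { printf "ERROR: Variable 'UID_MIN' is unset.\n"; exit 1; }` on one line and the `awk` invocation on its own, and emit an explicit "no matching mount rule" line when its output is empty. This only inspects on-disk rules; the loaded ruleset (`auditctl -l`) is presumably covered by a companion file.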
