emily/atap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

a

Browse Source
This commit is contained in:
Emily
2026-05-11 09:15:08 +02:00
parent 9bec2b9e42
commit 404ee3fec4
641 changed files with 416825 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.1.sh
+32
View File
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="cramfs" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in:
\"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.2.sh
+31
View File
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="squashfs" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.3.sh
+31
View File
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="udf" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.10.sh
+35
View File
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="usb-storage" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable:
\"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable:
\"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in:
\"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.5.1.sh
+18
View File
@@ -0,0 +1,18 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="kernel.randomize_va_space"
kpvalue="2"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc )"
fafile="$( grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: "
[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.2.sh
+73
View File
@@ -0,0 +1,73 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -
Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
echo -e "$l_pkgoutput"
# Look for existing settings and set variables if they exist
l_gdmfile="$(
grep -Prils '^\h*banner-message-enable\b'
/etc/dconf/db/*.d
)"
if [ -n "$l_gdmfile" ]; then
# Set profile name based on dconf db directory ({PROFILE_NAME}.d)
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")"
# Check if banner message is enabled
if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then
l_output="$l_output\n - The \"banner-message-enable\" option is
enabled in \"$l_gdmfile\""
else
l_output2="$l_output2\n - The \"banner-message-enable\" option is
not enabled"
fi
l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")"
if [ -n "$l_lsbt" ]; then
l_output="$l_output\n - The \"banner-message-text\" option is set
in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\""
else
l_output2="$l_output2\n - The \"banner-message-text\" option is
not set"
fi
if
grep -Pq "^\h*system-db:$l_gdmprofile"
/etc/dconf/profile/"$l_gdmprofile"
then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't
exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in
the dconf database"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't
exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"banner-message-enable\" option isn't
configured"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n -
Recommendation is Not Applicable\n- Audit result:\n *** PASS ***\n"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.3.sh
+43
View File
@@ -0,0 +1,43 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
output="" output2=""
l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db )"
if [ -n "$l_gdmfile" ]; then
output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\""
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")"
if
grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"
then
output="$output\n - The \"$l_gdmprofile\" exists"
else
output2="$output2\n - The \"$l_gdmprofile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
output2="$output2\n - The \"disable-user-list\" option is not enabled"
fi
if [ -z "$output2" ]; then
echo -e "$l_pkgoutput\n- Audit result:\n *** PASS: ***\n$output\n"
else
echo -e "$l_pkgoutput\n- Audit Result:\n *** FAIL: ***\n$output2\n"
[ -n "$output" ] && echo -e "$output\n"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *** PASS ***\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.4.sh
+70
View File
@@ -0,0 +1,70 @@
#!/usr/bin/env bash
{
# Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_idmv="900" # Set for max value for idle-delay in seconds
l_ldmv="5" # Set for max value for lock-delay in seconds
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ )" # Determine file containing idle-delay key
if [ -n "$l_kfile" ]; then
# set profile name (This is the name of a dconf database)
l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")" #Set the key profile name
l_pdbdir="/etc/dconf/db/$l_profile.d" # Set the key file dconf db directory
# Confirm that idle-delay exists, includes unit32, and value is between 1 and max value for idle-delay
l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_idv" ]; then
[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\""
[ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\""
[ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\""
fi
# Confirm that lock-delay exists, includes unit32, and value is between 0 and max value for lock-delay
l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" |xargs)"
if [ -n "$l_ldv" ]; then
[ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds in \"$l_kfile\""
[ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\""
fi
# Confirm that dconf profile exists
if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then
l_output="$l_output\n - The \"$l_profile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_profile\" doesn't exist"
fi
# Confirm that dconf profile database file exists
if [ -f "/etc/dconf/db/$l_profile" ]; then
l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.5.sh
+65
View File
@@ -0,0 +1,65 @@
#!/usr/bin/env bash
{
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
if
grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b'
"$l_kfd"
then
l_output="$l_output\n - \"idle-delay\" is locked in \"$(
grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"
)\""
else
l_output2="$l_output2\n - \"idle-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
if
grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b'
"$l_kfd2"
then
l_output="$l_output\n - \"lock-delay\" is locked in \"$(
grep -
Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"
)\""
else
l_output2="$l_output2\n - \"lock-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be
locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed
on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.6.sh
+75
View File
@@ -0,0 +1,75 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
# Look for existing settings and set variables if they exist
l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
# Set profile name based on dconf db directory ({PROFILE_NAME}.d)
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")"
elif [ -f "$l_kfile2" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile2")"
fi
# If the profile name exist, continue checks
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
# Check if profile file exists
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
# Check if the dconf database file exists
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
# check if the dconf database directory exists
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
# check automount setting
if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"automount\" is not set correctly"
fi
# check automount-open setting
if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then
l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\""
else
l_output2="$l_output2\n - \"automount-open\" is not set correctly"
fi
else
# Setings don't exist. Nothing further to check
l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.7.sh
+65
View File
@@ -0,0 +1,65 @@
#!/usr/bin/env bash
{
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space seporated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}' ).d" #set directory of key file to be locked
if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
if
grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b'
"$l_kfd"
then
l_output="$l_output\n - \"automount\" is locked in \"$(
grep -Pil
'^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"
)\""
else
l_output2="$l_output2\n - \"automount\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount\" is not set so it can not be
locked"
fi
if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-
open\b' "$l_kfd2"; then
l_output="$l_output\n - \"lautomount-open\" is locked in \"$(
grep
-Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"
)\""
else
l_output2="$l_output2\n - \"automount-open\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount-open\" is not set so it can
not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed
on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.8.sh
+76
View File
@@ -0,0 +1,76 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space separated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -
Package: \"$l_pn\" exists on the system\n - checking configuration"
echo -e "$l_pkgoutput"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
# Look for existing settings and set variables if they exist
l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
# Set profile name based on dconf db directory ({PROFILE_NAME}.d)
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")"
fi
# If the profile name exist, continue checks
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
# Check if profile file exists
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(
grep -Pl
-- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*
)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
# Check if the dconf database file exists
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\"
doesn't exist"
fi
# check if the dconf database directory exists
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\"
doesn't exist"
fi
# check autorun-never setting
if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
l_output="$l_output\n - \"autorun-never\" is set to true in:
\"$l_kfile\""
else
l_output2="$l_output2\n - \"autorun-never\" is not set correctly"
fi
else
# Settings don't exist. Nothing further to check
l_output2="$l_output2\n - \"autorun-never\" is not set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed
on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.9.sh
+43
View File
@@ -0,0 +1,43 @@
#!/usr/bin/env bash
{
# Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n
# determine system's package manager
l_pkgoutput=""
if command -v dpkg-query >/dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm >/dev/null 2>&1; then
l_pq="rpm -q"
fi
# Check if GDM is installed
l_pcl="gdm gdm3" # Space separated list of packages to check
for l_pn in $l_pcl; do
$l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration"
done
# Check configuration (If applicable)
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
# Look for idle-delay to determine profile in use, needed for remaining tests
l_kfd="/etc/dconf/db/$( grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked
if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
l_output="$l_output\n - \"autorun-never\" is locked in \"$(
grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"
)\""
else
l_output2="$l_output2\n - \"autorun-never\" is not locked"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
# Report results. If no failures output in l_output2, we pass
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-2.1.1.1.sh
+37
View File
@@ -0,0 +1,37 @@
#!/usr/bin/env bash
{
output="" l_tsd="" l_sdtd="" chrony="" l_ntp=""
dpkg-query -W chrony >/dev/null 2>&1 && l_chrony="y"
dpkg-query -W ntp >/dev/null 2>&1 && l_ntp="y" || l_ntp=""
systemctl list-units --all --type=service | grep -q 'systemd-
timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' && l_sdtd="y"
# ! systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' &&
l_nsdtd="y" || l_nsdtd=""
if [[ "$l_chrony" = "y" && "$l_ntp" != "y" && "$l_sdtd" != "y" ]]; then
l_tsd="chrony"
output="$output\n- chrony is in use on the system"
elif [[ "$l_chrony" != "y" && "$l_ntp" = "y" && "$l_sdtd" != "y" ]]; then
l_tsd="ntp"
output="$output\n- ntp is in use on the system"
elif [[ "$l_chrony" != "y" && "$l_ntp" != "y" ]]; then
if
systemctl list-units --all --type=service | grep -q 'systemd-
timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -Eq '(enabled|disabled|masked)'
then
l_tsd="sdtd"
output="$output\n- systemd-timesyncd is in use on the system"
fi
else
[[ "$l_chrony" = "y" && "$l_ntp" = "y" ]] && output="$output\n- both
chrony and ntp are in use on the system"
[[ "$l_chrony" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both
chrony and systemd-timesyncd are in use on the system"
[[ "$l_ntp" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both ntp
and systemd-timesyncd are in use on the system"
fi
if [ -n "$l_tsd" ]; then
echo -e "\n- PASS:\n$output\n"
else
echo -e "\n- FAIL:\n$output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.1.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
output=""
grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; )
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && output="IPv6 Disabled in \"$grubfile\""
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
[ -n "$output" ] && output="$output, and in sysctl config" || output="ipv6 disabled in sysctl config"
fi
[ -n "$output" ] && echo -e "\n$output\n" || echo -e "\nIPv6 is enabled on the system\n"
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.2.sh
+29
View File
@@ -0,0 +1,29 @@
#!/bin/bash
if command -v nmcli >/dev/null 2>&1; then
if nmcli radio all | grep -Eq '\s*\S+\s+disabled\s+\S+\s+disabled\b'; then
echo "Wireless is not enabled"
else
nmcli radio all
fi
elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
t=0
mname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless |
xargs -0 dirname); do basename "$(
readlink -f
"$driverdir"/device/driver/module
)"; done | sort -u)
for dm in $mname; do
if
grep -Eq "^\s*install\s+$dm\s+/bin/(true|false)"
/etc/modprobe.d/*.conf
then
/bin/true
else
echo "$dm is not disabled"
t=1
fi
done
[ "$t" -eq 0 ] && echo "Wireless is not enabled"
else
echo "Wireless is not enabled"
fi
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.3.sh
+40
View File
@@ -0,0 +1,40 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="dccp" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(
grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<<"$l_mname" )\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.4.sh
+39
View File
@@ -0,0 +1,39 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="sctp" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory" )" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$( grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.5.sh
+42
View File
@@ -0,0 +1,42 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="rds" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory" )" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(
grep -P --
"(^\h*install|\b$l_mname)\b" <<<"$l_loadable"
)"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.6.sh
+38
View File
@@ -0,0 +1,38 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="tipc" # set module name
# Check if the module exists on the system
if
[ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]
then
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")" [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.1.sh
+33
View File
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/{print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.2.sh
+54
View File
@@ -0,0 +1,54 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; )
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.1.sh
+56
View File
@@ -0,0 +1,56 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(
find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \;
)
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.2.sh
+56
View File
@@ -0,0 +1,56 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(
find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \;
)
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.3.sh
+35
View File
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.all.secure_redirects=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}'
)"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.4.sh
+35
View File
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(
grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc
)"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.5.sh
+34
View File
@@ -0,0 +1,34 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.icmp_echo_ignore_broadcasts=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$( grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.6.sh
+34
View File
@@ -0,0 +1,34 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.icmp_ignore_bogus_error_responses=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.7.sh
+33
View File
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )"
l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.8.sh
+33
View File
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv4.tcp_syncookies=1"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)"
l_fafile="$( grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
KPC
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.9.sh
+56
View File
@@ -0,0 +1,56 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_parlist="net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0"
l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
KPC() {
l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)"
l_fafile="$(
grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}'
)"
if [ "$l_krp" = "$l_kpvalue" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration"
else
l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration"
fi
if [ -n "$l_pafile" ]; then
l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\""
else
l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file"
fi
[ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\""
}
ipv6_chk() {
l_ipv6s=""
grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; )
if [ -s "$grubfile" ]; then
! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled"
fi
if
grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"
then
l_ipv6s="disabled"
fi
if [ -n "$l_ipv6s" ]; then
l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable"
else
KPC
fi
}
for l_kpe in $l_parlist; do
l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")"
l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")"
if grep -q '^net.ipv6.' <<<"$l_kpe"; then
ipv6_chk
else
KPC
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.5.1.6.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
ufw_out="$(ufw status verbose)"
ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/::1/) {split($5, a, ":"); print a[2]}' | sort | uniq | while read -r lpn; do
! grep -Pq "^\h*$lpn\b" <<<"$ufw_out" && echo "- Port: \"$lpn\" is missing a firewall rule"
done
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-A.sh
+7
View File
@@ -0,0 +1,7 @@
#!/usr/bin/env bash
for PARTITION in $(findmnt -n -l -k -it $(
awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd, ) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
grep -qr "${PRIVILEGED}" /etc/audit/rules.d && printf "OK:'${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in on disk configuration.\n"
done
done
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-B.sh
+10
View File
@@ -0,0 +1,10 @@
#!/usr/bin/env bash
{
RUNNING=$(auditctl -l)
[ -n "${RUNNING}" ] && for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv"noexec|nosuid" | awk '{print $1}'); do
for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
printf -- "${RUNNING}" | grep -q "${PRIVILEGED}" && printf "OK:'${PRIVILEGED}' found in auditing rules.\n" || printf "Warning:'${PRIVILEGED}' not found in running configuration.\n"
done
done ||
printf "ERROR: Variable 'RUNNING' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.5.sh
+2
View File
@@ -0,0 +1,2 @@
#!/usr/bin/env bash
[ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "="'/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec stat -Lc "%n %U" {} +
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.2.3.sh
+68
View File
@@ -0,0 +1,68 @@
#!/usr/bin/env bash
{
echo -e "\n- Start check - logfiles have appropriate permissions and ownership"
output=""
find /var/log -type f | (
while read -r fname; do
bname="$(basename "$fname")"
case "$bname" in lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
secure | auth.log)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
SSSD | sssd)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h+(SSSD|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
gdm | gdm3)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(gdm3?|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
*.journal)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(systemd-journal|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
*)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
esac
done
# If all files passed, then we pass
if [ -z "$output" ]; then
echo -e "\n- PASS\n- All files in \"/var/log/\" have appropriate permissions and ownership\n"
else
# print the reason why we are failing
echo -e "\n- FAIL:\n$output"
fi
echo -e "- End check - logfiles have appropriate permissions and ownership\n"
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.2.2.sh
+24
View File
@@ -0,0 +1,24 @@
#!/usr/bin/env bash
{
l_output=""
l_skgn="ssh_keys" # Group designated to own openSSH keys
l_skgid="$(awk -F: '($1 == "'"$l_skgn"'"){print $3}' /etc/group)"
awk '{print}' <<<"$(find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -L -c "%n %#a %U %G %g" {} +)" | (
while read -r l_file l_mode l_owner l_group l_gid; do
[ -n "$l_skgid" ] && l_cga="$l_skgn" || l_cga="root"
[ "$l_gid" = "$l_skgid" ] && l_pmask="0137" || l_pmask="0177"
l_maxperm="$(printf '%o' $((0777 & ~$l_pmask)))"
[ $(($l_mode & $l_pmask)) -gt 0 ] && l_output="$l_output\n - File: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive"
[ "$l_owner" != "root" ] && l_output="$l_output\n - File: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\""
if [ "$l_group" != "root" ] && [ "$l_gid" != "$l_skgid" ]; then
l_output="$l_output\n - File: \"$l_file\" is owned by group \"$l_group\" should belong to group \"$l_cga\""
fi
done
if [ -z "$l_output" ]; then
echo -e "\n- Audit Result:\n *** PASS ***\n"
else
echo -e "\n- Audit Result:\n *** FAIL ***$l_output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.4.5.sh
+12
View File
@@ -0,0 +1,12 @@
#!/usr/bin/env bash
{
declare -A HASH_MAP=(["y"]="yescrypt" ["1"]="md5" ["2"]="blowfish"
["5"]="SHA256" ["6"]="SHA512" ["g"]="gost-yescrypt")
CONFIGURED_HASH=$(sed -n "s/^\s*ENCRYPT_METHOD\s*\(.*\)\s*$/\1/p" /etc/login.defs )
for MY_USER in $(sed -n "s/^\(.*\):\\$.*/\1/p" /etc/shadow); do
CURRENT_HASH=$(sed -n "s/${MY_USER}:\\$\(.\).*/\1/p" /etc/shadow)
if [[ "${HASH_MAP["${CURRENT_HASH}"]^^}" != "${CONFIGURED_HASH^^}" ]]; then
echo "The password for '${MY_USER}' is using '${HASH_MAP["${CURRENT_HASH}"]}' instead of the configured '${CONFIGURED_HASH}'."
fi
done
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.1.5.sh
+9
View File
@@ -0,0 +1,9 @@
#!/bin/bash
{
awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do
change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s)
if [[ "$change" -gt "$(date +%s)" ]]; then
echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\""
fi
done
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/bin/bash
awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd
awk -F: '($1!~/(root|^\+)/ && $3<'"$( awk '/^\s*UID_MIN/{print $2}' /etc/login.defs )"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}'
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.4.sh
+7
View File
@@ -0,0 +1,7 @@
#!/bin/bash
{
passing=""
grep -Eiq '^\s*UMASK\s+(0[0-7][2-7]7|[0-7][2-7]7)\b' /etc/login.defs && grep -Eqi '^\s*USERGROUPS_ENAB\s*"?no"?\b' /etc/login.defs && grep -Eq '^\s*session\s+(optional|requisite|required)\s+pam_umask\.so\b' /etc/pam.d/common-session && passing=true
grep -REiq '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/profile* /etc/bash.bashrc* && passing=true
[ "$passing" = true ] && echo "Default user umask is set"
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.5.sh
+13
View File
@@ -0,0 +1,13 @@
#!/bin/bash
output1="" output2=""
[ -f /etc/bash.bashrc ] && BRC="/etc/bash.bashrc"
for f in "$BRC" /etc/profile /etc/profile.d/*.sh; do
grep -Pq '^\s*([^#]+\s+)?TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?readonly\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?export\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && output1="$f"
done
grep -Pq '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b'/etc/profile /etc/profile.d/*.sh "$BRC" && output2=$(grep -Ps '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b' /etc/profile /etc/profile.d/*.sh $BRC)
if [ -n "$output1" ] && [ -z "$output2" ]; then
echo -e "\nPASSED\n\nTMOUT is configured in: \"$output1\"\n"
else
[ -z "$output1" ] && echo -e "\nFAILED\n\nTMOUT is not configured\n"
[ -n "$output2" ] && echo -e "\nFAILED\n\nTMOUT is incorrectly configured in: \"$output2\"\n"
fi
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.11.sh
+13
View File
@@ -0,0 +1,13 @@
#!/usr/bin/env bash
{
output=""
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( while read -r user home; do [ ! -d "$home" ] && output="$output\n - User \"$user\" home directory \"$home\" doesn't exist"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - All local interactive users have a home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.12.sh
+13
View File
@@ -0,0 +1,13 @@
#!/usr/bin/env bash
{
output=""
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do owner="$(stat -L -c "%U" "$home")" [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\""
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - All local interactive users have a home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.13.sh
+20
View File
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
{
output=""
perm_mask='0027'
maxperm="$(printf '%o' $((0777 & ~$perm_mask)))"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
if [ -d "$home" ]; then
mode=$(stat -L -c '%#a' "$home")
[ $(($mode & $perm_mask)) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
fi
done
if [ -n "$output" ]; then
echo -e "\n- Failed:$output"
else
echo -e "\n- Passed:\n- All user home directories are mode:\"$maxperm\" or more restrictive"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.14.sh
+29
View File
@@ -0,0 +1,29 @@
#!/usr/bin/env bash
{
output="" output2=""
perm_mask='0177'
maxperm="$(printf '%o' $((0777 & ~$perm_mask)))"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
if [ -f "$home/.netrc" ]; then
mode="$(stat -L -c '%#a' "$home/.netrc")"
if [ $(($mode & $perm_mask)) -gt 0 ]; then
output="$output\n - User \"$user\" file: \"$home/.netrc\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
else
output2="$output2\n - User \"$user\" file: \"$home/.netrc\" exists and has file mode: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
fi
fi
done
if [ -z "$output" ]; then
if [ -z "$output2" ]; then
echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n"
else
echo -e "\n- WARNING:\n$output2\n"
fi
else
echo -e "\n- FAILED:\n$output\n"
[ -n "$output2" ] && echo -e "\n- WARNING:\n$output2\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.15.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
output=""
fname=".forward"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
[ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.16.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
output=""
fname=".rhosts"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
[ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.17.sh
+20
View File
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
{
output=""
perm_mask='0022'
maxperm="$(printf '%o' $((0777 & ~$perm_mask)))"
valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (
while read -r user home; do
for dfile in $(find "$home" -type f -name '.*'); do
mode=$(stat -L -c '%#a' "$dfile")
[ $(($mode & $perm_mask)) -gt 0 ] && output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
done
done
if [ -n "$output" ]; then
echo -e "\n- Failed:$output"
else
echo -e "\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.3.sh
+9
View File
@@ -0,0 +1,9 @@
#!/usr/bin/env bash
a_passwd_group_gid=("$(awk -F: '{print $4}' /etc/passwd | sort -u)")
a_group_gid=("$(awk -F: '{print $3}' /etc/group | sort -u)")
a_passwd_group_diff=("$(printf '%s\n' "${a_group_gid[@]}" "${a_passwd_group_gid[@]}" | sort | uniq -u)")
while IFS= read -r l_gid; do
awk -F: '($4 == '"$l_gid"') {print " - User: \"" $1 "\" has GID: \"" $4 "\" which does not exist in /etc/group" }' /etc/passwd
exit 1
done < <(printf '%s\n' "${a_passwd_group_gid[@]}" "${a_passwd_group_diff[@]}" | sort | uniq -D | uniq)
exit 0
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.5.sh
+10
View File
@@ -0,0 +1,10 @@
#!/bin/bash
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
echo "Duplicate UID ($2): $users"
fi
done
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.6.sh
+4
View File
@@ -0,0 +1,4 @@
#!/bin/bash
cut -d: -f3 /etc/group | sort | uniq -d | while read x; do
echo "Duplicate GID ($x) in /etc/group"
done
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.7.sh
+4
View File
@@ -0,0 +1,4 @@
#!/bin/bash
cut -d: -f1 /etc/passwd | sort | uniq -d | while read -r x; do
echo "Duplicate login name $x in /etc/passwd"
done
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.8.sh
+4
View File
@@ -0,0 +1,4 @@
#!/bin/bash
cut -d: -f1 /etc/group | sort | uniq -d | while read -r x; do
echo "Duplicate group name $x in /etc/group"
done
ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.9.sh
+9
View File
@@ -0,0 +1,9 @@
#!/bin/bash
awk -F: '($1!~/(root|halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do
if [ -d "$dir" ]; then
file="$dir/.forward"
if [ ! -h "$file" ] && [ -f "$file" ]; then
echo "User: \"$user\" file: \"$file\" exists"
fi
fi
done
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1111.sh
+33
View File
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="squashfs"
test1=$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")
if [ -z "$test1" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1112.sh
+32
View File
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="udf"
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_119.sh
+32
View File
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="usb-storage"
if [ -z '$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")' ]; then
l_loadable='$(modprobe -n -v "$l_mname")'
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<< "$l_mname")\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_182.sh
+52
View File
@@ -0,0 +1,52 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
echo -e "$l_pkgoutput"
l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)"
if [ -n "$l_gdmfile" ]; then
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then
l_output="$l_output\n - The \"banner-message-enable\" option is enabled in \"$l_gdmfile\""
else
l_output2="$l_output2\n - The \"banner-message-enable\" option is not enabled"
fi
l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")"
if [ -n "$l_lsbt" ]; then
l_output="$l_output\n - The \"banner-message-text\" option is set in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\""
else
l_output2="$l_output2\n - The \"banner-message-text\" option is not set"
fi
if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"banner-message-enable\" option isn't configured"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *PASS*\n"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_183.sh
+41
View File
@@ -0,0 +1,41 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
output="" output2=""
l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db)"
if [ -n "$l_gdmfile" ]; then
output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\""
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
output="$output\n - The \"$l_gdmprofile\" exists"
else
output2="$output2\n - The \"$l_gdmprofile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
output2="$output2\n - The \"disable-user-list\" option is not enabled"
fi
if [ -z "$output2" ]; then
echo -e "$l_pkgoutput\n- Audit result:\n PASS:\n$output\n"
else
echo -e "$l_pkgoutput\n- Audit Result:\n FAIL:\n$output2\n"
[ -n "$output" ] && echo -e "$output\n"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n PASS\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_184.sh
+55
View File
@@ -0,0 +1,55 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2="" l_idmv="900"
l_ldmv="5"
l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/)"
if [ -n "$l_kfile" ]; then
l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
l_pdbdir="/etc/dconf/db/$l_profile.d"
l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_idv" ]; then
[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\"" [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\"" [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\""
fi
l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_ldv" ]; then
[ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\"seconds in \"$l_kfile\"" [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\""
fi
if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then
l_output="$l_output\n - The \"$l_profile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_profile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_profile" ]; then
l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_185.sh
+45
View File
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then
l_output="$l_output\n - \"idle-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"idle-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then
if grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then
l_output="$l_output\n - \"lock-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\""
else
l_output2="$l_output2\n - \"lock-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_186.sh
+61
View File
@@ -0,0 +1,61 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
elif [ -f "$l_kfile2" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
fi
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"automount\" is not set correctly"
fi
if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then
l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\""
else
l_output2="$l_output2\n - \"automount-open\" is not set correctly"
fi
else
l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_187.sh
+45
View File
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then
l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"automount\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then
l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\""
else
l_output2="$l_output2\n - \"automount-open\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount-open\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_188.sh
+53
View File
@@ -0,0 +1,53 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" echo -e "$l_pkgoutput"
done
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
fi
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
l_output="$l_output\n - \"autorun-never\" is set to true in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"autorun-never\" is not set correctly"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_189.sh
+36
View File
@@ -0,0 +1,36 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif
command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
l_output="$l_output\n - \"autorun-never\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"autorun-never\" is not locked"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_312.sh
+40
View File
@@ -0,0 +1,40 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
module_chk() {
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
}
if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do
basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u)
for l_mname in $l_dname; do
module_chk
done
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS"
if [ -z "$l_output" ]; then
echo -e "\n - System has no wireless NICs installed"
else
echo -e "\n$l_output\n"
fi
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_313.sh
+31
View File
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_mname="tipc"
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_321.sh
+34
View File
@@ -0,0 +1,34 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_kparameters="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
kernel_par_chk()
{
krp="" pafile="" fafile=""
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" [ "$krp" = "$kpvalue" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in the running configuration"
[ -n "$pafile" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in \"$pafile\""
[ -z "$fafile" ] && l_output="$l_output\n - \"$kpname\" is not set incorectly in a kernel parameter configuration file" [ "$krp" != "$kpvalue" ] && l_output2="$l_output2\n - \"$kpname\" is incorrectly set to \"$krp\" in the running configuration"
[ -n "$fafile" ] && l_output2="$l_output2\n - \"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && l_output2="$l_output2\n - \"$kpname = $kpvalue\" is not set in a kernel parameter configuration file"
}
for l_kpar in $l_kparameters; do
kpname="$(awk -F"=" '{print $1}' <<< "$l_kpar" | xargs)" kpvalue="$(awk -F"=" '{print $2}' <<< "$l_kpar" | xargs)"
if grep -Pq '^\h*net\.ipv6\.' <<< "$l_kpname"; then
if grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable; then
kernel_par_chk
else
l_output="$l_output\n - IPv6 is not enabled, check for: \"$l_kpar\" is not applicable"
fi
else
kernel_par_chk
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_1.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.send_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL "
[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_2.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.conf.default.send_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_11.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_12.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_21.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.all.accept_source_route"
kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_22.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_11.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_12.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_21.sh
+14
View File
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_22.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.default.accept_redirects"
kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_1.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.log_martians" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_2.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_335.sh
+17
View File
@@ -0,0 +1,17 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.icmp_echo_ignore_broadcasts"
kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_336.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.icmp_ignore_bogus_error_responses" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_1.sh
+14
View File
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.conf.all.rp_filter" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_2.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.rp_filter"
kpvalue="1" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_338.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.tcp_syncookies" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_1.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_ra" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_2.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.default.accept_ra" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3412.sh
+26
View File
@@ -0,0 +1,26 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status=""
rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
l_fwutil_status="$l_fwd_status:$l_nft_status"
case $l_fwutil_status in
enabled:active:masked:inactive|enabled:active:disabled:inactive)
l_output="\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive" ;;
masked:inactive:enabled:active|disabled:inactive:enabled:active)
l_output="\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive" ;;
enabled:active:enabled:active)
l_output2="\n - Both FirewallD and NFTables utilities are enabled and active" ;;
enabled:*:enabled:*) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
*:active:*:active) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
:enabled:active) l_output="\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed" ;;
:) l_output2="\n - Neither FirewallD or NFTables is installed." ;;
*:*:) l_output2="\n - NFTables package is not installed on the system" ;;
*) l_output2="\n - Unable to determine firewall state" ;;
esac
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Results:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Results:\n FAIL\n$l_output2\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3421.sh
+19
View File
@@ -0,0 +1,19 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_zone=""
if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
l_zone="$(firewall-cmd --get-default-zone)"
if [ -n "$l_zone" ]; then
l_output=" - The default zone is set to: \"$l_zone\""
else
l_output2=" - The default zone is not set"
fi
else
l_output=" - FirewallD is not in use on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Results:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Results:\n FAIL\n$l_output2\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_1.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk '/^ *-w/ &&(/\/etc\/selinux/ ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
auditctl -l | awk '/^ *-w/ &&(/\/etc\/selinux/ ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}

Some files were not shown because too many files have changed in this diff Show More