emily/atap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

a

Browse Source
This commit is contained in:
Emily
2026-05-11 09:15:08 +02:00
parent 9bec2b9e42
commit 404ee3fec4
641 changed files with 416825 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1111.sh
+33
View File
@@ -0,0 +1,33 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="squashfs"
test1=$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")
if [ -z "$test1" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1112.sh
+32
View File
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="udf"
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_119.sh
+32
View File
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="usb-storage"
if [ -z '$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")' ]; then
l_loadable='$(modprobe -n -v "$l_mname")'
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<< "$l_mname")\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_182.sh
+52
View File
@@ -0,0 +1,52 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
echo -e "$l_pkgoutput"
l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)"
if [ -n "$l_gdmfile" ]; then
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then
l_output="$l_output\n - The \"banner-message-enable\" option is enabled in \"$l_gdmfile\""
else
l_output2="$l_output2\n - The \"banner-message-enable\" option is not enabled"
fi
l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")"
if [ -n "$l_lsbt" ]; then
l_output="$l_output\n - The \"banner-message-text\" option is set in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\""
else
l_output2="$l_output2\n - The \"banner-message-text\" option is not set"
fi
if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"banner-message-enable\" option isn't configured"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *PASS*\n"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_183.sh
+41
View File
@@ -0,0 +1,41 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
output="" output2=""
l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db)"
if [ -n "$l_gdmfile" ]; then
output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\""
l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
output="$output\n - The \"$l_gdmprofile\" exists"
else
output2="$output2\n - The \"$l_gdmprofile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
else
output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
fi
else
output2="$output2\n - The \"disable-user-list\" option is not enabled"
fi
if [ -z "$output2" ]; then
echo -e "$l_pkgoutput\n- Audit result:\n PASS:\n$output\n"
else
echo -e "$l_pkgoutput\n- Audit Result:\n FAIL:\n$output2\n"
[ -n "$output" ] && echo -e "$output\n"
fi
else
echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n PASS\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_184.sh
+55
View File
@@ -0,0 +1,55 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2="" l_idmv="900"
l_ldmv="5"
l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/)"
if [ -n "$l_kfile" ]; then
l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
l_pdbdir="/etc/dconf/db/$l_profile.d"
l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_idv" ]; then
[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\"" [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\"" [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\""
fi
l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" | xargs)"
if [ -n "$l_ldv" ]; then
[ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\"seconds in \"$l_kfile\"" [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\""
else
l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\""
fi
if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then
l_output="$l_output\n - The \"$l_profile\" profile exists"
else
l_output2="$l_output2\n - The \"$l_profile\" doesn't exist"
fi
if [ -f "/etc/dconf/db/$l_profile" ]; then
l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database"
else
l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database"
fi
else
l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_185.sh
+45
View File
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then
l_output="$l_output\n - \"idle-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"idle-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then
if grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then
l_output="$l_output\n - \"lock-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\""
else
l_output2="$l_output2\n - \"lock-delay\" is not locked"
fi
else
l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_186.sh
+61
View File
@@ -0,0 +1,61 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
elif [ -f "$l_kfile2" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
fi
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"automount\" is not set correctly"
fi
if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then
l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\""
else
l_output2="$l_output2\n - \"automount-open\" is not set correctly"
fi
else
l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_187.sh
+45
View File
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then
l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"automount\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount\" is not set so it can not be locked"
fi
if [ -d "$l_kfd2" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then
l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\""
else
l_output2="$l_output2\n - \"automount-open\" is not locked"
fi
else
l_output2="$l_output2\n - \"automount-open\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_188.sh
+53
View File
@@ -0,0 +1,53 @@
#!/usr/bin/env bash
{
l_pkgoutput="" l_output="" l_output2=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" echo -e "$l_pkgoutput"
done
if [ -n "$l_pkgoutput" ]; then
echo -e "$l_pkgoutput"
l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
if [ -f "$l_kfile" ]; then
l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
fi
if [ -n "$l_gpname" ]; then
l_gpdir="/etc/dconf/db/$l_gpname.d"
if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
else
l_output2="$l_output2\n - dconf database profile isn't set"
fi
if [ -f "/etc/dconf/db/$l_gpname" ]; then
l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
else
l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
fi
if [ -d "$l_gpdir" ]; then
l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
else
l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
fi
if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
l_output="$l_output\n - \"autorun-never\" is set to true in: \"$l_kfile\""
else
l_output2="$l_output2\n - \"autorun-never\" is not set correctly"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_189.sh
+36
View File
@@ -0,0 +1,36 @@
#!/usr/bin/env bash
{
l_pkgoutput=""
if command -v dpkg-query > /dev/null 2>&1; then
l_pq="dpkg-query -W"
elif
command -v rpm > /dev/null 2>&1; then
l_pq="rpm -q"
fi
l_pcl="gdm gdm3"
for l_pn in $l_pcl; do
$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
done
if [ -n "$l_pkgoutput" ]; then
l_output="" l_output2=""
l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
if [ -d "$l_kfd" ]; then
if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
l_output="$l_output\n - \"autorun-never\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\""
else
l_output2="$l_output2\n - \"autorun-never\" is not locked"
fi
else
l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked"
fi
else
l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
fi
[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_312.sh
+40
View File
@@ -0,0 +1,40 @@
#!/usr/bin/env bash
{
l_output="" l_output2=""
module_chk() {
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
}
if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do
basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u)
for l_mname in $l_dname; do
module_chk
done
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS"
if [ -z "$l_output" ]; then
echo -e "\n - System has no wireless NICs installed"
else
echo -e "\n$l_output\n"
fi
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_313.sh
+31
View File
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_mname="tipc"
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
else
l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_321.sh
+34
View File
@@ -0,0 +1,34 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_kparameters="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
kernel_par_chk()
{
krp="" pafile="" fafile=""
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" [ "$krp" = "$kpvalue" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in the running configuration"
[ -n "$pafile" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in \"$pafile\""
[ -z "$fafile" ] && l_output="$l_output\n - \"$kpname\" is not set incorectly in a kernel parameter configuration file" [ "$krp" != "$kpvalue" ] && l_output2="$l_output2\n - \"$kpname\" is incorrectly set to \"$krp\" in the running configuration"
[ -n "$fafile" ] && l_output2="$l_output2\n - \"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && l_output2="$l_output2\n - \"$kpname = $kpvalue\" is not set in a kernel parameter configuration file"
}
for l_kpar in $l_kparameters; do
kpname="$(awk -F"=" '{print $1}' <<< "$l_kpar" | xargs)" kpvalue="$(awk -F"=" '{print $2}' <<< "$l_kpar" | xargs)"
if grep -Pq '^\h*net\.ipv6\.' <<< "$l_kpname"; then
if grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable; then
kernel_par_chk
else
l_output="$l_output\n - IPv6 is not enabled, check for: \"$l_kpar\" is not applicable"
fi
else
kernel_par_chk
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_1.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.send_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL "
[ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_2.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.conf.default.send_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_11.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_12.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_21.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.all.accept_source_route"
kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_22.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_11.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_12.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_21.sh
+14
View File
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_22.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.default.accept_redirects"
kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_1.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.all.log_martians" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_2.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_335.sh
+17
View File
@@ -0,0 +1,17 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.icmp_echo_ignore_broadcasts"
kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_336.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.icmp_ignore_bogus_error_responses" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_1.sh
+14
View File
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.conf.all.rp_filter" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_2.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv4.conf.default.rp_filter"
kpvalue="1" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_338.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv4.tcp_syncookies" kpvalue="1"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_1.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_ra" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_2.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="net.ipv6.conf.default.accept_ra" kpvalue="0"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
[ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
[ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3412.sh
+26
View File
@@ -0,0 +1,26 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status=""
rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
l_fwutil_status="$l_fwd_status:$l_nft_status"
case $l_fwutil_status in
enabled:active:masked:inactive|enabled:active:disabled:inactive)
l_output="\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive" ;;
masked:inactive:enabled:active|disabled:inactive:enabled:active)
l_output="\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive" ;;
enabled:active:enabled:active)
l_output2="\n - Both FirewallD and NFTables utilities are enabled and active" ;;
enabled:*:enabled:*) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
*:active:*:active) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
:enabled:active) l_output="\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed" ;;
:) l_output2="\n - Neither FirewallD or NFTables is installed." ;;
*:*:) l_output2="\n - NFTables package is not installed on the system" ;;
*) l_output2="\n - Unable to determine firewall state" ;;
esac
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Results:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Results:\n FAIL\n$l_output2\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3421.sh
+19
View File
@@ -0,0 +1,19 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_zone=""
if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
l_zone="$(firewall-cmd --get-default-zone)"
if [ -n "$l_zone" ]; then
l_output=" - The default zone is set to: \"$l_zone\""
else
l_output2=" - The default zone is not set"
fi
else
l_output=" - FirewallD is not in use on the system"
fi
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Results:\n PASS\n$l_output\n"
else
echo -e "\n- Audit Results:\n FAIL\n$l_output2\n"
fi
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_1.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk '/^ *-w/ &&(/\/etc\/selinux/ ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
auditctl -l | awk '/^ *-w/ &&(/\/etc\/selinux/ ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/sbin\/usermod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/sbin\/usermod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_1.sh
+6
View File
@@ -0,0 +1,6 @@
#!/usr/bin/env bash
{
awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) &&/ -S/ &&(/init_module/ ||/finit_module/ ||/delete_module/ ||/create_module/ ||/query_module/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/kmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_2.sh
+6
View File
@@ -0,0 +1,6 @@
#!/usr/bin/env bash
{
auditctl -l | awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) &&/ -S/ &&(/init_module/ ||/finit_module/ ||/delete_module/ ||/create_module/ ||/query_module/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/kmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
SUDO_LOG_FILE_ESCAPED=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g' -e 's|/|\\/|g')
[ -n "${SUDO_LOG_FILE_ESCAPED}" ] && awk "/^ *-w/ \ &&/"${SUDO_LOG_FILE_ESCAPED}"/ &&/ +-p *wa/ \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'SUDO_LOG_FILE_ESCAPED' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
SUDO_LOG_FILE_ESCAPED=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g' -e 's|/|\\/|g')
[ -n "${SUDO_LOG_FILE_ESCAPED}" ] && auditctl -l | awk "/^ *-w/ &&/"${SUDO_LOG_FILE_ESCAPED}"/ \ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" \ || printf "ERROR: Variable 'SUDO_LOG_FILE_ESCAPED' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_1.sh
+8
View File
@@ -0,0 +1,8 @@
#!/usr/bin/env bash
{
for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
grep -qr "${PRIVILEGED}" /etc/audit/rules.d && printf "OK: '${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in on disk configuration.\n"
done
done
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_2.sh
+9
View File
@@ -0,0 +1,9 @@
#!/usr/bin/env bash
{
RUNNING=$(auditctl -l)
[ -n "${RUNNING}" ] && for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
printf -- "${RUNNING}" | grep -q "${PRIVILEGED}" && printf "OK: '${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in running configuration.\n"
done
done || printf "ERROR: Variable 'RUNNING' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&(/ -F *exit=-EACCES/||/ -F *exit=-EPERM/) &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&(/ -F *exit=-EACCES/||/ -F *exit=-EPERM/) &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_1.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&(/chmod/||/fchmod/||/fchmodat/ ||/chown/||/fchown/||/fchownat/||/lchown/ ||/setxattr/||/lsetxattr/||/fsetxattr/ ||/removexattr/||/lremovexattr/||/fremovexattr/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_2.sh
+5
View File
@@ -0,0 +1,5 @@
#!/usr/bin/env bash
{
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&(/chmod/||/fchmod/||/fchmodat/ ||/chown/||/fchown/||/fchownat/||/lchown/ ||/setxattr/||/lsetxattr/||/fsetxattr/ ||/removexattr/||/lremovexattr/||/fremovexattr/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4141.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
[ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f \( ! -perm 600 -a ! -perm 0400 -a ! -perm 0200 -a ! -perm 0000 -a ! -perm 0640 -a ! -perm 0440 -a ! -perm 0040 \) -exec stat -Lc "%n %#a" {} +
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4142.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
[ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec stat -Lc "%n %U" {} +
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4144.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
stat -Lc "%n %a" "$(dirname $( awk -F"=" '/^\s*log_file\s*=\s*/ {print $2}' /etc/audit/auditd.conf))" | grep -Pv -- '^\h*\H+\h+([0,5,7][0,5]0)'
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4145.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec stat -Lc "%n %a" {} + | grep -Pv -- '^\h*\H+\h*([0,2,4,6][0,4]0)\h*$'
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_522.sh
+30
View File
@@ -0,0 +1,30 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_skgn="ssh_keys"
l_skgid="$(awk -F: '($1 == "'"$l_skgn"'"){print $3}' /etc/group)" [ -n "$l_skgid" ] && l_cga="$l_skgn" || l_cga="root" awk '{print}' <<< "$(find -L /etc/ssh -xdev -type f -exec stat -Lc "%n %#a %U %G %g" {} +)" | (while read -r l_file l_mode l_owner l_group l_gid; do
if file "$l_file" | grep -Pq ':\h+OpenSSH\h+private\h+key\b'; then
[ "$l_gid" = "$l_skgid" ] && l_pmask="0137" || l_pmask="0177" l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
if [ $(( $l_mode & $l_pmask )) -gt 0 ]; then
l_output2="$l_output2\n - File: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive"
else
l_output="$l_output\n - File: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive"
fi
if [ "$l_owner" != "root" ]; then
l_output2="$l_output2\n - File: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\""
else
l_output="$l_output\n - File: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\""
fi
if [ "$l_group" != "root" ] && [ "$l_gid" != "$l_skgid" ]; then
l_output2="$l_output2\n - File: \"$l_file\" is owned by group \"$l_group\" should belong to group \"$l_cga\""
else
l_output="$l_output\n - File: \"$l_file\" is owned by group \"$l_group\" should belong to group \"$l_cga\""
fi
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n *PASS*\n$l_output"
else
echo -e "\n- Audit Result:\n *FAIL*\n$l_output2\n\n - Correctly set:\n$l_output"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_523.sh
+30
View File
@@ -0,0 +1,30 @@
#!/usr/bin/env bash
{
l_output="" l_output2="" l_pmask="0133"
awk '{print}' <<< "$(find -L /etc/ssh -xdev -type f -exec stat -Lc "%n %#a %U %G" {} +)" | (while read -r l_file l_mode l_owner l_group; do
if file "$l_file" | grep -Pq ':\h+OpenSSH\h+(\H+\h+)?public\h+key\b'; then
l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )"
if [ $(( $l_mode & $l_pmask )) -gt 0 ]; then
l_output2="$l_output2\n - Public key file: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive"
else
l_output="$l_output\n - Public key file: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive"
fi
if [ "$l_owner" != "root" ]; then
l_output2="$l_output2\n - Public key file: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\""
else
l_output="$l_output\n - Public key file: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\""
fi
if [ "$l_group" != "root" ]; then
l_output2="$l_output2\n - Public key file: \"$l_file\" is owned by group \"$l_group\" should belong to group \"root\"\n"
else
l_output="$l_output\n - Public key file: \"$l_file\" is owned by group \"$l_group\" should belong to group \"root\"\n"
fi
fi
done
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n *PASS*\n$l_output"
else
echo -e "\n- Audit Result:\n *FAIL*\n$l_output2\n\n - Correctly set:\n$l_output"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_1.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
grep PASS_MAX_DAYS /etc/login.defs | cut -d ' ' -f 2
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F: '(/^[^:]+:[^!*]/ && ($5>365 || $5~/([0-1]|-1|\s*)/)){print $1 " " $5}' /etc/shadow
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_1.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
grep PASS_MIN_DAYS /etc/login.defs | cut -d ' ' -f 2
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F : '(/^[^:]+:[^!*]/ && $4 < 1){print $1 " " $4}' /etc/shadow
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_1.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
grep PASS_WARN_AGE /etc/login.defs | cut -d ' ' -f 2
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_2.sh
+9
View File
@@ -0,0 +1,9 @@
#!/usr/bin/env bash
{
for var in $(grep -E ^[^:]+:[^\!*] /etc/shadow | cut -d: -f6)
do
if [ $var -le 7 ]; then
echo "FAIL"
fi
done
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_1.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
useradd -D | grep INACTIVE | cut -d '=' -f 2
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F: '/^[^#:]+:[^!\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\s*$/ {print $1":"$7}' /etc/shadow
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5615.sh
+9
View File
@@ -0,0 +1,9 @@
#!/usr/bin/env bash
{
awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do
change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s);
if [[ "$change" -gt "$(date +%s)" ]]; then
echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"";
fi;
done
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_1.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' || $3 == 65534) && $7!~/^(\/usr)?\/sbin\/nologin$/) { print $1 }' /etc/passwd
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F: '/nologin/ {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_1.sh
+6
View File
@@ -0,0 +1,6 @@
#!/usr/bin/env bash
{
passing=""
grep -Eiq '^\s*UMASK\s+(0[0-7][2-7]7|[0-7][2-7]7)\b' /etc/login.defs && grep -Eqi '^\s*USERGROUPS_ENAB\s*"?no"?\b' /etc/login.defs && grep -Eq '^\s*session\s+(optional|requisite|required)\s+pam_umask\.so\b' /etc/pam.d/common-session && passing=true grep -REiq '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/profile* /etc/bashrc* && passing=true
[ "$passing" = true ] && echo "Default user umask is set"
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_2.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc*
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_621.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6210.sh
+14
View File
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
output=""
valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
[ ! -d "$home" ] && output="$output\n - User \"$user\" home directory \"$home\" doesn't exist"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - All local interactive users have a home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6211.sh
+14
View File
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
{
output=""
valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
owner="$(stat -L -c "%U" "$home")" [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\""
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - All local interactive users have a home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6212.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
output=""
perm_mask='0027'
maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
mode=$( stat -L -c '%#a' "$home" )
[ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
done
if [ -n "$output" ]; then
echo -e "\n- Failed:$output"
else
echo -e "\n- Passed:\n- All user home directories are mode: \"$maxperm\" or more restrictive"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6213.sh
+25
View File
@@ -0,0 +1,25 @@
#!/usr/bin/env bash
{
output="" output2="" perm_mask='0177'
maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
if [ -f "$home/.netrc" ]; then mode="$( stat -L -c '%#a' "$home/.netrc" )"
if [ $(( $mode & $perm_mask )) -gt 0 ]; then
output="$output\n - User \"$user\" file: \"$home/.netrc\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
else
output2="$output2\n - User \"$user\" file: \"$home/.netrc\" exists and has file mode: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
fi
fi
done
if [ -z "$output" ]; then
if [ -z "$output2" ]; then
echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n"
else
echo -e "\n- WARNING:\n$output2\n"
fi
else
echo -e "\n- FAILED:\n$output\n" [ -n "$output2" ] && echo -e "\n- WARNING:\n$output2\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6214.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
output=""
fname=".forward"
valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
[ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6215.sh
+15
View File
@@ -0,0 +1,15 @@
#!/usr/bin/env bash
{
output=""
fname=".rhosts"
valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
[ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists"
done
if [ -z "$output" ]; then
echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n"
else
echo -e "\n- FAILED:\n$output\n"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6216.sh
+19
View File
@@ -0,0 +1,19 @@
#!/usr/bin/env bash
{
output=""
perm_mask='0022'
maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
for dfile in $(find "$home" -type f -name '.*'); do
mode=$( stat -L -c '%#a' "$dfile" )
[ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
done
done
if [ -n "$output" ]; then
echo -e "\n- Failed:$output"
else
echo -e "\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive"
fi
)
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_622.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_628.sh
+16
View File
@@ -0,0 +1,16 @@
#!/usr/bin/env bash
{
RPCV="$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)"
echo "$RPCV" | grep -q "::" && echo "root's path contains a empty directory (::)"
echo "$RPCV" | grep -q ":$" && echo "root's path contains a trailing (:)"
for x in $(echo "$RPCV" | tr ":" " "); do
if [ -d "$x" ]; then
ls -ldH "$x" | awk '$9 == "." {print "PATH contains current working directory (.)"}
$3 != "root" {print $9, "is not owned by root"}
substr($1,6,1) != "-" {print $9, "is group writable"}
substr($1,9,1) != "-" {print $9, "is world writable"}'
else
echo "$x is not a directory"
fi
done
}
ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_629.sh
+4
View File
@@ -0,0 +1,4 @@
#!/usr/bin/env bash
{
awk -F: '($3 == 0) { print $1 }' /etc/passwd
}