a
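--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Configuration file to check
+FILE="/etc/dnf/dnf.conf"
+# Pattern to search for
+PATTERN="gpgcheck"
+
+# Check if the configuration file exists
+if [ ! -f "$FILE" ]; then
+echo "File $FILE not found."
+exit 1
+fi
+
+# Search for the pattern, whether it's commented or not
+grep -E "^[[:space:]]*#?[[:space:]]*$PATTERN\s*=" "$FILE" >/dev/null
+FOUND=$?
+
+# If the pattern is found
+if [ $FOUND -eq 0 ]; then
+# Check if the pattern is commented
+grep -E "^[[:space:]]*#[[:space:]]*$PATTERN\s*=" "$FILE" >/dev/null
+COMMENTED=$?
+
+if [ $COMMENTED -eq 0 ]; then
+echo "Pattern $PATTERN is commented."
+exit 1
+fi
+
+# Extract the value of gpgcheck using grep and sed
+VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=\s*(true|yes|[0-9]+)" "$FILE" | sed -E 's/.*=\s*(true|yes|[0-9]+).*/\1/')
+
+# If the value was found and it's valid (true, yes, or 1)
+if [[ "$VALUE" == "true" || "$VALUE" == "yes" || "$VALUE" == "1" ]]; then
+echo "The value of $PATTERN ($VALUE) is valid."
+exit 0
+else
+echo "The value of $PATTERN ($VALUE) is not valid."
+exit 1
+fi
+else
+echo "Pattern $PATTERN not found."
+exit 1
+fi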
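Review bot: The "is commented" test that feeds `COMMENTED=$?` fails the check whenever a commented `#gpgcheck=` line coexists with an active `gpgcheck=1`, which is common in shipped dnf.conf files, so a compliant host is reported as non-compliant. Testing for the absence of an uncommented line is the safer form: `if ! grep -Eq "^[[:space:]]*$PATTERN[[:space:]]*=" "$FILE"; then`. The `VALUE=$(...)` extraction likewise returns several lines if the key appears more than once and then never equals `1`; piping through `tail -n 1` keeps the last occurrence, presumably the effective one — confirm against dnf's precedence rules. Style: `\s` in `grep -E` is a GNU extension, while the same lines already use the portable `[[:space:]]`.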
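--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+if grubby --info=ALL | grep -Pq '(selinux|enforcing)=0\b'; then
+exit 1
+else
+exit 0
+fi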
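Review bot: When `grubby` is missing or fails, its empty output makes `grep -Pq` return 1 and the script reports a pass for a condition it never examined. Guard the tool first, `command -v grubby >/dev/null || { echo "grubby not found" >&2; exit 1; }`, or inspect `${PIPESTATUS[0]}` after the pipeline. A one-line comment naming the kernel parameters the pattern rejects (`selinux=0`, `enforcing=0`) would document the intent.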
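--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+if grep -Eq '^\s*SELINUXTYPE=(targeted|mls)\b' /etc/selinux/config; then
+echo "SELinux-Type is configured correctly"
+exit 0
+else
+echo "ERROR: SELinux-Type not configured"
+exit 1
+fi
+
+if sestatus | grep -q "Loaded policy name: targeted"; then
+echo "Policy is'targeted'"
+exit 0
+elif sestatus | grep -q "Loaded policy name: mls"; then
+echo "ERROR: Policy is 'mls'"
+exit 1
+else
+echo "ERROR: policy should be 'targeted'"
+exit 1
+fi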
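Review bot: The block beginning `if sestatus | grep -q "Loaded policy name: targeted"` is unreachable, because every branch of the preceding `if`/`else` exits. The two blocks also disagree: the first accepts `SELINUXTYPE=mls` while the second reports `mls` as an error, so decide which policy set is intended and either drop the dead block or merge the running-state check into the first one. The message `"Policy is'targeted'"` is missing a space.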
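--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+if grep -i SELINUX=enforcing /etc/selinux/config; then
+exit 0
+else
+exit 1
+fi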
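Review bot: `grep -i SELINUX=enforcing /etc/selinux/config` is unanchored, so a commented-out `#SELINUX=enforcing` line passes the check while the effective setting may be permissive or disabled. Anchor the key and suppress the match output: `if grep -Eqi '^\s*SELINUX=enforcing\s*$' /etc/selinux/config; then`. Checking the running state with `getenforce` as well would catch a configured-but-not-yet-applied value.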
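--- /dev/null
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+for file in /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf; do
+[ -e "$file" ] || continue
+
+if grep -Eq '^\s*ProcessSizeMax=0' "$file"; then
+exit 0
+fi
+
+done
+
+exit 1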
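Review bot: Exiting 0 on the first file containing `ProcessSizeMax=0` ignores drop-in precedence, so a `ProcessSizeMax=0` in coredump.conf that a later `.conf.d` file overrides with a non-zero size still passes; the `Storage=none` check in the next section has the same shape. If the drop-ins follow systemd's usual last-assignment-wins ordering, evaluate the last effective line instead, e.g. `grep -Ehs '^\s*ProcessSizeMax=' /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf | tail -n 1 | grep -Eq '=\s*0\s*$'`. The pattern also lacks a trailing anchor, so `ProcessSizeMax=0` cannot be told apart from a value such as `01M`.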
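--- /dev/null
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+for file in /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf; do
+[ -e "$file" ] || continue
+
+if grep -Eq '^\s*Storage=none' "$file"; then
+exit 0
+fi
+
+done
+
+exit 1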
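--- /dev/null
+++ b/PATH_NOT_SHOWN_7
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+grep -q "^1$" /proc/sys/crypto/fips_enabled && exit 0
+grep -q "^LEGACY$" /etc/crypto-policies/config && exit 1 || exit 0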
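Review bot: If `/etc/crypto-policies/config` is absent or unreadable, `grep -q` exits 2 and the `|| exit 0` branch reports a pass without having read the policy. Test the file first, `[ -r /etc/crypto-policies/config ] || exit 1`, or query the effective policy with `update-crypto-policies --show` instead of the file. A one-line comment stating the intent (pass when FIPS is enabled or the policy is not LEGACY) would help the next reader.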
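--- /dev/null
+++ b/PATH_NOT_SHOWN_8
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+if [[ -f /etc/sysconfig/sshd ]]; then
+if grep -Pi '^\s*CRYPTO_POLICY\s*=' /etc/sysconfig/sshd; then
+echo "CRYPTO_POLICY ist set"
+exit 1
+else
+echo "CRYPTO_POLICY is not set"
+fi
+else
+echo "file /etc/sysconfig/sshd does not exist"
+fi
+exit 0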
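Review bot: `grep -Pi '^\s*CRYPTO_POLICY\s*='` has no `-q`, so the matched line is printed to stdout in between the status messages; add `-q` as the sibling checks do. The message `echo "CRYPTO_POLICY ist set"` has a typo ("is set"). A comment noting why a set CRYPTO_POLICY is a failure — it makes sshd bypass the system-wide crypto policy — would document the intent.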
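--- /dev/null
+++ b/PATH_NOT_SHOWN_9
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Extract the OS ID from /etc/os-release
+OS_ID=$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g')
+
+# Run the grep command with the OS ID incorporated
+grep -Eis "(\\v|\\r|\\m|\\s|$OS_ID)" /etc/motd
+
+# Check the exit code of the grep command
+if [ $? -ne 0 ]; then
+# Grep did not find any matches, return 0
+exit 0
+else
+# Grep found matches, return 1
+exit 1
+fi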
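Review bot: In `grep -Eis "(\\v|\\r|\\m|\\s|$OS_ID)"` the double-quoted `\\s` reaches grep as `\s`, which GNU grep -E treats as "any whitespace", so any motd containing a space fails the check rather than only one containing the literal agetty escape `\s`; `\\v`, `\\r` and `\\m` are likewise delivered as escapes, not literals. Pass each escape as a literal backslash pair, e.g. `grep -is -e '\\v' -e '\\r' -e '\\m' -e '\\s' -e "$OS_ID" /etc/motd`, and skip the last alternative when `OS_ID` is empty, because an empty alternative matches every line. Reading `$?` two statements after the grep is fragile; put the grep inside the `if` directly.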
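--- /dev/null
+++ b/PATH_NOT_SHOWN_10
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+TEST_FILE="/etc/motd"
+if [ -e "$TEST_FILE" ]; then
+DESIRED_PERM="644"
+ACTUAL_PERM=$(stat -c "%a" "$TEST_FILE")
+if [[ "$ACTUAL_PERM" == "$DESIRED_PERM" ]]; then
+exit 0
+else
+exit 1
+fi
+fi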
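Review bot: `[[ "$ACTUAL_PERM" == "$DESIRED_PERM" ]]` accepts only exactly 644, so a stricter mode such as 640 or 600 fails although it satisfies "644 or more restrictive". A bitmask test expresses the rule: `if (( (8#$ACTUAL_PERM & 8#133) == 0 )); then`. When `/etc/motd` does not exist the script falls off the end with status 0; make that explicit with a final `exit 0` and a comment, since passing on a missing file is a policy decision rather than an accident.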
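--- /dev/null
+++ b/PATH_NOT_SHOWN_11
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+config_file="/etc/gdm/custom.conf"
+
+if [[ ! -f "$config_file" || ! -r "$config_file" ]]; then
+exit 0
+fi
+
+value="Enable"
+
+if grep -Eq "^\s*$value\s*=\s*true\s*$" "$config_file"; then
+echo -e " \"$value\" in $config_file is true"
+exit 1
+else
+echo -e "\"$value\" not found or not set "
+fi
+exit 0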
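--- /dev/null
+++ b/PATH_NOT_SHOWN_12
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+done
+if [ -n "$l_pkgoutput" ]; then
+l_output="" l_output2=""
+echo -e "$l_pkgoutput"
+l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)"
+if [ -n "$l_gdmfile" ]; then
+l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
+if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then
+l_output="$l_output\n - The \"banner-message-enable\" option is enabled in \"$l_gdmfile\""
+else
+l_output2="$l_output2\n - The \"banner-message-enable\" option is not enabled"
+fi
+l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")"
+if [ -n "$l_lsbt" ]; then
+l_output="$l_output\n - The \"banner-message-text\" option is set in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\""
+else
+l_output2="$l_output2\n - The \"banner-message-text\" option is not set"
+fi
+if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
+l_output="$l_output\n - The \"$l_gdmprofile\" profile exists"
+else
+l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist"
+fi
+if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
+l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
+else
+l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
+fi
+else
+l_output2="$l_output2\n - The \"banner-message-enable\" option isn't configured"
+fi
+else
+echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *PASS*\n"
+fi
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}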
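Review bot: When neither `dpkg-query` nor `rpm` exists, `l_pq` stays empty and `$l_pq "$l_pn"` executes `gdm` and `gdm3` themselves as commands, which on a host with another package manager would attempt to start the display manager; the same detection loop is repeated in the seven GDM sections that follow. Add an `else` to the tool detection, `else echo " - no supported package manager found"; exit 1; fi`, or test `[ -n "$l_pq" ]` before the loop. `l_gdmfile="$(grep -Prils ...)"` may hold several newline-separated paths when the key is set in more than one file, after which the quoted `"$l_gdmfile"` is passed to grep as one non-existent filename and the check fails with a misleading "not enabled" reason — add a comment, or `head -n 1`, if only the first match is meant.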
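--- /dev/null
+++ b/PATH_NOT_SHOWN_13
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+done
+if [ -n "$l_pkgoutput" ]; then
+output="" output2=""
+l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db)"
+if [ -n "$l_gdmfile" ]; then
+output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\""
+l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")"
+if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then
+output="$output\n - The \"$l_gdmprofile\" exists"
+else
+output2="$output2\n - The \"$l_gdmprofile\" doesn't exist"
+fi
+if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then
+output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database"
+else
+output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database"
+fi
+else
+output2="$output2\n - The \"disable-user-list\" option is not enabled"
+fi
+if [ -z "$output2" ]; then
+echo -e "$l_pkgoutput\n- Audit result:\n PASS:\n$output\n"
+else
+echo -e "$l_pkgoutput\n- Audit Result:\n FAIL:\n$output2\n"
+[ -n "$output" ] && echo -e "$output\n"
+fi
+else
+echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n PASS\n"
+fi
+}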
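--- /dev/null
+++ b/PATH_NOT_SHOWN_14
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+done
+if [ -n "$l_pkgoutput" ]; then
+l_output="" l_output2="" l_idmv="900"
+l_ldmv="5"
+l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/)"
+if [ -n "$l_kfile" ]; then
+l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
+l_pdbdir="/etc/dconf/db/$l_profile.d"
+l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)"
+if [ -n "$l_idv" ]; then
+[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\"" [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\"" [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\""
+else
+l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\""
+fi
+l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" | xargs)"
+if [ -n "$l_ldv" ]; then
+[ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\"seconds in \"$l_kfile\"" [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\""
+else
+l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\""
+fi
+if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then
+l_output="$l_output\n - The \"$l_profile\" profile exists"
+else
+l_output2="$l_output2\n - The \"$l_profile\" doesn't exist"
+fi
+if [ -f "/etc/dconf/db/$l_profile" ]; then
+l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database"
+else
+l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database"
+fi
+else
+l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped"
+fi
+else
+l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+fi
+[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}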
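Review bot: The lines beginning `[ "$l_idv" -gt "0" -a ...` and `[ "$l_ldv" -ge "0" -a ...` each run several `[ … ] && var=…` statements together on one line, so `l_output="…" [ "$l_idv" = "0" ]` is parsed as a temporary environment assignment for the `[` command and the value is never stored; the idle-delay and lock-delay findings therefore never reach the report, and whichever test runs last decides the message. This looks like newlines lost when the script was pasted in; restoring one statement per line fixes it. `-a` inside `[` is also deprecated — `[[ … && … ]]` or two separate tests read better.
```shell
if [ -n "$l_idv" ]; then
  [ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\""
  [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\""
  [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\""
# … unchanged: else branch and the l_ldv extraction …
if [ -n "$l_ldv" ]; then
  [ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\"seconds in \"$l_kfile\""
  [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\""
# … unchanged: profile checks and report …
```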
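--- /dev/null
+++ b/PATH_NOT_SHOWN_15
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+done
+if [ -n "$l_pkgoutput" ]; then
+l_output="" l_output2=""
+l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
+l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
+if [ -d "$l_kfd" ]; then
+if grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then
+l_output="$l_output\n - \"idle-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\""
+else
+l_output2="$l_output2\n - \"idle-delay\" is not locked"
+fi
+else
+l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked"
+fi
+if [ -d "$l_kfd2" ]; then
+if grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then
+l_output="$l_output\n - \"lock-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\""
+else
+l_output2="$l_output2\n - \"lock-delay\" is not locked"
+fi
+else
+l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be locked"
+fi
+else
+l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+fi
+[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}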
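--- /dev/null
+++ b/PATH_NOT_SHOWN_16
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput="" l_output="" l_output2=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+done
+if [ -n "$l_pkgoutput" ]; then
+echo -e "$l_pkgoutput"
+l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)"
+l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)"
+if [ -f "$l_kfile" ]; then
+l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
+elif [ -f "$l_kfile2" ]; then
+l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")"
+fi
+if [ -n "$l_gpname" ]; then
+l_gpdir="/etc/dconf/db/$l_gpname.d"
+if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
+l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
+else
+l_output2="$l_output2\n - dconf database profile isn't set"
+fi
+if [ -f "/etc/dconf/db/$l_gpname" ]; then
+l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
+else
+l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
+fi
+if [ -d "$l_gpdir" ]; then
+l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
+else
+l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
+fi
+if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then
+l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\""
+else
+l_output2="$l_output2\n - \"automount\" is not set correctly"
+fi
+if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then
+l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\""
+else
+l_output2="$l_output2\n - \"automount-open\" is not set correctly"
+fi
+else
+l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set"
+fi
+else
+l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+fi
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}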
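Review bot: The message `l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"` misspells "exists"; the autorun-never section two sections down carries the same line. `l_kfile`/`l_kfile2` come from `grep -Prils` and may hold several newline-separated paths, in which case `[ -f "$l_kfile" ]` is false and the script reports "neither automount or automount-open is set" although both are — a comment, or `head -n 1`, would make the single-file assumption explicit. `l_gpname` is only assigned inside the `if`/`elif`; initialising it next to `l_output` keeps the later `[ -n "$l_gpname" ]` well-defined if `set -u` is ever added.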
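--- /dev/null
+++ b/PATH_NOT_SHOWN_17
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+done
+if [ -n "$l_pkgoutput" ]; then
+l_output="" l_output2=""
+l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
+l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
+if [ -d "$l_kfd" ]; then
+if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then
+l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\""
+else
+l_output2="$l_output2\n - \"automount\" is not locked"
+fi
+else
+l_output2="$l_output2\n - \"automount\" is not set so it can not be locked"
+fi
+if [ -d "$l_kfd2" ]; then
+if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then
+l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\""
+else
+l_output2="$l_output2\n - \"automount-open\" is not locked"
+fi
+else
+l_output2="$l_output2\n - \"automount-open\" is not set so it can not be locked"
+fi
+else
+l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+fi
+[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}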
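Review bot: The message `l_output="$l_output\n - \"lautomount-open\" is locked in …` has a stray `l` ("automount-open"). In that same block the test uses `grep -Piq` on the directory while the reported filename comes from `grep -Pril`, whereas the automount block above uses `-Pil` for both; `grep -Piq` on a directory without `-r` will not descend into it, so the test and the reported file should use the same flags (`-Pirq` for the test, `-Piril` for the name). A one-line comment explaining that the `.d` directory is derived from the file that sets the key would help readers follow the `l_kfd` construction.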
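--- /dev/null
+++ b/PATH_NOT_SHOWN_18
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput="" l_output="" l_output2=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" echo -e "$l_pkgoutput"
+done
+if [ -n "$l_pkgoutput" ]; then
+echo -e "$l_pkgoutput"
+l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)"
+if [ -f "$l_kfile" ]; then
+l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")"
+fi
+if [ -n "$l_gpname" ]; then
+l_gpdir="/etc/dconf/db/$l_gpname.d"
+if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then
+l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists"
+else
+l_output2="$l_output2\n - dconf database profile isn't set"
+fi
+if [ -f "/etc/dconf/db/$l_gpname" ]; then
+l_output="$l_output\n - The dconf database \"$l_gpname\" exists"
+else
+l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist"
+fi
+if [ -d "$l_gpdir" ]; then
+l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst"
+else
+l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist"
+fi
+if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then
+l_output="$l_output\n - \"autorun-never\" is set to true in: \"$l_kfile\""
+else
+l_output2="$l_output2\n - \"autorun-never\" is not set correctly"
+fi
+else
+l_output2="$l_output2\n - \"autorun-never\" is not set"
+fi
+else
+l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+fi
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}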
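Review bot: At `… && l_pkgoutput="$l_pkgoutput\n - Package: …" echo -e "$l_pkgoutput"` the assignment and the echo share one line, so the assignment is only a temporary environment for `echo` and `l_pkgoutput` stays empty; the script then always takes the "GNOME Desktop Manager package is not installed" branch and reports PASS even when autorun-never is unset. Put the assignment on its own line, `$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"`, and drop the echo, since the text is already printed once `if [ -n "$l_pkgoutput" ]` is entered. This looks like a newline lost in copying; the idle-delay section has similar merged lines.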
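--- /dev/null
+++ b/PATH_NOT_SHOWN_19
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+{
+l_pkgoutput=""
+if command -v dpkg-query > /dev/null 2>&1; then
+l_pq="dpkg-query -W"
+elif
+command -v rpm > /dev/null 2>&1; then
+l_pq="rpm -q"
+fi
+l_pcl="gdm gdm3"
+for l_pn in $l_pcl; do
+$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration"
+done
+if [ -n "$l_pkgoutput" ]; then
+l_output="" l_output2=""
+l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
+if [ -d "$l_kfd" ]; then
+if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then
+l_output="$l_output\n - \"autorun-never\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\""
+else
+l_output2="$l_output2\n - \"autorun-never\" is not locked"
+fi
+else
+l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked"
+fi
+else
+l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+fi
+[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}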
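--- /dev/null
+++ b/PATH_NOT_SHOWN_20
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+config_file="/etc/sysconfig/chronyd"
+
+if [[ ! -f "$config_file" || ! -r "$config_file" ]]; then
+echo "Configuration file '$config_file' is missing or not readable. Exiting."
+exit 1
+fi
+
+regex_pattern="^\s*OPTIONS=\s*([^#\n\r]+\s+)?-u\s+root\b"
+value="-u\s+root\b"
+if grep -Eq "$regex_pattern" "$config_file"; then
+echo " \"$value\" in $config_file is found"
+exit 1
+else
+echo "\"$value\" not found or not set "
+fi
+exit 0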
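Review bot: The messages print `$value`, which holds the regex fragment `-u\s+root\b` rather than a readable setting; use a literal such as `value="-u root"` for the output or print the matched line. The check only fails when `OPTIONS` explicitly contains `-u root`, so an `OPTIONS` line with no `-u` at all passes, which is only correct if the packaged unit already runs chronyd as an unprivileged user — a comment stating that assumption would help. `grep -E` with `\s`, `\b` and `\n` relies on GNU extensions; `[[:space:]]` is the portable spelling.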
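--- /dev/null
+++ b/PATH_NOT_SHOWN_21
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Define the files to check
+FILES=("/etc/cron.allow" "/etc/cron.deny")
+
+# Function to check a file
+check_file() {
+local file=$1
+
+# Check if the file exists
+if [ ! -e "$file" ]; then
+echo "File $file does not exist. Ignoring."
+return 0
+fi
+
+# Get the file permissions in numeric format
+local permissions=$(stat -c "%a" "$file")
+local owner=$(stat -c "%U" "$file")
+local group=$(stat -c "%G" "$file")
+
+# Check if the file permissions are 0640 or more restrictive
+if [ "$permissions" -gt 640 ]; then
+echo "File $file permissions are not 0640 or more restrictive."
+return 1
+fi
+
+# Check if the owner is root and group is root
+if [ "$owner" != "root" ] || [ "$group" != "root" ]; then
+echo "File $file owner or group is not root."
+return 1
+fi
+
+return 0
+}
+
+# Check each file
+for file in "${FILES[@]}"; do
+if ! check_file "$file"; then
+exit 1
+fi
+done
+
+# If all checks pass, exit with status 0
+exit 0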
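Review bot: `[ "$permissions" -gt 640 ]` compares the octal mode string as a decimal number, so `604` (world-readable) passes while `700` is rejected; neither matches "0640 or more restrictive". A bitmask check expresses the rule: `if (( (8#$permissions & 8#137) != 0 )); then`. Also `local permissions=$(stat …)` masks a failing `stat` because `local` always succeeds; declare first and assign on a separate line so the status is visible, and the same applies to `owner` and `group`.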
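--- /dev/null
+++ b/PATH_NOT_SHOWN_22
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+{
+l_output="" l_output2="" l_mname="tipc"
+if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
+l_loadable="$(modprobe -n -v "$l_mname")"
+[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
+if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
+l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
+else
+l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
+fi
+if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
+l_output="$l_output\n - module: \"$l_mname\" is not loaded"
+else
+l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
+fi
+if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
+l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
+else
+l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
+fi
+else
+l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
+fi
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Result:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n"
+[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+fi
+}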
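Review bot: `lsmod | grep "$l_mname"` is an unanchored substring match, so any loaded module whose name or "Used by" column contains the string is reported as "tipc is loaded". Anchor it to the first column: `if ! lsmod | grep -Pq -- "^\h*$l_mname\b"; then`. The deny-list filename lookup searches only `/etc/modprobe.d/*`, while `modprobe --showconfig` also reads other configuration directories, so the reported path can be empty even though the test passed — presumably acceptable, but worth a comment.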
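--- /dev/null
+++ b/PATH_NOT_SHOWN_23
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+{
+l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status=""
+rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
+rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
+l_fwutil_status="$l_fwd_status:$l_nft_status"
+case $l_fwutil_status in
+enabled:active:masked:inactive|enabled:active:disabled:inactive)
+l_output="\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive" ;;
+masked:inactive:enabled:active|disabled:inactive:enabled:active)
+l_output="\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive" ;;
+enabled:active:enabled:active)
+l_output2="\n - Both FirewallD and NFTables utilities are enabled and active" ;;
+enabled:*:enabled:*) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
+*:active:*:active) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;;
+:enabled:active) l_output="\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed" ;;
+:) l_output2="\n - Neither FirewallD or NFTables is installed." ;;
+*:*:) l_output2="\n - NFTables package is not installed on the system" ;;
+*) l_output2="\n - Unable to determine firewall state" ;;
+esac
+if [ -z "$l_output2" ]; then
+echo -e "\n- Audit Results:\n PASS\n$l_output\n"
+else
+echo -e "\n- Audit Results:\n FAIL\n$l_output2\n"
+fi
+}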
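Review bot: The message in the `*:active:*:active)` arm says "are enabled", duplicating the previous arm; it should read "are active". The `*:*:)` arm reports FAIL whenever the nftables package is absent, including `enabled:active:` where firewalld is the active firewall; if that is intended because firewalld depends on nftables on the target platform, a comment should say so. Package detection uses `rpm -q` only, unlike the `dpkg-query`/`rpm` fallback used in the GDM sections of this commit.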
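--- /dev/null
+++ b/PATH_NOT_SHOWN_24
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+parameter_sshd_t=disableforwarding
+parameter_sshd_config=DisableForwarding
+desired_value=yes
+
+if ! command -v sshd &>/dev/null; then
+echo "sshd command could not be found"
+exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then
+actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
+else
+exit 1
+
+fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+exit 0
+else
+exit 1
+fi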
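Review bot: At `if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config` and the following `actual_value=$(grep -i '^$parameter_sshd_config' …)` the pattern is single-quoted, so grep searches for the literal text `$parameter_sshd_config` and the fallback can never match; the IgnoreRhosts and LoginGraceTime sections further down use the same quoting. Use double quotes as the GSSAPIAuthentication section does: `if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then`. `sshd -T` also exits non-zero without root privileges or a resolvable hostname and its stderr is left on the terminal while the failure silently becomes an empty `actual_value`; checking its status would make the fallback deliberate.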
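--- /dev/null
+++ b/PATH_NOT_SHOWN_25
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+parameter_sshd_t=gssapiauthentication
+parameter_sshd_config=GSSAPIAuthentication
+desired_value=no
+
+if ! command -v sshd &>/dev/null; then
+echo "sshd command could not be found"
+exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then
+actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}')
+else
+
+exit 1
+fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+exit 0
+else
+exit 1
+fi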
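Review bot: `if grep -iq "^$parameter_sshd_config" …` matches case-insensitively but the extraction on the next line, `grep "^$parameter_sshd_config"`, is case-sensitive, so a lowercase `gssapiauthentication no` passes the test yet yields an empty `actual_value` and a spurious failure; the HostbasedAuthentication and LogLevel sections have the same pair. Add `-i` to the extracting grep: `actual_value=$(grep -i "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}')`. Recent OpenSSH versions also pull in `/etc/ssh/sshd_config.d/*.conf` via `Include`, which this fallback does not read — a comment noting that `sshd -T` is the authoritative path would set expectations.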
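--- /dev/null
+++ b/PATH_NOT_SHOWN_26
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+parameter_sshd_t=hostbasedauthentication
+parameter_sshd_config=HostbasedAuthentication
+desired_value=no
+
+if ! command -v sshd &>/dev/null; then
+echo "sshd command could not be found"
+exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then
+actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}')
+else
+exit 1
+
+fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+exit 0
+else
+exit 1
+fi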
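--- /dev/null
+++ b/PATH_NOT_SHOWN_27
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+parameter_sshd_t=ignorerhosts
+parameter_sshd_config=IgnoreRhosts
+desired_value=yes
+
+if ! command -v sshd &>/dev/null; then
+echo "sshd command could not be found"
+exit 0
+fi
+
+# Check using sshd -T output
+actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
+
+if [ -z "$actual_value" ]; then
+if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then
+actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
+else
+echo "$parameter_sshd_config not set in sshd_config, using default"
+actual_value=no
+fi
+fi
+
+if [ "$actual_value" = "$desired_value" ]; then
+exit 0
+else
+exit 1
+fi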
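Review bot: The fallback default `actual_value=no` does not match sshd's documented default for IgnoreRhosts, which sshd_config(5) gives as `yes`, so a host that leaves the option unset is reported as failing whenever `sshd -T` produces no output. Set `actual_value=yes` and name the source of the default in the comment. The single-quoted `'^$parameter_sshd_config'` on the two preceding lines also prevents the fallback from ever matching, as noted on the DisableForwarding section.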
@@ -0,0 +1,29 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
#test
|
||||
parameter_sshd_t=logingracetime
|
||||
parameter_sshd_config=LoginGraceTime
|
||||
desired_value=60
|
||||
|
||||
if ! command -v sshd &>/dev/null; then
|
||||
echo "sshd command could not be found"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Check using sshd -T output
|
||||
actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
|
||||
|
||||
if [ -z "$actual_value" ]; then
|
||||
if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then
|
||||
actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
|
||||
else
|
||||
echo "$parameter_sshd_config not set in sshd_config, using default"
|
||||
actual_value=120
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$actual_value" -le "$desired_value" ]; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
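Review bot: The final comparison `[ "$actual_value" -le "$desired_value" ]` accepts `0`, but `LoginGraceTime 0` disables the grace-time limit entirely, so the most permissive setting passes this check. Require a positive value: `if [ "$actual_value" -gt 0 ] && [ "$actual_value" -le "$desired_value" ]; then`. Values taken from the file fallback may carry a time suffix such as `2m`, which `-le` cannot compare and which makes `[` print an error before falling into the else branch; `sshd -T` already normalises to seconds, so the fallback would need the same normalisation. The stray `#test` comment at the top should be dropped.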
|
||||
@@ -0,0 +1,28 @@
|
||||
#!/usr/bin/env bash
|
||||
parameter_sshd_t=loglevel
|
||||
parameter_sshd_config=LogLevel
|
||||
desired_value=INFO
|
||||
desired_value1=VERBOSE
|
||||
|
||||
if ! command -v sshd &>/dev/null; then
|
||||
echo "sshd command could not be found"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Check using sshd -T output
|
||||
actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
|
||||
|
||||
if [ -z "$actual_value" ]; then
|
||||
if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then
|
||||
actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}')
|
||||
else
|
||||
echo "$parameter_sshd_config not set in sshd_config, using default"
|
||||
actual_value=INFO
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$actual_value" = "$desired_value" ] || [ "$actual_value" = "$desired_value1" ]; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
@@ -0,0 +1,27 @@
|
||||
#!/usr/bin/env bash
|
||||
parameter_sshd_t=maxstartups
|
||||
parameter_sshd_config=MaxStartups
|
||||
desired_value="10:30:60"
|
||||
|
||||
if ! command -v sshd &>/dev/null; then
|
||||
echo "sshd command could not be found"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Check using sshd -T output
|
||||
actual_value=$(sshd -T | grep -Ei "^$parameter_sshd_t" | awk '{print $2}')
|
||||
|
||||
if [ -z "$actual_value" ]; then
|
||||
if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then
|
||||
actual_value=$(grep -E "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}')
|
||||
else
|
||||
echo "$parameter_sshd_config not set in sshd_config, using default"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$actual_value" = "$desired_value" ]; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
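Review bot: The else branch prints `"$parameter_sshd_config not set in sshd_config, using default"` and then exits 1, so the message claims a default is applied while the check actually fails; either apply sshd's documented default (`actual_value=10:30:100`) and fall through to the comparison, or change the message to say the directive is missing. The comparison `[ "$actual_value" = "$desired_value" ]` is an exact string match, so a stricter setting such as `5:30:60` is reported as non-compliant; if the intent is "10:30:60 or more restrictive", split on `:` and compare each field with `-le`.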
|
||||
@@ -0,0 +1,29 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
parameter_sshd_t=maxsessions
|
||||
parameter_sshd_config=MaxSessions
|
||||
FILE="/etc/ssh/sshd_config"
|
||||
desired_value=10
|
||||
|
||||
if ! command -v sshd &>/dev/null; then
|
||||
echo "sshd command could not be found"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Check using sshd -T output
|
||||
actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
|
||||
|
||||
if [ -z "$actual_value" ]; then
|
||||
|
||||
if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then
|
||||
actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$actual_value" -le "$desired_value" ]; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
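Review bot: `FILE="/etc/ssh/sshd_config"` is defined but never used; both greps below hard-code the path, so either reference `"$FILE"` in them or drop the variable. As in the other numeric sshd checks, an empty `actual_value` makes `[ "" -le 10 ]` print a bash error before the else branch exits 1; a `[ -z "$actual_value" ] && exit 1` guard ahead of the comparison keeps the output clean and the failure explicit.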
|
||||
@@ -0,0 +1,34 @@
|
||||
#!/usr/bin/env bash
|
||||
parameter_sshd_t=clientaliveinterval
|
||||
parameter_sshd_config=ClientAliveInterval
|
||||
desired_value=15
|
||||
|
||||
parameter_sshd_t1=clientalivecountmax
|
||||
parameter_sshd_config1=ClientAliveCountMax
|
||||
desired_value1=3
|
||||
|
||||
if ! command -v sshd &>/dev/null; then
|
||||
echo "sshd command could not be found"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Check using sshd -T output
|
||||
actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}')
|
||||
actual_value1=$(sshd -T | grep -i "$parameter_sshd_t1" | awk '{print $2}')
|
||||
|
||||
if [ -z "$actual_value" ] && [ -z "$actual_value1" ]; then
|
||||
if (grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config) && (grep -iq '^$parameter_sshd_config1' /etc/ssh/sshd_config); then
|
||||
actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}')
|
||||
actual_value1=$(grep -i '^$parameter_sshd_config1' /etc/ssh/sshd_config | awk '{print $2}')
|
||||
|
||||
else
|
||||
echo "$parameter_sshd_config not set in sshd_config, using default"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$actual_value" -eq "$desired_value" ] && [ "$actual_value1" -eq "$desired_value1" ]; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
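Review bot: The fallback only runs when both `actual_value` and `actual_value1` are empty, and inside it both directives must be present, so a config with only one of them set reaches the `-eq` comparison with an empty operand, which makes `[` error out and the script exit 1 with no explanation. Using `-eq` also rejects stricter settings (interval 10, count 2) where the sibling LoginGraceTime check uses `-le`; consider `[ "$actual_value" -gt 0 ] && [ "$actual_value" -le "$desired_value" ]` for each of the two values. The `(...)` subshells wrapping the greps in the `if` are unnecessary and only hide their exit codes behind an extra fork.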
|
||||
@@ -0,0 +1,39 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Check if authselect.conf exists
|
||||
if [[ ! -f /etc/authselect/authselect.conf ]]; then
|
||||
echo "/etc/authselect/authselect.conf is missing."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
l_module_name="faillock"
|
||||
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
|
||||
|
||||
if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then
|
||||
l_pam_profile_path="/etc/authselect/$l_pam_profile"
|
||||
else
|
||||
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
|
||||
fi
|
||||
|
||||
for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do
|
||||
if [[ ! -f "$file" ]]; then
|
||||
echo "File $file does not exist. Test failed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then
|
||||
echo "pam_faillock.so entry not found in $file. Test failed."
|
||||
exit 1
|
||||
else
|
||||
echo "pam_faillock.so entry found in $file."
|
||||
fi
|
||||
|
||||
if ! grep -P -- "\{include if \"with-faillock\"\}" "$file" >/dev/null; then
|
||||
echo "Entry '{include if \"with-faillock\"}' not found in $file. Test failed."
|
||||
exit 1
|
||||
else
|
||||
echo "Entry '{include if \"with-faillock\"}' found in $file. Test passed."
|
||||
fi
|
||||
done
|
||||
|
||||
exit 0
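Review bot: The `{include if "with-faillock"}` grep only proves that the profile template supports the `with-faillock` feature; it does not show the feature is enabled, which is recorded on the lines following the profile name in `/etc/authselect/authselect.conf` (or reported by `authselect current`). A profile with the feature disabled therefore passes although pam_faillock is not present in the generated `/etc/pam.d` files. The `\bpam_faillock\.so\b` pattern also matches commented-out lines; anchoring to non-comment lines, `grep -P -- "^\s*[^#\s].*\bpam_$l_module_name\.so\b" "$file"`, avoids that. The same two points apply to the pwhistory hunk, and the commented-line one to both pam_unix hunks.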
|
||||
@@ -0,0 +1,32 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Check if /etc/authselect/authselect.conf exists
|
||||
if [[ ! -f /etc/authselect/authselect.conf ]]; then
|
||||
echo "/etc/authselect/authselect.conf is missing."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
l_module_name="unix"
|
||||
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
|
||||
|
||||
if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then
|
||||
l_pam_profile_path="/etc/authselect/$l_pam_profile"
|
||||
else
|
||||
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
|
||||
fi
|
||||
|
||||
for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do
|
||||
if [[ ! -f "$file" ]]; then
|
||||
echo "File $file does not exist. Test failed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then
|
||||
echo "pam_unix.so entry not found in $file. Test failed."
|
||||
exit 1
|
||||
else
|
||||
echo "pam_unix.so entry found in $file. Test passed."
|
||||
fi
|
||||
done
|
||||
|
||||
exit 0
|
||||
@@ -0,0 +1,45 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Check if authselect.conf exists
|
||||
if [[ ! -f /etc/authselect/authselect.conf ]]; then
|
||||
echo "/etc/authselect/authselect.conf is missing."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
l_module_name="pwhistory"
|
||||
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
|
||||
|
||||
# Check if authselect.conf exists
|
||||
if [[ ! -f /etc/authselect/authselect.conf ]]; then
|
||||
echo "/etc/authselect/authselect.conf is missing."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then
|
||||
l_pam_profile_path="/etc/authselect/$l_pam_profile"
|
||||
else
|
||||
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
|
||||
fi
|
||||
|
||||
for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do
|
||||
if [[ ! -f "$file" ]]; then
|
||||
echo "File $file does not exist. Test failed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then
|
||||
echo "pam_pwhistory.so entry not found in $file. Test failed."
|
||||
exit 1
|
||||
else
|
||||
echo "pam_pwhistory.so entry found in $file."
|
||||
fi
|
||||
|
||||
if ! grep -P -- "\{include if \"with-pwhistory\"\}" "$file" >/dev/null; then
|
||||
echo "Entry '{include if \"with-pwhistory\"}' not found in $file. Test failed."
|
||||
exit 1
|
||||
else
|
||||
echo "Entry '{include if \"with-pwhistory\"}' found in $file. Test passed."
|
||||
fi
|
||||
done
|
||||
|
||||
exit 0
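Review bot: The second `/etc/authselect/authselect.conf` existence check (the block after `l_pam_profile=`) is dead code, because the first check already exited with status 1 when the file is missing, and it contradicts that check by exiting 0. Remove the duplicated block so a missing config has exactly one outcome.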
|
||||
@@ -0,0 +1,31 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Check if authselect.conf exists
|
||||
if [[ ! -f /etc/authselect/authselect.conf ]]; then
|
||||
echo "/etc/authselect/authselect.conf is missing."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
l_module_name="unix"
|
||||
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
|
||||
|
||||
if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then
|
||||
l_pam_profile_path="/etc/authselect/$l_pam_profile"
|
||||
else
|
||||
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
|
||||
fi
|
||||
|
||||
for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do
|
||||
if [[ ! -f "$file" ]]; then
|
||||
echo "File $file does not exist. Test failed."
|
||||
exit 1
|
||||
fi
|
||||
if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then
|
||||
echo "pam_unix.so entry not found in $file. Test failed."
|
||||
exit 1
|
||||
else
|
||||
echo "pam_unix.so entry found in $file. Test passed."
|
||||
fi
|
||||
done
|
||||
|
||||
exit 0
|
||||
@@ -0,0 +1,30 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# File configuration
|
||||
FILE="/etc/security/pwquality.conf"
|
||||
# what we look for
|
||||
PATTERN="enforce_for_root"
|
||||
|
||||
# Check if the file exists
|
||||
if [ ! -f "$FILE" ]; then
|
||||
echo "File $FILE wa not found."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Search for the pattern, regardless of its case, even if it is commented out
|
||||
grep -Ei "^[[:space:]]*#?[[:space:]]*$PATTERN" "$FILE" >/dev/null
|
||||
FOUND=$?
|
||||
|
||||
# if the pattern is found
|
||||
if [ $FOUND -eq 0 ]; then
|
||||
# check if it is commented
|
||||
grep -Ei "^[[:space:]]*#[[:space:]]*$PATTERN" "$FILE" >/dev/null
|
||||
COMMENTED=$?
|
||||
|
||||
if [ $COMMENTED -eq 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
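Review bot: The "commented" test fires if any line matches `#...enforce_for_root`, so a file that keeps the stock `# enforce_for_root` comment shipped in pwquality.conf and adds an active `enforce_for_root` line below it is reported as failing. Test directly for an active line instead and let its status be the script's result: `grep -Eiq "^[[:space:]]*$PATTERN([[:space:]]|$)" "$FILE"` as the last command, which also stops longer names beginning with `enforce_for_root` from matching. Drop-ins under `/etc/security/pwquality.conf.d/` are read by libpwquality but not examined here. The message `"File $FILE wa not found."` has a typo.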
|
||||
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/env bash
|
||||
pw_file="/etc/security/pwhistory.conf"
|
||||
value="remember"
|
||||
regex_pattern="^\s*${value}\s*=\s*[0-9]+\s*$"
|
||||
expected_value=24
|
||||
if grep -Eq "$regex_pattern" "$pw_file"; then
|
||||
current_value=$(grep -Eo "$regex_pattern" "$pw_file" | awk -F'=' '{print $2}' | tr -d ' ')
|
||||
if ((current_value < expected_value)); then
|
||||
echo "ERROR: $value = $current_value < $expected_value"
|
||||
exit 1
|
||||
else
|
||||
echo "$value = $current_value > $expected_value"
|
||||
exit 0
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
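Review bot: The success message prints `$current_value > $expected_value` even when the two are equal, which is the compliant boundary (24 = 24); it should say `>=`. The pattern requires the line to end right after the number (`\s*$`), so `remember = 24 # comment` is treated as missing and fails, and `/etc/security/pwhistory.conf.d/*.conf` is not consulted. If `remember` appears more than once, `current_value` becomes multi-line and the `(( ))` comparison errors out; take the last match with `| tail -n1`.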
|
||||
@@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
pw_file="/etc/security/pwhistory.conf"
|
||||
|
||||
value="enfore_for_root"
|
||||
|
||||
regex_pattern="^\s*#*\s*${value}\s*"
|
||||
|
||||
if grep -Eq "^\s*${value}\s*$" "$pw_file"; then
|
||||
echo "$value is correctly set."
|
||||
exit 0
|
||||
else
|
||||
echo "ERROR: $value is either missing or commented out."
|
||||
exit 1
|
||||
fi
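Review bot: `value="enfore_for_root"` is misspelled, so the grep looks for a directive that pam_pwhistory never reads and the check fails on every correctly configured host; it must be `value="enforce_for_root"`. `regex_pattern` is assigned but never used and can be removed. The active-line test `^\s*${value}\s*$` also rejects a trailing comment; `^\s*${value}(\s|$)` is more tolerant while still excluding commented lines.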
|
||||
@@ -0,0 +1,24 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
if [[ ! -d "/etc/authselect" && ! -d "/usr/share/authselect" ]]; then
|
||||
echo "Authselect is not installed. Exiting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
pam_profile="$(head -1 /etc/authselect/authselect.conf 2>/dev/null || echo "default")"
|
||||
|
||||
if [[ "$pam_profile" =~ ^custom/ ]]; then
|
||||
pam_profile_path="/etc/authselect/$pam_profile"
|
||||
else
|
||||
pam_profile_path="/usr/share/authselect/default/$pam_profile"
|
||||
fi
|
||||
|
||||
for auth_file in "$pam_profile_path"/{password-auth,system-auth}; do
|
||||
if grep -Eq '^\s*password\s+([^#\n\r]+\s+)?pam_unix\.so\b' $auth_file | grep -Pv '\bremember=\d\b'; then
|
||||
echo "- \"remember\" is set in $auth_file"
|
||||
exit 1
|
||||
else
|
||||
echo "- \"remember\" is not set in $auth_file"
|
||||
fi
|
||||
done
|
||||
exit 0
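Review bot: The condition `grep -Eq ... $auth_file | grep -Pv '\bremember=\d\b'` can never detect `remember`: `-q` makes the first grep print nothing, so the second grep always sees empty input and returns 1, the `if` takes that status, and every file is reported as "not set" with exit 0. Drop `-q` from the first grep and make the second one the quiet, non-inverted test: `if grep -E '^\s*password\s+([^#\n\r]+\s+)?pam_unix\.so\b' "$auth_file" | grep -Pq '\bremember=\d+\b'; then`. `\d\b` also only matched a single digit, so `remember=24` would have slipped through even without the pipe problem, and `$auth_file` should be quoted.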
|
||||
@@ -0,0 +1,29 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
config_file="/etc/authselect/authselect.conf"
|
||||
if [[ ! -f "$config_file" || ! -r "$config_file" ]]; then
|
||||
echo "Configuration file '$config_file' is missing or not readable. Exiting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if command -v authselect &>/dev/null; then
|
||||
pam_profile="$(head -1 /etc/authselect/authselect.conf 2>/dev/null || echo "default")"
|
||||
|
||||
if [[ "$pam_profile" =~ ^custom/ ]]; then
|
||||
pam_profile_path="/etc/authselect/$pam_profile"
|
||||
else
|
||||
pam_profile_path="/usr/share/authselect/default/$pam_profile"
|
||||
fi
|
||||
else
|
||||
pam_profile_path="/etc/pam.d"
|
||||
fi
|
||||
|
||||
for auth_file in "$pam_profile_path"/{password-auth,system-auth}; do
|
||||
if grep -Eq '^\s*password\s+[^#]*pam_unix\.so\s+.*(sha512|yescrypt)\b' $auth_file; then
|
||||
echo "- strong password hashing algorithm is set in $auth_file"
|
||||
else
|
||||
echo "- strong password hashing algorithm is not set in $auth_file"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
exit 0
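Review bot: `$auth_file` is unquoted in the grep and there is no `-f` guard, so a missing file produces a grep error plus a "not set" failure rather than a clear message. The `/etc/pam.d` fallback in the else branch is unreachable in practice: the script already exits 1 when `/etc/authselect/authselect.conf` is absent, and a host without the `authselect` binary will not normally have that file. Either drop the branch or move the `command -v authselect` test ahead of the config-file check so non-authselect hosts are actually examined.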
|
||||
@@ -0,0 +1,9 @@
|
||||
#!/usr/bin/env bash
|
||||
{
|
||||
awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do
|
||||
change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s);
|
||||
if [[ "$change" -gt "$(date +%s)" ]]; then
|
||||
echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"";
|
||||
fi;
|
||||
done
|
||||
}
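Review bot: The script only prints findings; the exit status of the `{ ... }` group is that of the `while` loop, which is 0 whether or not any user was reported, so an audit runner cannot tell pass from fail. The same report-only pattern is in the UID-0 hunk and the two `/etc/passwd`/`/etc/shadow` awk hunks, where wrapping the command as `if awk ... | grep .; then exit 1; fi` turns any output into a failure. Here a flag cannot be set inside the loop because the pipeline runs it in a subshell; feed the loop from process substitution instead and exit with the flag. `$usr` should be quoted in both `chage` calls.
```shell
failed=0
while read -r usr; do
  change=$(date -d "$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s)
  if [[ "$change" -gt "$(date +%s)" ]]; then
    echo "User: \"$usr\" last password change was \"$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)\""
    failed=1
  fi
done < <(awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow)
exit "$failed"
```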
|
||||
@@ -0,0 +1,4 @@
|
||||
#!/usr/bin/env bash
|
||||
{
|
||||
awk -F: '($3 == 0) { print $1 }' /etc/passwd
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
#!/usr/bin/env bash
|
||||
{
|
||||
RPCV="$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)"
|
||||
echo "$RPCV" | grep -q "::" && echo "root's path contains a empty directory (::)"
|
||||
echo "$RPCV" | grep -q ":$" && echo "root's path contains a trailing (:)"
|
||||
for x in $(echo "$RPCV" | tr ":" " "); do
|
||||
if [ -d "$x" ]; then
|
||||
ls -ldH "$x" | awk '$9 == "." {print "PATH contains current working directory (.)"}
|
||||
$3 != "root" {print $9, "is not owned by root"}
|
||||
substr($1,6,1) != "-" {print $9, "is group writable"}
|
||||
substr($1,9,1) != "-" {print $9, "is world writable"}'
|
||||
else
|
||||
echo "$x is not a directory"
|
||||
fi
|
||||
done
|
||||
}
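Review bot: The ownership and mode checks parse `ls -ldH` output by awk field position, which breaks for directory names containing spaces and depends on ls's column layout; `stat -Lc '%U %a' "$x"` returns owner and octal mode directly, and the writable tests become `(( 8#$mode & 8#020 ))` and `(( 8#$mode & 8#002 ))`. Like the other report-only hunks, the group's exit status is always 0 here, so the findings never fail the audit. `for x in $(echo "$RPCV" | tr ":" " ")` also splits a PATH entry containing spaces into several bogus entries; `IFS=: read -ra dirs <<<"$RPCV"` keeps them intact.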
|
||||
@@ -0,0 +1,13 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
socket_installed=$(systemctl list-unit-files | grep -q 'systemd-journal-remote.socket' && echo true || echo false)
|
||||
service_installed=$(systemctl list-unit-files | grep -q 'systemd-journal-remote.service' && echo true || echo false)
|
||||
|
||||
if [[ "$socket_installed" == "false" && "$service_installed" == "false" ]]; then
|
||||
exit 0 # True if neither is installed
|
||||
elif [[ "$socket_installed" == "true" && "$(systemctl is-active systemd-journal-remote.socket)" =~ ^(inactive|failed)$ ]] &&
|
||||
[[ "$service_installed" == "true" && "$(systemctl is-active systemd-journal-remote.service)" =~ ^(inactive|failed)$ ]]; then
|
||||
exit 0 # True if both are not active (including failed)
|
||||
else
|
||||
exit 1 # False otherwise
|
||||
fi
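Review bot: A mixed install state falls through to `exit 1`: if only the socket unit exists and is inactive (or only the service), neither the first nor the second branch matches, so a host with nothing listening is reported as failing. Conversely, `is-active` only describes the current state; a socket that is enabled but not yet started passes here and will listen after the next boot, so the check should also require `systemctl is-enabled systemd-journal-remote.socket` to report `disabled` or `masked`. Evaluating each unit on its own (installed → must be inactive/failed and disabled/masked) covers both cases.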
|
||||
@@ -0,0 +1,16 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
regex_pattern="^\s*ForwardToSyslog\s*=\s*no"
|
||||
config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*")
|
||||
|
||||
for config_file in "${config_files[@]}"; do
|
||||
for file in $config_file; do
|
||||
if [[ -f "$file" ]]; then
|
||||
if grep -qE "$regex_pattern" "$file"; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
exit 1
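Review bot: The check passes on the first file containing `ForwardToSyslog=no`, but journald applies `/etc/systemd/journald.conf.d/*.conf` in lexical order with later files overriding earlier ones, so a later drop-in setting `ForwardToSyslog=yes` leaves the check green while the effective value is `yes`. The same first-match logic is in the `Compress=yes` and `Storage=persistent` hunks. Let systemd compute the effective value instead: take the last `ForwardToSyslog` line from `systemd-analyze cat-config systemd/journald.conf` and test that one, or at least restrict the glob to `*.conf` (journald ignores other names) and use the last match across all files.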
|
||||
@@ -0,0 +1,16 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
regex_pattern="^\s*Compress\s*=\s*yes"
|
||||
config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*")
|
||||
|
||||
for config_file in "${config_files[@]}"; do
|
||||
for file in $config_file; do
|
||||
if [[ -f "$file" ]]; then
|
||||
if grep -qE "$regex_pattern" "$file"; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
exit 1
|
||||
@@ -0,0 +1,16 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
regex_pattern="^\s*Storage\s*=\s*persistent"
|
||||
config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*")
|
||||
|
||||
for config_file in "${config_files[@]}"; do
|
||||
for file in $config_file; do
|
||||
if [[ -f "$file" ]]; then
|
||||
if grep -qE "$regex_pattern" "$file"; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
exit 1
|
||||
@@ -0,0 +1,24 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
config_files=("/etc/rsyslog.conf" "/etc/rsyslog.d/*.conf")
|
||||
expected_value=0640
|
||||
|
||||
for file in ${config_files[@]}; do
|
||||
for i in $file; do
|
||||
if grep -qE '^\s*\$FileCreateMode' "$i" 2>/dev/null; then
|
||||
chosen_file=$i
|
||||
fi
|
||||
done
|
||||
done
|
||||
if [[ -n $chosen_file ]]; then
|
||||
current_value=$(grep -E '^\s*\$FileCreateMode' "$chosen_file" | sed -E 's/^\s*\$FileCreateMode\s+//')
|
||||
if [[ -n $current_value && $current_value -le $expected_value ]]; then
|
||||
echo "FileCreateMode is restricted enough"
|
||||
exit 0
|
||||
else
|
||||
echo "FileCreateMode is not restricted enough"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
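Review bot: The mode comparison `$current_value -le $expected_value` tests numeric magnitude, not permission bits, so `0604` (world-readable) passes because it is numerically below 0640 while `0700` fails; "0640 or more restrictive" means no bit set outside 0640. Compare as a mask: `if [[ -n $current_value ]] && (( (8#$current_value & ~8#$expected_value & 0777) == 0 )); then`. `${config_files[@]}` is unquoted in the outer loop, and picking the last file that mentions `$FileCreateMode` is only an approximation, since in rsyslog the directive is positional and applies to the actions that follow it.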
|
||||
@@ -0,0 +1,23 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
config_files=("/etc/rsyslog.conf" "/etc/rsyslog.d/*.conf")
|
||||
|
||||
for file in "${config_files[@]}"; do
|
||||
for i in $file; do
|
||||
if [[ -f $i ]]; then
|
||||
if grep -qoE '^\s*module\(load="imtcp"\)' "$i" 2>/dev/null; then
|
||||
exit 1
|
||||
fi
|
||||
if grep -qoE '^\s*input\(type="imtcp"\s+port="[0-9]+"\)' "$i" 2>/dev/null; then
|
||||
exit 1
|
||||
fi
|
||||
if grep -qoE '^\s*\$ModLoad\s+imtcp' "$i" 2>/dev/null; then
|
||||
exit 1
|
||||
fi
|
||||
if grep -qoE '^\s*\$InputTCPServerRun' "$i" 2>/dev/null; then
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
exit 0
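Review bot: The four patterns are anchored to one exact spelling each, so common forms of the same directive are missed: `module(load="imtcp" MaxSessions="500")`, `input(type="imtcp" address="0.0.0.0" port="514")`, or single-quoted values all fail to match and the script exits 0. Loosen them to the directive prefix, e.g. `^\s*module\(\s*load=["']imtcp["']` and `^\s*input\(\s*type=["']imtcp["']`, so extra parameters do not defeat the check. Files pulled in by `$IncludeConfig` or `include()` from other directories are not covered either.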
|
||||
@@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
GRUB_CFG="/etc/default/grub"
|
||||
|
||||
if [[ ! -f "$GRUB_CFG" ]]; then
|
||||
echo "Error: $GRUB_CFG does not exist."
|
||||
exit 1
|
||||
fi
|
||||
if grep -q "audit=1" "$GRUB_CFG"; then
|
||||
echo "Found 'audit=1' in $GRUB_CFG."
|
||||
exit 0
|
||||
else
|
||||
echo "'audit=1' not found in $GRUB_CFG."
|
||||
exit 1
|
||||
fi
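Review bot: `grep -q "audit=1"` is unanchored and ignores comments, so a commented line (`#GRUB_CMDLINE_LINUX="... audit=1"`) or `audit=10` passes, and `/etc/default/grub` is only the input to grub2-mkconfig, not what the kernel booted with. Check the effective kernel arguments with `grubby --info=ALL | grep -Eq '\baudit=1\b'` and, if the file check is kept as a secondary signal, anchor it: `^\s*GRUB_CMDLINE_LINUX(_DEFAULT)?=.*\baudit=1\b`. The same unanchored grep is used in the `audit_backlog_limit` hunk.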
|
||||
@@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
GRUB_CFG="/etc/default/grub"
|
||||
|
||||
if [[ ! -f "$GRUB_CFG" ]]; then
|
||||
echo "Error: $GRUB_CFG does not exist."
|
||||
exit 1
|
||||
fi
|
||||
if grep -q "audit_backlog_limit" "$GRUB_CFG"; then
|
||||
echo "Found 'audit_backlog_limit=1' in $GRUB_CFG."
|
||||
exit 0
|
||||
else
|
||||
echo "'audit_backlog_limit=1' not found in $GRUB_CFG."
|
||||
exit 1
|
||||
fi
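Review bot: The messages report `audit_backlog_limit=1`, but the grep only tests for the substring `audit_backlog_limit`, so any value passes and the printed value is invented; what matters is that the backlog is large enough (hardening guides typically ask for 8192 or more), which the test never compares. Capture the number, e.g. `val=$(grep -Eo '\baudit_backlog_limit=[0-9]+' "$GRUB_CFG" | tail -n1 | cut -d= -f2)`, compare it numerically, and have both messages print `$val`.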
|
||||
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/env bash
|
||||
perm_mask="0027"
|
||||
if [ -e "/etc/audit/auditd.conf" ]; then
|
||||
log_dir="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")"
|
||||
if [ -d "$log_dir" ]; then
|
||||
maxperm="$(printf '%o' $((0777 & ~$perm_mask)))"
|
||||
log_dir_mode="$(stat -Lc '%#a' "$log_dir")"
|
||||
if [ $(($log_dir_mode & $perm_mask)) -gt 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
exit 0
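Review bot: If `log_file` is absent or empty in auditd.conf, `awk` prints nothing, `dirname ""` yields `.`, and `[ -d "$log_dir" ]` is true for the current directory, so the script checks the permissions of whatever directory it was started from instead of failing. Guard the extracted path before the `dirname`: `log_file=$(awk -F= '/^\s*log_file\s*=/{print $2}' /etc/audit/auditd.conf | xargs); [ -n "$log_file" ] || exit 1`. The same extraction appears in the log-file permission and ownership hunks. `maxperm` is computed but never used.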
|
||||
@@ -0,0 +1,29 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
l_perm_mask="0137"
|
||||
if [ -e "/etc/audit/auditd.conf" ]; then
|
||||
# Extract the log directory from the configuration file
|
||||
l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")"
|
||||
|
||||
if [ -d "$l_audit_log_directory" ]; then
|
||||
l_maxperm="$(printf '%o' $((0777 & ~$l_perm_mask)))"
|
||||
|
||||
# Find files matching the permission mask and process them line by line
|
||||
while IFS= read -r l_file; do
|
||||
# Ensure the file exists and get its mode
|
||||
if [ -e "$l_file" ]; then
|
||||
l_file_mode="$(stat -Lc '%#a' "$l_file")"
|
||||
exit 1
|
||||
fi
|
||||
done < <(find "$l_audit_log_directory" -maxdepth 1 -type f -perm /"$l_perm_mask")
|
||||
|
||||
# Check if any files were processed
|
||||
if [ $? -eq 0 ]; then
|
||||
exit 0
|
||||
fi
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
else
|
||||
exit 0
|
||||
fi
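Review bot: The two fallback branches exit 0, so a missing `/etc/audit/auditd.conf` or a non-existent log directory is reported as a pass, while the sibling directory-permission hunk exits 1 in the same situations; a check that cannot find what it is meant to inspect should fail, or at least say so. The `if [ $? -eq 0 ]` after the loop examines the status of the `while` loop, not of `find`, and is effectively always true. `l_maxperm` and `l_file_mode` are computed but never used; the loop body can simply print the offending file and `exit 1`.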
|
||||
@@ -0,0 +1,23 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
l_output="" l_output2=""
|
||||
if [ -e "/etc/audit/auditd.conf" ]; then
|
||||
l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")"
|
||||
if [ -d "$l_audit_log_directory" ]; then
|
||||
while IFS= read -r l_file; do
|
||||
l_output2="$l_output2\n - File: \"$l_file\" is owned by user: \"$(stat -Lc '%U' "$l_file")\"\n (should be owned by user: \"root\")\n"
|
||||
done < <(find "$l_audit_log_directory" -maxdepth 1 -type f ! -user root)
|
||||
else
|
||||
l_output2="$l_output2\n - Log file directory not set in \"/etc/audit/auditd.conf\" please set log file directory"
|
||||
fi
|
||||
else
|
||||
l_output2="$l_output2\n - File: \"/etc/audit/auditd.conf\" not found.\n - ** Verify auditd is installed **"
|
||||
fi
|
||||
if [ -z "$l_output2" ]; then
|
||||
l_output="$l_output\n - All files in \"$l_audit_log_directory\" are owned by user: \"root\"\n"
|
||||
echo -e "\n- Audit Result:\n ** PASS **\n - * Correctly configured * :$l_output"
|
||||
exit 0
|
||||
else
|
||||
echo -e "\n- Audit Result:\n ** FAIL **\n - * Reasons for auditgfailure * :$l_output2\n"
|
||||
exit 1
|
||||
fi
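Review bot: The FAIL message spells `auditgfailure`; it should read `audit failure`. `echo -e` is fine under the bash shebang, but `printf '%b\n' "..."` avoids depending on echo's flag handling if the script is ever run under another shell.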
|
||||
@@ -0,0 +1,27 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
audit_conf="/etc/audit/auditd.conf"
|
||||
perm_mask="0177"
|
||||
if [ ! -f "$audit_conf" ]; then
|
||||
exit 1
|
||||
fi
|
||||
audit_log_dir=$(grep -E '^\s*log_file\s*=' "$audit_conf" | cut -d= -f2 | xargs dirname 2>/dev/null)
|
||||
if [ -z "$audit_log_dir" ]; then
|
||||
exit 1
|
||||
fi
|
||||
audit_log_group=$(grep -E '^\s*log_group\s*=' "$audit_conf" | cut -d= -f2 | xargs)
|
||||
if [ -z "$audit_log_group" ]; then
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -d "$audit_log_dir" ]; then
|
||||
exit 1
|
||||
fi
|
||||
for file in "$audit_log_dir"/*; do
|
||||
if [ -f "$file" ]; then
|
||||
group=$(ls -l "$file" | awk '{print $4}')
|
||||
if [[ "$group" != "root" && "$group" != "adm" ]]; then
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
exit 0
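Review bot: `audit_log_group` is extracted from auditd.conf and required to be non-empty, but it is never used; the loop compares each file's group against the hard-coded `root`/`adm` instead, so a site whose `log_group` is set differently is judged for the wrong reason. Use `group=$(stat -c '%G' "$file")` rather than parsing `ls -l` columns, and compare against `"$audit_log_group"` (plus `root` if that is the intended allow-list). `perm_mask` is defined but unused.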
|
||||
@@ -0,0 +1,4 @@
|
||||
#!/usr/bin/env bash
|
||||
{
|
||||
awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
#!/usr/bin/env bash
|
||||
{
|
||||
awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow
|
||||
}
|
||||