fervidus · hb0nes · May 22, 2023 · May 22, 2023 · May 22, 2023 · May 22, 2023
diff --git a/data/common.yaml b/data/common.yaml
@@ -1,7 +1,7 @@
 ---
 secure_linux_cis::banner: >
   Authorized uses only. All activity may be monitored and reported.
-  
+
 
 secure_linux_cis::motd: 🐉 Module by Fervid 🐉
 
@@ -33,8 +33,8 @@ secure_linux_cis::pass_min_days: 7
 secure_linux_cis::pass_warn_days: 7
 secure_linux_cis::pass_inactive_days: 30
 secure_linux_cis::timeout: 600
-
 secure_linux_cis::auto_restart: false
+secure_linux_cis::manage_sshd_service: false
 secure_linux_cis::logging_host: ''
 secure_linux_cis::is_logging_host: false
 secure_linux_cis::exclude_logs: []
@@ -96,4 +96,4 @@ secure_linux_cis::approved_ciphers:
   - [email protected]
   - aes256-ctr
   - aes192-ctr
-  - aes128-ctr
+  - aes128-ctr
diff --git a/data/os/Debian/version/11.yaml b/data/os/Debian/version/11.yaml
@@ -20,7 +20,6 @@ secure_linux_cis::server_level_1:
 - ensure_automatic_error_reporting_is_not_enabled
 - ensure_core_dumps_are_restricted
 - ensure_apparmor_is_installed
-- ensure_apparmor_is_enabled_in_the_bootloader_configuration
 - ensure_all_apparmor_profiles_are_in_enforce_or_complain_mode
 - ensure_message_of_the_day_is_configured_properly
 - ensure_local_login_warning_banner_is_configured_properly
@@ -77,7 +76,7 @@ secure_linux_cis::server_level_1:
 - ensure_reverse_path_filtering_is_enabled
 - ensure_tcp_syn_cookies_is_enabled
 - ensure_a_nftables_table_exists
-- ensure_iptables_packages_are_installed
+- ensure_iptables_package_is_installed
 - ensure_nftables_is_not_installed_with_iptables
 - ensure_ufw_is_uninstalled_or_disabled_with_iptables
 - ensure_iptables_default_deny_firewall_policy
@@ -201,7 +200,6 @@ secure_linux_cis::server_level_2:
 - ensure_automatic_error_reporting_is_not_enabled
 - ensure_core_dumps_are_restricted
 - ensure_apparmor_is_installed
-- ensure_apparmor_is_enabled_in_the_bootloader_configuration
 - ensure_all_apparmor_profiles_are_enforcing
 - ensure_message_of_the_day_is_configured_properly
 - ensure_local_login_warning_banner_is_configured_properly
@@ -263,7 +261,7 @@ secure_linux_cis::server_level_2:
 - ensure_reverse_path_filtering_is_enabled
 - ensure_tcp_syn_cookies_is_enabled
 - ensure_a_nftables_table_exists
-- ensure_iptables_packages_are_installed
+- ensure_iptables_package_is_installed
 - ensure_nftables_is_not_installed_with_iptables
 - ensure_ufw_is_uninstalled_or_disabled_with_iptables
 - ensure_iptables_default_deny_firewall_policy
@@ -471,7 +469,7 @@ secure_linux_cis::workstation_level_1:
 - ensure_reverse_path_filtering_is_enabled
 - ensure_tcp_syn_cookies_is_enabled
 - ensure_a_nftables_table_exists
-- ensure_iptables_packages_are_installed
+- ensure_iptables_package_is_installed
 - ensure_nftables_is_not_installed_with_iptables
 - ensure_ufw_is_uninstalled_or_disabled_with_iptables
 - ensure_iptables_default_deny_firewall_policy
@@ -657,7 +655,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_reverse_path_filtering_is_enabled
 - ensure_tcp_syn_cookies_is_enabled
 - ensure_a_nftables_table_exists
-- ensure_iptables_packages_are_installed
+- ensure_iptables_package_is_installed
 - ensure_nftables_is_not_installed_with_iptables
 - ensure_ufw_is_uninstalled_or_disabled_with_iptables
 - ensure_iptables_default_deny_firewall_policy

diff --git a/files/aidecheck.service b/files/aidecheck.service
@@ -3,7 +3,7 @@ Description=Aide Check
 
 [Service]
 Type=simple
-ExecStart=/usr/sbin/aide --check
+ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
diff --git a/files/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh b/files/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh
@@ -2,16 +2,16 @@
 {
   echo -e "\n- Start check - logfiles have appropriate permissions and ownership"
   output=""
-  
-  find /var/log -type f | (while read -r fname; do
+
+  find /var/log -type f | while read -r fname; do
     bname="$(basename "$fname")"
 
     case "$bname" in
       lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
           if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then
               output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
           fi
-              
+
           if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then
               output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
           fi
@@ -64,7 +64,7 @@
   else
     # print the reason why we are failing
     echo -e "\n- FAIL:\n$output"
+    exit 1
   fi
   echo -e "- End check - logfiles have appropriate permissions and ownership\n"
-  )
-}
+}
diff --git a/files/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh b/files/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh
@@ -3,17 +3,16 @@
   output=""
   perm_mask='0022'
   maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     for dfile in $(find "$home" -type f -name '.*'); do
       mode=$( stat -L -c '%#a' "$dfile" )
       [ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
     done
   done
   if [ -n "$output" ]; then
-    echo -e "\n- Failed:$output"
-  else
-    echo -e "\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive"
+    echo -e "\n- FAIL:$output"
+    exit 1
   fi
-  )
-}
+  echo -e "\n- PASS:\n- All user home dot files are mode: \"$maxperm\" or more restrictive"
+}
diff --git a/files/audit_local_interactive_user_home_directories_exist.sh b/files/audit_local_interactive_user_home_directories_exist.sh
@@ -1,16 +1,15 @@
 #!/usr/bin/env bash
 {
   output=""
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
 
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     [ ! -d "$home" ] && output="$output\n - User \"$user\" home directory \"$home\" doesn't exist"
   done
 
-  if [ -z "$output" ]; then
-    echo -e "\n-PASSED: - All local interactive users have a home directory\n"
-  else
-    echo -e "\n- FAILED:\n$output\n"
+  if [ -n "$output" ]; then
+    echo -e "\n- FAIL:\n${output}\n"
+    exit 1
   fi
-  ) 
-}
+  echo -e "\n-PASS: - All local interactive users have a home directory\n"
+}
diff --git a/files/audit_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh b/files/audit_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh
@@ -3,18 +3,17 @@
   output=""
   perm_mask='0027'
   maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     if [ -d "$home" ]; then
       mode=$( stat -L -c '%#a' "$home" )
       [ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)"
     fi
   done
-  
+
   if [ -n "$output" ]; then
-    echo -e "\n- Failed:$output"
-  else
-    echo -e "\n- Passed:\n- All user home directories are mode: \"$maxperm\" or more restrictive"
+    echo -e "\n- FAIL:\n${output}\n"
+    exit 1
   fi
-  )
-}
+  echo -e "\n- PASS:\n- All user home directories are mode: \"$maxperm\" or more restrictive"
+}
diff --git a/files/audit_local_interactive_users_own_their_home_directories.sh b/files/audit_local_interactive_users_own_their_home_directories.sh
@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 {
   output=""
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
         owner="$(stat -L -c "%U" "$home")"
         [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\""
   done
   if [ -z "$output" ]; then
-    echo -e "\n-PASSED: - All local interactive users have a home directory\n"
+    echo -e "\n- PASS: - All local interactive users have a home directory\n"
   else
-    echo -e "\n- FAILED:\n$output\n"
+    echo -e "\n- FAIL:\n$output\n"
+    exit 1
   fi
-  )
-}
+}
diff --git a/files/audit_no_local_interactive_user_has_forward_files.sh b/files/audit_no_local_interactive_user_has_forward_files.sh
@@ -2,14 +2,14 @@
 {
   output=""
   fname=".forward"
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     [ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists"
   done
   if [ -z "$output" ]; then
-    echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n"
+    echo -e "\n-PASS: - No local interactive users have \"$fname\" files in their home directory\n"
   else
-    echo -e "\n- FAILED:\n$output\n"
+    echo -e "\n- FAIL:\n$output\n"
+    exit 1
   fi
-  )
-}
+}
diff --git a/files/audit_no_local_interactive_user_has_netrc_files.sh b/files/audit_no_local_interactive_user_has_netrc_files.sh
@@ -4,7 +4,7 @@
   perm_mask='0177'
   maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
   valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     if [ -f "$home/.netrc" ]; then
       mode="$( stat -L -c '%#a' "$home/.netrc" )"
       if [ $(( $mode & $perm_mask )) -gt 0 ]; then
@@ -14,15 +14,8 @@
       fi
     fi
   done
-  if [ -z "$output" ]; then
-    if [ -z "$output2" ]; then
-      echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n"
-    else
-      echo -e "\n- WARNING:\n$output2\n"
-    fi
-  else
-    echo -e "\n- FAILED:\n$output\n"
-    [ -n "$output2" ] && echo -e "\n- WARNING:\n$output2\n"
-  fi
-  )
-}
+  [[ "${output}" ]] && echo -e "\n- FAIL:\n${output}\n"
+  [[ "${output2}" ]] && echo -e "\n- WARN:\n${output2}\n"
+  [[ "${output}" || "${output2}" ]] && exit 1
+  echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n"
+}
diff --git a/files/audit_no_local_interactive_user_has_rhosts_files.sh b/files/audit_no_local_interactive_user_has_rhosts_files.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+interactive_user_dirs=( $(awk -F: '($7 !~ "nologin" && $7!="/bin/false" && $7!="/usr/bin/false") {print $6}' /etc/passwd) )
+for interactive_user_dir in "${interactive_user_dirs[@]}"; do
+  rhosts_files+=( $(find "${interactive_user_dir}" -name .rhosts) )
+done
+if [ -n "${rhosts_files}" ]; then
+  echo "FAIL: found .rhosts files: ${rhosts_files[@]}"
+  exit 1
+fi
+echo "PASS: no .rhosts files found."
diff --git a/files/audit_nologin_system_accounts.sh b/files/audit_nologin_system_accounts.sh
@@ -1 +1 @@
-awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd  
+awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd
diff --git a/files/audit_priv.sh b/files/audit_priv.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 
 df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | \
-  awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' | sort
+  awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' | grep -v docker | sort
diff --git a/files/audit_use_of_privileged_commands_are_collected.sh b/files/audit_use_of_privileged_commands_are_collected.sh
@@ -1,5 +1,9 @@
 for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do
   for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do
-    grep -qr "${PRIVILEGED}" /etc/audit/rules.d && printf "OK: '${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in on disk configuration.\n"
+    if ! grep -qr "${PRIVILEGED}" /etc/audit/rules.d; then
+      printf "WARN: '${PRIVILEGED}' not found in on disk configuration.\n"
+      exit 1
+    fi
+    printf "PASS: '${PRIVILEGED}' found in auditing rules.\n" \
   done
-done
+done
diff --git a/files/ensure_local_interactive_user_home_directories_exist.sh b/files/ensure_local_interactive_user_home_directories_exist.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 {
-valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
+valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
 awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     if [ ! -d "$home" ]; then
       echo -e "\n- User \"$user\" home directory \"$home\" doesn't exist\n- creating home directory \"$home\"\n"
@@ -9,4 +9,4 @@ awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passw
         chown "$user" "$home"
     fi
   done
-}
+}
diff --git a/files/ensure_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh b/files/ensure_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh
@@ -2,13 +2,12 @@
 {
   perm_mask='0027'
   maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )"
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     mode=$( stat -L -c '%#a' "$home" )
     if [ $(( $mode & $perm_mask )) -gt 0 ]; then
       echo -e "- modifying User $user home directory: \"$home\"\n- removing excessive permissions from current mode of \"$mode\""
       chmod g-w,o-rwx "$home"
     fi
   done
-  )
-}
+}
diff --git a/files/ensure_local_interactive_users_own_their_home_directories.sh b/files/ensure_local_interactive_users_own_their_home_directories.sh
@@ -1,12 +1,12 @@
 #!/usr/bin/env bash
 {
   output=""
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
   awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     owner="$(stat -L -c "%U" "$home")"
     if [ "$owner" != "$user" ]; then
       echo -e "\n- User \"$user\" home directory \"$home\" is owned by user \"$owner\"\n - changing ownership to \"$user\"\n"
       chown "$user" "$home"
     fi
   done
-}
+}
diff --git a/files/ensure_no_local_interactive_user_has_forward_files.sh b/files/ensure_no_local_interactive_user_has_forward_files.sh
@@ -3,11 +3,10 @@
   output=""
   fname=".forward"
   valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
-  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+  awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
     if [ -f "$home/$fname" ]; then
       echo -e "$output\n- User \"$user\" file: \"$home/$fname\" exists\n - removing file: \"$home/$fname\"\n"
       rm -r "$home/$fname"
     fi
   done
-  )
-}
+}
diff --git a/files/ensure_no_local_interactive_user_has_netrc_files.sh b/files/ensure_no_local_interactive_user_has_netrc_files.sh
@@ -1,11 +1,11 @@
 #!/usr/bin/env bash
 {
   perm_mask='0177'
-  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
+  valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
   awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
   if [ -f "$home/.netrc" ]; then
     echo -e "\n- User \"$user\" file: \"$home/.netrc\" exists\n - removing file: \"$home/.netrc\"\n"
     rm -f "$home/.netrc"
   fi
  done
-}
+}
diff --git a/files/ensure_no_local_interactive_user_has_rhosts_files.sh b/files/ensure_no_local_interactive_user_has_rhosts_files.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+interactive_user_dirs=( $(awk -F: '($7 !~ "nologin" && $7!="/bin/false" && $7!="/usr/bin/false") {print $6}' /etc/passwd) )
+for interactive_user_dir in "${interactive_user_dirs[@]}"; do
+  find "${interactive_user_dir}" -name .rhosts -exec rm -v {} \;
+done
+
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd
		awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd