#!/usr/bin/env bash ############################################################################### # # Bash Remediation Script for CIS Ubuntu Linux 22.04 LTS Benchmark for Level 1 - Workstation # # Profile Description: # This profile defines a baseline that aligns to the "Level 1 - Workstation" # configuration from the Center for Internet Security® # Ubuntu Linux 22.04 LTS Benchmark™, v2.0.0, released 2024-03-28. # This profile includes Center for Internet Security® # Ubuntu Linux 22.04 LTS Benchmark™ content. # # Profile ID: xccdf_org.ssgproject.content_profile_cis_level1_workstation # Benchmark ID: xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04 # Benchmark Version: 0.1.80 # XCCDF Version: 1.2 # # This file can be generated by OpenSCAP using: # $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_level1_workstation --fix-type bash ssg-ubuntu2204-ds.xml # # This Bash Remediation Script is generated from an XCCDF profile without preliminary evaluation. # It attempts to fix every selected rule, even if the system is already compliant. # # How to apply this Bash Remediation Script: # $ sudo ./remediation-script.sh # ############################################################################### ############################################################################### # BEGIN fix (1 / 386) for 'xccdf_org.ssgproject.content_rule_package_prelink_removed' ############################################################################### (>&2 echo "Remediating rule 1/386: 'xccdf_org.ssgproject.content_rule_package_prelink_removed'") if [[ -f /usr/sbin/prelink ]]; then prelink -ua fi DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "prelink" # END fix for 'xccdf_org.ssgproject.content_rule_package_prelink_removed' ############################################################################### # BEGIN fix (2 / 386) for 'xccdf_org.ssgproject.content_rule_package_aide_installed' ############################################################################### (>&2 echo "Remediating rule 2/386: 'xccdf_org.ssgproject.content_rule_package_aide_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "aide" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_aide_installed' ############################################################################### # BEGIN fix (3 / 386) for 'xccdf_org.ssgproject.content_rule_aide_build_database' ############################################################################### (>&2 echo "Remediating rule 3/386: 'xccdf_org.ssgproject.content_rule_aide_build_database'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "aide" AIDE_CONFIG=/etc/aide/aide.conf DEFAULT_DB_PATH=/var/lib/aide/aide.db # Fix db path in the config file, if necessary if ! grep -q '^database=file:' ${AIDE_CONFIG}; then # replace_or_append gets confused by 'database=file' as a key, so should not be used. #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s' echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG} fi # Fix db out path in the config file, if necessary if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then echo "database_out=file:${DEFAULT_DB_PATH}.new" >> ${AIDE_CONFIG} fi /usr/sbin/aideinit -y -f else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_aide_build_database' ############################################################################### # BEGIN fix (4 / 386) for 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking' ############################################################################### (>&2 echo "Remediating rule 4/386: 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "aide" # AiDE usually adds its own cron jobs to /etc/cron.daily. If script is there, this rule is # compliant. Otherwise, we copy the script to the /etc/cron.weekly if ! grep -Eq '^(\/usr\/bin\/)?aide(\.wrapper)?\s+' /etc/cron.*/*; then cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.weekly/ fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking' ############################################################################### # BEGIN fix (5 / 386) for 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm' ############################################################################### (>&2 echo "Remediating rule 5/386: 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_dev_shm' ############################################################################### # BEGIN fix (6 / 386) for 'xccdf_org.ssgproject.content_rule_partition_for_tmp' ############################################################################### (>&2 echo "Remediating rule 6/386: 'xccdf_org.ssgproject.content_rule_partition_for_tmp'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_tmp' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_tmp' ############################################################################### # BEGIN fix (7 / 386) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list' ############################################################################### (>&2 echo "Remediating rule 7/386: 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/user [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:local" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:local\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/local.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/gdm [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:gdm" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:gdm\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/gdm.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" DBDIR="/etc/dconf/db/gdm.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}" then sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" then printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}" then sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}" else sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) # Check for setting in any of the DConf db directories LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}" fi if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/ then echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list' ############################################################################### # BEGIN fix (8 / 386) for 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp' ############################################################################### (>&2 echo "Remediating rule 8/386: 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then # Try find '[xdmcp]' and 'Enable' in '/etc/gdm3/custom.conf', if it exists, set # to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm3/custom.conf'; then sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm3/custom.conf' elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm3/custom.conf'; then sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm3/custom.conf' else if test -d "/etc/gdm3"; then printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm3/custom.conf' else echo "Config file directory '/etc/gdm3' doesnt exist, not remediating, assuming non-applicability." >&2 fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp' ############################################################################### # BEGIN fix (9 / 386) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' ############################################################################### (>&2 echo "Remediating rule 9/386: 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/user [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:local" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:local\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/local.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/gdm [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:gdm" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:gdm\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/gdm.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}" then sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}" then printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}" then sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}" else sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) # Check for setting in any of the DConf db directories LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}" fi if ! grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/ then echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' ############################################################################### # BEGIN fix (10 / 386) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' ############################################################################### (>&2 echo "Remediating rule 10/386: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/user [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:local" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:local\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/local.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/gdm [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:gdm" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:gdm\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/gdm.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) # Check for setting in any of the DConf db directories LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}" fi if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/ then echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) inactivity_timeout_value='900' # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}" then sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}" then printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")" if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}" then sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}" else sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' ############################################################################### # BEGIN fix (11 / 386) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' ############################################################################### (>&2 echo "Remediating rule 11/386: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/user [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:local" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:local\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/local.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/gdm [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:gdm" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:gdm\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/gdm.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) # Check for setting in any of the DConf db directories LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}" fi if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/ then echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) var_screensaver_lock_delay='5' # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}" then sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" then printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")" if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}" then sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}" else sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' ############################################################################### # BEGIN fix (12 / 386) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' ############################################################################### (>&2 echo "Remediating rule 12/386: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/user [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:local" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:local\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/local.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/gdm [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:gdm" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:gdm\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/gdm.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/local.d/00-security-settings" DBDIR="/etc/dconf/db/local.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}" then sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}" then printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}" then sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}" else sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) # Check for setting in any of the DConf db directories LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/local.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" fi if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ then echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' ############################################################################### # BEGIN fix (13 / 386) for 'xccdf_org.ssgproject.content_rule_package_sudo_installed' ############################################################################### (>&2 echo "Remediating rule 13/386: 'xccdf_org.ssgproject.content_rule_package_sudo_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "sudo" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_sudo_installed' ############################################################################### # BEGIN fix (14 / 386) for 'xccdf_org.ssgproject.content_rule_sudo_add_use_pty' ############################################################################### (>&2 echo "Remediating rule 14/386: 'xccdf_org.ssgproject.content_rule_sudo_add_use_pty'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'sudo' 2>/dev/null | grep -q '^installed$'; }; then if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak if ! grep -P '^[\s]*Defaults\b[^!\n]*\buse_pty.*$' /etc/sudoers; then # sudoers file doesn't define Option use_pty echo "Defaults use_pty" >> /etc/sudoers fi # Check validity of sudoers and cleanup bak if /usr/sbin/visudo -qcf /etc/sudoers; then rm -f /etc/sudoers.bak else echo "Fail to validate remediated /etc/sudoers, reverting to original file." mv /etc/sudoers.bak /etc/sudoers false fi else echo "Skipping remediation, /etc/sudoers failed to validate" false fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sudo_add_use_pty' ############################################################################### # BEGIN fix (15 / 386) for 'xccdf_org.ssgproject.content_rule_sudo_custom_logfile' ############################################################################### (>&2 echo "Remediating rule 15/386: 'xccdf_org.ssgproject.content_rule_sudo_custom_logfile'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'sudo' 2>/dev/null | grep -q '^installed$'; }; then var_sudo_logfile='/var/log/sudo.log' if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak if ! grep -P '^[\s]*Defaults\b[^!\n]*\blogfile\s*=\s*(?:"?([^",\s]+)"?).*$' /etc/sudoers; then # sudoers file doesn't define Option logfile echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers else # sudoers file defines Option logfile, remediate if appropriate value is not set if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then escaped_variable=${var_sudo_logfile//$'/'/$'\/'} sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers fi fi # Check validity of sudoers and cleanup bak if /usr/sbin/visudo -qcf /etc/sudoers; then rm -f /etc/sudoers.bak else echo "Fail to validate remediated /etc/sudoers, reverting to original file." mv /etc/sudoers.bak /etc/sudoers false fi else echo "Skipping remediation, /etc/sudoers failed to validate" false fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sudo_custom_logfile' ############################################################################### # BEGIN fix (16 / 386) for 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate' ############################################################################### (>&2 echo "Remediating rule 16/386: 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then for f in /etc/sudoers /etc/sudoers.d/* ; do if [ ! -e "$f" ] ; then continue fi matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do # comment out "!authenticate" matches to preserve user data sed -i "s|^${entry}$|# &|g" $f done <<< "$matching_list" /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate' ############################################################################### # BEGIN fix (17 / 386) for 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' ############################################################################### (>&2 echo "Remediating rule 17/386: 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'sudo' 2>/dev/null | grep -q '^installed$'; }; then var_sudo_timestamp_timeout='15' if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \; fi if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then # sudoers file doesn't define Option timestamp_timeout echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers else # sudoers file defines Option timestamp_timeout, remediate wrong values if present if grep -qP "^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!${var_sudo_timestamp_timeout}\b)[-]?\w+\b.*$" /etc/sudoers; then sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers fi fi # Check validity of sudoers and cleanup bak if /usr/sbin/visudo -qcf /etc/sudoers; then rm -f /etc/sudoers.bak else echo "Fail to validate remediated /etc/sudoers, reverting to original file." mv /etc/sudoers.bak /etc/sudoers false fi else echo "Skipping remediation, /etc/sudoers failed to validate" false fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' ############################################################################### # BEGIN fix (18 / 386) for 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis' ############################################################################### (>&2 echo "Remediating rule 18/386: 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then cis_banner_text='Authorized users only. All activity may be monitored and reported.' echo "$cis_banner_text" > "/etc/issue" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_banner_etc_issue_cis' ############################################################################### # BEGIN fix (19 / 386) for 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis' ############################################################################### (>&2 echo "Remediating rule 19/386: 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then cis_banner_text='Authorized users only. All activity may be monitored and reported.' echo "$cis_banner_text" > "/etc/issue.net" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net_cis' ############################################################################### # BEGIN fix (20 / 386) for 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis' ############################################################################### (>&2 echo "Remediating rule 20/386: 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then cis_banner_text='Authorized users only. All activity may be monitored and reported.' echo "$cis_banner_text" > "/etc/motd" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_banner_etc_motd_cis' ############################################################################### # BEGIN fix (21 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue' ############################################################################### (>&2 echo "Remediating rule 21/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/issue" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/issue fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue' ############################################################################### # BEGIN fix (22 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net' ############################################################################### (>&2 echo "Remediating rule 22/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/issue.net" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/issue.net fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net' ############################################################################### # BEGIN fix (23 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd' ############################################################################### (>&2 echo "Remediating rule 23/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/motd" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/motd fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd' ############################################################################### # BEGIN fix (24 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue' ############################################################################### (>&2 echo "Remediating rule 24/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/issue" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/issue fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue' ############################################################################### # BEGIN fix (25 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net' ############################################################################### (>&2 echo "Remediating rule 25/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/issue.net" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/issue.net fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net' ############################################################################### # BEGIN fix (26 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_motd' ############################################################################### (>&2 echo "Remediating rule 26/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_motd'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/motd" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/motd fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_motd' ############################################################################### # BEGIN fix (27 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue' ############################################################################### (>&2 echo "Remediating rule 27/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue'") chmod u-xs,g-xws,o-xwt /etc/issue # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue' ############################################################################### # BEGIN fix (28 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net' ############################################################################### (>&2 echo "Remediating rule 28/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net'") chmod u-xs,g-xws,o-xwt /etc/issue.net # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net' ############################################################################### # BEGIN fix (29 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_motd' ############################################################################### (>&2 echo "Remediating rule 29/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_motd'") chmod u-xs,g-xws,o-xwt /etc/motd # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_motd' ############################################################################### # BEGIN fix (30 / 386) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled' ############################################################################### (>&2 echo "Remediating rule 30/386: 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/user [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:local" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:local\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/local.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/gdm [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:gdm" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:gdm\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/gdm.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) # Duplicate the setting also in 'greeter.dconf-defaults' for consistency with # 'dconf_gnome_login_banner_text' and better alignment with STIG V1R1. if [ -e "/etc/gdm3/greeter.dconf-defaults" ] ; then LC_ALL=C sed -i "/^\s*banner\-message\-enable/Id" "/etc/gdm3/greeter.dconf-defaults" else touch "/etc/gdm3/greeter.dconf-defaults" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/gdm3/greeter.dconf-defaults" cp "/etc/gdm3/greeter.dconf-defaults" "/etc/gdm3/greeter.dconf-defaults.bak" # Insert after the line matching the regex '\[org/gnome/login-screen\]' line_number="$(LC_ALL=C grep -n "\[org/gnome/login-screen\]" "/etc/gdm3/greeter.dconf-defaults.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then # There was no match of '\[org/gnome/login-screen\]', insert at # the end of the file. printf '%s\n' "banner-message-enable=true" >> "/etc/gdm3/greeter.dconf-defaults" else head -n "$(( line_number ))" "/etc/gdm3/greeter.dconf-defaults.bak" > "/etc/gdm3/greeter.dconf-defaults" printf '%s\n' "banner-message-enable=true" >> "/etc/gdm3/greeter.dconf-defaults" tail -n "+$(( line_number + 1 ))" "/etc/gdm3/greeter.dconf-defaults.bak" >> "/etc/gdm3/greeter.dconf-defaults" fi # Clean up after ourselves. rm "/etc/gdm3/greeter.dconf-defaults.bak" # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" DBDIR="/etc/dconf/db/gdm.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}" then sed -Ei "s/(^\s*)banner-message-enable(\s*=)/#\1banner-message-enable\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" then printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" if grep -q "^\\s*banner-message-enable\\s*=" "${DCONFFILE}" then sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${DCONFFILE}" else sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${DCONFFILE}" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) # Check for setting in any of the DConf db directories LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" mkdir -p "${LOCKSFOLDER}" # Comment out the configurations in databases different from the target one if [[ ! -z "${LOCKFILES}" ]] then sed -i -E "s|^/org/gnome/login-screen/banner-message-enable$|#&|" "${LOCKFILES[@]}" fi if ! grep -qr "^/org/gnome/login-screen/banner-message-enable$" /etc/dconf/db/gdm.d/ then echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled' ############################################################################### # BEGIN fix (31 / 386) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' ############################################################################### (>&2 echo "Remediating rule 31/386: 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'gdm3' 2>/dev/null | grep -q '^installed$'; then login_banner_text='^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$' # Multiple regexes transform the banner regex into a usable banner # 0 - Remove anchors around the banner text login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g') # 1 - Keep only the first banners if there are multiple # (dod_banners contains the long and short banner) login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g') # 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g') # 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g') # 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g') # 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). # ( Needs to be done after 4, otherwise the escapce sequence will become just "n". login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g') mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/user [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:local" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:local\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/local.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) mkdir -p /etc/dconf/profile dconf_profile_path=/etc/dconf/profile/gdm [[ -s "${dconf_profile_path}" ]] || echo > "${dconf_profile_path}" if ! grep -Pzq "(?s)^\s*user-db:user.*\n\s*system-db:gdm" "${dconf_profile_path}"; then sed -i --follow-symlinks "1s/^/user-db:user\nsystem-db:gdm\n/" "${dconf_profile_path}" fi # Make sure the corresponding directories exist mkdir -p /etc/dconf/db/gdm.d # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/profile (umask 0022 && dconf update) # Will do both approach, since we plan to migrate to checks over dconf db. That way, future updates of the tool # will pass the check even if we decide to check only for the dconf db path. if [ -e "/etc/gdm3/greeter.dconf-defaults" ] ; then LC_ALL=C sed -i "/^\s*banner\-message\-text/Id" "/etc/gdm3/greeter.dconf-defaults" else touch "/etc/gdm3/greeter.dconf-defaults" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/gdm3/greeter.dconf-defaults" cp "/etc/gdm3/greeter.dconf-defaults" "/etc/gdm3/greeter.dconf-defaults.bak" # Insert after the line matching the regex '\[org/gnome/login-screen\]' line_number="$(LC_ALL=C grep -n "\[org/gnome/login-screen\]" "/etc/gdm3/greeter.dconf-defaults.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then # There was no match of '\[org/gnome/login-screen\]', insert at # the end of the file. printf '%s\n' "banner-message-text='${login_banner_text}'" >> "/etc/gdm3/greeter.dconf-defaults" else head -n "$(( line_number ))" "/etc/gdm3/greeter.dconf-defaults.bak" > "/etc/gdm3/greeter.dconf-defaults" printf '%s\n' "banner-message-text='${login_banner_text}'" >> "/etc/gdm3/greeter.dconf-defaults" tail -n "+$(( line_number + 1 ))" "/etc/gdm3/greeter.dconf-defaults.bak" >> "/etc/gdm3/greeter.dconf-defaults" fi # Clean up after ourselves. rm "/etc/gdm3/greeter.dconf-defaults.bak" # Check for setting in any of the DConf db directories # If files contain ibus or distro, ignore them. # The assignment assumes that individual filenames don't contain : readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1) DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" DBDIR="/etc/dconf/db/gdm.d" mkdir -p "${DBDIR}" # Comment out the configurations in databases different from the target one if [ "${#SETTINGSFILES[@]}" -ne 0 ] then if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}" then sed -Ei "s/(^\s*)banner-message-text(\s*=)/#\1banner-message-text\2/g" "${SETTINGSFILES[@]}" fi fi [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}" then printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} fi escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")" if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}" then sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}" else sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${DCONFFILE}" fi # Make sure permissions allow regular users to read dconf settings. # Also define the umask to avoid `dconf update` changing permissions. chmod -R u=rwX,go=rX /etc/dconf/db (umask 0022 && dconf update) # No need to use dconf update, since bash_dconf_settings does that already else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' ############################################################################### # BEGIN fix (32 / 386) for 'xccdf_org.ssgproject.content_rule_package_pam_modules_installed' ############################################################################### (>&2 echo "Remediating rule 32/386: 'xccdf_org.ssgproject.content_rule_package_pam_modules_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "libpam-modules" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_pam_modules_installed' ############################################################################### # BEGIN fix (33 / 386) for 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed' ############################################################################### (>&2 echo "Remediating rule 33/386: 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "libpam-pwquality" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed' ############################################################################### # BEGIN fix (34 / 386) for 'xccdf_org.ssgproject.content_rule_package_pam_runtime_installed' ############################################################################### (>&2 echo "Remediating rule 34/386: 'xccdf_org.ssgproject.content_rule_package_pam_runtime_installed'") DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "libpam-runtime" # END fix for 'xccdf_org.ssgproject.content_rule_package_pam_runtime_installed' ############################################################################### # BEGIN fix (35 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_enabled' ############################################################################### (>&2 echo "Remediating rule 35/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then conf_name=cac_unix conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" sed -i 's/Priority: [0-9]\+/Priority: 257\ Conflicts: unix/' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update else echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2 fi else echo "Not applicable - $conf_path/unix does not exist" >&2 fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_enabled' ############################################################################### # BEGIN fix (36 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enabled' ############################################################################### (>&2 echo "Remediating rule 36/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then if [ -f /usr/bin/authselect ]; then if authselect list-features sssd | grep -q with-pwhistory; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-pwhistory authselect apply-changes -b else if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! $CURRENT_PROFILE == custom/* ]]; then ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') # The "local" profile does not contain essential security features required by multiple Benchmarks. # If currently used, it is replaced by "sssd", which is the best option in this case. if [[ $CURRENT_PROFILE == local ]]; then CURRENT_PROFILE="sssd" fi authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "cac_pwhistory") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH" else echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH" fi fi fi else conf_name=cac_pwhistory conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then cat << EOF > "$conf_path"/"$conf_name" Name: pwhistory password history checking Default: yes Priority: 1024 Password-Type: Primary Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok Password-Initial: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enabled' ############################################################################### # BEGIN fix (37 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enforce_root' ############################################################################### (>&2 echo "Remediating rule 37/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enforce_root'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then if [ -f /usr/bin/authselect ]; then if authselect list-features sssd | grep -q with-pwhistory; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-pwhistory authselect apply-changes -b else if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! $CURRENT_PROFILE == custom/* ]]; then ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') # The "local" profile does not contain essential security features required by multiple Benchmarks. # If currently used, it is replaced by "sssd", which is the best option in this case. if [[ $CURRENT_PROFILE == local ]]; then CURRENT_PROFILE="sssd" fi authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "cac_pwhistory") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH" else echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH" fi fi fi else conf_name=cac_pwhistory conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then cat << EOF > "$conf_path"/"$conf_name" Name: pwhistory password history checking Default: yes Priority: 1024 Password-Type: Primary Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok Password-Initial: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update fi conf_file=/usr/share/pam-configs/cac_pwhistory if ! grep -qE 'pam_pwhistory\.so\s+[^#\n]*\benforce_for_root\b' "$conf_file"; then sed -i -E '/^Password:/,/^[^[:space:]]/ { /pam_pwhistory\.so/ { s/$/ enforce_for_root/g } }' "$conf_file" sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { /pam_pwhistory\.so/ { s/$/ enforce_for_root/g } }' "$conf_file" fi DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_enforce_root' ############################################################################### # BEGIN fix (38 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember' ############################################################################### (>&2 echo "Remediating rule 38/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then if [ -f /usr/bin/authselect ]; then if authselect list-features sssd | grep -q with-pwhistory; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-pwhistory authselect apply-changes -b else if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! $CURRENT_PROFILE == custom/* ]]; then ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') # The "local" profile does not contain essential security features required by multiple Benchmarks. # If currently used, it is replaced by "sssd", which is the best option in this case. if [[ $CURRENT_PROFILE == local ]]; then CURRENT_PROFILE="sssd" fi authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "cac_pwhistory") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH" else echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH" fi fi fi else conf_name=cac_pwhistory conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then cat << EOF > "$conf_path"/"$conf_name" Name: pwhistory password history checking Default: yes Priority: 1024 Password-Type: Primary Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok Password-Initial: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update fi var_password_pam_remember='24' sed -i -E '/^Password:/,/^[^[:space:]]/ { /pam_pwhistory\.so/ { s/\s*remember=[^[:space:]]*//g s/$/ remember='"$var_password_pam_remember"'/g } }' /usr/share/pam-configs/cac_pwhistory sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { /pam_pwhistory\.so/ { s/\s*remember=[^[:space:]]*//g s/$/ remember='"$var_password_pam_remember"'/g } }' /usr/share/pam-configs/cac_pwhistory DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember' ############################################################################### # BEGIN fix (39 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_use_authtok' ############################################################################### (>&2 echo "Remediating rule 39/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_use_authtok'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then if [ -f /usr/bin/authselect ]; then if authselect list-features sssd | grep -q with-pwhistory; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-pwhistory authselect apply-changes -b else if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! $CURRENT_PROFILE == custom/* ]]; then ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') # The "local" profile does not contain essential security features required by multiple Benchmarks. # If currently used, it is replaced by "sssd", which is the best option in this case. if [[ $CURRENT_PROFILE == local ]]; then CURRENT_PROFILE="sssd" fi authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "cac_pwhistory") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then # Line matching group + control + module was not found. Check group + module. if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then # The control is updated only if one single line matches. sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH" else echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH" fi fi fi else conf_name=cac_pwhistory conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then cat << EOF > "$conf_path"/"$conf_name" Name: pwhistory password history checking Default: yes Priority: 1024 Password-Type: Primary Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok Password-Initial: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update fi conf_file=/usr/share/pam-configs/cac_pwhistory if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b' "$conf_file"; then sed -i -E '/^Password:/,/^[^[:space:]]/ { /pam_pwhistory\.so/ { s/$/ use_authtok/g } }' "$conf_file" fi DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_use_authtok' ############################################################################### # BEGIN fix (40 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_authtok' ############################################################################### (>&2 echo "Remediating rule 40/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_authtok'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then config_file="/usr/share/pam-configs/cac_unix" conf_name=cac_unix conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" sed -i 's/Priority: [0-9]\+/Priority: 257\ Conflicts: unix/' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update else echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2 fi else echo "Not applicable - $conf_path/unix does not exist" >&2 fi fi sed -i -E '/^Password:/,/^[^[:space:]]/ { /pam_unix\.so/ { /use_authtok/! s/$/ use_authtok/g } }' "$config_file" DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable cac_unix else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_authtok' ############################################################################### # BEGIN fix (41 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' ############################################################################### (>&2 echo "Remediating rule 41/386: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then var_accounts_passwords_pam_faillock_deny='4' if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-faillock authselect apply-changes -b else conf_name=cac_faillock if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then cat << EOF > /usr/share/pam-configs/"$conf_name" Name: Enable pam_faillock to deny access Default: yes Conflicts: faillock Priority: 0 Auth-Type: Primary Auth: [default=die] pam_faillock.so authfail sufficient pam_faillock.so authsucc EOF fi if [ ! -f /usr/share/pam-configs/"$conf_name"_notify ]; then cat << EOF > /usr/share/pam-configs/"$conf_name"_notify Name: Notify of failed login attempts and reset count upon success Default: yes Conflicts: faillock_notify Priority: 1025 Auth-Type: Primary Auth: requisite pam_faillock.so preauth Account-Type: Primary Account: required pam_faillock.so EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update fi AUTH_FILES=("/etc/pam.d/common-auth") SKIP_FAILLOCK_CHECK=true FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ] || [ "$SKIP_FAILLOCK_CHECK" = "true" ]; then regex="^\s*deny\s*=" line="deny = $var_accounts_passwords_pam_faillock_deny" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF else sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF fi else for pam_file in "${AUTH_FILES[@]}" do if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*deny' "$pam_file"; then sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" else sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*\)\('"deny"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" fi done fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' ############################################################################### # BEGIN fix (42 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enabled' ############################################################################### (>&2 echo "Remediating rule 42/386: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-faillock authselect apply-changes -b else conf_name=cac_faillock if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then cat << EOF > /usr/share/pam-configs/"$conf_name" Name: Enable pam_faillock to deny access Default: yes Conflicts: faillock Priority: 0 Auth-Type: Primary Auth: [default=die] pam_faillock.so authfail sufficient pam_faillock.so authsucc EOF fi if [ ! -f /usr/share/pam-configs/"$conf_name"_notify ]; then cat << EOF > /usr/share/pam-configs/"$conf_name"_notify Name: Notify of failed login attempts and reset count upon success Default: yes Conflicts: faillock_notify Priority: 1025 Auth-Type: Primary Auth: requisite pam_faillock.so preauth Account-Type: Primary Account: required pam_faillock.so EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enabled' ############################################################################### # BEGIN fix (43 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' ############################################################################### (>&2 echo "Remediating rule 43/386: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then var_accounts_passwords_pam_faillock_unlock_time='900' if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-faillock authselect apply-changes -b else conf_name=cac_faillock if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then cat << EOF > /usr/share/pam-configs/"$conf_name" Name: Enable pam_faillock to deny access Default: yes Conflicts: faillock Priority: 0 Auth-Type: Primary Auth: [default=die] pam_faillock.so authfail sufficient pam_faillock.so authsucc EOF fi if [ ! -f /usr/share/pam-configs/"$conf_name"_notify ]; then cat << EOF > /usr/share/pam-configs/"$conf_name"_notify Name: Notify of failed login attempts and reset count upon success Default: yes Conflicts: faillock_notify Priority: 1025 Auth-Type: Primary Auth: requisite pam_faillock.so preauth Account-Type: Primary Account: required pam_faillock.so EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update fi AUTH_FILES=("/etc/pam.d/common-auth") SKIP_FAILLOCK_CHECK=true FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ] || [ "$SKIP_FAILLOCK_CHECK" = "true" ]; then regex="^\s*unlock_time\s*=" line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF else sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF fi else for pam_file in "${AUTH_FILES[@]}" do if ! grep -qE '^\s*auth.*pam_faillock\.so\s+(preauth|authfail).*unlock_time' "$pam_file"; then sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" else sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*\)\('"unlock_time"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)\S\+\b\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file" fi done fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' ############################################################################### # BEGIN fix (44 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' ############################################################################### (>&2 echo "Remediating rule 44/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_dcredit='-1' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dcredit") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dcredit" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' ############################################################################### # BEGIN fix (45 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' ############################################################################### (>&2 echo "Remediating rule 45/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_dictcheck='1' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' ############################################################################### # BEGIN fix (46 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' ############################################################################### (>&2 echo "Remediating rule 46/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_difok='2' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^difok") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_difok" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' ############################################################################### # BEGIN fix (47 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root' ############################################################################### (>&2 echo "Remediating rule 47/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then if [ -e "/etc/security/pwquality.conf" ] ; then LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf" else touch "/etc/security/pwquality.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/security/pwquality.conf" cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" # Insert at the end of the file printf '%s\n' "enforce_for_root" >> "/etc/security/pwquality.conf" # Clean up after ourselves. rm "/etc/security/pwquality.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root' ############################################################################### # BEGIN fix (48 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforcing' ############################################################################### (>&2 echo "Remediating rule 48/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforcing'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then if [ -e "/etc/security/pwquality.conf" ] ; then LC_ALL=C sed -i "/^\s*enforcing = 1/Id" "/etc/security/pwquality.conf" else touch "/etc/security/pwquality.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/security/pwquality.conf" cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" # Insert at the end of the file printf '%s\n' "enforcing = 1" >> "/etc/security/pwquality.conf" # Clean up after ourselves. rm "/etc/security/pwquality.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforcing' ############################################################################### # BEGIN fix (49 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' ############################################################################### (>&2 echo "Remediating rule 49/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_lcredit='-1' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^lcredit") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_lcredit" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' ############################################################################### # BEGIN fix (50 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' ############################################################################### (>&2 echo "Remediating rule 50/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_maxrepeat='3' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxrepeat") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxrepeat" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' ############################################################################### # BEGIN fix (51 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxsequence' ############################################################################### (>&2 echo "Remediating rule 51/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxsequence'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_maxsequence='3' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^maxsequence") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_maxsequence" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^maxsequence\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^maxsequence\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxsequence' ############################################################################### # BEGIN fix (52 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' ############################################################################### (>&2 echo "Remediating rule 52/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_minclass='4' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minclass") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minclass" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' ############################################################################### # BEGIN fix (53 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' ############################################################################### (>&2 echo "Remediating rule 53/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_minlen='14' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' ############################################################################### # BEGIN fix (54 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' ############################################################################### (>&2 echo "Remediating rule 54/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_ocredit='-1' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ocredit") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ocredit" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' ############################################################################### # BEGIN fix (55 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_enabled' ############################################################################### (>&2 echo "Remediating rule 55/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then conf_name=cac_pwquality if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then cat << EOF > /usr/share/pam-configs/"$conf_name" Name: Pwquality password strength checking Default: yes Priority: 1025 Conflicts: cracklib, pwquality Password-Type: Primary Password: requisite pam_pwquality.so EOF fi DEBIAN_FRONTEND=noninteractive pam-auth-update else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_enabled' ############################################################################### # BEGIN fix (56 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' ############################################################################### (>&2 echo "Remediating rule 56/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpwquality1' 2>/dev/null | grep -q '^installed$'; }; then var_password_pam_ucredit='-1' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ucredit") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_ucredit" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf" else if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf" fi printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' ############################################################################### # BEGIN fix (57 / 386) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs' ############################################################################### (>&2 echo "Remediating rule 57/386: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'login' 2>/dev/null | grep -q '^installed$'; }; then var_password_hashing_algorithm='SHA512|YESCRYPT' # Allow multiple algorithms, but choose the first one for remediation # var_password_hashing_algorithm="$(echo $var_password_hashing_algorithm | cut -d \| -f 1)" # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^ENCRYPT_METHOD") # shellcheck disable=SC2059 printf -v formatted_output "%s %s" "$stripped_key" "$var_password_hashing_algorithm" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^ENCRYPT_METHOD\\>" "/etc/login.defs"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^ENCRYPT_METHOD\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" else if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" fi printf '%s\n' "$formatted_output" >> "/etc/login.defs" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs' ############################################################################### # BEGIN fix (58 / 386) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' ############################################################################### (>&2 echo "Remediating rule 58/386: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then var_password_hashing_algorithm_pam='yescrypt' conf_name=cac_unix conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" sed -i 's/Priority: [0-9]\+/Priority: 257\ Conflicts: unix/' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update else echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2 fi else echo "Not applicable - $conf_path/unix does not exist" >&2 fi fi PAM_FILE_PATH=/usr/share/pam-configs/cac_unix # Ensure all the hashing algorithm option is removed. declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blowfish" "sha256" "md5" "bigcrypt") for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do sed -i -E '/^Password:/,/^[^[:space:]]/ { /pam_unix\.so/ { s/\s*\b'"$hash_option"'\b//g } }' "$PAM_FILE_PATH" sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { /pam_unix\.so/ { s/\s*\b'"$hash_option"'\b//g } }' "$PAM_FILE_PATH" DEBIAN_FRONTEND=noninteractive pam-auth-update done if ! grep -qzP "Password:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then sed -i -E '/^Password:/,/^[^[:space:]]/ { /pam_unix\.so/ { s/$/ '"$var_password_hashing_algorithm_pam"'/g } }' "$PAM_FILE_PATH" fi if ! grep -qzP "Password-Initial:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { /pam_unix\.so/ { s/$/ '"$var_password_hashing_algorithm_pam"'/g } }' "$PAM_FILE_PATH" fi DEBIAN_FRONTEND=noninteractive pam-auth-update else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' ############################################################################### # BEGIN fix (59 / 386) for 'xccdf_org.ssgproject.content_rule_account_unique_id' ############################################################################### (>&2 echo "Remediating rule 59/386: 'xccdf_org.ssgproject.content_rule_account_unique_id'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_account_unique_id' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_account_unique_id' ############################################################################### # BEGIN fix (60 / 386) for 'xccdf_org.ssgproject.content_rule_group_unique_id' ############################################################################### (>&2 echo "Remediating rule 60/386: 'xccdf_org.ssgproject.content_rule_group_unique_id'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_group_unique_id' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_group_unique_id' ############################################################################### # BEGIN fix (61 / 386) for 'xccdf_org.ssgproject.content_rule_group_unique_name' ############################################################################### (>&2 echo "Remediating rule 61/386: 'xccdf_org.ssgproject.content_rule_group_unique_name'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_group_unique_name' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_group_unique_name' ############################################################################### # BEGIN fix (62 / 386) for 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration' ############################################################################### (>&2 echo "Remediating rule 62/386: 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'login' 2>/dev/null | grep -q '^installed$'; }; then var_account_disable_post_pw_expiration='45' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^INACTIVE") # shellcheck disable=SC2059 printf -v formatted_output "%s=%s" "$stripped_key" "$var_account_disable_post_pw_expiration" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd" else if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd" fi printf '%s\n' "$formatted_output" >> "/etc/default/useradd" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration' ############################################################################### # BEGIN fix (63 / 386) for 'xccdf_org.ssgproject.content_rule_account_unique_name' ############################################################################### (>&2 echo "Remediating rule 63/386: 'xccdf_org.ssgproject.content_rule_account_unique_name'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_account_unique_name' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_account_unique_name' ############################################################################### # BEGIN fix (64 / 386) for 'xccdf_org.ssgproject.content_rule_ensure_shadow_group_empty' ############################################################################### (>&2 echo "Remediating rule 64/386: 'xccdf_org.ssgproject.content_rule_ensure_shadow_group_empty'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_ensure_shadow_group_empty' ############################################################################### # BEGIN fix (65 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs' ############################################################################### (>&2 echo "Remediating rule 65/386: 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'login' 2>/dev/null | grep -q '^installed$'; }; then var_accounts_maximum_age_login_defs='365' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^PASS_MAX_DAYS") # shellcheck disable=SC2059 printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_maximum_age_login_defs" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^PASS_MAX_DAYS\\>" "/etc/login.defs"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^PASS_MAX_DAYS\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" else if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" fi printf '%s\n' "$formatted_output" >> "/etc/login.defs" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs' ############################################################################### # BEGIN fix (66 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' ############################################################################### (>&2 echo "Remediating rule 66/386: 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_accounts_maximum_age_login_defs='365' while IFS= read -r i; do chage -M $var_accounts_maximum_age_login_defs $i done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' ############################################################################### # BEGIN fix (67 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs' ############################################################################### (>&2 echo "Remediating rule 67/386: 'xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'login' 2>/dev/null | grep -q '^installed$'; }; then var_accounts_password_warn_age_login_defs='7' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^PASS_WARN_AGE") # shellcheck disable=SC2059 printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_password_warn_age_login_defs" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^PASS_WARN_AGE\\>" "/etc/login.defs"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^PASS_WARN_AGE\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" else if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" fi printf '%s\n' "$formatted_output" >> "/etc/login.defs" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs' ############################################################################### # BEGIN fix (68 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_set_post_pw_existing' ############################################################################### (>&2 echo "Remediating rule 68/386: 'xccdf_org.ssgproject.content_rule_accounts_set_post_pw_existing'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_account_disable_post_pw_expiration='45' while IFS= read -r i; do chage --inactive $var_account_disable_post_pw_expiration $i done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow) else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_set_post_pw_existing' ############################################################################### # BEGIN fix (69 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed' ############################################################################### (>&2 echo "Remediating rule 69/386: 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed' ############################################################################### # BEGIN fix (70 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past' ############################################################################### (>&2 echo "Remediating rule 70/386: 'xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_last_change_is_in_past' ############################################################################### # BEGIN fix (71 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_no_remember' ############################################################################### (>&2 echo "Remediating rule 71/386: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_no_remember'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then conf_name=cac_unix conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" sed -i 's/Priority: [0-9]\+/Priority: 257\ Conflicts: unix/' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update else echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2 fi else echo "Not applicable - $conf_path/unix does not exist" >&2 fi fi config_file="/usr/share/pam-configs/cac_unix" sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ { /pam_unix\.so/ { s/\s*\bremember=\d+\b//g } }' "$config_file" DEBIAN_FRONTEND=noninteractive pam-auth-update else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_no_remember' ############################################################################### # BEGIN fix (72 / 386) for 'xccdf_org.ssgproject.content_rule_gid_passwd_group_same' ############################################################################### (>&2 echo "Remediating rule 72/386: 'xccdf_org.ssgproject.content_rule_gid_passwd_group_same'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_gid_passwd_group_same' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_gid_passwd_group_same' ############################################################################### # BEGIN fix (73 / 386) for 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' ############################################################################### (>&2 echo "Remediating rule 73/386: 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) for user_with_empty_pass in "${users_with_empty_pass[@]}" do passwd -l $user_with_empty_pass done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' ############################################################################### # BEGIN fix (74 / 386) for 'xccdf_org.ssgproject.content_rule_no_empty_passwords_unix' ############################################################################### (>&2 echo "Remediating rule 74/386: 'xccdf_org.ssgproject.content_rule_no_empty_passwords_unix'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then conf_name=cac_unix conf_path="/usr/share/pam-configs" if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" sed -i 's/Priority: [0-9]\+/Priority: 257\ Conflicts: unix/' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update else echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2 fi else echo "Not applicable - $conf_path/unix does not exist" >&2 fi fi config_file="/usr/share/pam-configs/cac_unix" sed -i '/pam_unix\.so/s/nullok//g' "$config_file" DEBIAN_FRONTEND=noninteractive pam-auth-update else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_no_empty_passwords_unix' ############################################################################### # BEGIN fix (75 / 386) for 'xccdf_org.ssgproject.content_rule_no_forward_files' ############################################################################### (>&2 echo "Remediating rule 75/386: 'xccdf_org.ssgproject.content_rule_no_forward_files'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_no_forward_files' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_no_forward_files' ############################################################################### # BEGIN fix (76 / 386) for 'xccdf_org.ssgproject.content_rule_no_netrc_files' ############################################################################### (>&2 echo "Remediating rule 76/386: 'xccdf_org.ssgproject.content_rule_no_netrc_files'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_no_netrc_files' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_no_netrc_files' ############################################################################### # BEGIN fix (77 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' ############################################################################### (>&2 echo "Remediating rule 77/386: 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' ############################################################################### # BEGIN fix (78 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_root_gid_zero' ############################################################################### (>&2 echo "Remediating rule 78/386: 'xccdf_org.ssgproject.content_rule_accounts_root_gid_zero'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_root_gid_zero' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_accounts_root_gid_zero' ############################################################################### # BEGIN fix (79 / 386) for 'xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty' ############################################################################### (>&2 echo "Remediating rule 79/386: 'xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_pam_wheel_group_for_su='sugroup' # Workaround for https://github.com/OpenSCAP/openscap/issues/2242: Use full # path to groupadd command to avoid the issue with the command not being found. if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then /usr/sbin/groupadd ${var_pam_wheel_group_for_su} fi # group must be empty gpasswd -M '' ${var_pam_wheel_group_for_su} else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_ensure_pam_wheel_group_empty' ############################################################################### # BEGIN fix (80 / 386) for 'xccdf_org.ssgproject.content_rule_ensure_root_access_controlled' ############################################################################### (>&2 echo "Remediating rule 80/386: 'xccdf_org.ssgproject.content_rule_ensure_root_access_controlled'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_ensure_root_access_controlled' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_ensure_root_access_controlled' ############################################################################### # BEGIN fix (81 / 386) for 'xccdf_org.ssgproject.content_rule_groups_no_zero_gid_except_root' ############################################################################### (>&2 echo "Remediating rule 81/386: 'xccdf_org.ssgproject.content_rule_groups_no_zero_gid_except_root'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_groups_no_zero_gid_except_root' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_groups_no_zero_gid_except_root' ############################################################################### # BEGIN fix (82 / 386) for 'xccdf_org.ssgproject.content_rule_no_invalid_shell_accounts_unlocked' ############################################################################### (>&2 echo "Remediating rule 82/386: 'xccdf_org.ssgproject.content_rule_no_invalid_shell_accounts_unlocked'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_no_invalid_shell_accounts_unlocked' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_no_invalid_shell_accounts_unlocked' ############################################################################### # BEGIN fix (83 / 386) for 'xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts' ############################################################################### (>&2 echo "Remediating rule 83/386: 'xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != root \ && $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \ { print $1 }' /etc/passwd) for systemaccount in "${systemaccounts[@]}"; do usermod -s /sbin/nologin "$systemaccount" done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts' ############################################################################### # BEGIN fix (84 / 386) for 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su' ############################################################################### (>&2 echo "Remediating rule 84/386: 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then var_pam_wheel_group_for_su='sugroup' PAM_CONF=/etc/pam.d/su pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) if [ -z "$pamstr" ]; then sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} else group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su' ############################################################################### # BEGIN fix (85 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_tmout' ############################################################################### (>&2 echo "Remediating rule 85/386: 'xccdf_org.ssgproject.content_rule_accounts_tmout'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_accounts_tmout='900' # if 0, no occurrence of tmout found, if 1, occurrence found tmout_found=0 for f in /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh; do if grep --silent '^\s*TMOUT' $f; then sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" $f tmout_found=1 if ! grep --silent '^\s*readonly TMOUT' $f ; then echo "readonly TMOUT" >> $f fi if ! grep --silent '^\s*export TMOUT' $f ; then echo "export TMOUT" >> $f fi fi done OLD_UMASK=$(umask) umask u=rw,go=r if [ $tmout_found -eq 0 ]; then echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh echo "readonly TMOUT" >> /etc/profile.d/tmout.sh echo "export TMOUT" >> /etc/profile.d/tmout.sh fi umask $OLD_UMASK else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_tmout' ############################################################################### # BEGIN fix (86 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership' ############################################################################### (>&2 echo "Remediating rule 86/386: 'xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then awk -F: '{if ($4 >= 1000 && $4 != 65534) print $4":"$6}' /etc/passwd | while IFS=: read -r gid home; do find -P "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chgrp -f --no-dereference -- $gid "{}" \;; done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership' ############################################################################### # BEGIN fix (87 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership' ############################################################################### (>&2 echo "Remediating rule 87/386: 'xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then awk -F: '{if ($3 >= 1000 && $3 != 65534) print $3":"$6}' /etc/passwd | while IFS=: read -r uid home; do find -P "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chown -f --no-dereference -- $uid "{}" \;; done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership' ############################################################################### # BEGIN fix (88 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists' ############################################################################### (>&2 echo "Remediating rule 88/386: 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do mkhomedir_helper $user 0077; done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists' ############################################################################### # BEGIN fix (89 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories' ############################################################################### (>&2 echo "Remediating rule 89/386: 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories'") awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories' ############################################################################### # BEGIN fix (90 / 386) for 'xccdf_org.ssgproject.content_rule_file_ownership_home_directories' ############################################################################### (>&2 echo "Remediating rule 90/386: 'xccdf_org.ssgproject.content_rule_file_ownership_home_directories'") awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd # END fix for 'xccdf_org.ssgproject.content_rule_file_ownership_home_directories' ############################################################################### # BEGIN fix (91 / 386) for 'xccdf_org.ssgproject.content_rule_file_permission_user_bash_history' ############################################################################### (>&2 echo "Remediating rule 91/386: 'xccdf_org.ssgproject.content_rule_file_permission_user_bash_history'") readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd) readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd) readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd) USERS_IGNORED_REGEX='nobody|nfsnobody' for (( i=0; i<"${#interactive_users[@]}"; i++ )); do if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \ [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then chmod u-sx,go= "${interactive_users_home[$i]}/.bash_history" fi done # END fix for 'xccdf_org.ssgproject.content_rule_file_permission_user_bash_history' ############################################################################### # BEGIN fix (92 / 386) for 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files' ############################################################################### (>&2 echo "Remediating rule 92/386: 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files'") var_user_initialization_files_regex='^\.[\w\- ]+$' readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd) readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd) readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd) USERS_IGNORED_REGEX='nobody|nfsnobody' for (( i=0; i<"${#interactive_users[@]}"; i++ )); do if ! grep -qP "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \ [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then readarray -t init_files < <(find "${interactive_users_home[$i]}" -maxdepth 1 \ -exec basename {} \; | grep -P "$var_user_initialization_files_regex") for file in "${init_files[@]}"; do chmod u-s,g-wxs,o= "${interactive_users_home[$i]}/$file" done fi done # END fix for 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files' ############################################################################### # BEGIN fix (93 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories' ############################################################################### (>&2 echo "Remediating rule 93/386: 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories'") for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534 && $6 != "/") print $6 }' /etc/passwd); do # Only update the permissions when necessary. This will avoid changing the inode timestamp when # the permission is already defined as expected, therefore not impacting in possible integrity # check systems that also check inodes timestamps. find "$home_dir" -maxdepth 0 -perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \; done # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories' ############################################################################### # BEGIN fix (94 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write' ############################################################################### (>&2 echo "Remediating rule 94/386: 'xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write' ############################################################################### # BEGIN fix (95 / 386) for 'xccdf_org.ssgproject.content_rule_no_dirs_unowned_by_root' ############################################################################### (>&2 echo "Remediating rule 95/386: 'xccdf_org.ssgproject.content_rule_no_dirs_unowned_by_root'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_no_dirs_unowned_by_root' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_no_dirs_unowned_by_root' ############################################################################### # BEGIN fix (96 / 386) for 'xccdf_org.ssgproject.content_rule_root_path_all_dirs' ############################################################################### (>&2 echo "Remediating rule 96/386: 'xccdf_org.ssgproject.content_rule_root_path_all_dirs'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_root_path_all_dirs' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_root_path_all_dirs' ############################################################################### # BEGIN fix (97 / 386) for 'xccdf_org.ssgproject.content_rule_root_path_no_dot' ############################################################################### (>&2 echo "Remediating rule 97/386: 'xccdf_org.ssgproject.content_rule_root_path_no_dot'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_root_path_no_dot' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_root_path_no_dot' ############################################################################### # BEGIN fix (98 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' ############################################################################### (>&2 echo "Remediating rule 98/386: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'bash' 2>/dev/null | grep -q '^installed$'; }; then var_accounts_user_umask='027' grep -q "^[^#]*\bumask" /etc/bash.bashrc && \ sed -i -E -e "s/^([^#]*\bumask)[[:space:]]+[[:digit:]]+/\1 $var_accounts_user_umask/g" /etc/bash.bashrc if ! [ $? -eq 0 ]; then echo "umask $var_accounts_user_umask" >> /etc/bash.bashrc fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' ############################################################################### # BEGIN fix (99 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' ############################################################################### (>&2 echo "Remediating rule 99/386: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'login' 2>/dev/null | grep -q '^installed$'; }; then var_accounts_user_umask='027' # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK") # shellcheck disable=SC2059 printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs" else if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs" fi printf '%s\n' "$formatted_output" >> "/etc/login.defs" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' ############################################################################### # BEGIN fix (100 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile' ############################################################################### (>&2 echo "Remediating rule 100/386: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_accounts_user_umask='027' readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local') for file in "${profile_files[@]}" /etc/profile; do grep -qE '^[^#]*umask' "$file" && sed -i -E "s/^(\s*umask\s*)[0-7]+/\1$var_accounts_user_umask/g" "$file" done if ! grep -qrE '^[^#]*umask' /etc/profile*; then echo "umask $var_accounts_user_umask" >> /etc/profile fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile' ############################################################################### # BEGIN fix (101 / 386) for 'xccdf_org.ssgproject.content_rule_accounts_umask_root' ############################################################################### (>&2 echo "Remediating rule 101/386: 'xccdf_org.ssgproject.content_rule_accounts_umask_root'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'bash' 2>/dev/null | grep -q '^installed$'; }; then for file in /root/.bashrc /root/.profile; do if [ -f "$file" ]; then sed -i -E -e "s/^([^#]*\bumask)[[:space:]]+[[:digit:]]+/\1 0027/g" "$file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_root' ############################################################################### # BEGIN fix (102 / 386) for 'xccdf_org.ssgproject.content_rule_package_apparmor-utils_installed' ############################################################################### (>&2 echo "Remediating rule 102/386: 'xccdf_org.ssgproject.content_rule_package_apparmor-utils_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "apparmor-utils" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_apparmor-utils_installed' ############################################################################### # BEGIN fix (103 / 386) for 'xccdf_org.ssgproject.content_rule_package_apparmor_installed' ############################################################################### (>&2 echo "Remediating rule 103/386: 'xccdf_org.ssgproject.content_rule_package_apparmor_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "apparmor" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_apparmor_installed' ############################################################################### # BEGIN fix (104 / 386) for 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode' ############################################################################### (>&2 echo "Remediating rule 104/386: 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}' 'apparmor' 2>/dev/null | grep -q '^installed$' ); }; then var_apparmor_mode='enforce' # make sure apparmor-utils is installed for aa-complain and aa-enforce DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "apparmor-utils" # Reload all AppArmor profiles apparmor_parser -q -r /etc/apparmor.d/ # Set the mode APPARMOR_MODE="$var_apparmor_mode" if [ "$APPARMOR_MODE" = "enforce" ] then # Set all profiles to enforce mode except disabled profiles find /etc/apparmor.d -maxdepth 1 ! -type d -exec bash -c '[[ -e "/etc/apparmor.d/disable/$(basename "$1")" ]] || aa-enforce "$1"' _ {} \; fi if [ "$APPARMOR_MODE" = "complain" ] then # Load all not-loaded profiles into complain mode apparmor_parser -a --Complain /etc/apparmor.d/ echo "***WARNING***: This remediation will not downgrade any existing AppArmor profiles." fi if [ "$APPARMOR_MODE" = "keep_existing_mode" ] then echo "***WARNING***: This remediation will not modify any existing AppArmor profiles." fi UNCONFINED=$(aa-status | grep "processes are unconfined" | awk '{print $1;}') if [ $UNCONFINED -ne 0 ]; then echo -e "***WARNING***: There are some unconfined processes:" echo -e "----------------------------" echo "The may need to have a profile created or activated for them and then be restarted." for PROCESS in "${UNCONFINED[@]}" do echo "$PROCESS" done echo -e "----------------------------" echo "The may need to have a profile created or activated for them and then be restarted." fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_all_apparmor_profiles_in_enforce_complain_mode' ############################################################################### # BEGIN fix (105 / 386) for 'xccdf_org.ssgproject.content_rule_grub2_enable_apparmor' ############################################################################### (>&2 echo "Remediating rule 105/386: 'xccdf_org.ssgproject.content_rule_grub2_enable_apparmor'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then # Correct the form of default kernel command line in GRUB if grep -q '^\s*GRUB_CMDLINE_LINUX=.*apparmor=.*"' '/etc/default/grub' ; then # modify the GRUB command-line if an apparmor= arg already exists sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)apparmor=[^[:space:]]\+\(.*\"\)/\1apparmor=1\2/" '/etc/default/grub' # Add to already existing GRUB_CMDLINE_LINUX parameters elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then # no apparmor=arg is present, append it sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 apparmor=1\"/" '/etc/default/grub' # Add GRUB_CMDLINE_LINUX parameters line else echo "GRUB_CMDLINE_LINUX=\"apparmor=1\"" >> '/etc/default/grub' fi # Correct the form of default kernel command line in GRUB if grep -q '^\s*GRUB_CMDLINE_LINUX=.*security=.*"' '/etc/default/grub' ; then # modify the GRUB command-line if an security= arg already exists sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)security=[^[:space:]]\+\(.*\"\)/\1security=apparmor\2/" '/etc/default/grub' # Add to already existing GRUB_CMDLINE_LINUX parameters elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then # no security=arg is present, append it sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 security=apparmor\"/" '/etc/default/grub' # Add GRUB_CMDLINE_LINUX parameters line else echo "GRUB_CMDLINE_LINUX=\"security=apparmor\"" >> '/etc/default/grub' fi update-grub else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_grub2_enable_apparmor' ############################################################################### # BEGIN fix (106 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' ############################################################################### (>&2 echo "Remediating rule 106/386: 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'grub2-common' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ) && { ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ); }; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/boot/grub/grub.cfg" | grep -E -w -q "0"; then chown --no-dereference "$newown" /boot/grub/grub.cfg fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' ############################################################################### # BEGIN fix (107 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg' ############################################################################### (>&2 echo "Remediating rule 107/386: 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'grub2-common' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ) && { ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ); }; then chmod u-xs,g-xwrs,o-xwrt /boot/grub/grub.cfg else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg' ############################################################################### # BEGIN fix (108 / 386) for 'xccdf_org.ssgproject.content_rule_grub2_password' ############################################################################### (>&2 echo "Remediating rule 108/386: 'xccdf_org.ssgproject.content_rule_grub2_password'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_password' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_grub2_password' ############################################################################### # BEGIN fix (109 / 386) for 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' ############################################################################### (>&2 echo "Remediating rule 109/386: 'xccdf_org.ssgproject.content_rule_grub2_uefi_password'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' ############################################################################### # BEGIN fix (110 / 386) for 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed' ############################################################################### (>&2 echo "Remediating rule 110/386: 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ! (systemctl is-active rsyslog &>/dev/null); }; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "systemd-journal-remote" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_systemd-journal-remote_installed' ############################################################################### # BEGIN fix (111 / 386) for 'xccdf_org.ssgproject.content_rule_service_systemd-journal-upload_enabled' ############################################################################### (>&2 echo "Remediating rule 111/386: 'xccdf_org.ssgproject.content_rule_service_systemd-journal-upload_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}' 'systemd-journal-remote' 2>/dev/null | grep -q '^installed$' ); }; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'systemd-journal-upload.service' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" start 'systemd-journal-upload.service' fi "$SYSTEMCTL_EXEC" enable 'systemd-journal-upload.service' else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_systemd-journal-upload_enabled' ############################################################################### # BEGIN fix (112 / 386) for 'xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled' ############################################################################### (>&2 echo "Remediating rule 112/386: 'xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'systemd-journald.service' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" start 'systemd-journald.service' fi "$SYSTEMCTL_EXEC" enable 'systemd-journald.service' else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled' ############################################################################### # BEGIN fix (113 / 386) for 'xccdf_org.ssgproject.content_rule_journald_compress' ############################################################################### (>&2 echo "Remediating rule 113/386: 'xccdf_org.ssgproject.content_rule_journald_compress'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ! (systemctl is-active rsyslog &>/dev/null); }; then if [ -e "/etc/systemd/journald.conf" ] ; then LC_ALL=C sed -i "/^\s*Compress\s*=\s*/d" "/etc/systemd/journald.conf" else touch "/etc/systemd/journald.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/systemd/journald.conf" cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" # Insert before the line matching the regex '^#\s*Compress'. line_number="$(LC_ALL=C grep -n "^#\s*Compress" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then # There was no match of '^#\s*Compress', insert at # the end of the file. printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" printf '%s\n' "Compress=yes" >> "/etc/systemd/journald.conf" tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi # Clean up after ourselves. rm "/etc/systemd/journald.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_journald_compress' ############################################################################### # BEGIN fix (114 / 386) for 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' ############################################################################### (>&2 echo "Remediating rule 114/386: 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'systemd' 2>/dev/null | grep -q '^installed$'; }; then if [ -e "/etc/systemd/journald.conf" ] ; then LC_ALL=C sed -i "/^\s*ForwardToSyslog\s*=\s*/d" "/etc/systemd/journald.conf" else touch "/etc/systemd/journald.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/systemd/journald.conf" cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" # Insert before the line matching the regex '^#\s*ForwardToSyslog'. line_number="$(LC_ALL=C grep -n "^#\s*ForwardToSyslog" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then # There was no match of '^#\s*ForwardToSyslog', insert at # the end of the file. printf '%s\n' "ForwardToSyslog=no" >> "/etc/systemd/journald.conf" else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" printf '%s\n' "ForwardToSyslog=no" >> "/etc/systemd/journald.conf" tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi # Clean up after ourselves. rm "/etc/systemd/journald.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_journald_disable_forward_to_syslog' ############################################################################### # BEGIN fix (115 / 386) for 'xccdf_org.ssgproject.content_rule_journald_storage' ############################################################################### (>&2 echo "Remediating rule 115/386: 'xccdf_org.ssgproject.content_rule_journald_storage'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ! (systemctl is-active rsyslog &>/dev/null); }; then if [ -e "/etc/systemd/journald.conf" ] ; then LC_ALL=C sed -i "/^\s*Storage\s*=\s*/d" "/etc/systemd/journald.conf" else touch "/etc/systemd/journald.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/systemd/journald.conf" cp "/etc/systemd/journald.conf" "/etc/systemd/journald.conf.bak" # Insert before the line matching the regex '^#\s*Storage'. line_number="$(LC_ALL=C grep -n "^#\s*Storage" "/etc/systemd/journald.conf.bak" | LC_ALL=C sed 's/:.*//g')" if [ -z "$line_number" ]; then # There was no match of '^#\s*Storage', insert at # the end of the file. printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" else head -n "$(( line_number - 1 ))" "/etc/systemd/journald.conf.bak" > "/etc/systemd/journald.conf" printf '%s\n' "Storage=persistent" >> "/etc/systemd/journald.conf" tail -n "+$(( line_number ))" "/etc/systemd/journald.conf.bak" >> "/etc/systemd/journald.conf" fi # Clean up after ourselves. rm "/etc/systemd/journald.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_journald_storage' ############################################################################### # BEGIN fix (116 / 386) for 'xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled' ############################################################################### (>&2 echo "Remediating rule 116/386: 'xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SOCKET_NAME="systemd-journal-remote.socket" SYSTEMCTL_EXEC='/usr/bin/systemctl' if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME" fi "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_socket_systemd-journal-remote_disabled' ############################################################################### # BEGIN fix (117 / 386) for 'xccdf_org.ssgproject.content_rule_systemd_journal_upload_server_tls' ############################################################################### (>&2 echo "Remediating rule 117/386: 'xccdf_org.ssgproject.content_rule_systemd_journal_upload_server_tls'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ! (systemctl is-active rsyslog &>/dev/null); }; then dropin_conf=/etc/systemd/journal-upload.conf.d/60-journald_upload.conf mkdir -p /etc/systemd/journal-upload.conf.d touch "${dropin_conf}" for conf in /etc/systemd/journal-upload.conf /etc/systemd/journal-upload.conf.d/*; do [[ -e "${conf}" ]] || continue sed -i --follow-symlinks \ -e 's/^ServerKeyFile\>/#&/g' \ -e 's/^ServerCertificateFile\>/#&/g' \ -e 's/^TrustedCertificateFile\>/#&/g' "${conf}" done var_journal_upload_server_key_file='/etc/pki/systemd/private/journal-upload.pem' var_journal_upload_server_certificate_file='/etc/pki/systemd/certs/journal-upload.pem' var_journal_upload_server_trusted_certificate_file='/etc/pki/systemd/ca/trusted.pem' found=false # set value in all files if they contain section or key for f in $(echo -n "${dropin_conf}"); do if [ ! -e "$f" ]; then continue fi # find key in section and change value if grep -qzosP "[[:space:]]*\[Upload\]([^\n\[]*\n+)+?[[:space:]]*ServerKeyFile" "$f"; then if ! grep -qPz "ServerKeyFile=$var_journal_upload_server_key_file" "$f"; then sed -i "s/ServerKeyFile[^(\n)]*/ServerKeyFile=$var_journal_upload_server_key_file/" "$f" fi found=true # find section and add key = value to it elif grep -qs "[[:space:]]*\[Upload\]" "$f"; then sed -i "/[[:space:]]*\[Upload\]/a ServerKeyFile=$var_journal_upload_server_key_file" "$f" found=true fi done # if section not in any file, append section with key = value to FIRST file in files parameter if ! $found ; then file=$(echo "${dropin_conf}" | cut -f1 -d ' ') mkdir -p "$(dirname "$file")" echo -e "[Upload]\nServerKeyFile=$var_journal_upload_server_key_file" >> "$file" fi found=false # set value in all files if they contain section or key for f in $(echo -n "${dropin_conf}"); do if [ ! -e "$f" ]; then continue fi # find key in section and change value if grep -qzosP "[[:space:]]*\[Upload\]([^\n\[]*\n+)+?[[:space:]]*ServerCertificateFile" "$f"; then if ! grep -qPz "ServerCertificateFile=$var_journal_upload_server_certificate_file" "$f"; then sed -i "s/ServerCertificateFile[^(\n)]*/ServerCertificateFile=$var_journal_upload_server_certificate_file/" "$f" fi found=true # find section and add key = value to it elif grep -qs "[[:space:]]*\[Upload\]" "$f"; then sed -i "/[[:space:]]*\[Upload\]/a ServerCertificateFile=$var_journal_upload_server_certificate_file" "$f" found=true fi done # if section not in any file, append section with key = value to FIRST file in files parameter if ! $found ; then file=$(echo "${dropin_conf}" | cut -f1 -d ' ') mkdir -p "$(dirname "$file")" echo -e "[Upload]\nServerCertificateFile=$var_journal_upload_server_certificate_file" >> "$file" fi found=false # set value in all files if they contain section or key for f in $(echo -n "${dropin_conf}"); do if [ ! -e "$f" ]; then continue fi # find key in section and change value if grep -qzosP "[[:space:]]*\[Upload\]([^\n\[]*\n+)+?[[:space:]]*TrustedCertificateFile" "$f"; then if ! grep -qPz "TrustedCertificateFile=$var_journal_upload_server_trusted_certificate_file" "$f"; then sed -i "s/TrustedCertificateFile[^(\n)]*/TrustedCertificateFile=$var_journal_upload_server_trusted_certificate_file/" "$f" fi found=true # find section and add key = value to it elif grep -qs "[[:space:]]*\[Upload\]" "$f"; then sed -i "/[[:space:]]*\[Upload\]/a TrustedCertificateFile=$var_journal_upload_server_trusted_certificate_file" "$f" found=true fi done # if section not in any file, append section with key = value to FIRST file in files parameter if ! $found ; then file=$(echo "${dropin_conf}" | cut -f1 -d ' ') mkdir -p "$(dirname "$file")" echo -e "[Upload]\nTrustedCertificateFile=$var_journal_upload_server_trusted_certificate_file" >> "$file" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_systemd_journal_upload_server_tls' ############################################################################### # BEGIN fix (118 / 386) for 'xccdf_org.ssgproject.content_rule_systemd_journal_upload_url' ############################################################################### (>&2 echo "Remediating rule 118/386: 'xccdf_org.ssgproject.content_rule_systemd_journal_upload_url'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ! (systemctl is-active rsyslog &>/dev/null); }; then dropin_conf=/etc/systemd/journal-upload.conf.d/60-journald_upload.conf mkdir -p /etc/systemd/journal-upload.conf.d touch "${dropin_conf}" for conf in /etc/systemd/journal-upload.conf /etc/systemd/journal-upload.conf.d/*; do [[ -e "${conf}" ]] || continue sed -i --follow-symlinks 's/^URL\>/#&/g' "${conf}" done var_journal_upload_url='remotelogserver' found=false # set value in all files if they contain section or key for f in $(echo -n "${dropin_conf}"); do if [ ! -e "$f" ]; then continue fi # find key in section and change value if grep -qzosP "[[:space:]]*\[Upload\]([^\n\[]*\n+)+?[[:space:]]*URL" "$f"; then if ! grep -qPz "URL=$var_journal_upload_url" "$f"; then sed -i "s/URL[^(\n)]*/URL=$var_journal_upload_url/" "$f" fi found=true # find section and add key = value to it elif grep -qs "[[:space:]]*\[Upload\]" "$f"; then sed -i "/[[:space:]]*\[Upload\]/a URL=$var_journal_upload_url" "$f" found=true fi done # if section not in any file, append section with key = value to FIRST file in files parameter if ! $found ; then file=$(echo "${dropin_conf}" | cut -f1 -d ' ') mkdir -p "$(dirname "$file")" echo -e "[Upload]\nURL=$var_journal_upload_url" >> "$file" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_systemd_journal_upload_url' ############################################################################### # BEGIN fix (119 / 386) for 'xccdf_org.ssgproject.content_rule_package_iptables-persistent_installed' ############################################################################### (>&2 echo "Remediating rule 119/386: 'xccdf_org.ssgproject.content_rule_package_iptables-persistent_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'iptables' 2>/dev/null | grep -q '^installed$'; then var_network_filtering_service='nftables' if [ $var_network_filtering_service == iptables ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "iptables-persistent" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_iptables-persistent_installed' ############################################################################### # BEGIN fix (120 / 386) for 'xccdf_org.ssgproject.content_rule_package_iptables_installed' ############################################################################### (>&2 echo "Remediating rule 120/386: 'xccdf_org.ssgproject.content_rule_package_iptables_installed'") # Remediation is applicable only in certain platforms if ( ! (systemctl is-active nftables &>/dev/null) && ! (systemctl is-active ufw &>/dev/null) && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then var_network_filtering_service='nftables' if [ $var_network_filtering_service == iptables ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "iptables" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_iptables_installed' ############################################################################### # BEGIN fix (121 / 386) for 'xccdf_org.ssgproject.content_rule_package_iptables-persistent_removed' ############################################################################### (>&2 echo "Remediating rule 121/386: 'xccdf_org.ssgproject.content_rule_package_iptables-persistent_removed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'ufw' 2>/dev/null | grep -q '^installed$'; then # CAUTION: This remediation script will remove iptables-persistent # from the system, and may remove any packages # that depend on iptables-persistent. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "iptables-persistent" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_iptables-persistent_removed' ############################################################################### # BEGIN fix (122 / 386) for 'xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule' ############################################################################### (>&2 echo "Remediating rule 122/386: 'xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule' ############################################################################### # BEGIN fix (123 / 386) for 'xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic' ############################################################################### (>&2 echo "Remediating rule 123/386: 'xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic'") # Remediation is applicable only in certain platforms if ( ! ( dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$' ) && ! ( dpkg-query --show --showformat='${db:Status-Status}' 'ufw' 2>/dev/null | grep -q '^installed$' ) && dpkg-query --show --showformat='${db:Status-Status}' 'iptables' 2>/dev/null | grep -q '^installed$' ); then if [ "$(sysctl -n net.ipv6.conf.all.disable_ipv6)" -eq 0 ]; then # IPv6 is not disabled, so run the script ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT ip6tables -A INPUT -s ::1 -j DROP fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic' ############################################################################### # BEGIN fix (124 / 386) for 'xccdf_org.ssgproject.content_rule_set_loopback_traffic' ############################################################################### (>&2 echo "Remediating rule 124/386: 'xccdf_org.ssgproject.content_rule_set_loopback_traffic'") # Remediation is applicable only in certain platforms if ( ! ( dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$' ) && ! ( dpkg-query --show --showformat='${db:Status-Status}' 'ufw' 2>/dev/null | grep -q '^installed$' ) && dpkg-query --show --showformat='${db:Status-Status}' 'iptables' 2>/dev/null | grep -q '^installed$' ); then iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -s 127.0.0.0/8 -j DROP else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_loopback_traffic' ############################################################################### # BEGIN fix (125 / 386) for 'xccdf_org.ssgproject.content_rule_ip6tables_rules_for_open_ports' ############################################################################### (>&2 echo "Remediating rule 125/386: 'xccdf_org.ssgproject.content_rule_ip6tables_rules_for_open_ports'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_ip6tables_rules_for_open_ports' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_ip6tables_rules_for_open_ports' ############################################################################### # BEGIN fix (126 / 386) for 'xccdf_org.ssgproject.content_rule_iptables_rules_for_open_ports' ############################################################################### (>&2 echo "Remediating rule 126/386: 'xccdf_org.ssgproject.content_rule_iptables_rules_for_open_ports'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_iptables_rules_for_open_ports' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_iptables_rules_for_open_ports' ############################################################################### # BEGIN fix (127 / 386) for 'xccdf_org.ssgproject.content_rule_set_iptables_default_rule' ############################################################################### (>&2 echo "Remediating rule 127/386: 'xccdf_org.ssgproject.content_rule_set_iptables_default_rule'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_set_iptables_default_rule' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_set_iptables_default_rule' ############################################################################### # BEGIN fix (128 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' ############################################################################### (>&2 echo "Remediating rule 128/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv6.conf.all.accept_ra" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv6_conf_all_accept_ra_value='0' # # Set runtime for net.ipv6.conf.all.accept_ra # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value" fi # # If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_ra") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_ra_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_ra\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' ############################################################################### # BEGIN fix (129 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' ############################################################################### (>&2 echo "Remediating rule 129/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv6.conf.all.accept_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv6_conf_all_accept_redirects_value='0' # # Set runtime for net.ipv6.conf.all.accept_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value" fi # # If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.accept_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' ############################################################################### # BEGIN fix (130 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' ############################################################################### (>&2 echo "Remediating rule 130/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv6.conf.all.accept_source_route" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv6_conf_all_accept_source_route_value='0' # # Set runtime for net.ipv6.conf.all.accept_source_route # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value" fi # # If net.ipv6.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.accept_source_route") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' ############################################################################### # BEGIN fix (131 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' ############################################################################### (>&2 echo "Remediating rule 131/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv6.conf.all.forwarding" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv6_conf_all_forwarding_value='0' # # Set runtime for net.ipv6.conf.all.forwarding # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value" fi # # If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.all.forwarding = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.forwarding") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_all_forwarding_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.forwarding\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' ############################################################################### # BEGIN fix (132 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' ############################################################################### (>&2 echo "Remediating rule 132/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv6.conf.default.accept_ra" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv6_conf_default_accept_ra_value='0' # # Set runtime for net.ipv6.conf.default.accept_ra # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value" fi # # If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_ra") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_ra_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_ra\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_ra\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' ############################################################################### # BEGIN fix (133 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' ############################################################################### (>&2 echo "Remediating rule 133/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv6.conf.default.accept_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv6_conf_default_accept_redirects_value='0' # # Set runtime for net.ipv6.conf.default.accept_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value" fi # # If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' ############################################################################### # BEGIN fix (134 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' ############################################################################### (>&2 echo "Remediating rule 134/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv6.conf.default.accept_source_route" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv6_conf_default_accept_source_route_value='0' # # Set runtime for net.ipv6.conf.default.accept_source_route # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value" fi # # If net.ipv6.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv6.conf.default.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.accept_source_route") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' ############################################################################### # BEGIN fix (135 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' ############################################################################### (>&2 echo "Remediating rule 135/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.all.accept_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_all_accept_redirects_value='0' # # Set runtime for net.ipv4.conf.all.accept_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value" fi # # If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' ############################################################################### # BEGIN fix (136 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' ############################################################################### (>&2 echo "Remediating rule 136/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.all.accept_source_route" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_all_accept_source_route_value='0' # # Set runtime for net.ipv4.conf.all.accept_source_route # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value" fi # # If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_source_route") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' ############################################################################### # BEGIN fix (137 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' ############################################################################### (>&2 echo "Remediating rule 137/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.all.log_martians" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_all_log_martians_value='1' # # Set runtime for net.ipv4.conf.all.log_martians # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value" fi # # If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.log_martians") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_log_martians_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.log_martians\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' ############################################################################### # BEGIN fix (138 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' ############################################################################### (>&2 echo "Remediating rule 138/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.all.rp_filter" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_all_rp_filter_value='1' # # Set runtime for net.ipv4.conf.all.rp_filter # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value" fi # # If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.rp_filter") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_rp_filter_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.rp_filter\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' ############################################################################### # BEGIN fix (139 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' ############################################################################### (>&2 echo "Remediating rule 139/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.all.secure_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_all_secure_redirects_value='0' # # Set runtime for net.ipv4.conf.all.secure_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value" fi # # If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.secure_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_secure_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.secure_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' ############################################################################### # BEGIN fix (140 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' ############################################################################### (>&2 echo "Remediating rule 140/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_default_accept_redirects_value='0' # # Set runtime for net.ipv4.conf.default.accept_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value" fi # # If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' ############################################################################### # BEGIN fix (141 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' ############################################################################### (>&2 echo "Remediating rule 141/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.default.accept_source_route" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_default_accept_source_route_value='0' # # Set runtime for net.ipv4.conf.default.accept_source_route # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value" fi # # If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_source_route") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_source_route_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_source_route\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_source_route\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' ############################################################################### # BEGIN fix (142 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' ############################################################################### (>&2 echo "Remediating rule 142/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.default.log_martians" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_default_log_martians_value='1' # # Set runtime for net.ipv4.conf.default.log_martians # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value" fi # # If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.log_martians") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_log_martians_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.log_martians\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.log_martians\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' ############################################################################### # BEGIN fix (143 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' ############################################################################### (>&2 echo "Remediating rule 143/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.default.rp_filter" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_default_rp_filter_value='1' # # Set runtime for net.ipv4.conf.default.rp_filter # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value" fi # # If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.rp_filter") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_rp_filter_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.rp_filter\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.rp_filter\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' ############################################################################### # BEGIN fix (144 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' ############################################################################### (>&2 echo "Remediating rule 144/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.default.secure_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_conf_default_secure_redirects_value='0' # # Set runtime for net.ipv4.conf.default.secure_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value" fi # # If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.secure_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_secure_redirects_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' ############################################################################### # BEGIN fix (145 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' ############################################################################### (>&2 echo "Remediating rule 145/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.icmp_echo_ignore_broadcasts" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value='1' # # Set runtime for net.ipv4.icmp_echo_ignore_broadcasts # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" fi # # If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_echo_ignore_broadcasts") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_echo_ignore_broadcasts\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_echo_ignore_broadcasts\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' ############################################################################### # BEGIN fix (146 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' ############################################################################### (>&2 echo "Remediating rule 146/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.icmp_ignore_bogus_error_responses" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value='1' # # Set runtime for net.ipv4.icmp_ignore_bogus_error_responses # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" fi # # If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.icmp_ignore_bogus_error_responses") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.icmp_ignore_bogus_error_responses\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.icmp_ignore_bogus_error_responses\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' ############################################################################### # BEGIN fix (147 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' ############################################################################### (>&2 echo "Remediating rule 147/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.tcp_syncookies" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" sysctl_net_ipv4_tcp_syncookies_value='1' # # Set runtime for net.ipv4.tcp_syncookies # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value" fi # # If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value # else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.tcp_syncookies") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_tcp_syncookies_value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.tcp_syncookies\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.tcp_syncookies\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' ############################################################################### # BEGIN fix (148 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' ############################################################################### (>&2 echo "Remediating rule 148/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.all.send_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" # # Set runtime for net.ipv4.conf.all.send_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0" fi # # If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0" # else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.send_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.send_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.all.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' ############################################################################### # BEGIN fix (149 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' ############################################################################### (>&2 echo "Remediating rule 149/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.conf.default.send_redirects" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" # # Set runtime for net.ipv4.conf.default.send_redirects # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0" fi # # If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" # else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.send_redirects") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.send_redirects\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.send_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' ############################################################################### # BEGIN fix (150 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' ############################################################################### (>&2 echo "Remediating rule 150/386: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "net.ipv4.ip_forward" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" # # Set runtime for net.ipv4.ip_forward # if ! /bin/false ; then /sbin/sysctl -q -n -w net.ipv4.ip_forward="0" fi # # If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0" # else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_forward") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.ip_forward\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.ip_forward\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' ############################################################################### # BEGIN fix (151 / 386) for 'xccdf_org.ssgproject.content_rule_package_nftables_installed' ############################################################################### (>&2 echo "Remediating rule 151/386: 'xccdf_org.ssgproject.content_rule_package_nftables_installed'") # Remediation is applicable only in certain platforms if ( ! (systemctl is-active iptables &>/dev/null) && ! (systemctl is-active ufw &>/dev/null) && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then var_network_filtering_service='nftables' if [ $var_network_filtering_service == nftables ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "nftables" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_nftables_installed' ############################################################################### # BEGIN fix (152 / 386) for 'xccdf_org.ssgproject.content_rule_service_nftables_enabled' ############################################################################### (>&2 echo "Remediating rule 152/386: 'xccdf_org.ssgproject.content_rule_service_nftables_enabled'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$' && ! (systemctl is-active firewalld &>/dev/null) && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'nftables.service' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" start 'nftables.service' fi "$SYSTEMCTL_EXEC" enable 'nftables.service' else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_nftables_enabled' ############################################################################### # BEGIN fix (153 / 386) for 'xccdf_org.ssgproject.content_rule_service_nftables_disabled' ############################################################################### (>&2 echo "Remediating rule 153/386: 'xccdf_org.ssgproject.content_rule_service_nftables_disabled'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'nftables.service' fi "$SYSTEMCTL_EXEC" disable 'nftables.service' "$SYSTEMCTL_EXEC" mask 'nftables.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files nftables.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'nftables.socket' fi "$SYSTEMCTL_EXEC" mask 'nftables.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'nftables.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_nftables_disabled' ############################################################################### # BEGIN fix (154 / 386) for 'xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy' ############################################################################### (>&2 echo "Remediating rule 154/386: 'xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy' ############################################################################### # BEGIN fix (155 / 386) for 'xccdf_org.ssgproject.content_rule_nftables_rules_permanent' ############################################################################### (>&2 echo "Remediating rule 155/386: 'xccdf_org.ssgproject.content_rule_nftables_rules_permanent'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$' && ! (systemctl is-active firewalld &>/dev/null) ); then var_nftables_master_config_file='/etc/nftables.conf' var_nftables_family='inet' if [ ! -f "${var_nftables_master_config_file}" ]; then touch "${var_nftables_master_config_file}" fi nft list ruleset > "/etc/${var_nftables_family}-filter.rules" grep -qxF 'include "/etc/'"${var_nftables_family}"'-filter.rules"' "${var_nftables_master_config_file}" \ || echo 'include "/etc/'"${var_nftables_family}"'-filter.rules"' >> "${var_nftables_master_config_file}" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_nftables_rules_permanent' ############################################################################### # BEGIN fix (156 / 386) for 'xccdf_org.ssgproject.content_rule_set_nftables_base_chain' ############################################################################### (>&2 echo "Remediating rule 156/386: 'xccdf_org.ssgproject.content_rule_set_nftables_base_chain'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$'; then #Name of the table var_nftables_table='filter' #Family of the table var_nftables_family='inet' #Name(s) of base chain var_nftables_base_chain_names='input,forward,output' #Type(s) of base chain var_nftables_base_chain_types='filter,filter,filter' # Hooks for base chain var_nftables_base_chain_hooks='input,forward,output' #Priority var_nftables_base_chain_priorities='0,0,0' #Policy var_nftables_base_chain_policies='accept,accept,accept' #Transfer some of strings to arrays IFS="," read -r -a names <<< "$var_nftables_base_chain_names" IFS="," read -r -a types <<< "$var_nftables_base_chain_types" IFS="," read -r -a hooks <<< "$var_nftables_base_chain_hooks" IFS="," read -r -a priorities <<< "$var_nftables_base_chain_priorities" IFS="," read -r -a policies <<< "$var_nftables_base_chain_policies" my_cmd="nft list tables | grep '$var_nftables_family $var_nftables_table'" eval IS_TABLE_EXIST=\$\($my_cmd\) if [ -z "$IS_TABLE_EXIST" ] then # We create a table and add chains to it nft create table "$var_nftables_family" "$var_nftables_table" num_of_chains=${#names[@]} for ((i=0; i < num_of_chains; i++)) do chain_to_add="add chain $var_nftables_family $var_nftables_table ${names[$i]} { type ${types[$i]} hook ${hooks[$i]} priority ${priorities[$i]} ; policy ${policies[$i]} ; }" my_cmd="nft '$chain_to_add'" eval $my_cmd done else # We add missing chains to the existing table num_of_chains=${#names[@]} for ((i=0; i < num_of_chains; i++)) do IS_CHAIN_EXIST=$(nft list table "$var_nftables_family" "$var_nftables_table" | grep "hook ${hooks[$i]}") if [ -z "$IS_CHAIN_EXIST" ] then chain_to_add="add chain '$var_nftables_family' '$var_nftables_table' ${names[$i]} { type ${types[$i]} hook ${hooks[$i]} priority ${priorities[$i]} ; policy ${policies[$i]} ; }" my_cmd="nft '$chain_to_add'" eval $my_cmd fi done fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_nftables_base_chain' ############################################################################### # BEGIN fix (157 / 386) for 'xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic' ############################################################################### (>&2 echo "Remediating rule 157/386: 'xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$' && ! (systemctl is-active firewalld &>/dev/null) ); then var_nftables_family='inet' grubfile="/boot/grub/grub.cfg" # Implement the loopback rules: nft add rule inet filter input iif lo accept nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop # Check IPv6 is disabled, if false implement IPv6 loopback rules disabled="false" [ -f "$grubfile" ] && ! grep "^\s*linux" "$grubfile" | grep -vq "ipv6.disable=1" && disabled="true" grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \ /etc/sysctl.conf /etc/sysctl.d/*.conf && \ grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \ /etc/sysctl.conf /etc/sysctl.d/*.conf && sysctl net.ipv6.conf.all.disable_ipv6 | \ grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && \ sysctl net.ipv6.conf.default.disable_ipv6 | \ grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && disabled="true" # Is IPv6 Disabled? (true/false) if [ "$disabled" = false ] ; then nft add rule inet filter input ip6 saddr ::1 counter drop fi nft list ruleset > "/etc/${var_nftables_family}-filter.rules" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_nftables_loopback_traffic' ############################################################################### # BEGIN fix (158 / 386) for 'xccdf_org.ssgproject.content_rule_set_nftables_table' ############################################################################### (>&2 echo "Remediating rule 158/386: 'xccdf_org.ssgproject.content_rule_set_nftables_table'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'nftables' 2>/dev/null | grep -q '^installed$'; then var_nftables_family='inet' var_nftables_table='filter' if ! nft list table $var_nftables_family $var_nftables_table; then nft create table "$var_nftables_family" "$var_nftables_table" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_nftables_table' ############################################################################### # BEGIN fix (159 / 386) for 'xccdf_org.ssgproject.content_rule_package_ufw_installed' ############################################################################### (>&2 echo "Remediating rule 159/386: 'xccdf_org.ssgproject.content_rule_package_ufw_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_network_filtering_service='nftables' if [[ "ufw" =~ $var_network_filtering_service ]]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "ufw" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_ufw_installed' ############################################################################### # BEGIN fix (160 / 386) for 'xccdf_org.ssgproject.content_rule_package_ufw_removed' ############################################################################### (>&2 echo "Remediating rule 160/386: 'xccdf_org.ssgproject.content_rule_package_ufw_removed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # CAUTION: This remediation script will remove ufw # from the system, and may remove any packages # that depend on ufw. Execute this # remediation AFTER testing on a non-production # system! var_network_filtering_service='nftables' if [ $var_network_filtering_service != ufw ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "ufw" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_ufw_removed' ############################################################################### # BEGIN fix (161 / 386) for 'xccdf_org.ssgproject.content_rule_service_ufw_enabled' ############################################################################### (>&2 echo "Remediating rule 161/386: 'xccdf_org.ssgproject.content_rule_service_ufw_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ( dpkg-query --show --showformat='${db:Status-Status}' 'ufw' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); }; then var_network_filtering_service='nftables' SYSTEMCTL_EXEC='/usr/bin/systemctl' if [ $var_network_filtering_service == ufw ]; then "$SYSTEMCTL_EXEC" unmask 'ufw.service' "$SYSTEMCTL_EXEC" start 'ufw.service' "$SYSTEMCTL_EXEC" enable 'ufw.service' fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_ufw_enabled' ############################################################################### # BEGIN fix (162 / 386) for 'xccdf_org.ssgproject.content_rule_check_ufw_active' ############################################################################### (>&2 echo "Remediating rule 162/386: 'xccdf_org.ssgproject.content_rule_check_ufw_active'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_check_ufw_active' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_check_ufw_active' ############################################################################### # BEGIN fix (163 / 386) for 'xccdf_org.ssgproject.content_rule_set_ufw_default_rule' ############################################################################### (>&2 echo "Remediating rule 163/386: 'xccdf_org.ssgproject.content_rule_set_ufw_default_rule'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_set_ufw_default_rule' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_set_ufw_default_rule' ############################################################################### # BEGIN fix (164 / 386) for 'xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic' ############################################################################### (>&2 echo "Remediating rule 164/386: 'xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'ufw' 2>/dev/null | grep -q '^installed$'; }; then ufw allow in on lo ufw allow out on lo ufw deny in from 127.0.0.0/8 ufw deny in from ::1 else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_set_ufw_loopback_traffic' ############################################################################### # BEGIN fix (165 / 386) for 'xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports' ############################################################################### (>&2 echo "Remediating rule 165/386: 'xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_ufw_rules_for_open_ports' ############################################################################### # BEGIN fix (166 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable' ############################################################################### (>&2 echo "Remediating rule 166/386: 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable'") FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) # Do not consider /sysroot partition because it contains only the physical # read-only root on bootable containers. PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }' | grep -v "/sysroot") for PARTITION in $PARTITIONS; do find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null done # Ensure /tmp is also fixed when tmpfs is used. if grep "^tmpfs /tmp" /proc/mounts; then find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable' ############################################################################### # BEGIN fix (167 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' ############################################################################### (>&2 echo "Remediating rule 167/386: 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' ############################################################################### # BEGIN fix (168 / 386) for 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' ############################################################################### (>&2 echo "Remediating rule 168/386: 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' ############################################################################### # BEGIN fix (169 / 386) for 'xccdf_org.ssgproject.content_rule_permissions_local_var_log' ############################################################################### (>&2 echo "Remediating rule 169/386: 'xccdf_org.ssgproject.content_rule_permissions_local_var_log'") find -P /var/log/ -perm /u+xs,g+xws,o+xwrt ! -name 'history.log*' ! -name 'eipp.log.xz*' ! -name '[bw]tmp' ! -name '[bw]tmp.*' ! -name '[bw]tmp-*' ! -name 'lastlog' ! -name 'lastlog.*' -type f -regextype posix-extended -regex '.*' -exec chmod u-xs,g-xws,o-xwrt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_permissions_local_var_log' ############################################################################### # BEGIN fix (170 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group' ############################################################################### (>&2 echo "Remediating rule 170/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/group-" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/group- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group' ############################################################################### # BEGIN fix (171 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow' ############################################################################### (>&2 echo "Remediating rule 171/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow'") newgroup="" if getent group "42" >/dev/null 2>&1; then newgroup="42" fi if [[ -z "${newgroup}" ]]; then >&2 echo "42 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/gshadow-" | grep -E -w -q "42"; then chgrp --no-dereference "$newgroup" /etc/gshadow- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow' ############################################################################### # BEGIN fix (172 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd' ############################################################################### (>&2 echo "Remediating rule 172/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/passwd-" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/passwd- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd' ############################################################################### # BEGIN fix (173 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow' ############################################################################### (>&2 echo "Remediating rule 173/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow'") newgroup="" if getent group "42" >/dev/null 2>&1; then newgroup="42" fi if [[ -z "${newgroup}" ]]; then >&2 echo "42 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/shadow-" | grep -E -w -q "42"; then chgrp --no-dereference "$newgroup" /etc/shadow- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow' ############################################################################### # BEGIN fix (174 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_group' ############################################################################### (>&2 echo "Remediating rule 174/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_group'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/group" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/group fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_group' ############################################################################### # BEGIN fix (175 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow' ############################################################################### (>&2 echo "Remediating rule 175/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow'") newgroup="" if getent group "42" >/dev/null 2>&1; then newgroup="42" fi if [[ -z "${newgroup}" ]]; then >&2 echo "42 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/gshadow" | grep -E -w -q "42"; then chgrp --no-dereference "$newgroup" /etc/gshadow fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow' ############################################################################### # BEGIN fix (176 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd' ############################################################################### (>&2 echo "Remediating rule 176/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/passwd" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/passwd fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd' ############################################################################### # BEGIN fix (177 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_security_opasswd' ############################################################################### (>&2 echo "Remediating rule 177/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_security_opasswd'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/security/opasswd" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/security/opasswd fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_security_opasswd' ############################################################################### # BEGIN fix (178 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_security_opasswd_old' ############################################################################### (>&2 echo "Remediating rule 178/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_security_opasswd_old'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/security/opasswd.old" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/security/opasswd.old fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_security_opasswd_old' ############################################################################### # BEGIN fix (179 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow' ############################################################################### (>&2 echo "Remediating rule 179/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow'") newgroup="" if getent group "42" >/dev/null 2>&1; then newgroup="42" fi if [[ -z "${newgroup}" ]]; then >&2 echo "42 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/shadow" | grep -E -w -q "42"; then chgrp --no-dereference "$newgroup" /etc/shadow fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow' ############################################################################### # BEGIN fix (180 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells' ############################################################################### (>&2 echo "Remediating rule 180/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/shells" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/shells fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells' ############################################################################### # BEGIN fix (181 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group' ############################################################################### (>&2 echo "Remediating rule 181/386: 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/group-" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/group- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group' ############################################################################### # BEGIN fix (182 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow' ############################################################################### (>&2 echo "Remediating rule 182/386: 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/gshadow-" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/gshadow- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow' ############################################################################### # BEGIN fix (183 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd' ############################################################################### (>&2 echo "Remediating rule 183/386: 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/passwd-" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/passwd- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd' ############################################################################### # BEGIN fix (184 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow' ############################################################################### (>&2 echo "Remediating rule 184/386: 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/shadow-" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/shadow- fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow' ############################################################################### # BEGIN fix (185 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_group' ############################################################################### (>&2 echo "Remediating rule 185/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_group'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/group" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/group fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_group' ############################################################################### # BEGIN fix (186 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow' ############################################################################### (>&2 echo "Remediating rule 186/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/gshadow" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/gshadow fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow' ############################################################################### # BEGIN fix (187 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd' ############################################################################### (>&2 echo "Remediating rule 187/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/passwd" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/passwd fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd' ############################################################################### # BEGIN fix (188 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_security_opasswd' ############################################################################### (>&2 echo "Remediating rule 188/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_security_opasswd'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/security/opasswd" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/security/opasswd fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_security_opasswd' ############################################################################### # BEGIN fix (189 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_security_opasswd_old' ############################################################################### (>&2 echo "Remediating rule 189/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_security_opasswd_old'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/security/opasswd.old" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/security/opasswd.old fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_security_opasswd_old' ############################################################################### # BEGIN fix (190 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow' ############################################################################### (>&2 echo "Remediating rule 190/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/shadow" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/shadow fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow' ############################################################################### # BEGIN fix (191 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells' ############################################################################### (>&2 echo "Remediating rule 191/386: 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/shells" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/shells fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells' ############################################################################### # BEGIN fix (192 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group' ############################################################################### (>&2 echo "Remediating rule 192/386: 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group'") chmod u-xs,g-xws,o-xwt /etc/group- # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group' ############################################################################### # BEGIN fix (193 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow' ############################################################################### (>&2 echo "Remediating rule 193/386: 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow'") chmod u-xs,g-xws,o-xwrt /etc/gshadow- # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow' ############################################################################### # BEGIN fix (194 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd' ############################################################################### (>&2 echo "Remediating rule 194/386: 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd'") chmod u-xs,g-xws,o-xwt /etc/passwd- # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd' ############################################################################### # BEGIN fix (195 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow' ############################################################################### (>&2 echo "Remediating rule 195/386: 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow'") chmod u-xs,g-xws,o-xwrt /etc/shadow- # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow' ############################################################################### # BEGIN fix (196 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_group' ############################################################################### (>&2 echo "Remediating rule 196/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_group'") chmod u-xs,g-xws,o-xwt /etc/group # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_group' ############################################################################### # BEGIN fix (197 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow' ############################################################################### (>&2 echo "Remediating rule 197/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow'") chmod u-xs,g-xws,o-xwrt /etc/gshadow # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow' ############################################################################### # BEGIN fix (198 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd' ############################################################################### (>&2 echo "Remediating rule 198/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd'") chmod u-xs,g-xws,o-xwt /etc/passwd # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd' ############################################################################### # BEGIN fix (199 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_security_opasswd' ############################################################################### (>&2 echo "Remediating rule 199/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_security_opasswd'") chmod u-xs,g-xwrs,o-xwrt /etc/security/opasswd # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_security_opasswd' ############################################################################### # BEGIN fix (200 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_security_opasswd_old' ############################################################################### (>&2 echo "Remediating rule 200/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_security_opasswd_old'") chmod u-xs,g-xwrs,o-xwrt /etc/security/opasswd.old # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_security_opasswd_old' ############################################################################### # BEGIN fix (201 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow' ############################################################################### (>&2 echo "Remediating rule 201/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow'") chmod u-xs,g-xws,o-xwrt /etc/shadow # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow' ############################################################################### # BEGIN fix (202 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shells' ############################################################################### (>&2 echo "Remediating rule 202/386: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shells'") chmod u-xs,g-xws,o-xwt /etc/shells # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shells' ############################################################################### # BEGIN fix (203 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_auth' ############################################################################### (>&2 echo "Remediating rule 203/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_auth'") newgroup="" if getent group "adm" >/dev/null 2>&1; then newgroup="adm" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "adm and root is not a defined group on the system" else if ! stat -c "%g %G" "/var/log/auth.log" | grep -E -w -q "adm|root"; then chgrp --no-dereference "$newgroup" /var/log/auth.log fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_auth' ############################################################################### # BEGIN fix (204 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_cloud_init' ############################################################################### (>&2 echo "Remediating rule 204/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_cloud_init'") newgroup="" if getent group "adm" >/dev/null 2>&1; then newgroup="adm" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "adm and root is not a defined group on the system" else find -P /var/log/ -maxdepth 1 -type f ! -group adm ! -group root -regextype posix-extended -regex '.*cloud-init\.log.*' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_cloud_init' ############################################################################### # BEGIN fix (205 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_journal' ############################################################################### (>&2 echo "Remediating rule 205/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_journal'") newgroup="" if getent group "systemd-journal" >/dev/null 2>&1; then newgroup="systemd-journal" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "systemd-journal and root is not a defined group on the system" else find -P /var/log/ -type f ! -group systemd-journal ! -group root -regextype posix-extended -regex '.*\.journal[~]?' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_journal' ############################################################################### # BEGIN fix (206 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_lastlog' ############################################################################### (>&2 echo "Remediating rule 206/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_lastlog'") newgroup="" if getent group "utmp" >/dev/null 2>&1; then newgroup="utmp" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "utmp and root is not a defined group on the system" else find -P /var/log/ -maxdepth 1 -type f ! -group utmp ! -group root -regextype posix-extended -regex '.*lastlog(\.[^\/]+)?' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_lastlog' ############################################################################### # BEGIN fix (207 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_localmessages' ############################################################################### (>&2 echo "Remediating rule 207/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_localmessages'") newgroup="" if getent group "adm" >/dev/null 2>&1; then newgroup="adm" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "adm and root is not a defined group on the system" else find -P /var/log/ -maxdepth 1 -type f ! -group adm ! -group root -regextype posix-extended -regex '.*localmessages.*' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_localmessages' ############################################################################### # BEGIN fix (208 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages' ############################################################################### (>&2 echo "Remediating rule 208/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages'") newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/var/log/messages" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /var/log/messages fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages' ############################################################################### # BEGIN fix (209 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_secure' ############################################################################### (>&2 echo "Remediating rule 209/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_secure'") newgroup="" if getent group "adm" >/dev/null 2>&1; then newgroup="adm" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "adm and root is not a defined group on the system" else find -P /var/log/ -maxdepth 1 -type f ! -group adm ! -group root -regextype posix-extended -regex '.*secure(.*[-\.].*)?' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_secure' ############################################################################### # BEGIN fix (210 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog' ############################################################################### (>&2 echo "Remediating rule 210/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'rsyslog' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "4" >/dev/null 2>&1; then newgroup="4" fi if [[ -z "${newgroup}" ]]; then >&2 echo "4 is not a defined group on the system" else if ! stat -c "%g %G" "/var/log/syslog" | grep -E -w -q "4"; then chgrp --no-dereference "$newgroup" /var/log/syslog fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog' ############################################################################### # BEGIN fix (211 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_waagent' ############################################################################### (>&2 echo "Remediating rule 211/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_waagent'") newgroup="" if getent group "adm" >/dev/null 2>&1; then newgroup="adm" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "adm and root is not a defined group on the system" else find -P /var/log/ -maxdepth 1 -type f ! -group adm ! -group root -regextype posix-extended -regex '.*waagent.log.*' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_waagent' ############################################################################### # BEGIN fix (212 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_wbtmp' ############################################################################### (>&2 echo "Remediating rule 212/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_wbtmp'") newgroup="" if getent group "utmp" >/dev/null 2>&1; then newgroup="utmp" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "utmp and root is not a defined group on the system" else find -P /var/log/ -maxdepth 1 -type f ! -group utmp ! -group root -regextype posix-extended -regex '.*(b|w)tmp((\.|-)[^\/]+)?' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_wbtmp' ############################################################################### # BEGIN fix (213 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log' ############################################################################### (>&2 echo "Remediating rule 213/386: 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log'") # see https://workbench.cisecurity.org/benchmarks/18959/tickets/23964 # regarding sssd and gdm exclusions find -P /var/log/ -type f -regextype posix-extended \ ! -group root ! -group adm \ ! -name 'gdm' ! -name 'gdm3' \ ! -name 'sssd' ! -name 'SSSD' \ ! -name 'auth.log' \ ! -name 'messages' \ ! -name 'syslog' \ ! -path '/var/log/apt/*' \ ! -path '/var/log/landscape/*' \ ! -path '/var/log/gdm/*' \ ! -path '/var/log/gdm3/*' \ ! -path '/var/log/sssd/*' \ ! -path '/var/log/[bw]tmp*' \ ! -path '/var/log/cloud-init.log*' \ ! -regex '.*\.journal[~]?' \ ! -regex '.*/lastlog(\.[^\/]+)?$' \ ! -regex '.*/localmessages(.*)' \ ! -regex '.*/secure(.*)' \ ! -regex '.*/waagent.log(.*)' \ -regex '.*' -exec chgrp --no-dereference root {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log' ############################################################################### # BEGIN fix (214 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_apt' ############################################################################### (>&2 echo "Remediating rule 214/386: 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_apt'") newgroup="" if getent group "adm" >/dev/null 2>&1; then newgroup="adm" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "adm and root is not a defined group on the system" else find -P /var/log/apt/ -maxdepth 1 -type f ! -group adm ! -group root -regextype posix-extended -regex '.*' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_apt' ############################################################################### # BEGIN fix (215 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_gdm' ############################################################################### (>&2 echo "Remediating rule 215/386: 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_gdm'") newgroup="" if getent group "gdm" >/dev/null 2>&1; then newgroup="gdm" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "gdm and root is not a defined group on the system" else find -P /var/log/gdm/ -type f ! -group gdm ! -group root -regextype posix-extended -regex '.*' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_gdm' ############################################################################### # BEGIN fix (216 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_gdm3' ############################################################################### (>&2 echo "Remediating rule 216/386: 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_gdm3'") newgroup="" if getent group "gdm" >/dev/null 2>&1; then newgroup="gdm" elif getent group "gdm3" >/dev/null 2>&1; then newgroup="gdm3" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "gdm and gdm3 and root is not a defined group on the system" else find -P /var/log/gdm3/ -type f ! -group gdm ! -group gdm3 ! -group root -regextype posix-extended -regex '.*' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_gdm3' ############################################################################### # BEGIN fix (217 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_landscape' ############################################################################### (>&2 echo "Remediating rule 217/386: 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_landscape'") newgroup="" if getent group "root" >/dev/null 2>&1; then newgroup="root" elif getent group "landscape" >/dev/null 2>&1; then newgroup="landscape" fi if [[ -z "${newgroup}" ]]; then >&2 echo "root and landscape is not a defined group on the system" else find -P /var/log/landscape/ -maxdepth 1 -type f ! -group root ! -group landscape -regextype posix-extended -regex '^.*$' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_landscape' ############################################################################### # BEGIN fix (218 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_sssd' ############################################################################### (>&2 echo "Remediating rule 218/386: 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_sssd'") newgroup="" if getent group "sssd" >/dev/null 2>&1; then newgroup="sssd" elif getent group "root" >/dev/null 2>&1; then newgroup="root" fi if [[ -z "${newgroup}" ]]; then >&2 echo "sssd and root is not a defined group on the system" else find -P /var/log/sssd/ -type f ! -group sssd ! -group root -regextype posix-extended -regex '.*' -exec chgrp --no-dereference "$newgroup" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownerships_var_log_sssd' ############################################################################### # BEGIN fix (219 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_auth' ############################################################################### (>&2 echo "Remediating rule 219/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_auth'") newown="" if id "syslog" >/dev/null 2>&1; then newown="syslog" elif id "root" >/dev/null 2>&1; then newown="root" fi if [[ -z "$newown" ]]; then >&2 echo "syslog and root is not a defined user on the system" else if ! stat -c "%u %U" "/var/log/auth.log" | grep -E -w -q "syslog|root"; then chown --no-dereference "$newown" /var/log/auth.log fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_auth' ############################################################################### # BEGIN fix (220 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_cloud_init' ############################################################################### (>&2 echo "Remediating rule 220/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_cloud_init'") newown="" if id "syslog" >/dev/null 2>&1; then newown="syslog" elif id "root" >/dev/null 2>&1; then newown="root" fi if [[ -z "$newown" ]]; then >&2 echo "syslog and root is not a defined user on the system" else find -P /var/log/ -maxdepth 1 -type f ! -user syslog ! -user root -regextype posix-extended -regex '.*cloud-init\.log.*' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_cloud_init' ############################################################################### # BEGIN fix (221 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_journal' ############################################################################### (>&2 echo "Remediating rule 221/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_journal'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /var/log/ -type f ! -user 0 -regextype posix-extended -regex '.*\.journal(~)?$' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_journal' ############################################################################### # BEGIN fix (222 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_lastlog' ############################################################################### (>&2 echo "Remediating rule 222/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_lastlog'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /var/log/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '.*lastlog(\.[^\/]+)?$' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_lastlog' ############################################################################### # BEGIN fix (223 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_localmessages' ############################################################################### (>&2 echo "Remediating rule 223/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_localmessages'") newown="" if id "syslog" >/dev/null 2>&1; then newown="syslog" elif id "root" >/dev/null 2>&1; then newown="root" fi if [[ -z "$newown" ]]; then >&2 echo "syslog and root is not a defined user on the system" else find -P /var/log/ -maxdepth 1 -type f ! -user syslog ! -user root -regextype posix-extended -regex '.*localmessages.*' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_localmessages' ############################################################################### # BEGIN fix (224 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages' ############################################################################### (>&2 echo "Remediating rule 224/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/var/log/messages" | grep -E -w -q "0"; then chown --no-dereference "$newown" /var/log/messages fi fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages' ############################################################################### # BEGIN fix (225 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_secure' ############################################################################### (>&2 echo "Remediating rule 225/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_secure'") newown="" if id "syslog" >/dev/null 2>&1; then newown="syslog" elif id "root" >/dev/null 2>&1; then newown="root" fi if [[ -z "$newown" ]]; then >&2 echo "syslog and root is not a defined user on the system" else find -P /var/log/ -maxdepth 1 -type f ! -user syslog ! -user root -regextype posix-extended -regex '.*secure(.*[-\.].*)?' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_secure' ############################################################################### # BEGIN fix (226 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' ############################################################################### (>&2 echo "Remediating rule 226/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'rsyslog' 2>/dev/null | grep -q '^installed$'; then newown="" if id "syslog" >/dev/null 2>&1; then newown="syslog" fi if [[ -z "$newown" ]]; then >&2 echo "syslog is not a defined user on the system" else if ! stat -c "%u %U" "/var/log/syslog" | grep -E -w -q "syslog"; then chown --no-dereference "$newown" /var/log/syslog fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' ############################################################################### # BEGIN fix (227 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_waagent' ############################################################################### (>&2 echo "Remediating rule 227/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_waagent'") newown="" if id "syslog" >/dev/null 2>&1; then newown="syslog" elif id "root" >/dev/null 2>&1; then newown="root" fi if [[ -z "$newown" ]]; then >&2 echo "syslog and root is not a defined user on the system" else find -P /var/log/ -maxdepth 1 -type f ! -user syslog ! -user root -regextype posix-extended -regex '.*waagent.log.*' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_waagent' ############################################################################### # BEGIN fix (228 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_wbtmp' ############################################################################### (>&2 echo "Remediating rule 228/386: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_wbtmp'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /var/log/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '.*(b|w)tmp((\.|-)[^\/]+)?$' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_wbtmp' ############################################################################### # BEGIN fix (229 / 386) for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log' ############################################################################### (>&2 echo "Remediating rule 229/386: 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log'") # see https://workbench.cisecurity.org/benchmarks/18959/tickets/23964 # regarding sssd and gdm exclusions find -P /var/log/ -type f -regextype posix-extended \ ! -user root ! -user syslog \ ! -name 'gdm' ! -name 'gdm3' \ ! -name 'sssd' ! -name 'SSSD' \ ! -name 'auth.log' \ ! -name 'messages' \ ! -name 'syslog' \ ! -path '/var/log/apt/*' \ ! -path '/var/log/landscape/*' \ ! -path '/var/log/gdm/*' \ ! -path '/var/log/gdm3/*' \ ! -path '/var/log/sssd/*' \ ! -path '/var/log/[bw]tmp*' \ ! -path '/var/log/cloud-init.log*' \ ! -regex '.*\.journal[~]?' \ ! -regex '.*/lastlog(\.[^\/]+)?$' \ ! -regex '.*/localmessages(.*)' \ ! -regex '.*/secure(.*)' \ ! -regex '.*/waagent.log(.*)' \ -regex '.*' -exec chown --no-dereference root {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log' ############################################################################### # BEGIN fix (230 / 386) for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_apt' ############################################################################### (>&2 echo "Remediating rule 230/386: 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_apt'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /var/log/apt/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_apt' ############################################################################### # BEGIN fix (231 / 386) for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_gdm' ############################################################################### (>&2 echo "Remediating rule 231/386: 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_gdm'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /var/log/gdm/ -type f ! -user 0 -regextype posix-extended -regex '.*' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_gdm' ############################################################################### # BEGIN fix (232 / 386) for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_gdm3' ############################################################################### (>&2 echo "Remediating rule 232/386: 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_gdm3'") newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /var/log/gdm3/ -type f ! -user 0 -regextype posix-extended -regex '.*' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_gdm3' ############################################################################### # BEGIN fix (233 / 386) for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_landscape' ############################################################################### (>&2 echo "Remediating rule 233/386: 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_landscape'") newown="" if id "root" >/dev/null 2>&1; then newown="root" elif id "landscape" >/dev/null 2>&1; then newown="landscape" fi if [[ -z "$newown" ]]; then >&2 echo "root and landscape is not a defined user on the system" else find -P /var/log/landscape/ -maxdepth 1 -type f ! -user root ! -user landscape -regextype posix-extended -regex '^.*$' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_landscape' ############################################################################### # BEGIN fix (234 / 386) for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_sssd' ############################################################################### (>&2 echo "Remediating rule 234/386: 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_sssd'") newown="" if id "sssd" >/dev/null 2>&1; then newown="sssd" elif id "root" >/dev/null 2>&1; then newown="root" fi if [[ -z "$newown" ]]; then >&2 echo "sssd and root is not a defined user on the system" else find -P /var/log/sssd/ -type f ! -user sssd ! -user root -regextype posix-extended -regex '.*' -exec chown --no-dereference "$newown" {} \; fi # END fix for 'xccdf_org.ssgproject.content_rule_file_ownerships_var_log_sssd' ############################################################################### # BEGIN fix (235 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_apt' ############################################################################### (>&2 echo "Remediating rule 235/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_apt'") find -P /var/log/apt/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex '^.*$' -exec chmod u-xs,g-xws,o-xwt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_apt' ############################################################################### # BEGIN fix (236 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_auth' ############################################################################### (>&2 echo "Remediating rule 236/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_auth'") chmod u-xs,g-xws,o-xwrt /var/log/auth.log # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_auth' ############################################################################### # BEGIN fix (237 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_cloud-init' ############################################################################### (>&2 echo "Remediating rule 237/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_cloud-init'") find -P /var/log/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex '.*cloud-init.log([^\/]+)?$' -exec chmod u-xs,g-xws,o-xwt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_cloud-init' ############################################################################### # BEGIN fix (238 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_gdm' ############################################################################### (>&2 echo "Remediating rule 238/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_gdm'") find -P /var/log/gdm/ -perm /u+xs,g+xs,o+xwrt -type f -regextype posix-extended -regex '.*' -exec chmod u-xs,g-xs,o-xwrt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_gdm' ############################################################################### # BEGIN fix (239 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_gdm3' ############################################################################### (>&2 echo "Remediating rule 239/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_gdm3'") find -P /var/log/gdm3/ -perm /u+xs,g+xs,o+xwrt -type f -regextype posix-extended -regex '.*' -exec chmod u-xs,g-xs,o-xwrt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_gdm3' ############################################################################### # BEGIN fix (240 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_lastlog' ############################################################################### (>&2 echo "Remediating rule 240/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_lastlog'") find -P /var/log/ -maxdepth 1 -perm /u+xs,g+xs,o+xwt -type f -regextype posix-extended -regex '.*lastlog(\.[^\/]+)?$' -exec chmod u-xs,g-xs,o-xwt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_lastlog' ############################################################################### # BEGIN fix (241 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_localmessages' ############################################################################### (>&2 echo "Remediating rule 241/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_localmessages'") find -P /var/log/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex '.*localmessages([^\/]+)?$' -exec chmod u-xs,g-xws,o-xwt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_localmessages' ############################################################################### # BEGIN fix (242 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' ############################################################################### (>&2 echo "Remediating rule 242/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages'") chmod u-xs,g-xwrs,o-xwrt /var/log/messages # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' ############################################################################### # BEGIN fix (243 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_secure' ############################################################################### (>&2 echo "Remediating rule 243/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_secure'") chmod u-xs,g-xws,o-xwrt /var/log/secure # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_secure' ############################################################################### # BEGIN fix (244 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_sssd' ############################################################################### (>&2 echo "Remediating rule 244/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_sssd'") find -P /var/log/sssd/ -maxdepth 1 -perm /u+xs,g+xs,o+xwrt -type f -regextype posix-extended -regex '.*' -exec chmod u-xs,g-xs,o-xwrt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_sssd' ############################################################################### # BEGIN fix (245 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog' ############################################################################### (>&2 echo "Remediating rule 245/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog'") chmod u-xs,g-xws,o-xwrt /var/log/syslog # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog' ############################################################################### # BEGIN fix (246 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_waagent' ############################################################################### (>&2 echo "Remediating rule 246/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_waagent'") find -P /var/log/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex '.*waagent.log([^\/]+)?$' -exec chmod u-xs,g-xws,o-xwt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_waagent' ############################################################################### # BEGIN fix (247 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_wbtmp' ############################################################################### (>&2 echo "Remediating rule 247/386: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_wbtmp'") find -P /var/log/ -maxdepth 1 -perm /u+xs,g+xs,o+xwt -type f -regextype posix-extended -regex '.*(b|w)tmp((\.|-)[^\/]+)?$' -exec chmod u-xs,g-xs,o-xwt {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_wbtmp' ############################################################################### # BEGIN fix (248 / 386) for 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' ############################################################################### (>&2 echo "Remediating rule 248/386: 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then sed -i 's#^install cramfs.*#install cramfs /bin/false#g' /etc/modprobe.d/cramfs.conf else echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf fi if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' ############################################################################### # BEGIN fix (249 / 386) for 'xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled' ############################################################################### (>&2 echo "Remediating rule 249/386: 'xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then sed -i 's#^install freevxfs.*#install freevxfs /bin/false#g' /etc/modprobe.d/freevxfs.conf else echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf echo "install freevxfs /bin/false" >> /etc/modprobe.d/freevxfs.conf fi if ! LC_ALL=C grep -q -m 1 "^blacklist freevxfs$" /etc/modprobe.d/freevxfs.conf ; then echo "blacklist freevxfs" >> /etc/modprobe.d/freevxfs.conf fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled' ############################################################################### # BEGIN fix (250 / 386) for 'xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled' ############################################################################### (>&2 echo "Remediating rule 250/386: 'xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then sed -i 's#^install hfs.*#install hfs /bin/false#g' /etc/modprobe.d/hfs.conf else echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf echo "install hfs /bin/false" >> /etc/modprobe.d/hfs.conf fi if ! LC_ALL=C grep -q -m 1 "^blacklist hfs$" /etc/modprobe.d/hfs.conf ; then echo "blacklist hfs" >> /etc/modprobe.d/hfs.conf fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled' ############################################################################### # BEGIN fix (251 / 386) for 'xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled' ############################################################################### (>&2 echo "Remediating rule 251/386: 'xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then sed -i 's#^install hfsplus.*#install hfsplus /bin/false#g' /etc/modprobe.d/hfsplus.conf else echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf echo "install hfsplus /bin/false" >> /etc/modprobe.d/hfsplus.conf fi if ! LC_ALL=C grep -q -m 1 "^blacklist hfsplus$" /etc/modprobe.d/hfsplus.conf ; then echo "blacklist hfsplus" >> /etc/modprobe.d/hfsplus.conf fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled' ############################################################################### # BEGIN fix (252 / 386) for 'xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled' ############################################################################### (>&2 echo "Remediating rule 252/386: 'xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then sed -i 's#^install jffs2.*#install jffs2 /bin/false#g' /etc/modprobe.d/jffs2.conf else echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf echo "install jffs2 /bin/false" >> /etc/modprobe.d/jffs2.conf fi if ! LC_ALL=C grep -q -m 1 "^blacklist jffs2$" /etc/modprobe.d/jffs2.conf ; then echo "blacklist jffs2" >> /etc/modprobe.d/jffs2.conf fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled' ############################################################################### # BEGIN fix (253 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' ############################################################################### (>&2 echo "Remediating rule 253/386: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ); then function perform_remediation { mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="tmpfs" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi if mkdir -p "/dev/shm"; then if mountpoint -q "/dev/shm"; then mount -o remount --target "/dev/shm" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' ############################################################################### # BEGIN fix (254 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' ############################################################################### (>&2 echo "Remediating rule 254/386: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ); then function perform_remediation { mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="tmpfs" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi if mkdir -p "/dev/shm"; then if mountpoint -q "/dev/shm"; then mount -o remount --target "/dev/shm" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' ############################################################################### # BEGIN fix (255 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' ############################################################################### (>&2 echo "Remediating rule 255/386: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ); then function perform_remediation { mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /dev/shm)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="tmpfs" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi if mkdir -p "/dev/shm"; then if mountpoint -q "/dev/shm"; then mount -o remount --target "/dev/shm" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' ############################################################################### # BEGIN fix (256 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' ############################################################################### (>&2 echo "Remediating rule 256/386: 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then function perform_remediation { # the mount point /home has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /home defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi if mkdir -p "/home"; then if mountpoint -q "/home"; then mount -o remount --target "/home" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_home_nodev' ############################################################################### # BEGIN fix (257 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' ############################################################################### (>&2 echo "Remediating rule 257/386: 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then function perform_remediation { # the mount point /home has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /home defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi if mkdir -p "/home"; then if mountpoint -q "/home"; then mount -o remount --target "/home" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' ############################################################################### # BEGIN fix (258 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' ############################################################################### (>&2 echo "Remediating rule 258/386: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null; }; then function perform_remediation { # the mount point /tmp has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi if mkdir -p "/tmp"; then if mountpoint -q "/tmp"; then mount -o remount --target "/tmp" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' ############################################################################### # BEGIN fix (259 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' ############################################################################### (>&2 echo "Remediating rule 259/386: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null; }; then function perform_remediation { # the mount point /tmp has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi if mkdir -p "/tmp"; then if mountpoint -q "/tmp"; then mount -o remount --target "/tmp" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' ############################################################################### # BEGIN fix (260 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' ############################################################################### (>&2 echo "Remediating rule 260/386: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null; }; then function perform_remediation { # the mount point /tmp has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/tmp")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /tmp)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi if mkdir -p "/tmp"; then if mountpoint -q "/tmp"; then mount -o remount --target "/tmp" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' ############################################################################### # BEGIN fix (261 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' ############################################################################### (>&2 echo "Remediating rule 261/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null; }; then function perform_remediation { # the mount point /var/log/audit has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/log/audit defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi if mkdir -p "/var/log/audit"; then if mountpoint -q "/var/log/audit"; then mount -o remount --target "/var/log/audit" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' ############################################################################### # BEGIN fix (262 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' ############################################################################### (>&2 echo "Remediating rule 262/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null; }; then function perform_remediation { # the mount point /var/log/audit has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/log/audit defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi if mkdir -p "/var/log/audit"; then if mountpoint -q "/var/log/audit"; then mount -o remount --target "/var/log/audit" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' ############################################################################### # BEGIN fix (263 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' ############################################################################### (>&2 echo "Remediating rule 263/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null; }; then function perform_remediation { # the mount point /var/log/audit has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log/audit")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log/audit)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/log/audit defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi if mkdir -p "/var/log/audit"; then if mountpoint -q "/var/log/audit"; then mount -o remount --target "/var/log/audit" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' ############################################################################### # BEGIN fix (264 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' ############################################################################### (>&2 echo "Remediating rule 264/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null; }; then function perform_remediation { # the mount point /var/log has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/log defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi if mkdir -p "/var/log"; then if mountpoint -q "/var/log"; then mount -o remount --target "/var/log" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' ############################################################################### # BEGIN fix (265 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' ############################################################################### (>&2 echo "Remediating rule 265/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null; }; then function perform_remediation { # the mount point /var/log has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/log defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi if mkdir -p "/var/log"; then if mountpoint -q "/var/log"; then mount -o remount --target "/var/log" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' ############################################################################### # BEGIN fix (266 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' ############################################################################### (>&2 echo "Remediating rule 266/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null; }; then function perform_remediation { # the mount point /var/log has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/log")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/log)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/log defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi if mkdir -p "/var/log"; then if mountpoint -q "/var/log"; then mount -o remount --target "/var/log" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' ############################################################################### # BEGIN fix (267 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_nodev' ############################################################################### (>&2 echo "Remediating rule 267/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_nodev'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null; }; then function perform_remediation { # the mount point /var has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi if mkdir -p "/var"; then if mountpoint -q "/var"; then mount -o remount --target "/var" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_nodev' ############################################################################### # BEGIN fix (268 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_nosuid' ############################################################################### (>&2 echo "Remediating rule 268/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_nosuid'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var" > /dev/null || findmnt --fstab "/var" > /dev/null; }; then function perform_remediation { # the mount point /var has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi if mkdir -p "/var"; then if mountpoint -q "/var"; then mount -o remount --target "/var" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_nosuid' ############################################################################### # BEGIN fix (269 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev' ############################################################################### (>&2 echo "Remediating rule 269/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null; }; then function perform_remediation { # the mount point /var/tmp has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nodev"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab fi if mkdir -p "/var/tmp"; then if mountpoint -q "/var/tmp"; then mount -o remount --target "/var/tmp" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev' ############################################################################### # BEGIN fix (270 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec' ############################################################################### (>&2 echo "Remediating rule 270/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null; }; then function perform_remediation { # the mount point /var/tmp has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab fi if mkdir -p "/var/tmp"; then if mountpoint -q "/var/tmp"; then mount -o remount --target "/var/tmp" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec' ############################################################################### # BEGIN fix (271 / 386) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid' ############################################################################### (>&2 echo "Remediating rule 271/386: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid'") # Remediation is applicable only in certain platforms if ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) && { findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null; }; then function perform_remediation { # the mount point /var/tmp has to be defined in /etc/fstab # before this remediation can be executed. In case it is not defined, the # remediation aborts and no changes regarding the mount point are done. mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/var/tmp")" grep "$mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2; echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /var/tmp)" # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab if ! grep -q "$mount_point_match_regexp" /etc/fstab; then # runtime opts without some automatic kernel/userspace-added defaults previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//") [ "$previous_mount_opts" ] && previous_mount_opts+="," # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in # fstab as "block". The next variable is to satisfy shellcheck SC2050. fs_type="" if [ "$fs_type" == "iso9660" ] ; then previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts") fi echo " /var/tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "nosuid"; then previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab fi if mkdir -p "/var/tmp"; then if mountpoint -q "/var/tmp"; then mount -o remount --target "/var/tmp" fi fi } perform_remediation else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid' ############################################################################### # BEGIN fix (272 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' ############################################################################### (>&2 echo "Remediating rule 272/386: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "kernel.yama.ptrace_scope" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" # # Set runtime for kernel.yama.ptrace_scope # if ! /bin/false ; then /sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1" fi # # If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1" # else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "1" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' ############################################################################### # BEGIN fix (273 / 386) for 'xccdf_org.ssgproject.content_rule_disable_users_coredumps' ############################################################################### (>&2 echo "Remediating rule 273/386: 'xccdf_org.ssgproject.content_rule_disable_users_coredumps'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; }; then SECURITY_LIMITS_FILE="/etc/security/limits.conf" DROPIN_DIR="/etc/security/limits.d" DROPIN_FILE="$DROPIN_DIR/10-ssg-hardening.conf" REGEX_CORRECT_VALUE="^\s*\*\s+hard\s+core\s+0\s*$" # Remove bad configuration in drop-ins if [ -d "$DROPIN_DIR" ]; then for override in "$DROPIN_DIR"/*.conf; do if [ -f "$override" ] && ! grep -qE "$REGEX_CORRECT_VALUE" "$override"; then sed -ir -E '/^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+/ s/^/#/' "$override" fi done fi if [ -d "$DROPIN_DIR" ] && grep -qEr "$REGEX_CORRECT_VALUE" "$DROPIN_DIR"; then exit 0 elif [ ! -d "$DROPIN_DIR" ] && grep -qE "$REGEX_CORRECT_VALUE" "$SECURITY_LIMITS_FILE"; then exit 0 else mkdir -p "$DROPIN_DIR" echo "* hard core 0" >> $DROPIN_FILE fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_disable_users_coredumps' ############################################################################### # BEGIN fix (274 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable' ############################################################################### (>&2 echo "Remediating rule 274/386: 'xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "fs.suid_dumpable" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" # # Set runtime for fs.suid_dumpable # if ! /bin/false ; then /sbin/sysctl -q -n -w fs.suid_dumpable="0" fi # # If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" # else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "0" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable' ############################################################################### # BEGIN fix (275 / 386) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space' ############################################################################### (>&2 echo "Remediating rule 275/386: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /etc/ufw/sysctl.conf; do # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "kernel.randomize_va_space" matches to preserve user data sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done # # Set sysctl config file which to save the desired value # SYSCONFIG_FILE="/etc/sysctl.conf" # # Set runtime for kernel.randomize_va_space # if ! /bin/false ; then /sbin/sysctl -q -n -w kernel.randomize_va_space="2" fi # # If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2" # else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf # # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space") # shellcheck disable=SC2059 printf -v formatted_output "%s = %s" "$stripped_key" "2" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "${SYSCONFIG_FILE}"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}" else if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}" fi printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space' ############################################################################### # BEGIN fix (276 / 386) for 'xccdf_org.ssgproject.content_rule_service_apport_disabled' ############################################################################### (>&2 echo "Remediating rule 276/386: 'xccdf_org.ssgproject.content_rule_service_apport_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'apport' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'apport.service' fi "$SYSTEMCTL_EXEC" disable 'apport.service' "$SYSTEMCTL_EXEC" mask 'apport.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files apport.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'apport.socket' fi "$SYSTEMCTL_EXEC" mask 'apport.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'apport.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_apport_disabled' ############################################################################### # BEGIN fix (277 / 386) for 'xccdf_org.ssgproject.content_rule_package_cron_installed' ############################################################################### (>&2 echo "Remediating rule 277/386: 'xccdf_org.ssgproject.content_rule_package_cron_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "cron" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_cron_installed' ############################################################################### # BEGIN fix (278 / 386) for 'xccdf_org.ssgproject.content_rule_service_cron_enabled' ############################################################################### (>&2 echo "Remediating rule 278/386: 'xccdf_org.ssgproject.content_rule_service_cron_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" unmask 'cron.service' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" start 'cron.service' fi "$SYSTEMCTL_EXEC" enable 'cron.service' else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_cron_enabled' ############################################################################### # BEGIN fix (279 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d' ############################################################################### (>&2 echo "Remediating rule 279/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else find -P /etc/cron.d/ -maxdepth 0 -type d ! -group 0 -exec chgrp --no-dereference "$newgroup" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d' ############################################################################### # BEGIN fix (280 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily' ############################################################################### (>&2 echo "Remediating rule 280/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else find -P /etc/cron.daily/ -maxdepth 0 -type d ! -group 0 -exec chgrp --no-dereference "$newgroup" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily' ############################################################################### # BEGIN fix (281 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly' ############################################################################### (>&2 echo "Remediating rule 281/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else find -P /etc/cron.hourly/ -maxdepth 0 -type d ! -group 0 -exec chgrp --no-dereference "$newgroup" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly' ############################################################################### # BEGIN fix (282 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly' ############################################################################### (>&2 echo "Remediating rule 282/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else find -P /etc/cron.monthly/ -maxdepth 0 -type d ! -group 0 -exec chgrp --no-dereference "$newgroup" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly' ############################################################################### # BEGIN fix (283 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly' ############################################################################### (>&2 echo "Remediating rule 283/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else find -P /etc/cron.weekly/ -maxdepth 0 -type d ! -group 0 -exec chgrp --no-dereference "$newgroup" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly' ############################################################################### # BEGIN fix (284 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_crontab' ############################################################################### (>&2 echo "Remediating rule 284/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_crontab'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/crontab" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/crontab fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_crontab' ############################################################################### # BEGIN fix (285 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' ############################################################################### (>&2 echo "Remediating rule 285/386: 'xccdf_org.ssgproject.content_rule_file_owner_cron_d'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /etc/cron.d/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' ############################################################################### # BEGIN fix (286 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily' ############################################################################### (>&2 echo "Remediating rule 286/386: 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /etc/cron.daily/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily' ############################################################################### # BEGIN fix (287 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly' ############################################################################### (>&2 echo "Remediating rule 287/386: 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /etc/cron.hourly/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly' ############################################################################### # BEGIN fix (288 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly' ############################################################################### (>&2 echo "Remediating rule 288/386: 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /etc/cron.monthly/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly' ############################################################################### # BEGIN fix (289 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly' ############################################################################### (>&2 echo "Remediating rule 289/386: 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else find -P /etc/cron.weekly/ -maxdepth 0 -type d ! -user 0 -exec chown --no-dereference "$newown" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly' ############################################################################### # BEGIN fix (290 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_crontab' ############################################################################### (>&2 echo "Remediating rule 290/386: 'xccdf_org.ssgproject.content_rule_file_owner_crontab'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/crontab" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/crontab fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_crontab' ############################################################################### # BEGIN fix (291 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d' ############################################################################### (>&2 echo "Remediating rule 291/386: 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then find -H /etc/cron.d/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d' ############################################################################### # BEGIN fix (292 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily' ############################################################################### (>&2 echo "Remediating rule 292/386: 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then find -H /etc/cron.daily/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily' ############################################################################### # BEGIN fix (293 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly' ############################################################################### (>&2 echo "Remediating rule 293/386: 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then find -H /etc/cron.hourly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly' ############################################################################### # BEGIN fix (294 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly' ############################################################################### (>&2 echo "Remediating rule 294/386: 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then find -H /etc/cron.monthly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly' ############################################################################### # BEGIN fix (295 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly' ############################################################################### (>&2 echo "Remediating rule 295/386: 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then find -H /etc/cron.weekly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly' ############################################################################### # BEGIN fix (296 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_crontab' ############################################################################### (>&2 echo "Remediating rule 296/386: 'xccdf_org.ssgproject.content_rule_file_permissions_crontab'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then chmod u-xs,g-xwrs,o-xwrt /etc/crontab else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_crontab' ############################################################################### # BEGIN fix (297 / 386) for 'xccdf_org.ssgproject.content_rule_file_at_allow_exists' ############################################################################### (>&2 echo "Remediating rule 297/386: 'xccdf_org.ssgproject.content_rule_file_at_allow_exists'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then touch /etc/at.allow chown 0 /etc/at.allow chmod 0640 /etc/at.allow else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_at_allow_exists' ############################################################################### # BEGIN fix (298 / 386) for 'xccdf_org.ssgproject.content_rule_file_cron_allow_exists' ############################################################################### (>&2 echo "Remediating rule 298/386: 'xccdf_org.ssgproject.content_rule_file_cron_allow_exists'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then touch /etc/cron.allow chown 0 /etc/cron.allow chmod 0640 /etc/cron.allow else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_cron_allow_exists' ############################################################################### # BEGIN fix (299 / 386) for 'xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist' ############################################################################### (>&2 echo "Remediating rule 299/386: 'xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then if [[ -f /etc/cron.deny ]]; then rm /etc/cron.deny fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist' ############################################################################### # BEGIN fix (300 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_at_allow' ############################################################################### (>&2 echo "Remediating rule 300/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_at_allow'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/at.allow" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/at.allow fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_at_allow' ############################################################################### # BEGIN fix (301 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_at_deny' ############################################################################### (>&2 echo "Remediating rule 301/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_at_deny'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/at.deny" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/at.deny fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_at_deny' ############################################################################### # BEGIN fix (302 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow' ############################################################################### (>&2 echo "Remediating rule 302/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "crontab" >/dev/null 2>&1; then newgroup="crontab" fi if [[ -z "${newgroup}" ]]; then >&2 echo "crontab is not a defined group on the system" else if ! stat -c "%g %G" "/etc/cron.allow" | grep -E -w -q "crontab"; then chgrp --no-dereference "$newgroup" /etc/cron.allow fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow' ############################################################################### # BEGIN fix (303 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_at_allow' ############################################################################### (>&2 echo "Remediating rule 303/386: 'xccdf_org.ssgproject.content_rule_file_owner_at_allow'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/at.allow" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/at.allow fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_at_allow' ############################################################################### # BEGIN fix (304 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_at_deny' ############################################################################### (>&2 echo "Remediating rule 304/386: 'xccdf_org.ssgproject.content_rule_file_owner_at_deny'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/at.deny" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/at.deny fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_at_deny' ############################################################################### # BEGIN fix (305 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_cron_allow' ############################################################################### (>&2 echo "Remediating rule 305/386: 'xccdf_org.ssgproject.content_rule_file_owner_cron_allow'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/cron.allow" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/cron.allow fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_cron_allow' ############################################################################### # BEGIN fix (306 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_at_allow' ############################################################################### (>&2 echo "Remediating rule 306/386: 'xccdf_org.ssgproject.content_rule_file_permissions_at_allow'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then chmod u-xs,g-xws,o-xwrt /etc/at.allow else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_at_allow' ############################################################################### # BEGIN fix (307 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_at_deny' ############################################################################### (>&2 echo "Remediating rule 307/386: 'xccdf_org.ssgproject.content_rule_file_permissions_at_deny'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then chmod u-xs,g-xws,o-xwrt /etc/at.deny else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_at_deny' ############################################################################### # BEGIN fix (308 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_allow' ############################################################################### (>&2 echo "Remediating rule 308/386: 'xccdf_org.ssgproject.content_rule_file_permissions_cron_allow'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then chmod u-xs,g-xws,o-xwrt /etc/cron.allow else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_cron_allow' ############################################################################### # BEGIN fix (309 / 386) for 'xccdf_org.ssgproject.content_rule_package_nis_removed' ############################################################################### (>&2 echo "Remediating rule 309/386: 'xccdf_org.ssgproject.content_rule_package_nis_removed'") # CAUTION: This remediation script will remove nis # from the system, and may remove any packages # that depend on nis. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "nis" # END fix for 'xccdf_org.ssgproject.content_rule_package_nis_removed' ############################################################################### # BEGIN fix (310 / 386) for 'xccdf_org.ssgproject.content_rule_package_dhcp_removed' ############################################################################### (>&2 echo "Remediating rule 310/386: 'xccdf_org.ssgproject.content_rule_package_dhcp_removed'") # CAUTION: This remediation script will remove isc-dhcp-server # from the system, and may remove any packages # that depend on isc-dhcp-server. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "isc-dhcp-server" # END fix for 'xccdf_org.ssgproject.content_rule_package_dhcp_removed' ############################################################################### # BEGIN fix (311 / 386) for 'xccdf_org.ssgproject.content_rule_service_dhcpd6_disabled' ############################################################################### (>&2 echo "Remediating rule 311/386: 'xccdf_org.ssgproject.content_rule_service_dhcpd6_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dhcpd6.service' fi "$SYSTEMCTL_EXEC" disable 'dhcpd6.service' "$SYSTEMCTL_EXEC" mask 'dhcpd6.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files dhcpd6.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dhcpd6.socket' fi "$SYSTEMCTL_EXEC" mask 'dhcpd6.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'dhcpd6.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_dhcpd6_disabled' ############################################################################### # BEGIN fix (312 / 386) for 'xccdf_org.ssgproject.content_rule_service_dhcpd_disabled' ############################################################################### (>&2 echo "Remediating rule 312/386: 'xccdf_org.ssgproject.content_rule_service_dhcpd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dhcpd.service' fi "$SYSTEMCTL_EXEC" disable 'dhcpd.service' "$SYSTEMCTL_EXEC" mask 'dhcpd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files dhcpd.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dhcpd.socket' fi "$SYSTEMCTL_EXEC" mask 'dhcpd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'dhcpd.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_dhcpd_disabled' ############################################################################### # BEGIN fix (313 / 386) for 'xccdf_org.ssgproject.content_rule_package_dnsmasq_removed' ############################################################################### (>&2 echo "Remediating rule 313/386: 'xccdf_org.ssgproject.content_rule_package_dnsmasq_removed'") # CAUTION: This remediation script will remove dnsmasq # from the system, and may remove any packages # that depend on dnsmasq. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "dnsmasq" # END fix for 'xccdf_org.ssgproject.content_rule_package_dnsmasq_removed' ############################################################################### # BEGIN fix (314 / 386) for 'xccdf_org.ssgproject.content_rule_service_dnsmasq_disabled' ############################################################################### (>&2 echo "Remediating rule 314/386: 'xccdf_org.ssgproject.content_rule_service_dnsmasq_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dnsmasq.service' fi "$SYSTEMCTL_EXEC" disable 'dnsmasq.service' "$SYSTEMCTL_EXEC" mask 'dnsmasq.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files dnsmasq.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dnsmasq.socket' fi "$SYSTEMCTL_EXEC" mask 'dnsmasq.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'dnsmasq.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_dnsmasq_disabled' ############################################################################### # BEGIN fix (315 / 386) for 'xccdf_org.ssgproject.content_rule_package_bind_removed' ############################################################################### (>&2 echo "Remediating rule 315/386: 'xccdf_org.ssgproject.content_rule_package_bind_removed'") # CAUTION: This remediation script will remove bind9 # from the system, and may remove any packages # that depend on bind9. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "bind9" # END fix for 'xccdf_org.ssgproject.content_rule_package_bind_removed' ############################################################################### # BEGIN fix (316 / 386) for 'xccdf_org.ssgproject.content_rule_package_ftp_removed' ############################################################################### (>&2 echo "Remediating rule 316/386: 'xccdf_org.ssgproject.content_rule_package_ftp_removed'") # CAUTION: This remediation script will remove ftp # from the system, and may remove any packages # that depend on ftp. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "ftp" # END fix for 'xccdf_org.ssgproject.content_rule_package_ftp_removed' ############################################################################### # BEGIN fix (317 / 386) for 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed' ############################################################################### (>&2 echo "Remediating rule 317/386: 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed'") # CAUTION: This remediation script will remove vsftpd # from the system, and may remove any packages # that depend on vsftpd. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "vsftpd" # END fix for 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed' ############################################################################### # BEGIN fix (318 / 386) for 'xccdf_org.ssgproject.content_rule_service_vsftpd_disabled' ############################################################################### (>&2 echo "Remediating rule 318/386: 'xccdf_org.ssgproject.content_rule_service_vsftpd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'vsftpd.service' fi "$SYSTEMCTL_EXEC" disable 'vsftpd.service' "$SYSTEMCTL_EXEC" mask 'vsftpd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files vsftpd.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'vsftpd.socket' fi "$SYSTEMCTL_EXEC" mask 'vsftpd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'vsftpd.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_vsftpd_disabled' ############################################################################### # BEGIN fix (319 / 386) for 'xccdf_org.ssgproject.content_rule_package_httpd_removed' ############################################################################### (>&2 echo "Remediating rule 319/386: 'xccdf_org.ssgproject.content_rule_package_httpd_removed'") # CAUTION: This remediation script will remove apache2 # from the system, and may remove any packages # that depend on apache2. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "apache2" # END fix for 'xccdf_org.ssgproject.content_rule_package_httpd_removed' ############################################################################### # BEGIN fix (320 / 386) for 'xccdf_org.ssgproject.content_rule_service_httpd_disabled' ############################################################################### (>&2 echo "Remediating rule 320/386: 'xccdf_org.ssgproject.content_rule_service_httpd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'apache2.service' fi "$SYSTEMCTL_EXEC" disable 'apache2.service' "$SYSTEMCTL_EXEC" mask 'apache2.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files apache2.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'apache2.socket' fi "$SYSTEMCTL_EXEC" mask 'apache2.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'apache2.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_httpd_disabled' ############################################################################### # BEGIN fix (321 / 386) for 'xccdf_org.ssgproject.content_rule_package_nginx_removed' ############################################################################### (>&2 echo "Remediating rule 321/386: 'xccdf_org.ssgproject.content_rule_package_nginx_removed'") # CAUTION: This remediation script will remove nginx # from the system, and may remove any packages # that depend on nginx. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "nginx" # END fix for 'xccdf_org.ssgproject.content_rule_package_nginx_removed' ############################################################################### # BEGIN fix (322 / 386) for 'xccdf_org.ssgproject.content_rule_service_nginx_disabled' ############################################################################### (>&2 echo "Remediating rule 322/386: 'xccdf_org.ssgproject.content_rule_service_nginx_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'nginx.service' fi "$SYSTEMCTL_EXEC" disable 'nginx.service' "$SYSTEMCTL_EXEC" mask 'nginx.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files nginx.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'nginx.socket' fi "$SYSTEMCTL_EXEC" mask 'nginx.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'nginx.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_nginx_disabled' ############################################################################### # BEGIN fix (323 / 386) for 'xccdf_org.ssgproject.content_rule_package_dovecot_removed' ############################################################################### (>&2 echo "Remediating rule 323/386: 'xccdf_org.ssgproject.content_rule_package_dovecot_removed'") # CAUTION: This remediation script will remove dovecot-core # from the system, and may remove any packages # that depend on dovecot-core. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "dovecot-core" # END fix for 'xccdf_org.ssgproject.content_rule_package_dovecot_removed' ############################################################################### # BEGIN fix (324 / 386) for 'xccdf_org.ssgproject.content_rule_service_dovecot_disabled' ############################################################################### (>&2 echo "Remediating rule 324/386: 'xccdf_org.ssgproject.content_rule_service_dovecot_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dovecot.service' fi "$SYSTEMCTL_EXEC" disable 'dovecot.service' "$SYSTEMCTL_EXEC" mask 'dovecot.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files dovecot.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'dovecot.socket' fi "$SYSTEMCTL_EXEC" mask 'dovecot.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'dovecot.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_dovecot_disabled' ############################################################################### # BEGIN fix (325 / 386) for 'xccdf_org.ssgproject.content_rule_package_openldap-clients_removed' ############################################################################### (>&2 echo "Remediating rule 325/386: 'xccdf_org.ssgproject.content_rule_package_openldap-clients_removed'") # CAUTION: This remediation script will remove ldap-utils # from the system, and may remove any packages # that depend on ldap-utils. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "ldap-utils" # END fix for 'xccdf_org.ssgproject.content_rule_package_openldap-clients_removed' ############################################################################### # BEGIN fix (326 / 386) for 'xccdf_org.ssgproject.content_rule_package_openldap-servers_removed' ############################################################################### (>&2 echo "Remediating rule 326/386: 'xccdf_org.ssgproject.content_rule_package_openldap-servers_removed'") # CAUTION: This remediation script will remove slapd # from the system, and may remove any packages # that depend on slapd. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "slapd" # END fix for 'xccdf_org.ssgproject.content_rule_package_openldap-servers_removed' ############################################################################### # BEGIN fix (327 / 386) for 'xccdf_org.ssgproject.content_rule_service_slapd_disabled' ############################################################################### (>&2 echo "Remediating rule 327/386: 'xccdf_org.ssgproject.content_rule_service_slapd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'slapd.service' fi "$SYSTEMCTL_EXEC" disable 'slapd.service' "$SYSTEMCTL_EXEC" mask 'slapd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files slapd.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'slapd.socket' fi "$SYSTEMCTL_EXEC" mask 'slapd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'slapd.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_slapd_disabled' ############################################################################### # BEGIN fix (328 / 386) for 'xccdf_org.ssgproject.content_rule_has_nonlocal_mta' ############################################################################### (>&2 echo "Remediating rule 328/386: 'xccdf_org.ssgproject.content_rule_has_nonlocal_mta'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_has_nonlocal_mta' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_has_nonlocal_mta' ############################################################################### # BEGIN fix (329 / 386) for 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' ############################################################################### (>&2 echo "Remediating rule 329/386: 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'postfix' 2>/dev/null | grep -q '^installed$'; }; then var_postfix_inet_interfaces='loopback-only' if [ -e "/etc/postfix/main.cf" ] ; then LC_ALL=C sed -i "/^\s*inet_interfaces\s\+=\s\+/Id" "/etc/postfix/main.cf" else touch "/etc/postfix/main.cf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/postfix/main.cf" cp "/etc/postfix/main.cf" "/etc/postfix/main.cf.bak" # Insert at the end of the file printf '%s\n' "inet_interfaces=$var_postfix_inet_interfaces" >> "/etc/postfix/main.cf" # Clean up after ourselves. rm "/etc/postfix/main.cf.bak" systemctl restart postfix else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' ############################################################################### # BEGIN fix (330 / 386) for 'xccdf_org.ssgproject.content_rule_package_nfs-kernel-server_removed' ############################################################################### (>&2 echo "Remediating rule 330/386: 'xccdf_org.ssgproject.content_rule_package_nfs-kernel-server_removed'") # CAUTION: This remediation script will remove nfs-kernel-server # from the system, and may remove any packages # that depend on nfs-kernel-server. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "nfs-kernel-server" # END fix for 'xccdf_org.ssgproject.content_rule_package_nfs-kernel-server_removed' ############################################################################### # BEGIN fix (331 / 386) for 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed' ############################################################################### (>&2 echo "Remediating rule 331/386: 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # CAUTION: This remediation script will remove rpcbind # from the system, and may remove any packages # that depend on rpcbind. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "rpcbind" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_rpcbind_removed' ############################################################################### # BEGIN fix (332 / 386) for 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled' ############################################################################### (>&2 echo "Remediating rule 332/386: 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'rpcbind.service' fi "$SYSTEMCTL_EXEC" disable 'rpcbind.service' "$SYSTEMCTL_EXEC" mask 'rpcbind.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files rpcbind.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'rpcbind.socket' fi "$SYSTEMCTL_EXEC" mask 'rpcbind.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'rpcbind.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_rpcbind_disabled' ############################################################################### # BEGIN fix (333 / 386) for 'xccdf_org.ssgproject.content_rule_service_nfs_disabled' ############################################################################### (>&2 echo "Remediating rule 333/386: 'xccdf_org.ssgproject.content_rule_service_nfs_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'nfs-server.service' fi "$SYSTEMCTL_EXEC" disable 'nfs-server.service' "$SYSTEMCTL_EXEC" mask 'nfs-server.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files nfs-server.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'nfs-server.socket' fi "$SYSTEMCTL_EXEC" mask 'nfs-server.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'nfs-server.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_nfs_disabled' ############################################################################### # BEGIN fix (334 / 386) for 'xccdf_org.ssgproject.content_rule_package_chrony_installed' ############################################################################### (>&2 echo "Remediating rule 334/386: 'xccdf_org.ssgproject.content_rule_package_chrony_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_timesync_service='systemd-timesyncd' if [ $var_timesync_service == chronyd ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "chrony" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_chrony_installed' ############################################################################### # BEGIN fix (335 / 386) for 'xccdf_org.ssgproject.content_rule_package_timesyncd_installed' ############################################################################### (>&2 echo "Remediating rule 335/386: 'xccdf_org.ssgproject.content_rule_package_timesyncd_installed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_timesync_service='systemd-timesyncd' if [ $var_timesync_service == systemd-timesyncd ]; then DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y "systemd-timesyncd" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_timesyncd_installed' ############################################################################### # BEGIN fix (336 / 386) for 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled' ############################################################################### (>&2 echo "Remediating rule 336/386: 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'chrony' 2>/dev/null | grep -q '^installed$'; }; then var_timesync_service='systemd-timesyncd' SYSTEMCTL_EXEC='/usr/bin/systemctl' if [ $var_timesync_service == chronyd ]; then "$SYSTEMCTL_EXEC" unmask 'chrony.service' "$SYSTEMCTL_EXEC" start 'chrony.service' "$SYSTEMCTL_EXEC" enable 'chrony.service' fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled' ############################################################################### # BEGIN fix (337 / 386) for 'xccdf_org.ssgproject.content_rule_service_timesyncd_enabled' ############################################################################### (>&2 echo "Remediating rule 337/386: 'xccdf_org.ssgproject.content_rule_service_timesyncd_enabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { ( ! ( dpkg-query --show --showformat='${db:Status-Status}' 'chrony' 2>/dev/null | grep -q '^installed$' ) && ! ( dpkg-query --show --showformat='${db:Status-Status}' 'ntp' 2>/dev/null | grep -q '^installed$' ) ); }; then var_timesync_service='systemd-timesyncd' SYSTEMCTL_EXEC='/usr/bin/systemctl' if [ $var_timesync_service == systemd-timesyncd ]; then "$SYSTEMCTL_EXEC" unmask 'systemd-timesyncd.service' "$SYSTEMCTL_EXEC" start 'systemd-timesyncd.service' "$SYSTEMCTL_EXEC" enable 'systemd-timesyncd.service' fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_timesyncd_enabled' ############################################################################### # BEGIN fix (338 / 386) for 'xccdf_org.ssgproject.content_rule_service_chronyd_disabled' ############################################################################### (>&2 echo "Remediating rule 338/386: 'xccdf_org.ssgproject.content_rule_service_chronyd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'chrony' 2>/dev/null | grep -q '^installed$'; }; then var_timesync_service='systemd-timesyncd' if [ $var_timesync_service != chronyd ]; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'chrony.service' "$SYSTEMCTL_EXEC" disable 'chrony.service' "$SYSTEMCTL_EXEC" mask 'chrony.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files chrony.socket; then "$SYSTEMCTL_EXEC" stop 'chrony.socket' "$SYSTEMCTL_EXEC" mask 'chrony.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'chrony.service' || true fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_chronyd_disabled' ############################################################################### # BEGIN fix (339 / 386) for 'xccdf_org.ssgproject.content_rule_service_timesyncd_disabled' ############################################################################### (>&2 echo "Remediating rule 339/386: 'xccdf_org.ssgproject.content_rule_service_timesyncd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'systemd-timesyncd' 2>/dev/null | grep -q '^installed$'; }; then var_timesync_service='systemd-timesyncd' if [ $var_timesync_service != systemd-timesyncd ]; then SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'systemd-timesyncd.service' "$SYSTEMCTL_EXEC" disable 'systemd-timesyncd.service' "$SYSTEMCTL_EXEC" mask 'systemd-timesyncd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files systemd-timesyncd.socket; then "$SYSTEMCTL_EXEC" stop 'systemd-timesyncd.socket' "$SYSTEMCTL_EXEC" mask 'systemd-timesyncd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'systemd-timesyncd.service' || true fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_timesyncd_disabled' ############################################################################### # BEGIN fix (340 / 386) for 'xccdf_org.ssgproject.content_rule_chronyd_configure_pool_and_server' ############################################################################### (>&2 echo "Remediating rule 340/386: 'xccdf_org.ssgproject.content_rule_chronyd_configure_pool_and_server'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'chrony' 2>/dev/null | grep -q '^installed$'; }; then var_multiple_time_servers='time.nist.gov,time-a-g.nist.gov,time-b-g.nist.gov,time-c-g.nist.gov' var_multiple_time_pools='time.nist.gov' config_file="/etc/chrony/chrony.conf" # Check and configigure servers in /etc/chrony/chrony.conf IFS="," read -a SERVERS <<< $var_multiple_time_servers for srv in "${SERVERS[@]}" do NTP_SRV=$(grep -w $srv $config_file) if [[ ! "$NTP_SRV" == "server "* ]] then time_server="server $srv" echo $time_server >> "$config_file" fi done # Check and configure pools in /etc/chrony/chrony.conf IFS="," read -a POOLS <<< $var_multiple_time_pools for srv in "${POOLS[@]}" do NTP_POOL=$(grep -w $srv $config_file) if [[ ! "$NTP_POOL" == "pool "* ]] then time_server="pool $srv" echo $time_server >> "$config_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_chronyd_configure_pool_and_server' ############################################################################### # BEGIN fix (341 / 386) for 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' ############################################################################### (>&2 echo "Remediating rule 341/386: 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'chrony' 2>/dev/null | grep -q '^installed$'; }; then # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^user") # shellcheck disable=SC2059 printf -v formatted_output "%s %s" "$stripped_key" "_chrony" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "^user\\>" "/etc/chrony/chrony.conf"; then escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") LC_ALL=C sed -i --follow-symlinks "s/^user\\>.*/$escaped_formatted_output/gi" "/etc/chrony/chrony.conf" else if [[ -s "/etc/chrony/chrony.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/chrony/chrony.conf" || true)" ]]; then LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/chrony/chrony.conf" fi printf '%s\n' "$formatted_output" >> "/etc/chrony/chrony.conf" fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user' ############################################################################### # BEGIN fix (342 / 386) for 'xccdf_org.ssgproject.content_rule_ntp_single_service_active' ############################################################################### (>&2 echo "Remediating rule 342/386: 'xccdf_org.ssgproject.content_rule_ntp_single_service_active'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_ntp_single_service_active' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_ntp_single_service_active' ############################################################################### # BEGIN fix (343 / 386) for 'xccdf_org.ssgproject.content_rule_service_timesyncd_configured' ############################################################################### (>&2 echo "Remediating rule 343/386: 'xccdf_org.ssgproject.content_rule_service_timesyncd_configured'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' && { dpkg-query --show --showformat='${db:Status-Status}' 'systemd' 2>/dev/null | grep -q '^installed$'; }; then var_multiple_time_servers='time.nist.gov,time-a-g.nist.gov,time-b-g.nist.gov,time-c-g.nist.gov' IFS=',' read -r -a time_servers_array <<< "$var_multiple_time_servers" preferred_ntp_servers_array=("${time_servers_array[@]:0:2}") preferred_ntp_servers=$( echo "${preferred_ntp_servers_array[@]}"|sed -e 's/\s\+/,/g' ) fallback_ntp_servers_array=("${time_servers_array[@]:2}") fallback_ntp_servers=$( echo "${fallback_ntp_servers_array[@]}"|sed -e 's/\s\+/,/g' ) IFS=" " mapfile -t current_cfg_arr < <(ls -1 /etc/systemd/timesyncd.d/* /etc/systemd/timesyncd.conf.d/* 2>/dev/null) config_file="/etc/systemd/timesyncd.conf.d/oscap-remedy.conf" current_cfg_arr+=( "/etc/systemd/timesyncd.conf" ) # Comment existing NTP FallbackNTP settings for current_cfg in "${current_cfg_arr[@]}" do sed -i 's/^NTP/#&/g' "$current_cfg" sed -i 's/^FallbackNTP/#&/g' "$current_cfg" done if [ ! -d "/etc/systemd/timesyncd.conf.d" ] then mkdir /etc/systemd/timesyncd.conf.d fi # Set primary fallback NTP servers in drop-in configuration echo "NTP=$preferred_ntp_servers" >> "$config_file" echo "FallbackNTP=$fallback_ntp_servers" >> "$config_file" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_timesyncd_configured' ############################################################################### # BEGIN fix (344 / 386) for 'xccdf_org.ssgproject.content_rule_package_rsync_removed' ############################################################################### (>&2 echo "Remediating rule 344/386: 'xccdf_org.ssgproject.content_rule_package_rsync_removed'") # CAUTION: This remediation script will remove rsync # from the system, and may remove any packages # that depend on rsync. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "rsync" # END fix for 'xccdf_org.ssgproject.content_rule_package_rsync_removed' ############################################################################### # BEGIN fix (345 / 386) for 'xccdf_org.ssgproject.content_rule_service_rsyncd_disabled' ############################################################################### (>&2 echo "Remediating rule 345/386: 'xccdf_org.ssgproject.content_rule_service_rsyncd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'rsyncd.service' fi "$SYSTEMCTL_EXEC" disable 'rsyncd.service' "$SYSTEMCTL_EXEC" mask 'rsyncd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files rsyncd.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'rsyncd.socket' fi "$SYSTEMCTL_EXEC" mask 'rsyncd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'rsyncd.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_rsyncd_disabled' ############################################################################### # BEGIN fix (346 / 386) for 'xccdf_org.ssgproject.content_rule_package_xinetd_removed' ############################################################################### (>&2 echo "Remediating rule 346/386: 'xccdf_org.ssgproject.content_rule_package_xinetd_removed'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # CAUTION: This remediation script will remove xinetd # from the system, and may remove any packages # that depend on xinetd. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "xinetd" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_package_xinetd_removed' ############################################################################### # BEGIN fix (347 / 386) for 'xccdf_org.ssgproject.content_rule_service_xinetd_disabled' ############################################################################### (>&2 echo "Remediating rule 347/386: 'xccdf_org.ssgproject.content_rule_service_xinetd_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'xinetd.service' fi "$SYSTEMCTL_EXEC" disable 'xinetd.service' "$SYSTEMCTL_EXEC" mask 'xinetd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files xinetd.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'xinetd.socket' fi "$SYSTEMCTL_EXEC" mask 'xinetd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'xinetd.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_xinetd_disabled' ############################################################################### # BEGIN fix (348 / 386) for 'xccdf_org.ssgproject.content_rule_package_ypserv_removed' ############################################################################### (>&2 echo "Remediating rule 348/386: 'xccdf_org.ssgproject.content_rule_package_ypserv_removed'") # CAUTION: This remediation script will remove ypserv # from the system, and may remove any packages # that depend on ypserv. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "ypserv" # END fix for 'xccdf_org.ssgproject.content_rule_package_ypserv_removed' ############################################################################### # BEGIN fix (349 / 386) for 'xccdf_org.ssgproject.content_rule_service_ypserv_disabled' ############################################################################### (>&2 echo "Remediating rule 349/386: 'xccdf_org.ssgproject.content_rule_service_ypserv_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'ypserv.service' fi "$SYSTEMCTL_EXEC" disable 'ypserv.service' "$SYSTEMCTL_EXEC" mask 'ypserv.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files ypserv.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'ypserv.socket' fi "$SYSTEMCTL_EXEC" mask 'ypserv.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'ypserv.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_ypserv_disabled' ############################################################################### # BEGIN fix (350 / 386) for 'xccdf_org.ssgproject.content_rule_package_rsh_removed' ############################################################################### (>&2 echo "Remediating rule 350/386: 'xccdf_org.ssgproject.content_rule_package_rsh_removed'") # CAUTION: This remediation script will remove rsh-client # from the system, and may remove any packages # that depend on rsh-client. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "rsh-client" # END fix for 'xccdf_org.ssgproject.content_rule_package_rsh_removed' ############################################################################### # BEGIN fix (351 / 386) for 'xccdf_org.ssgproject.content_rule_no_rsh_trust_files' ############################################################################### (>&2 echo "Remediating rule 351/386: 'xccdf_org.ssgproject.content_rule_no_rsh_trust_files'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'rsh-server' 2>/dev/null | grep -q '^installed$'; then find /root -xdev -type f -name ".rhosts" -exec rm -f {} \; find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \; rm -f /etc/hosts.equiv else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_no_rsh_trust_files' ############################################################################### # BEGIN fix (352 / 386) for 'xccdf_org.ssgproject.content_rule_package_talk_removed' ############################################################################### (>&2 echo "Remediating rule 352/386: 'xccdf_org.ssgproject.content_rule_package_talk_removed'") # CAUTION: This remediation script will remove talk # from the system, and may remove any packages # that depend on talk. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "talk" # END fix for 'xccdf_org.ssgproject.content_rule_package_talk_removed' ############################################################################### # BEGIN fix (353 / 386) for 'xccdf_org.ssgproject.content_rule_package_telnet_removed' ############################################################################### (>&2 echo "Remediating rule 353/386: 'xccdf_org.ssgproject.content_rule_package_telnet_removed'") # CAUTION: This remediation script will remove telnet # from the system, and may remove any packages # that depend on telnet. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "telnet" # END fix for 'xccdf_org.ssgproject.content_rule_package_telnet_removed' ############################################################################### # BEGIN fix (354 / 386) for 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' ############################################################################### (>&2 echo "Remediating rule 354/386: 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed'") # CAUTION: This remediation script will remove tftpd-hpa # from the system, and may remove any packages # that depend on tftpd-hpa. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "tftpd-hpa" # END fix for 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' ############################################################################### # BEGIN fix (355 / 386) for 'xccdf_org.ssgproject.content_rule_service_tftp_disabled' ############################################################################### (>&2 echo "Remediating rule 355/386: 'xccdf_org.ssgproject.content_rule_service_tftp_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'tftpd-hpa.service' fi "$SYSTEMCTL_EXEC" disable 'tftpd-hpa.service' "$SYSTEMCTL_EXEC" mask 'tftpd-hpa.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files tftpd-hpa.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'tftpd-hpa.socket' fi "$SYSTEMCTL_EXEC" mask 'tftpd-hpa.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'tftpd-hpa.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_tftp_disabled' ############################################################################### # BEGIN fix (356 / 386) for 'xccdf_org.ssgproject.content_rule_package_squid_removed' ############################################################################### (>&2 echo "Remediating rule 356/386: 'xccdf_org.ssgproject.content_rule_package_squid_removed'") # CAUTION: This remediation script will remove squid # from the system, and may remove any packages # that depend on squid. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "squid" # END fix for 'xccdf_org.ssgproject.content_rule_package_squid_removed' ############################################################################### # BEGIN fix (357 / 386) for 'xccdf_org.ssgproject.content_rule_service_squid_disabled' ############################################################################### (>&2 echo "Remediating rule 357/386: 'xccdf_org.ssgproject.content_rule_service_squid_disabled'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'squid' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'squid.service' fi "$SYSTEMCTL_EXEC" disable 'squid.service' "$SYSTEMCTL_EXEC" mask 'squid.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files squid.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'squid.socket' fi "$SYSTEMCTL_EXEC" mask 'squid.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'squid.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_squid_disabled' ############################################################################### # BEGIN fix (358 / 386) for 'xccdf_org.ssgproject.content_rule_package_samba_removed' ############################################################################### (>&2 echo "Remediating rule 358/386: 'xccdf_org.ssgproject.content_rule_package_samba_removed'") # CAUTION: This remediation script will remove samba # from the system, and may remove any packages # that depend on samba. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "samba" # END fix for 'xccdf_org.ssgproject.content_rule_package_samba_removed' ############################################################################### # BEGIN fix (359 / 386) for 'xccdf_org.ssgproject.content_rule_service_smb_disabled' ############################################################################### (>&2 echo "Remediating rule 359/386: 'xccdf_org.ssgproject.content_rule_service_smb_disabled'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'smbd.service' fi "$SYSTEMCTL_EXEC" disable 'smbd.service' "$SYSTEMCTL_EXEC" mask 'smbd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files smbd.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'smbd.socket' fi "$SYSTEMCTL_EXEC" mask 'smbd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'smbd.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_smb_disabled' ############################################################################### # BEGIN fix (360 / 386) for 'xccdf_org.ssgproject.content_rule_package_net-snmp_removed' ############################################################################### (>&2 echo "Remediating rule 360/386: 'xccdf_org.ssgproject.content_rule_package_net-snmp_removed'") # CAUTION: This remediation script will remove snmp # from the system, and may remove any packages # that depend on snmp. Execute this # remediation AFTER testing on a non-production # system! DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "snmp" # END fix for 'xccdf_org.ssgproject.content_rule_package_net-snmp_removed' ############################################################################### # BEGIN fix (361 / 386) for 'xccdf_org.ssgproject.content_rule_service_snmpd_disabled' ############################################################################### (>&2 echo "Remediating rule 361/386: 'xccdf_org.ssgproject.content_rule_service_snmpd_disabled'") # Remediation is applicable only in certain platforms if ( dpkg-query --show --showformat='${db:Status-Status}' 'snmp' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then SYSTEMCTL_EXEC='/usr/bin/systemctl' if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'snmpd.service' fi "$SYSTEMCTL_EXEC" disable 'snmpd.service' "$SYSTEMCTL_EXEC" mask 'snmpd.service' # Disable socket activation if we have a unit file for it if "$SYSTEMCTL_EXEC" -q list-unit-files snmpd.socket; then if [[ $("$SYSTEMCTL_EXEC" is-system-running) != "offline" ]]; then "$SYSTEMCTL_EXEC" stop 'snmpd.socket' fi "$SYSTEMCTL_EXEC" mask 'snmpd.socket' fi # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'snmpd.service' || true else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_service_snmpd_disabled' ############################################################################### # BEGIN fix (362 / 386) for 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config' ############################################################################### (>&2 echo "Remediating rule 362/386: 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else if ! stat -c "%g %G" "/etc/ssh/sshd_config" | grep -E -w -q "0"; then chgrp --no-dereference "$newgroup" /etc/ssh/sshd_config fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config' ############################################################################### # BEGIN fix (363 / 386) for 'xccdf_org.ssgproject.content_rule_file_owner_sshd_config' ############################################################################### (>&2 echo "Remediating rule 363/386: 'xccdf_org.ssgproject.content_rule_file_owner_sshd_config'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then newown="" if id "0" >/dev/null 2>&1; then newown="0" fi if [[ -z "$newown" ]]; then >&2 echo "0 is not a defined user on the system" else if ! stat -c "%u %U" "/etc/ssh/sshd_config" | grep -E -w -q "0"; then chown --no-dereference "$newown" /etc/ssh/sshd_config fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_sshd_config' ############################################################################### # BEGIN fix (364 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' ############################################################################### (>&2 echo "Remediating rule 364/386: 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' ############################################################################### # BEGIN fix (365 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' ############################################################################### (>&2 echo "Remediating rule 365/386: 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then for keyfile in /etc/ssh/*_key; do test -f "$keyfile" || continue if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then chmod u-xs,g-xwrs,o-xwrt "$keyfile" else echo "Key-like file '$keyfile' is owned by an unexpected user:group combination" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' ############################################################################### # BEGIN fix (366 / 386) for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' ############################################################################### (>&2 echo "Remediating rule 366/386: 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then find -P /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \; else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' ############################################################################### # BEGIN fix (367 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' ############################################################################### (>&2 echo "Remediating rule 367/386: 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_sshd_set_keepalive='3' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' ############################################################################### # BEGIN fix (368 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' ############################################################################### (>&2 echo "Remediating rule 368/386: 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then sshd_idle_timeout_value='300' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' ############################################################################### # BEGIN fix (369 / 386) for 'xccdf_org.ssgproject.content_rule_disable_host_auth' ############################################################################### (>&2 echo "Remediating rule 369/386: 'xccdf_org.ssgproject.content_rule_disable_host_auth'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" else touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" # Insert at the beginning of the file printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_disable_host_auth' ############################################################################### # BEGIN fix (370 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' ############################################################################### (>&2 echo "Remediating rule 370/386: 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" else touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" # Insert at the beginning of the file printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' ############################################################################### # BEGIN fix (371 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding' ############################################################################### (>&2 echo "Remediating rule 371/386: 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*DisableForwarding\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*DisableForwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*DisableForwarding\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "DisableForwarding yes" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding' ############################################################################### # BEGIN fix (372 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' ############################################################################### (>&2 echo "Remediating rule 372/386: 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" else touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" # Insert at the beginning of the file printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' ############################################################################### # BEGIN fix (373 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' ############################################################################### (>&2 echo "Remediating rule 373/386: 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" else touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" # Insert at the beginning of the file printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' ############################################################################### # BEGIN fix (374 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' ############################################################################### (>&2 echo "Remediating rule 374/386: 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' ############################################################################### # BEGIN fix (375 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' ############################################################################### (>&2 echo "Remediating rule 375/386: 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" else touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" # Insert at the beginning of the file printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' ############################################################################### # BEGIN fix (376 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' ############################################################################### (>&2 echo "Remediating rule 376/386: 'xccdf_org.ssgproject.content_rule_sshd_enable_pam'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' ############################################################################### # BEGIN fix (377 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' ############################################################################### (>&2 echo "Remediating rule 377/386: 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' ############################################################################### # BEGIN fix (378 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_limit_user_access' ############################################################################### (>&2 echo "Remediating rule 378/386: 'xccdf_org.ssgproject.content_rule_sshd_limit_user_access'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_sshd_limit_user_access' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_sshd_limit_user_access' ############################################################################### # BEGIN fix (379 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' ############################################################################### (>&2 echo "Remediating rule 379/386: 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_sshd_set_login_grace_time='60' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' ############################################################################### # BEGIN fix (380 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' ############################################################################### (>&2 echo "Remediating rule 380/386: 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" else touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" # Insert at the beginning of the file printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" cat "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' ############################################################################### # BEGIN fix (381 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' ############################################################################### (>&2 echo "Remediating rule 381/386: 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then sshd_max_auth_tries_value='4' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' ############################################################################### # BEGIN fix (382 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' ############################################################################### (>&2 echo "Remediating rule 382/386: 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_sshd_max_sessions='10' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' ############################################################################### # BEGIN fix (383 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' ############################################################################### (>&2 echo "Remediating rule 383/386: 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then var_sshd_set_maxstartups='10:30:60' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' ############################################################################### # BEGIN fix (384 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers' ############################################################################### (>&2 echo "Remediating rule 384/386: 'xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers' ############################################################################### # BEGIN fix (385 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' ############################################################################### (>&2 echo "Remediating rule 385/386: 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then sshd_strong_kex='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*KexAlgorithms\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*KexAlgorithms\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*KexAlgorithms\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "KexAlgorithms $sshd_strong_kex" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' ############################################################################### # BEGIN fix (386 / 386) for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' ############################################################################### (>&2 echo "Remediating rule 386/386: 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'") # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then sshd_strong_macs='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config" LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" else touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" # Insert at the beginning of the file printf '%s\n' "MACs $sshd_strong_macs" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" # Clean up after ourselves. rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'