From 8940e8f767e7ebf4c1ae58f99b42bee75942eef7 Mon Sep 17 00:00:00 2001 From: YuQing Date: Thu, 6 Apr 2023 09:56:24 +0800 Subject: [PATCH] =?UTF-8?q?fix=20some=20warnings=20about=20grep.Support=20?= =?UTF-8?q?grep3.8=20or=20later.=20This=20commit=20fixes=20the=20following?= =?UTF-8?q?=20error:=20grep=20version=EF=BC=9Agrep3.8=20or=20later=20grep?= =?UTF-8?q?=20warning1=EF=BC=9Agrep:=20warning:=20stray=20\=20before=20-?= =?UTF-8?q?=20grep=20warning1=EF=BC=9Aegrep:=20warning:=20egrep=20is=20obs?= =?UTF-8?q?olescent;=20using=20grep=20-E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: YuQing --- ...1.13-ensure-ssh-loglevel-is-appropriate.sh | 2 +- ...re-ssh-maxauthtries-is-set-to-4-or-less.sh | 2 +- ...1.15-ensure-ssh-ignorerhosts-is-enabled.sh | 2 +- ...ssh-hostbasedauthentication-is-disabled.sh | 2 +- .../1.17-ensure-ssh-root-login-is-disabled.sh | 2 +- ...re-ssh-permitemptypasswords-is-disabled.sh | 2 +- ...e-ssh-permituserenvironment-is-disabled.sh | 2 +- ...ssh-idle-timeout-interval-is-configured.sh | 4 ++-- ...ngracetime-is-set-to-one-minute-or-less.sh | 2 +- ...ensure-ssh-warning-banner-is-configured.sh | 2 +- ...rd-creation-requirements-are-configured.sh | 14 ++++++------- ...e-password-hashing-algorithm-is-sha-512.sh | 4 ++-- ...password-expiration-is-365-days-or-less.sh | 4 ++-- ...s-between-password-changes-is-7-or-more.sh | 4 ++-- ...rd-expiration-warning-days-is-7-or-more.sh | 4 ++-- ...t-user-umask-is-027-or-more-restrictive.sh | 10 +++++----- ...-access-to-the-su-command-is-restricted.sh | 2 +- ...-maxauthtries-is-set-to-between-3-and-5.sh | 2 +- ...-management-scope-sudoers-are-collected.sh | 20 +++++++++---------- ...fy-user-group-information-are-collected.sh | 8 ++++---- ...ntication-required-for-single-user-mode.sh | 4 ++-- .../4.13-ensure-core-dumps-are-restricted.sh | 6 +++--- ...ure-packet-redirect-sending-is-disabled.sh | 6 +++--- ...-source-routed-packets-are-not-accepted.sh | 10 +++++----- ...-ensure-icmp-redirects-are-not-accepted.sh | 10 +++++----- ...-secure-icmp-redirects-are-not-accepted.sh | 6 +++--- ...52-ensure-suspicious-packets-are-logged.sh | 6 +++--- ...nsure-reverse-path-filtering-is-enabled.sh | 6 +++--- ...-router-advertisements-are-not-accepted.sh | 6 +++--- ...7-ensure-gpgcheck-is-globally-activated.sh | 6 +++--- ...lesystem-integrity-is-regularly-checked.sh | 2 +- ...h-private-host-key-files-are-configured.sh | 6 +++--- ...sh-public-host-key-files-are-configured.sh | 4 ++-- ...rmissions-on-etc-crontab-are-configured.sh | 4 ++-- ...sions-on-etc-cron.hourly-are-configured.sh | 4 ++-- 
...s-between-password-changes-is-7-or-more.sh | 6 +++--- ...rd-expiration-warning-days-is-7-or-more.sh | 6 +++--- ...ssions-on-etc-cron.daily-are-configured.sh | 4 ++-- ...sions-on-etc-cron.weekly-are-configured.sh | 4 ++-- ...ions-on-etc-cron.monthly-are-configured.sh | 4 ++-- ...ermissions-on-etc-cron.d-are-configured.sh | 4 ++-- ...-cron-is-restricted-to-authorized-users.sh | 6 +++--- ...s-on-etc-ssh-sshd_config-are-configured.sh | 4 ++-- ...-management-scope-sudoers-are-collected.sh | 20 +++++++++---------- ...fy-user-group-information-are-collected.sh | 8 ++++---- ...ermissions-on-etc-passwd-are-configured.sh | 4 ++-- ...ermissions-on-etc-shadow-are-configured.sh | 4 ++-- ...permissions-on-etc-group-are-configured.sh | 4 ++-- ...rmissions-on-etc-gshadow-are-configured.sh | 4 ++-- ...rmissions-on-etc-passwd--are-configured.sh | 4 ++-- ...rmissions-on-etc-shadow--are-configured.sh | 4 ++-- ...ermissions-on-etc-group--are-configured.sh | 4 ++-- ...missions-on-etc-gshadow--are-configured.sh | 4 ++-- ...-permissions-on-etc-motd-are-configured.sh | 6 +++--- ...permissions-on-etc-issue-are-configured.sh | 4 ++-- ...issions-on-etc-issue.net-are-configured.sh | 4 ++-- .../run_Anolis_remediation_kit.sh | 4 ++-- tools/scanners/run_Anolis_scanners.sh | 4 ++-- 58 files changed, 150 insertions(+), 150 deletions(-) diff --git a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh index 21e931b..c4f7476 100644 --- a/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh +++ b/remediation-kits/access-and-control/1.13-ensure-ssh-loglevel-is-appropriate.sh 
@@ -1 +1 @@
-egrep -q "^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$/\1LogLevel INFO\2/" /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LogLevel\s+\S+(\s*#.*)?\s*$/\1LogLevel INFO\2/" /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
index 7dee409..c788cf6 100644
--- a/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
+++ b/remediation-kits/access-and-control/1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less.sh
@@ -1 +1 @@
-egrep -q "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
index 3a0b244..ae6c476 100644
--- a/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
+++ b/remediation-kits/access-and-control/1.15-ensure-ssh-ignorerhosts-is-enabled.sh
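Review bot: In 1.13-ensure-ssh-loglevel-is-appropriate.sh the `grep -Eq … && sed -ri … || echo "LogLevel INFO" >> /etc/ssh/sshd_config` line matches the keyword case-sensitively and, when nothing matches, appends the setting at the end of the file. sshd_config keywords are case-insensitive and the first value obtained for a keyword is the one used, so an existing `loglevel DEBUG`, or a value set earlier through an `Include` file, would still win over the appended line; an appended line can also end up inside a trailing `Match` block. The same construct is used in the 1.14 to 1.22 and 1.47 hunks. Consider confirming the effective value with `sshd -T` after the edit and validating the file with `sshd -t` before sshd is reloaded.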
@@ -1 +1 @@
-egrep -q "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)IgnoreRhosts\s+\S+(\s*#.*)?\s*$/\1IgnoreRhosts yes\2/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
index 2eeb713..e656d0d 100644
--- a/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.16-ensure-ssh-hostbasedauthentication-is-disabled.sh
@@ -1 +1 @@
-egrep -q "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)HostbasedAuthentication\s+\S+(\s*#.*)?\s*$/\1HostbasedAuthentication no\2/" /etc/ssh/sshd_config || echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
index e5cb44c..2907dce 100644
--- a/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.17-ensure-ssh-root-login-is-disabled.sh
@@ -1 +1 @@
-egrep -q "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitRootLogin\s+\S+(\s*#.*)?\s*$/\1PermitRootLogin no\2/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
index 18205cc..b74e7ab 100644
--- a/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.18-ensure-ssh-permitemptypasswords-is-disabled.sh
@@ -1 +1 @@
-egrep -q "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitEmptyPasswords\s+\S+(\s*#.*)?\s*$/\1PermitEmptyPasswords no\2/" /etc/ssh/sshd_config || echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
index d3903a4..26173ae 100644
--- a/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
+++ b/remediation-kits/access-and-control/1.19-ensure-ssh-permituserenvironment-is-disabled.sh
@@ -1 +1 @@
-egrep -q "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)PermitUserEnvironment\s+\S+(\s*#.*)?\s*$/\1PermitUserEnvironment no\2/" /etc/ssh/sshd_config || echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
index 0e253f8..ac8940f 100644
--- a/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
+++ b/remediation-kits/access-and-control/1.20-ensure-ssh-idle-timeout-interval-is-configured.sh
@@ -1,2 +1,2 @@
-egrep -q "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
-egrep -q "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveInterval\s+\S+(\s*#.*)?\s*$/\1ClientAliveInterval 900\2/" /etc/ssh/sshd_config || echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
+grep -Eq "^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)ClientAliveCountMax\s+\S+(\s*#.*)?\s*$/\1ClientAliveCountMax 0\2/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
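Review bot: In 1.20-ensure-ssh-idle-timeout-interval-is-configured.sh the two branches of the ClientAliveInterval line disagree: the `sed` replacement writes `ClientAliveInterval 900` while the fallback appends `ClientAliveInterval 300`, so the resulting idle timeout depends on whether the keyword was already present. Use one value in both places, e.g. `|| echo "ClientAliveInterval 900" >> /etc/ssh/sshd_config`, or 300 in the `sed` expression, whichever the benchmark item intends. `ClientAliveCountMax 0` should also be checked against the target OpenSSH version: since OpenSSH 8.2 a value of 0 disables connection termination instead of dropping unresponsive sessions.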
diff --git a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
index cbba3de..65003ec 100644
--- a/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
+++ b/remediation-kits/access-and-control/1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less.sh
@@ -1 +1 @@
-egrep -q "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)LoginGraceTime\s+\S+(\s*#.*)?\s*$/\1LoginGraceTime 60\2/" /etc/ssh/sshd_config || echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
index 4e5e59b..3b6a476 100644
--- a/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
+++ b/remediation-kits/access-and-control/1.22-ensure-ssh-warning-banner-is-configured.sh
@@ -1 +1 @@
-egrep -q "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner \/etc\/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)Banner\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)Banner\s+\S+(\s*#.*)?\s*$/\1Banner \/etc\/issue.net\2/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh
index 72d6829..f376ec1 100644
--- a/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh
+++ b/remediation-kits/access-and-control/1.27-ensure-password-creation-requirements-are-configured.sh
@@ -1,7 +1,7 @@
-egrep -q "^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$/\minlen=14\2/" /etc/security/pwquality.conf || echo "minlen=14" >> /etc/security/pwquality.conf
-egrep -q "^(\s*)dcredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)dcredit\s*=\s*\S+(\s*#.*)?\s*$/\dcredit=-1\2/" /etc/security/pwquality.conf || echo "dcredit=-1" >> /etc/security/pwquality.conf
-egrep -q "^(\s*)ucredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)ucredit\s*=\s*\S+(\s*#.*)?\s*$/\ucredit=-1\2/" /etc/security/pwquality.conf || echo "ucredit=-1" >> /etc/security/pwquality.conf
-egrep -q "^(\s*)ocredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)ocredit\s*=\s*\S+(\s*#.*)?\s*$/\ocredit=-1\2/" /etc/security/pwquality.conf || echo "ocredit=-1" >> /etc/security/pwquality.conf
-egrep -q "^(\s*)lcredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)lcredit\s*=\s*\S+(\s*#.*)?\s*$/\lcredit=-1\2/" /etc/security/pwquality.conf || echo "lcredit=-1" >> /etc/security/pwquality.conf
-egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' /etc/pam.d/system-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=3 \2/ }' /etc/pam.d/system-auth && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=3\3/' /etc/pam.d/system-auth || echo Ensure\ password\ creation\ requirements\ are\ configured - /etc/pam.d/system-auth not configured.
-egrep -q "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' /etc/pam.d/password-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=3 \2/ }' /etc/pam.d/password-auth && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=3\3/' /etc/pam.d/password-auth || echo Ensure\ password\ creation\ requirements\ are\ configured - /etc/pam.d/password-auth not configured.
\ No newline at end of file
+grep -Eq "^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)minlen\s*=\s*\S+(\s*#.*)?\s*$/\minlen=14\2/" /etc/security/pwquality.conf || echo "minlen=14" >> /etc/security/pwquality.conf
+grep -Eq "^(\s*)dcredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)dcredit\s*=\s*\S+(\s*#.*)?\s*$/\dcredit=-1\2/" /etc/security/pwquality.conf || echo "dcredit=-1" >> /etc/security/pwquality.conf
+grep -Eq "^(\s*)ucredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)ucredit\s*=\s*\S+(\s*#.*)?\s*$/\ucredit=-1\2/" /etc/security/pwquality.conf || echo "ucredit=-1" >> /etc/security/pwquality.conf
+grep -Eq "^(\s*)ocredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)ocredit\s*=\s*\S+(\s*#.*)?\s*$/\ocredit=-1\2/" /etc/security/pwquality.conf || echo "ocredit=-1" >> /etc/security/pwquality.conf
+grep -Eq "^(\s*)lcredit\s*=\s*\S+(\s*#.*)?\s*$" /etc/security/pwquality.conf && sed -ri "s/^(\s*)lcredit\s*=\s*\S+(\s*#.*)?\s*$/\lcredit=-1\2/" /etc/security/pwquality.conf || echo "lcredit=-1" >> /etc/security/pwquality.conf
+grep -Eq "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' /etc/pam.d/system-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=3 \2/ }' /etc/pam.d/system-auth && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=3\3/' /etc/pam.d/system-auth || echo Ensure\ password\ creation\ requirements\ are\ configured - /etc/pam.d/system-auth not configured.
+grep -Eq "^\s*password\s+requisite\s+pam_pwquality.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' /etc/pam.d/password-auth && sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=3 \2/ }' /etc/pam.d/password-auth && sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=3\3/' /etc/pam.d/password-auth || echo Ensure\ password\ creation\ requirements\ are\ configured - /etc/pam.d/password-auth not configured.
diff --git a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh
index aa6b0c6..28c105e 100644
--- a/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh
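Review bot: In 1.27-ensure-password-creation-requirements-are-configured.sh the five `sed` replacements for `/etc/security/pwquality.conf` begin with `\minlen`, `\dcredit`, `\ucredit`, `\ocredit` and `\lcredit` where `\1` was evidently intended. With GNU sed, `\u` in a replacement upper-cases the next character, so an existing `ucredit` line would be rewritten as `Ucredit=-1`, which pwquality is unlikely to recognise; `\l`, `\d` and `\o` are likewise GNU sed escape sequences, not literals. Write the back-reference explicitly, e.g. `s/^(\s*)ucredit\s*=\s*\S+(\s*#.*)?\s*$/\1ucredit=-1\2/`, and do the same for the other four keys. The 1.31 to 1.33 hunks have the same slip in `\PASS_MAX_DAYS`, `\PASS_MIN_DAYS` and `\PASS_WARN_AGE`.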
+++ b/remediation-kits/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh
@@ -1,2 +1,2 @@
-egrep -q "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/system-auth
-egrep -q "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/password-auth
\ No newline at end of file
+grep -Eq "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/system-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/system-auth
+grep -Eq "^\s*password\s+sufficient\s+pam_unix.so\s+" /etc/pam.d/password-auth && sed -ri '/^\s*password\s+sufficient\s+pam_unix.so\s+/ { /^\s*password\s+sufficient\s+pam_unix.so(\s+\S+)*(\s+sha512)(\s+.*)?$/! s/^(\s*password\s+sufficient\s+pam_unix.so\s+)(.*)$/\1sha512 \2/ }' /etc/pam.d/password-auth
diff --git a/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh b/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh
index 65925be..8029db2 100644
--- a/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh
+++ b/remediation-kits/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh
@@ -1,2 +1,2 @@
-egrep -q "^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MAX_DAYS 365\2/" /etc/login.defs || echo "PASS_MAX_DAYS 365" >> /etc/login.defs
-getent passwd | cut -f1 -d ":" | xargs -n1 chage --maxdays 365
\ No newline at end of file
+grep -Eq "^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MAX_DAYS 365\2/" /etc/login.defs || echo "PASS_MAX_DAYS 365" >> /etc/login.defs
+getent passwd | cut -f1 -d ":" | xargs -n1 chage --maxdays 365
diff --git a/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh
index 330eb9e..0f17772 100644
--- a/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh
+++ b/remediation-kits/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh
@@ -1,2 +1,2 @@
-egrep -q "^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MIN_DAYS 7\2/" /etc/login.defs || echo "PASS_MIN_DAYS 7" >> /etc/login.defs
-getent passwd | cut -f1 -d ":" | xargs -n1 chage --mindays 7
\ No newline at end of file
+grep -Eq "^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S+(\s*#.*)?\s*$/\PASS_MIN_DAYS 7\2/" /etc/login.defs || echo "PASS_MIN_DAYS 7" >> /etc/login.defs
+getent passwd | cut -f1 -d ":" | xargs -n1 chage --mindays 7
diff --git a/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh
index 27ef4a4..424e012 100644
--- a/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh
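Review bot: In 1.31-ensure-password-expiration-is-365-days-or-less.sh, `getent passwd | cut -f1 -d ":" | xargs -n1 chage --maxdays 365` applies the ageing policy to every entry `getent` returns, which includes root and system or service accounts, and possibly directory-backed users that `chage` cannot modify. Restricting the list to local interactive accounts, for example by the UID range defined in `/etc/login.defs`, would avoid expiring credentials on accounts nobody logs in to and would keep `chage` errors out of the run. The same pipeline appears with `--mindays 7` in the 1.32 hunk and with `--warndays 7` in the 1.33 hunk.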
+++ b/remediation-kits/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh
@@ -1,2 +1,2 @@
-egrep -q "^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$/\PASS_WARN_AGE 7\2/" /etc/login.defs || echo "PASS_WARN_AGE 7" >> /etc/login.defs
-getent passwd | cut -f1 -d ":" | xargs -n1 chage --warndays 7
\ No newline at end of file
+grep -Eq "^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S+(\s*#.*)?\s*$/\PASS_WARN_AGE 7\2/" /etc/login.defs || echo "PASS_WARN_AGE 7" >> /etc/login.defs
+getent passwd | cut -f1 -d ":" | xargs -n1 chage --warndays 7
diff --git a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
index bf298c6..e03ab96 100644
--- a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
+++ b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
@@ -1,7 +1,7 @@ -egrep -q "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/set_umask.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile.d/set_umask.sh || echo "umask 027" >> /etc/profile.d/set_umask.sh -egrep -q "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/bashrc || echo "umask 027" >> /etc/bashrc -egrep -q "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile || echo "umask 027" >> /etc/profile -egrep -q "^(\s*)UMASK\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)UMASK\s+\S+(\s*#.*)?\s*$/\1UMASK 027\2/" /etc/login.defs || echo "UMASK 027" >> /etc/login.defs +grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/set_umask.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile.d/set_umask.sh || echo "umask 027" >> /etc/profile.d/set_umask.sh +grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/bashrc || echo "umask 027" >> /etc/bashrc +grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile || echo "umask 027" >> /etc/profile +grep -Eq "^(\s*)UMASK\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)UMASK\s+\S+(\s*#.*)?\s*$/\1UMASK 027\2/" /etc/login.defs || echo "UMASK 027" >> /etc/login.defs grep -q "USERGROUPS_ENAB" /etc/login.defs && sed -ri "s/^(\s*)USERGROUPS_ENAB\s+\S+(\s*#.*)?\s*$/\1USERGROUPS_ENAB on\2/" /etc/login.defs || echo "USERGROUPS_ENAB no" >> /etc/login.defs echo "session optional pam_umask.so" >> /etc/pam.d/password-auth -echo "session optional pam_umask.so" >> /etc/pam.d/system-auth \ No newline at end of file +echo "session optional pam_umask.so" >> /etc/pam.d/system-auth 
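Review bot: In 1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh the unchanged `USERGROUPS_ENAB` line writes two different values: the `sed` branch sets `USERGROUPS_ENAB on` while the fallback appends `USERGROUPS_ENAB no`, and `on` looks like a typo for `no`. The two `echo "session optional pam_umask.so" >> …` lines also append unconditionally, so every run adds another copy to `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`. Guard them, e.g. `grep -q "pam_umask.so" /etc/pam.d/system-auth || echo "session optional pam_umask.so" >> /etc/pam.d/system-auth`.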
diff --git a/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh b/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh
index 163499f..ef02787 100644
--- a/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh
+++ b/remediation-kits/access-and-control/1.40-ensure-access-to-the-su-command-is-restricted.sh
@@ -1 +1 @@
-egrep -q "^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$" /etc/pam.d/su && sed -ri '/^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$/ { /^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*(\s+use_uid)(\s+.*)?$/! s/^(\s*auth\s+required\s+pam_wheel.so)(\s+.*)?$/\1 use_uid\2/ }' /etc/pam.d/su || echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
\ No newline at end of file
+grep -Eq "^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$" /etc/pam.d/su && sed -ri '/^\s*auth\s+required\s+pam_wheel.so(\s+.*)?$/ { /^\s*auth\s+required\s+pam_wheel.so(\s+\S+)*(\s+use_uid)(\s+.*)?$/! s/^(\s*auth\s+required\s+pam_wheel.so)(\s+.*)?$/\1 use_uid\2/ }' /etc/pam.d/su || echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
diff --git a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
index 7dee409..c788cf6 100644
--- a/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
+++ b/remediation-kits/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
@@ -1 +1 @@
-egrep -q "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
\ No newline at end of file
+grep -Eq "^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$" /etc/ssh/sshd_config && sed -ri "s/^(\s*)MaxAuthTries\s+\S+(\s*#.*)?\s*$/\1MaxAuthTries 4\2/" /etc/ssh/sshd_config || echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
diff --git a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
index 4470486..b331cca 100644
--- a/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
@@ -1,10 +1,10 @@
-grep -Eq "\-w\s/etc/group\s\-p\swa\s\-k\sidentity
-\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity
-\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules
-grep -Eq "\-w\s/etc/group\s\-p\swa\s\-k\sidentity
-\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity
-\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity
-\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
\ No newline at end of file
+grep -q "\-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/rules.d/audit.rules
+grep -q "\-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules || echo -e "\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n" >> /etc/audit/audit.rules
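Review bot: In the 2.22 script the multi-line pattern is treated by `grep` as a list of alternatives, so `grep -q "\-w /etc/group … identity"` succeeds as soon as any one of the five watch rules is present and the missing rules are never appended. The second command now tests `/etc/audit/rules.d/*.rules` but appends to `/etc/audit/audit.rules`; once the first command has written `rules.d/audit.rules` that test always passes, so it should test the file it writes, or be dropped if `audit.rules` is generated from `rules.d` on this system. Checking each rule on its own, e.g. `grep -qxF -e "-w /etc/group -p wa -k identity" FILE || echo "-w /etc/group -p wa -k identity" >> FILE`, fixes the first point; the 2.23 hunk uses the same multi-line pattern. The contents of 2.22 (named for sudoers scope, holds the identity rules) and 2.23 (named for user/group information, holds the sudoers rules) also look swapped.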
diff --git a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
index 4de526e..d106118 100644
--- a/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
+++ b/remediation-kits/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
@@ -1,4 +1,4 @@
-grep -Eq "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
-\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
-grep -Eq "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
-\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
\ No newline at end of file
+grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/rules.d/audit.rules
+grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules || echo -e "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope" >> /etc/audit/audit.rules
diff --git a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
index 54d72c2..0696642 100644
--- a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
+++ b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
@@ -1,2 +1,2 @@
-egrep -q "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service
-egrep -q "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service
\ No newline at end of file
+grep -Eq "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service
+grep -Eq "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service
diff --git a/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh b/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh
index dfe5e7e..c0c4e6b 100644
--- a/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh
+++ b/remediation-kits/system-configurations/4.13-ensure-core-dumps-are-restricted.sh
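Review bot: Both added lines edit the packaged unit files under `/usr/lib/systemd/system/` in place, so the sulogin requirement for rescue and emergency mode is likely to be lost whenever the owning package reinstalls `rescue.service` and `emergency.service`. A drop-in under `/etc/systemd/system/rescue.service.d/` (and the matching directory for emergency) containing `[Service]`, an empty `ExecStart=` to reset the list, and the `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue` line survives updates and leaves the vendor file untouched. The pattern `"^\s*ExecStart\="` also still escapes an ordinary character, which grep 3.8 may report as a stray backslash under `-E`; `ExecStart=` needs no escape.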
@@ -1,3 +1,3 @@
-egrep -q "^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$" /etc/security/limits.conf && sed -ri "s/^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$/\1* hard core 0\2/" /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf
-egrep -q "^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$/\1fs.suid_dumpable = 0\2/" /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
-sysctl -w fs.suid_dumpable=0
\ No newline at end of file
+grep -Eq "^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$" /etc/security/limits.conf && sed -ri "s/^(\s*)\*\s+hard\s+core\s+\S+(\s*#.*)?\s*$/\1* hard core 0\2/" /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf
+grep -Eq "^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)fs.suid_dumpable\s*=\s*\S+(\s*#.*)?\s*$/\1fs.suid_dumpable = 0\2/" /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
+sysctl -w fs.suid_dumpable=0
diff --git a/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh b/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh
index daeebbf..0f2c20f 100644
--- a/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh
+++ b/remediation-kits/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh
@@ -1,5 +1,5 @@ -egrep -q "^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.send_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.send_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.conf.default.send_redirects=0 -sysctl -w net.ipv4.route.flush=1 \ No newline at end of file +sysctl -w net.ipv4.route.flush=1 diff --git a/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh b/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh index d6d831c..dd1feb1 100644 --- a/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh 
@@ -1,10 +1,10 @@ -egrep -q "^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv6.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_source_route = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf +grep -Eq 
"^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv6.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_source_route\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_source_route = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_source_route = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.accept_source_route=0 sysctl -w net.ipv4.conf.default.accept_source_route=0 sysctl -w net.ipv6.conf.all.accept_source_route=0 sysctl -w net.ipv6.conf.default.accept_source_route=0 sysctl -w net.ipv4.route.flush=1 -sysctl -w net.ipv6.route.flush=1 \ No newline at end of file +sysctl -w net.ipv6.route.flush=1 diff --git a/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh b/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh index f897493..025b169 100644 --- a/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh 
@@ -1,10 +1,10 @@ -egrep -q "^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv6.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri 
"s/^(\s*)net.ipv6.conf.all.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv6.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.accept_redirects=0 sysctl -w net.ipv4.conf.default.accept_redirects=0 sysctl -w net.ipv6.conf.all.accept_redirects=0 sysctl -w net.ipv6.conf.default.accept_redirects=0 sysctl -w net.ipv4.route.flush=1 -sysctl -w net.ipv6.route.flush=1 \ No newline at end of file +sysctl -w net.ipv6.route.flush=1 diff --git a/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh b/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh index e2bb075..051910d 100644 --- a/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh 
@@ -1,5 +1,5 @@ -egrep -q "^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.secure_redirects\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.secure_redirects = 0\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.secure_redirects=0 sysctl -w net.ipv4.conf.default.secure_redirects=0 -sysctl -w net.ipv4.route.flush=1 \ No newline at end of file +sysctl -w net.ipv4.route.flush=1 diff --git a/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh b/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh index 18c7c30..1dda5ca 100644 --- a/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh +++ b/remediation-kits/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh 
@@ -1,5 +1,5 @@ -egrep -q "^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.log_martians\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.log_martians = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.log_martians=1 sysctl -w net.ipv4.conf.default.log_martians=1 -sysctl -w net.ipv4.route.flush=1 \ No newline at end of file +sysctl -w net.ipv4.route.flush=1 diff --git a/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh b/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh index 601ec8d..eb376f8 100644 --- a/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh +++ b/remediation-kits/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh 
@@ -1,5 +1,5 @@ -egrep -q "^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.all.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.all.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv4.conf.default.rp_filter\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv4.conf.default.rp_filter = 1\2/" /etc/sysctl.conf || echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.rp_filter=1 sysctl -w net.ipv4.conf.default.rp_filter=1 -sysctl -w net.ipv4.route.flush=1 \ No newline at end of file +sysctl -w net.ipv4.route.flush=1 diff --git a/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh b/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh index bc556be..b22df1d 100644 --- a/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh +++ b/remediation-kits/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh 
@@ -1,5 +1,5 @@ -egrep -q "^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf -egrep -q "^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.all.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.all.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf +grep -Eq "^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$" /etc/sysctl.conf && sed -ri "s/^(\s*)net.ipv6.conf.default.accept_ra\s*=\s*\S+(\s*#.*)?\s*$/\1net.ipv6.conf.default.accept_ra = 0\2/" /etc/sysctl.conf || echo "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf sysctl -w net.ipv6.conf.all.accept_ra=0 sysctl -w net.ipv6.conf.default.accept_ra=0 -sysctl -w net.ipv6.route.flush=1 \ No newline at end of file +sysctl -w net.ipv6.route.flush=1 diff --git a/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh b/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh index 197c8ca..73c9468 100644 --- a/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh +++ b/remediation-kits/system-configurations/4.7-ensure-gpgcheck-is-globally-activated.sh 
@@ -1,4 +1,4 @@ -egrep -q "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" /etc/yum.conf && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" /etc/yum.conf || echo "gpgcheck=1" >> /etc/yum.conf +grep -Eq "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" /etc/yum.conf && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" /etc/yum.conf || echo "gpgcheck=1" >> /etc/yum.conf for file in /etc/yum.repos.d/*; do - egrep -q "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" $file && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" $file || echo "gpgcheck=1" >> $file -done \ No newline at end of file + grep -Eq "^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$" $file && sed -ri "s/^(\s*)gpgcheck\s*=\s*\S+(\s*#.*)?\s*$/\1gpgcheck=1\2/" $file || echo "gpgcheck=1" >> $file +done diff --git a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh index 3195ab6..1473e99 100644 --- a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh +++ b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh @@ -1 +1 @@ -(crontab -u root -l; crontab -u root -l | egrep -q "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root - \ No newline at end of file +(crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root - diff --git a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh index 542acaf..9737c3a 100644 --- a/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh 
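Review bot: In the gpgcheck loop, `$file` is unquoted in all three places and the glob `/etc/yum.repos.d/*` is not limited to repository definitions, so a backup copy, a directory or a name containing whitespace is passed to grep, `sed -ri` and `>>` as it stands. Narrow the glob and quote the variable: `for file in /etc/yum.repos.d/*.repo; do [ -f "$file" ] || continue`, then use `"$file"` in the grep, sed and redirect. Since this script decides whether package signatures are verified, a file that is skipped or mangled here is worth failing loudly on rather than silently continuing.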
+++ b/scanners/access-and-control/1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured.sh @@ -1,11 +1,11 @@ result_root=false result_ssh_keys=false -find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Eiq "root\-root\-([7][1-7][1-7]|[0-7][1-7][1-7])" || result_root=true -find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Eiq "ssh_keys\-root\-([7][5-7][1-7]|[0-7][5-7][1-7])" || result_ssh_keys=true +find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Piq "root\-root\-([7][1-7][1-7]|[0-7][1-7][1-7])" || result_root=true +find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -c %G-%U-%a {} \; | grep -Piq "ssh_keys\-root\-([7][5-7][1-7]|[0-7][5-7][1-7])" || result_ssh_keys=true if [[ "$result_root" == true && "$result_ssh_keys" == true ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh index 07fb861..4a24cd5 100644 --- a/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh +++ b/scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh @@ -1,9 +1,9 @@ result=false -find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Ei "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true +find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat -c %G-%U-%a {} \; | grep -Pi "root\-root\-([7][5-7][5-7]|[0-7][5-7][5-7])" || result=true if [[ "$result" == true ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi 
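Review bot: In the 1.11 scanner the permission regexes match only when both the group digit and the other digit are non-zero (`[1-7][1-7]`), so a root:root private host key with mode 604 or 640 produces no match and the script prints "pass". The check should flag any group or other bit, which is simpler with find than with a regex over `stat` output, e.g. `find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -group root -perm /077 | grep -q .` for the root-owned case. The `ssh_keys` pattern has the same shape (`[5-7][1-7]`) and does not match mode 644 either, so a world-readable key in that group also passes.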
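Review bot: In the 1.12 scanner, switching to `grep -P` in a check of the form `grep ... || result=true` makes the scanner fail open: where grep is built without PCRE support, `-P` exits with an error, the `||` branch runs, and the script reports "pass" without inspecting anything. None of these patterns needs Perl syntax; keeping `-E` and dropping the backslashes before `-` (`grep -Ei "root-root-(...)"`) avoids the grep 3.8 warning with plain POSIX ERE. The same applies to the two `grep -Piq ... ||` lines in the 1.11 scanner and the `/etc/shadow` checks in the 1.32 and 1.33 scanners. This line also has no `-q`, so matching `stat` lines are printed ahead of the pass/fail verdict.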
diff --git a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh index 8d5a03a..3a30bfc 100644 --- a/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh +++ b/scanners/access-and-control/1.2-ensure-permissions-on-etc-crontab-are-configured.sh @@ -1,9 +1,9 @@ result=false -stat -c "%a-%U-%G" /etc/crontab | grep -Eq '^[0-6][0][0]\-root\-root$' && result=true +stat -c "%a-%U-%G" /etc/crontab | grep -Pq '^[0-6][0][0]\-root\-root$' && result=true if [ "$result" = true ] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh index 161faa8..8803947 100644 --- a/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh +++ b/scanners/access-and-control/1.3-ensure-permissions-on-etc-cron.hourly-are-configured.sh @@ -1,9 +1,9 @@ result=false -stat -c "%a-%U-%G" /etc/cron.hourly | grep -Eq '^[0-7][0][0]\-root\-root$' && result=true +stat -c "%a-%U-%G" /etc/cron.hourly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true if [ "$result" = true ] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh index 2cba096..8daa8e1 100644 --- a/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh +++ b/scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh 
@@ -1,11 +1,11 @@ result_login_defs=false result_shadow=false -grep -Eiq "^\s*PASS_MIN_DAYS\s+([7-9]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true -grep -Eiq "^\S+:[^\!\*:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true +grep -Piq "^\s*PASS_MIN_DAYS\s+([7-9]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true +grep -Piq "^\S+:[^\!\*:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true if [[ $result_login_defs == true && $result_shadow == true ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh index f5c3626..0581b9d 100644 --- a/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh +++ b/scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh @@ -1,11 +1,11 @@ result_login_defs=false result_shadow=false -grep -Eiq "^\s*PASS_WARN_AGE\s+([789]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true -grep -Eiq "^\S+:[^\!\*:]*:[^:]*:[^:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true +grep -Piq "^\s*PASS_WARN_AGE\s+([789]|[1-9][0-9]+)\s*(\s+#.*)?$" /etc/login.defs && result_login_defs=true +grep -Piq "^\S+:[^\!\*:]*:[^:]*:[^:]*:[^:]*:([0-6]|\-1):[^:]*:[^:]*:[^:]*\s*$" /etc/shadow || result_shadow=true if [[ $result_login_defs == true && $result_shadow == true ]]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh index 8e6af63..79b5731 100644 
--- a/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh +++ b/scanners/access-and-control/1.4-ensure-permissions-on-etc-cron.daily-are-configured.sh @@ -1,9 +1,9 @@ result=false -stat -c "%a-%U-%G" /etc/cron.daily | grep -Eq '^[0-7][0][0]\-root\-root$' && result=true +stat -c "%a-%U-%G" /etc/cron.daily | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true if [ "$result" = true ] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh index e4519e5..7719f2f 100644 --- a/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh +++ b/scanners/access-and-control/1.5-ensure-permissions-on-etc-cron.weekly-are-configured.sh @@ -1,9 +1,9 @@ result=false -stat -c "%a-%U-%G" /etc/cron.weekly | grep -Eq '^[0-7][0][0]\-root\-root$' && result=true +stat -c "%a-%U-%G" /etc/cron.weekly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true if [ "$result" = true ] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh index c9aca52..9015c1d 100644 --- a/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh +++ b/scanners/access-and-control/1.6-ensure-permissions-on-etc-cron.monthly-are-configured.sh @@ -1,9 +1,9 @@ result=false -stat -c "%a-%U-%G" /etc/cron.monthly | grep -Eq '^[0-7][0][0]\-root\-root$' && result=true +stat -c "%a-%U-%G" /etc/cron.monthly | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true if [ "$result" = true ] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi 
diff --git a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh index 45bc412..e04716e 100644 --- a/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh +++ b/scanners/access-and-control/1.7-ensure-permissions-on-etc-cron.d-are-configured.sh @@ -1,9 +1,9 @@ result=false -stat -c "%a-%U-%G" /etc/cron.d | grep -Eq '^[0-7][0][0]\-root\-root$' && result=true +stat -c "%a-%U-%G" /etc/cron.d | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true if [ "$result" = true ] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh index e273bc8..da68eef 100644 --- a/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh +++ b/scanners/access-and-control/1.8-ensure-at-cron-is-restricted-to-authorized-users.sh @@ -7,15 +7,15 @@ result_at_allow=false [ -e /etc/at.deny ] || result_at_deny=true if [ -e /etc/cron.allow ] ; then - stat -c "%a-%U-%G" /etc/cron.allow | grep -Eq '^[0-6][0][0]\-root\-root$' && result_cron_allow=true + stat -c "%a-%U-%G" /etc/cron.allow | grep -Pq '^[0-6][0][0]\-root\-root$' && result_cron_allow=true fi if [ -e /etc/at.allow ] ; then - stat -c "%a-%U-%G" /etc/at.allow | grep -Eq '^[0-6][0][0]\-root\-root$' && result_at_allow=true + stat -c "%a-%U-%G" /etc/at.allow | grep -Pq '^[0-6][0][0]\-root\-root$' && result_at_allow=true fi if [[ "$result_cron_deny" == true && "$result_at_deny" == true && "$result_cron_allow" == true && "$result_at_allow" == true ]] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi 
diff --git a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh index 5ef6214..951aaf1 100644 --- a/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh +++ b/scanners/access-and-control/1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured.sh @@ -1,9 +1,9 @@ result=false -stat -c "%a-%U-%G" /etc/ssh/sshd_config | grep -Eq '^[0-7][0][0]\-root\-root$' && result=true +stat -c "%a-%U-%G" /etc/ssh/sshd_config | grep -Pq '^[0-7][0][0]\-root\-root$' && result=true if [ "$result" = true ] ; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh index e2f6748..30de77b 100644 --- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh +++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh 
@@ -1,17 +1,17 @@ result=false -grep -Eq "\-w\s/etc/group\s\-p\swa\s\-k\sidentity -\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity -\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/rules.d/audit.rules && grep -Eq "\-w\s/etc/group\s\-p\swa\s\-k\sidentity -\-w\s/etc/passwd\s\-p\swa\s\-k\sidentity -\-w\s/etc/gshadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/shadow\s\-p\swa\s\-k\sidentity -\-w\s/etc/security/opasswd\s\-p\swa\s\-k\sidentity" /etc/audit/audit.rules && result=true +grep -q "\-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && grep -q "\-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && result=true if [ "$result" = true ]; then echo "pass" else echo "fail" -fi \ No newline at end of file +fi diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh index c370724..ec29b97 100644 --- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh +++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh 
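Review bot: Both greps in the added condition read `/etc/audit/rules.d/*.rules`, so the second half of the `&&` repeats the first and `/etc/audit/audit.rules` is no longer checked at all. If only rules.d is meant to be verified, drop the duplicate; otherwise restore the second path. Because the multi-line pattern is read by grep as a list of alternatives, `result=true` is also set when just one of the five watches appears in any file. Testing each rule on its own, for example a loop that runs `grep -qF -e "$rule" /etc/audit/rules.d/*.rules || result=false`, would make the scanner report a missing watch.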
@@ -1,11 +1,11 @@
 result=false
-grep -Eq "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
-\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/rules.d/audit.rules && grep -Eq "\-w\s/etc/sudoers\s\-p\swa\s\-k\sscope
-\-w\s/etc/sudoers.d/\s\-p\swa\s\-k\sscope" /etc/audit/audit.rules && result=true
+grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules && grep -q "\-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules && result=true
 if [ "$result" = true ]; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh
index a7acb21..ebf9c80 100644
--- a/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh
+++ b/scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/passwd | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/passwd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh
index dcaa5b1..051fee1 100644
--- a/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh
+++ b/scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/shadow | grep -Eq '^[0]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/shadow | grep -Pq '^[0]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh
index a6493d0..f826879 100644
--- a/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh
+++ b/scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/group | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/group | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh
index 9186800..05dcadb 100644
--- a/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh
+++ b/scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/gshadow | grep -Eq '^[0]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/gshadow | grep -Pq '^[0]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh
index b32766c..8a33498 100644
--- a/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh
+++ b/scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/passwd- | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/passwd- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh
index 1c956f7..b6ffb57 100644
--- a/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh
+++ b/scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/shadow- | grep -Eq '^[0]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/shadow- | grep -Pq '^[0]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh
index b70dbec..283c771 100644
--- a/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh
+++ b/scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/group- | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/group- | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh
index 781ba59..eced746 100644
--- a/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh
+++ b/scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/gshadow- | grep -Eq '^[0]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/gshadow- | grep -Pq '^[0]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
index 47ed743..dd58a16 100644
--- a/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
+++ b/scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
@@ -3,13 +3,13 @@ result=false
 if [[ ! -f /etc/motd ]] ; then
 result=true
 elif [[ ! -h /etc/motd ]] ; then
- stat -c "%a-%U-%G" /etc/motd | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && result=true
+ stat -c "%a-%U-%G" /etc/motd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
 elif [[ -h /etc/motd ]] && [[ -f /var/lib/update-motd/motd ]] ; then
- stat -c "%a-%U-%G" /var/lib/update-motd/motd | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && stat -c "%U-%G" /etc/motd | grep -Eq '^root\-root$' && result=true
+ stat -c "%a-%U-%G" /var/lib/update-motd/motd | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && stat -c "%U-%G" /etc/motd | grep -Pq '^root\-root$' && result=true
 fi
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
index c55bd2d..95edca7 100644
--- a/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
+++ b/scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/issue | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/issue | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
index 9e7c5ff..ee5dfd4 100644
--- a/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
+++ b/scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
@@ -1,9 +1,9 @@
 result=false
-stat -c "%a-%U-%G" /etc/issue.net | grep -Eq '^[0-6][0-4][0-4]\-root\-root$' && result=true
+stat -c "%a-%U-%G" /etc/issue.net | grep -Pq '^[0-6][0-4][0-4]\-root\-root$' && result=true
 if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-fi
\ No newline at end of file
+fi
diff --git a/tools/remediation-kits/run_Anolis_remediation_kit.sh b/tools/remediation-kits/run_Anolis_remediation_kit.sh
index a3048e4..22cd485 100755
--- a/tools/remediation-kits/run_Anolis_remediation_kit.sh
+++ b/tools/remediation-kits/run_Anolis_remediation_kit.sh
@@ -39,7 +39,7 @@ function executeScripts()
 if [[ ! -z "$Dir" ]] ; then
 cd $Dir # 切换至修复脚本所在目录
 number=$line
- filename=`ls | grep "^$number\-.*.sh$"` # 根据编号查询修复脚本完整文件名
+ filename=`ls | grep -P "^$number\-.*.sh$"` # 根据编号查询修复脚本完整文件名
 if [[ -a $filename ]] ; then
 echo "---Executing the script: $filename---"
 sh $filename
@@ -82,4 +82,4 @@ elif [[ $# -eq 2 && $1 == "-c" ]] ; then # -c参数 指定自定义config
 fi
 else
 helpinfo
-fi
\ No newline at end of file
+fi
diff --git a/tools/scanners/run_Anolis_scanners.sh b/tools/scanners/run_Anolis_scanners.sh
index 9174950..8931675 100755
--- a/tools/scanners/run_Anolis_scanners.sh
+++ b/tools/scanners/run_Anolis_scanners.sh
@@ -55,7 +55,7 @@ function executeScripts()
 assignPath
 if [[ ! -z "$Dir" ]] ; then
 cd $Dir
- filename=`ls | grep "^$line\-.*.sh$"` # 获取扫描脚本完整名称
+ filename=`ls | grep -P "^$line\-.*.sh$"` # 获取扫描脚本完整名称
 if [[ -a $filename ]] ; then
 res1=`sh $filename | grep -P "^(pass|fail)$"` # 获取扫描脚本执行结果(pass or fail)
 ((total++)) # 总检查量
@@ -134,4 +134,4 @@ current_path="$(cd $(dirname $0);pwd)" # 获取绝对路径
 option $@
-[ ! -z $config ] && main
\ No newline at end of file
+[ ! -z $config ] && main
-- Gitee
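Review bot: In `tools/remediation-kits/run_Anolis_remediation_kit.sh` the rule number is still spliced into the pattern unescaped (`"^$number\-.*.sh$"`), so its dots match any character, and the name that comes back from parsing `ls` is then used unquoted in `[[ -a $filename ]]` and `sh $filename`. `$number` is taken from `$line`, which presumably is read from the config file, so a glob is the more predictable lookup: `files=("$number"-*.sh); filename=${files[0]}`, followed by `sh "$filename"`. A glob also needs no regex engine, which removes the new `-P` dependency here. The `filename=` line in the `tools/scanners/run_Anolis_scanners.sh` hunk has the same shape with `$line`. `executeScripts` starts and ends outside both hunks.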