From baba35897f3fff9062edeb07777dc97ef7cee521 Mon Sep 17 00:00:00 2001
From: davni-fbp
Date: Thu, 14 Mar 2024 14:41:26 +0100
Subject: [PATCH 01/17] 'Manual Review Required' replaced by 'None'
---
 ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index 7889c424..cfdf7798 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -3,7 +3,7 @@ $rcTrue = "True"
 $rcCompliant = "Compliant"
 $rcFalse = "False"
 $rcNonCompliant = "Non-Compliant"
-$rcNonCompliantManualReviewRequired = "Manual review required"
+$rcNonCompliantManualReviewRequired = "None"
 $rcCompliantIPv6isDisabled = "IPv6 is disabled"
 $retCompliant = @{
From 5ffe1d3288b564d8c35fc320c4846f3bf166c3f2 Mon Sep 17 00:00:00 2001
From: davni-fbp
Date: Thu, 14 Mar 2024 14:46:56 +0100
Subject: [PATCH 02/17] Fix for None
---
 .../AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index cfdf7798..a58a8d8a 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -2,8 +2,9 @@ $parentPath = Split-Path -Parent -Path $PSScriptRoot
 $rcTrue = "True"
 $rcCompliant = "Compliant"
 $rcFalse = "False"
+$rcNone = "None"
 $rcNonCompliant = "Non-Compliant"
-$rcNonCompliantManualReviewRequired = "None"
+$rcNonCompliantManualReviewRequired = "Manual Review Required"
 $rcCompliantIPv6isDisabled = "IPv6 is disabled"
 $retCompliant = @{
@@ -20,7 +21,7 @@ $retCompliantIPv6Disabled = @{
 }
 $retNonCompliantManualReviewRequired = @{
 Message = $rcNonCompliantManualReviewRequired
- Status = $rcFalse
+ Status = $rcNone
 }
 $IPv6Status_script = @'
From b820f3d35b8e37a69acc77f64254a953c5d743aa Mon Sep 17 00:00:00 2001
From: davni-fbp
Date: Mon, 18 Mar 2024 16:23:16 +0100
Subject: [PATCH 03/17] Assignment for firewall settings
---
 .../SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 228 +++++++++++++++++-
 1 file changed, 227 insertions(+), 1 deletion(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index a58a8d8a..cb8b8fef 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -6,6 +6,9 @@ $rcNone = "None"
 $rcNonCompliant = "Non-Compliant"
 $rcNonCompliantManualReviewRequired = "Manual Review Required"
 $rcCompliantIPv6isDisabled = "IPv6 is disabled"
+$rcFirewallStatus1 = "Using firewalld with iptables"
+$rcFirewallStatus2 = "Using nftables"
+$rcFirewallStatus3 = "Using iptables"
 $retCompliant = @{
 Message = $rcCompliant
@@ -23,6 +26,19 @@ $retNonCompliantManualReviewRequired = @{
 Message = $rcNonCompliantManualReviewRequired
 Status = $rcNone
 }
+$retUsingFW1 = @{
+ Message = $rcFirewallStatus1
+ Status = $rcNone
+}
+$retUsingFW2 = @{
+ Message = $rcFirewallStatus2
+ Status = $rcNone
+}
+$retUsingFW3 = @{
+ Message = $rcFirewallStatus3
+ Status = $rcNone
+}
+
 $IPv6Status_script = @'
 #!/bin/bash
@@ -42,6 +58,54 @@ if ($IPv6Status -match "enabled") {
 $IPv6Status = "disabled"
 }
+# Firewall evaluation
+
+# 0 = init. value, undefined
+# 1 = using firewalld with iptabes as backend
+# 2 = using nftables
+# 3 = using iptables
+$FirewallStatus = 0
+
+# Testing for firewalld with iptables as backend
+$test1 = rpm -q firewalld iptables
+$test2 = rpm -q nftables
+$test3 = systemctl status nftables | grep "Active: " | grep -v "active (running)"
+$test4 = systemctl is-enabled nftables
+$test5 = systemctl is-enabled firewalld
+$test6 = firewall-cmd --state
+if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and !($test2 -match "nftables-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled" -and $test6 -match "running") {
+ $FirewallStatus = 1
+}
+
+# Testing for nftables
+$test1 = rpm -q nftables
+$test2 = rpm -q firewalld
+$test3 = systemctl status firewalld | grep "Active: " | grep -v "active (running)"
+$test4 = systemctl is-enabled firewalld
+$test5 = systemctl is-enabled nftables
+if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled") {
+ $FirewallStatus = 2
+}
+
+# Testing for iptables
+$test1 = rpm -q iptables
+$test2 = rpm -q nftables
+$test3 = rpm -q firewalld
+$test4 = systemctl status firewalld | grep "Active: " | grep -v "active (running)"
+$test5 = systemctl is-enabled firewalld
+if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and $test5 -match "masked") {
+ $FirewallStatus = 3
+}
+if ($FirewallStatus = 1) {
+ return $retUsingFW1
+}
+if ($FirewallStatus = 2) {
+ return $retUsingFW2
+}
+if ($FirewallStatus = 3) {
+ return $retUsingFW3
+}
+
 ### Chapter 1 - Initial Setup
 [AuditTest] @{
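Review bot: `$test3 -match "active (running)"` in the first `if` of the new block can never be true: `-match` is a .NET regex, so `(running)` is a group and the pattern matches the text `active running`, while `$test3` is the output of `grep -v "active (running)"`, which has already dropped every line containing that literal. The nftables branch repeats the pattern, the iptables branch tests `"running (active)"` with the words reversed, and all three survive unchanged into the patch-09 form of GetFirewallStatus, so the "other service is not running" part of each classification is never enforced. Let grep do the filtering and test for presence, e.g. `$nftRunning = systemctl status nftables | grep -F "active (running)"` followed by `-not $nftRunning` in the condition, or escape the group if `-match` stays: `-match "active \(running\)"`.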
@@ -1378,6 +1442,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.1" Task = "Ensure FirewallD is installed" Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result = rpm -q firewalld iptables if($result -match "firewalld-" -and $result -match "iptables-"){ return $retCompliant @@ -1391,8 +1461,14 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.2" Task = "Ensure nftables is not installed or stopped and masked" Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result1 = rpm -q nftables - $result21 = systemctl status nftables | grep "Active: " | grep -v "active (running) " + $result21 = systemctl status nftables | grep "Active: " | grep -v "active (running)" $result22 = systemctl is-enabled nftables if($result1 -match "not installed" -or ($result21 -eq $null -and $result22 -match "masked")){ return $retCompliant @@ -1406,6 +1482,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.3" Task = "Ensure firewalld service is enabled and running" Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result1 = systemctl is-enabled firewalld $result2 = firewall-cmd --state if($result1 -match "enabled" -and $result2 -match "running"){ @@ -1420,6 +1502,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.4" Task = "Ensure default zone is set" Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result = firewall-cmd --get-default-zone if($result -ne $null){ return $retCompliant 
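Review bot: `if ($FirewallStatus -match 2)` compares an integer with a regex: both sides are converted to strings and `2` is applied as a pattern, which happens to work for single-digit codes but is the wrong operator for an enum-like value; `if ($FirewallStatus -eq 2)` states the intent and stays correct if codes ever grow. The same six-line guard is pasted at the top of every `Test` block in this and the following hunks (3.5.1.2 through 3.5.3.3.4, in this patch and again in patch 05), so a later change to the skip rule has to be repeated in about twenty-five places; a single helper that returns the matching `$retUsingFW*` hashtable for a given set of excluded codes, or `$null` when the test should run, would keep them in step. The enclosing `[AuditTest]` hashtables begin and end outside the hunks.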
@@ -1433,6 +1521,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.5" Task = "Ensure network interfaces are assigned to appropriate zone" Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } return $retNonCompliantManualReviewRequired } } @@ -1441,6 +1535,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.6" Task = "Ensure unnecessary services and ports are not accepted" Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } return $retNonCompliantManualReviewRequired } } @@ -1449,6 +1549,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.1" Task = "Ensure nftables is installed" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result = rpm -q nftables if($result -match "nftables-"){ return $retCompliant @@ -1462,6 +1568,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.2" Task = "Ensure firewalld is not installed or stopped and masked" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result1 = rpm -q firewalld $result21 = systemctl status firewalld | grep "Active: " | grep -v "active (running) " $result22 = systemctl is-enabled firewalld @@ -1477,6 +1589,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.3" Task = "Ensure iptables are flushed" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $retNonCompliantManualReviewRequired } } 
@@ -1485,6 +1603,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.4" Task = "Ensure a table exists" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result = nft list tables if($result -match "table inet filter") { return $retCompliant @@ -1498,6 +1622,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.5" Task = "Ensure base chain exist" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result1 = nft list ruleset | grep 'hook input' $result2 = nft list ruleset | grep 'hook forward' $result3 = nft list ruleset | grep 'hook output' @@ -1513,6 +1643,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.6" Task = "Ensure loopback traffic is configured" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' $result2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' if($result1 -match "iif ""lo"" accept" -and $result2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop") { @@ -1527,6 +1663,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.7" Task = "Ensure outbound and established connections are configured" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $retNonCompliantManualReviewRequired } } 
@@ -1535,6 +1677,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.8" Task = "Ensure default deny firewall policy" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result1 = nft list ruleset | grep 'hook input' $result2 = nft list ruleset | grep 'hook forward' $result3 = nft list ruleset | grep 'hook output' @@ -1550,6 +1698,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.9" Task = "Ensure nftables service is enabled" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $result = systemctl is-enabled nftables if($result -match "enabled") { return $retCompliant @@ -1563,6 +1717,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.10" Task = "Ensure nftables rules are permanent" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } $retNonCompliantManualReviewRequired } } @@ -1571,6 +1731,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.1.1" Task = "Ensure iptables package is installed" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } $result = rpm -q iptables if($result -match "iptables-") { return $retCompliant @@ -1584,6 +1750,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.1.2" Task = "Ensure nftables is not installed" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } $result = rpm -q nftables if($result -match "not installed") { return $retCompliant 
@@ -1597,6 +1769,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.1.3" Task = "Ensure firewalld is not installed or stopped and masked" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } $result1 = rpm -q firewalld $result21 = systemctl status firewalld | grep "Active: " | grep -v "active (running) " $result22 = systemctl is-enabled firewalld @@ -1612,6 +1790,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.1" Task = "Ensure default deny firewall policy" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } $output = iptables -L $test11 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" $result11 = $? @@ -1637,6 +1821,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.2" Task = "Ensure iptables loopback traffic is configured" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } $test1 = iptables -L INPUT -v -n | grep "Chain\s*INPUT\s*(policy\s*DROP" $test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP" if($test1 -ne $null -and $test2 -ne $null){ @@ -1650,6 +1840,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.3" Task = "Ensure outbound and established connections are configured" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } $retNonCompliantManualReviewRequired } } 
@@ -1658,6 +1854,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.4" Task = "Ensure firewall rules exist for all open ports" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } $retNonCompliantManualReviewRequired } } @@ -1666,6 +1868,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.1" Task = "Ensure IPv6 default deny firewall policy" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } if ($IPv6Status -match "disabled") { return $retCompliantIPv6Disabled } @@ -1694,6 +1902,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.2" Task = "Ensure IPv6 loopback traffic is configured" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } if ($IPv6Status -match "disabled") { return $retCompliantIPv6Disabled } @@ -1714,6 +1928,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.3" Task = "Ensure IPv6 outbound and established connections are configured" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } if ($IPv6Status -match "disabled") { return $retCompliantIPv6Disabled } @@ -1725,6 +1945,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.4" Task = "Ensure IPv6 firewall rules exist for all open ports" Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } if ($IPv6Status -match "disabled") { return $retCompliantIPv6Disabled } From da94caf8db7cbc750667eba86aa00d83bcc5f519 Mon Sep 17 00:00:00 2001 
From: davni-fbp
Date: Mon, 18 Mar 2024 16:26:05 +0100
Subject: [PATCH 04/17] Correction for Firewall Settings
---
 .../AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index cb8b8fef..52cbaa30 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -96,15 +96,6 @@ $test5 = systemctl is-enabled firewalld
 if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and $test5 -match "masked") {
 $FirewallStatus = 3
 }
-if ($FirewallStatus = 1) {
- return $retUsingFW1
-}
-if ($FirewallStatus = 2) {
- return $retUsingFW2
-}
-if ($FirewallStatus = 3) {
- return $retUsingFW3
-}
 ### Chapter 1 - Initial Setup
From 6f53da1382810d06f9a3c27d89387739e39b861b Mon Sep 17 00:00:00 2001
From: davni-fbp
Date: Wed, 20 Mar 2024 12:14:28 +0100
Subject: [PATCH 05/17] =?UTF-8?q?Anpassungen=20f=C3=BCr=20Firewall?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 102 +++++++++++-------
 1 file changed, 66 insertions(+), 36 deletions(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index 52cbaa30..96bb42f9 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -58,43 +58,47 @@ if ($IPv6Status -match "enabled") { $IPv6Status = "disabled" } -# Firewall evaluation -# 0 = init. value, undefined -# 1 = using firewalld with iptabes as backend -# 2 = using nftables -# 3 = using iptables -$FirewallStatus = 0 - -# Testing for firewalld with iptables as backend -$test1 = rpm -q firewalld iptables -$test2 = rpm -q nftables -$test3 = systemctl status nftables | grep "Active: " | grep -v "active (running)" -$test4 = systemctl is-enabled nftables -$test5 = systemctl is-enabled firewalld -$test6 = firewall-cmd --state -if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and !($test2 -match "nftables-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled" -and $test6 -match "running") { - $FirewallStatus = 1 -} - -# Testing for nftables -$test1 = rpm -q nftables -$test2 = rpm -q firewalld -$test3 = systemctl status firewalld | grep "Active: " | grep -v "active (running)" -$test4 = systemctl is-enabled firewalld -$test5 = systemctl is-enabled nftables -if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled") { - $FirewallStatus = 2 -} - -# Testing for iptables -$test1 = rpm -q iptables -$test2 = rpm -q nftables -$test3 = rpm -q firewalld -$test4 = systemctl status firewalld | grep "Active: " | grep -v "active (running)" -$test5 = systemctl is-enabled firewalld -if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and $test5 -match "masked") { - $FirewallStatus = 3 +# Firewall evaluation +function GetFirewallStatus { + # 0 = init. 
value, undefined + # 1 = using firewalld with iptabes as backend + # 2 = using nftables + # 3 = using iptables + $FirewallStatus = 0 + + # Testing for firewalld with iptables as backend + $test1 = rpm -q firewalld iptables + $test2 = rpm -q nftables + $test3 = systemctl status nftables | grep "Active: " | grep -v "active (running)" + $test4 = systemctl is-enabled nftables + $test5 = systemctl is-enabled firewalld + $test6 = firewall-cmd --state + if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and !($test2 -match "nftables-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled" -and $test6 -match "running") { + return 1 + } + + # Testing for nftables + $test1 = rpm -q nftables + $test2 = rpm -q firewalld + $test3 = systemctl status firewalld | grep "Active: " | grep -v "active (running)" + $test4 = systemctl is-enabled firewalld + $test5 = systemctl is-enabled nftables + if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled") { + return 2 + } + + # Testing for iptables + $test1 = rpm -q iptables + $test2 = rpm -q nftables + $test3 = rpm -q firewalld + $test4 = systemctl status firewalld | grep "Active: " | grep -v "active (running)" + $test5 = systemctl is-enabled firewalld + if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and ($test5 -match "masked" -or $test5 -match "Failed to get unit file")) { + return 3 + } + + return $FirewallStatus } ### Chapter 1 - Initial Setup @@ -1433,6 +1437,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.1" Task = "Ensure FirewallD is installed" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 2) { return $retUsingFW2 } 
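Review bot: GetFirewallStatus carries no comment-based help; the only description of its contract is the `# 0 = init. value, undefined` table inside the body, which a caller never sees. A `<# .SYNOPSIS ... .OUTPUTS #>` header stating that it returns 0 when no stack is recognised, 1 for firewalld with the iptables backend, 2 for nftables and 3 for plain iptables, that the three probes run in that order with the first match winning, and that it shells out to `rpm`, `systemctl` and `firewall-cmd`, would let the `Test` blocks be read without the body. With the table moved to the header, the local `$FirewallStatus = 0` only feeds the final `return $FirewallStatus`, and `return 0` says the same thing directly. Note also that `$test4 = systemctl is-enabled nftables` captures stdout only; the `Failed to get unit file state` text that the `-match "Failed to get unit file"` arm looks for goes to stderr, so that arm cannot fire without `2>&1` on the call (patch 09 replaces the arm rather than adding the redirection).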
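Review bot: `$FirewallStatus = GetFirewallStatus` at the top of this `Test` block, and of every other `Test` block touched by this patch (3.5.1.2 through 3.5.3.3.4), re-runs the full probe — up to six `rpm`/`systemctl`/`firewall-cmd` processes per branch — once per audit test, although the answer cannot change between tests of one run. `$IPv6Status` is already computed once at script scope and read inside the blocks, and the `$retUsingFW*` hashtables are read the same way, so unless the script-scope `$FirewallStatus` of patch 03 failed for a reason not visible here, a single `$FirewallStatus = GetFirewallStatus` after the function definition with the existing guards left untouched gives the same result with one probe. If the blocks must stay self-contained, memoising inside the function (store the first result in a script-scope variable and return it on later calls) achieves the same saving and keeps the per-test output free of the stderr noise these commands emit when a unit or binary is absent.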
@@ -1452,6 +1457,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.2" Task = "Ensure nftables is not installed or stopped and masked" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 2) { return $retUsingFW2 } @@ -1473,6 +1479,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.3" Task = "Ensure firewalld service is enabled and running" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 2) { return $retUsingFW2 } @@ -1493,6 +1500,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.4" Task = "Ensure default zone is set" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 2) { return $retUsingFW2 } @@ -1512,6 +1520,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.5" Task = "Ensure network interfaces are assigned to appropriate zone" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 2) { return $retUsingFW2 } @@ -1526,6 +1535,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.1.6" Task = "Ensure unnecessary services and ports are not accepted" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 2) { return $retUsingFW2 } @@ -1540,6 +1550,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.1" Task = "Ensure nftables is installed" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1559,6 +1570,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.2" Task = "Ensure firewalld is not installed or stopped and masked" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } 
@@ -1594,6 +1606,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.4" Task = "Ensure a table exists" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1613,6 +1626,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.5" Task = "Ensure base chain exist" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1634,6 +1648,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.6" Task = "Ensure loopback traffic is configured" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1654,6 +1669,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.7" Task = "Ensure outbound and established connections are configured" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1668,6 +1684,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.8" Task = "Ensure default deny firewall policy" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1689,6 +1706,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.9" Task = "Ensure nftables service is enabled" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1708,6 +1726,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.10" Task = "Ensure nftables rules are permanent" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } 
@@ -1722,6 +1741,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.1.1" Task = "Ensure iptables package is installed" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1741,6 +1761,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.1.2" Task = "Ensure nftables is not installed" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1760,6 +1781,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.1.3" Task = "Ensure firewalld is not installed or stopped and masked" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1781,6 +1803,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.1" Task = "Ensure default deny firewall policy" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1812,6 +1835,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.2" Task = "Ensure iptables loopback traffic is configured" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1831,6 +1855,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.3" Task = "Ensure outbound and established connections are configured" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1845,6 +1870,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.2.4" Task = "Ensure firewall rules exist for all open ports" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } 
@@ -1859,6 +1885,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.1" Task = "Ensure IPv6 default deny firewall policy" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1893,6 +1920,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.2" Task = "Ensure IPv6 loopback traffic is configured" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1919,6 +1947,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.3" Task = "Ensure IPv6 outbound and established connections are configured" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } @@ -1936,6 +1965,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.3.3.4" Task = "Ensure IPv6 firewall rules exist for all open ports" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } From c8063fb39d018ce26bda27cca046b1d1055bd581 Mon Sep 17 00:00:00 2001 From: davni-fbp Date: Wed, 20 Mar 2024 13:21:09 +0100 Subject: [PATCH 06/17] Anpassungen Firewall v2 --- ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 index 96bb42f9..ef3cbeb9 100644 --- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 +++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 
@@ -74,7 +74,7 @@ function GetFirewallStatus {
 $test4 = systemctl is-enabled nftables
 $test5 = systemctl is-enabled firewalld
 $test6 = firewall-cmd --state
- if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and !($test2 -match "nftables-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled" -and $test6 -match "running") {
+ if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and (!($test2 -match "nftables-") -or !($test3 -match "active (running)")) -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled" -and $test6 -match "running") {
 return 1
 }
From 0e2dfbe3d22ba77516f68be01d3ab40184431a62 Mon Sep 17 00:00:00 2001
From: davni-fbp
Date: Wed, 20 Mar 2024 13:57:16 +0100
Subject: [PATCH 07/17] Anpassungen Firewall v3
---
 ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index ef3cbeb9..b3215944 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -1467,7 +1467,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 $result1 = rpm -q nftables
 $result21 = systemctl status nftables | grep "Active: " | grep -v "active (running)"
 $result22 = systemctl is-enabled nftables
- if($result1 -match "not installed" -or ($result21 -eq $null -and $result22 -match "masked")){
+ if($result1 -match "not installed" -or (!($result21 -match "active (running)") -and $result22 -match "masked")){
 return $retCompliant
 } else {
 return $retNonCompliant
From 57968a8d74039c136ee9b6a4ba402e771bc809cd Mon Sep 17 00:00:00 2001
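Review bot: Rewriting `!($test2 -match "nftables-" -or $test3 -match "active (running)")` as `(!($test2 -match "nftables-") -or !($test3 -match "active (running)"))` changes the requirement from "nftables neither installed nor running" to "not installed or not running", so a host with the nftables package present but the unit stopped now classifies as status 1; if that is the intent, a comment on the line (`# nftables may be installed as long as it is not running`) would record it. As written the right-hand operand is always true, because `-match "active (running)"` treats the parentheses as a regex group and `$test3` has already been passed through `grep -v`, so the whole parenthesised term holds on every host and neither the package nor the running probe influences the result any more. The function body continues outside the hunk.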
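Review bot: `!($result21 -match "active (running)")` is always true: `$result21` is the output of `grep -v "active (running)"`, so it never contains that text, and the `-match` pattern treats `(running)` as a regex group anyway; the compliant branch therefore reduces to `$result22 -match "masked"`, and a masked nftables unit that is still running is reported compliant. The patch-08 hunk at the same place switches the probe to a positive `grep "active (running)"` but keeps this `-match`, so the check stays dead there too; after that switch the condition can simply be `(-not $result21 -and $result22 -match "masked")`. The `Test` block starts and ends outside the hunk.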
From: davni-fbp
Date: Wed, 20 Mar 2024 14:15:56 +0100
Subject: [PATCH 08/17] Anpassungen Firewall v4
---
 .../AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index b3215944..6bb93830 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -70,7 +70,7 @@ function GetFirewallStatus {
 # Testing for firewalld with iptables as backend
 $test1 = rpm -q firewalld iptables
 $test2 = rpm -q nftables
- $test3 = systemctl status nftables | grep "Active: " | grep -v "active (running)"
+ $test3 = systemctl status nftables | grep "active (running)"
 $test4 = systemctl is-enabled nftables
 $test5 = systemctl is-enabled firewalld
 $test6 = firewall-cmd --state
@@ -81,7 +81,7 @@ function GetFirewallStatus {
 # Testing for nftables
 $test1 = rpm -q nftables
 $test2 = rpm -q firewalld
- $test3 = systemctl status firewalld | grep "Active: " | grep -v "active (running)"
+ $test3 = systemctl status firewalld | grep "active (running)"
 $test4 = systemctl is-enabled firewalld
 $test5 = systemctl is-enabled nftables
 if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled") {
@@ -92,7 +92,7 @@ function GetFirewallStatus { $test1 = rpm -q iptables $test2 = rpm -q nftables $test3 = rpm -q firewalld - $test4 = systemctl status firewalld | grep "Active: " | grep -v "active (running)" + $test4 = systemctl status firewalld | grep "active (running)" $test5 = systemctl is-enabled firewalld if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and ($test5 -match "masked" -or $test5 -match "Failed to get unit file")) { return 3 @@ -1465,7 +1465,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} return $retUsingFW3 } $result1 = rpm -q nftables - $result21 = systemctl status nftables | grep "Active: " | grep -v "active (running)" + $result21 = systemctl status nftables | grep "active (running)" $result22 = systemctl is-enabled nftables if($result1 -match "not installed" -or (!($result21 -match "active (running)") -and $result22 -match "masked")){ return $retCompliant From 9df36ebd1a4f3773363ea5727ec2167ad6bdf0d2 Mon Sep 17 00:00:00 2001 From: davni-fbp Date: Wed, 20 Mar 2024 14:26:04 +0100 Subject: [PATCH 09/17] Firewall Anpassungen v6 --- .../AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 index 6bb93830..2e71f08d 100644 --- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 +++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 
@@ -74,7 +74,7 @@ function GetFirewallStatus { $test4 = systemctl is-enabled nftables $test5 = systemctl is-enabled firewalld $test6 = firewall-cmd --state - if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and (!($test2 -match "nftables-") -or !($test3 -match "active (running)")) -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled" -and $test6 -match "running") { + if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and (!($test2 -match "nftables-") -or !($test3 -match "active (running)")) -and !($test4 -match "enabled") -and $test5 -match "enabled" -and $test6 -match "running") { return 1 } @@ -84,7 +84,7 @@ function GetFirewallStatus { $test3 = systemctl status firewalld | grep "active (running)" $test4 = systemctl is-enabled firewalld $test5 = systemctl is-enabled nftables - if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and ($test4 -match "masked" -or $test4 -match "Failed to get unit file") -and $test5 -match "enabled") { + if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and !($test4 -match "enabled") -and $test5 -match "enabled") { return 2 } @@ -94,7 +94,7 @@ function GetFirewallStatus { $test3 = rpm -q firewalld $test4 = systemctl status firewalld | grep "active (running)" $test5 = systemctl is-enabled firewalld - if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and ($test5 -match "masked" -or $test5 -match "Failed to get unit file")) { + if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and !($test5 -match "enabled")) { return 3 } 
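Review bot: In the third hunk (iptables case) the new condition keeps `!($test4 -match "running (active)")`, which has the words reversed, so it never matches systemctl output and is always true; an iptables-only result (return 3) is reported even while firewalld is running. The intended test is `!($test4 -match "active \(running\)")`, or better `$test4 -ne "active"` with `$test4 = systemctl is-active firewalld`. The replacement guards `!($test4 -match "enabled")` / `!($test5 -match "enabled")` are also satisfied when the variable is empty because systemctl failed or the unit is unknown; matching the states actually accepted, e.g. `$test5 -match "^(disabled|masked)"`, keeps an error from counting as "not enabled". GetFirewallStatus's body starts and ends outside the hunks.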
@@ -1467,7 +1467,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} $result1 = rpm -q nftables $result21 = systemctl status nftables | grep "active (running)" $result22 = systemctl is-enabled nftables - if($result1 -match "not installed" -or (!($result21 -match "active (running)") -and $result22 -match "masked")){ + if($result1 -match "not installed" -or (!($result21 -match "active (running)") -and !($result22 -match "enabled"))){ return $retCompliant } else { return $retNonCompliant From 460afa05cc6921570775af1bbd2edec6205c498d Mon Sep 17 00:00:00 2001 From: davni-fbp Date: Thu, 21 Mar 2024 13:09:00 +0100 Subject: [PATCH 10/17] Anpassungen Skripte --- .../SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 52 +++---------------- .../ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh | 2 + 2 files changed, 8 insertions(+), 46 deletions(-) create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 index 2e71f08d..b94e3ecf 100644 --- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 +++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 @@ -1,4 +1,5 @@ $parentPath = Split-Path -Parent -Path $PSScriptRoot +$scriptPath = $parentPath + "Helpers/ShellScripts/SLE_15/" $rcTrue = "True" $rcCompliant = "Compliant" $rcFalse = "False" 
@@ -375,21 +376,7 @@ function GetFirewallStatus { Id = "1.1.19" Task = "Ensure noexec option set on removable media partitions" Test = { - $result_script = @' -#!/bin/bash -while read -r name; do - if [ "$(<${name/dev/sys\/block}/removable)" -eq "1" ]; then - mount | grep "$name" - fi -done < <(awk '/^\/dev\/sd/ {sub(/[0-9]+$/,"",$1); print $1}' /proc/mounts | uniq) -'@ - $result = bash -c $result_script - foreach($line in $result){ - if(!($line -match "noexec")){ - return $retNonCompliant - } - } - return $retCompliant + return $retNonCompliantManualReviewRequired } } @@ -397,21 +384,7 @@ done < <(awk '/^\/dev\/sd/ {sub(/[0-9]+$/,"",$1); print $1}' /proc/mounts | uniq Id = "1.1.20" Task = "Ensure nodev option set on removable media partitions" Test = { - $result_script = @' -#!/bin/bash -while read -r name; do - if [ "$(<${name/dev/sys\/block}/removable)" -eq "1" ]; then - mount | grep "$name" - fi -done < <(awk '/^\/dev\/sd/ {sub(/[0-9]+$/,"",$1); print $1}' /proc/mounts | uniq) -'@ - $result = bash -c $result_script - foreach($line in $result){ - if(!($line -match "nodev")){ - return $retNonCompliant - } - } - return $retCompliant + return $retNonCompliantManualReviewRequired } } @@ -419,21 +392,7 @@ done < <(awk '/^\/dev\/sd/ {sub(/[0-9]+$/,"",$1); print $1}' /proc/mounts | uniq Id = "1.1.21" Task = "Ensure nosuid option set on removable media partitions" Test = { - $result_script = @' -#!/bin/bash -while read -r name; do - if [ "$(<${name/dev/sys\/block}/removable)" -eq "1" ]; then - mount | grep "$name" - fi -done < <(awk '/^\/dev\/sd/ {sub(/[0-9]+$/,"",$1); print $1}' /proc/mounts | uniq) -'@ - $result = bash -c $result_script - foreach($line in $result){ - if(!($line -match "nosuid")){ - return $retNonCompliant - } - } - return $retCompliant + return $retNonCompliantManualReviewRequired } } 
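Review bot: The three Test blocks for 1.1.19, 1.1.20 and 1.1.21 now return the manual-review result unconditionally, but nothing records why the automated mount-option check was withdrawn, so a later maintainer cannot tell whether it was wrong or only unreliable on some hosts. A one-line comment above each `return $retNonCompliantManualReviewRequired`, e.g. `# 1.1.19: automated removable-media detection removed; mount options must be verified manually`, would preserve that context. The enclosing hashtables start outside the hunks.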
@@ -752,7 +711,8 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "1.8.1.3" Task = "Ensure remote login warning banner is configured properly" Test = { - $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + $script = $scriptPath + "CIS-SEL15-1.8.1.3.sh" + $result = bash $script if($result -eq $null){ return $retCompliant } else { diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh new file mode 100644 index 00000000..9e530cc4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh @@ -0,0 +1,2 @@ +#!/bin/bash +grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net \ No newline at end of file From f126ffdb6402267a08f871c459dbd35f3a0b616e Mon Sep 17 00:00:00 2001 
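Review bot: `$result = bash $script` followed by `$result -eq $null` reports Compliant whenever the helper prints nothing, which includes the cases where `$script` does not exist or grep exits with status 2 because /etc/issue.net is missing or unreadable; the check fails open. The helper's exit status is grep's, and grep returns 1 only for "no match", so `if($LASTEXITCODE -eq 1){ return $retCompliant }` pins the compliant case, and a `Test-Path $script` beforehand catches a missing helper. The same `bash $script` / `-eq $null` pattern is used for 5.4.2, 5.4.4, 6.2.1, 6.2.2 and 6.2.18 in the next commit; for the awk-based helpers there, which exit 0 either way, the `Test-Path` guard is the applicable part. The enclosing hashtable starts outside the hunk.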
From: davni-fbp Date: Fri, 22 Mar 2024 14:07:17 +0100 Subject: [PATCH 11/17] Skriptfehler behoben v1 --- .../SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 184 +++--------------- .../ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh | 2 + .../ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh | 2 + .../ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh | 4 + .../ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh | 2 + .../ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh | 10 + .../ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh | 30 +++ .../ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh | 12 ++ .../ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh | 2 + .../ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh | 2 + .../ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh | 2 + .../ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh | 6 + .../ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh | 20 ++ .../ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh | 18 ++ .../ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh | 10 + 15 files changed, 151 insertions(+), 155 deletions(-) create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh create mode 100644 
ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 index b94e3ecf..5457605e 100644 --- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 +++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 @@ -685,7 +685,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "1.8.1.1" Task = "Ensure message of the day is configured properly" Test = { - $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd 2>/dev/null if($result -eq $null){ return $retCompliant } else { @@ -3022,16 +3022,10 @@ for usr in $(cut -d: -f1 /etc/shadow); do Id = "5.4.2" Task = "Ensure system accounts are secured" Test = { - $test1_script = @' -#!/bin/bash -awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd -'@ - $test1 = bash -c $test1_script - $test2_script = @' -#!/bin/bash -awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' -'@ - $test2 = bash -c $test2_script + $script1 = $scriptPath + "CIS-SEL15-5.4.2_1.sh" + $test1 = bash $script1 + $script2 = $scriptPath + "CIS-SEL15-5.4.2_2.sh" + $test2 = bash $script2 if($test1 -eq $null -and $test2 -eq $null){ return $retCompliant } else { 
@@ -3057,11 +3051,8 @@ awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/l Id = "5.4.4" Task = "Ensure default user shell timeout is configured" Test = { - $test1_script = @' -#!/bin/bash -for f in /etc/profile.d/*.sh ; do grep -Eq '(^|^[^#]*;)\s*(readonly|export(\s+[^$#;]+\s*)*)?\s*TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' $f && grep -Eq '(^|^[^#]*;)\s*readonly\s+TMOUT\b' $f && grep -Eq '(^|^[^#]*;)\s*export\s+([^$#;]+\s+)*TMOUT\b' $f && echo "TMOUT correctly configured in file: $f"; done -'@ - $test1 = bash -c $test1_script + $script = $scriptPath + "CIS-SEL15-5.4.4.sh" + $test1 = bash $script $test2 = grep -PR '^\s*([^$#;]+\s+)*TMOUT=(9[0-9][1-9]|0+|[1-9]\d{3,})\b\s*(\S+\s*)*(\s+#.*)?$' /etc/profile* /etc/bashrc.bashrc* if($test1 -match "configured in file: /etc/profile.d/" -and $test2 -eq $null){ return $retCompliant @@ -3256,11 +3247,8 @@ for f in /etc/profile.d/*.sh ; do grep -Eq '(^|^[^#]*;)\s*(readonly|export(\s+[^ Id = "6.2.1" Task = "Ensure accounts in /etc/passwd use shadowed passwords" Test = { - $test1_script = @' -#!/bin/bash -awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd -'@ - $test1 = bash -c $test1_script + $script1 = $scriptPath + "CIS-SEL15-6.2.1.sh" + $test1 = bash $script1 if($test1 -eq $null){ return $retCompliant } else { @@ -3273,11 +3261,8 @@ awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/pas Id = "6.2.2" Task = "Ensure /etc/shadow password fields are not empty" Test = { - $test1_script = @' -#!/bin/bash -awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow -'@ - $test1 = bash -c $test1_script + $script1 = $scriptPath + "CIS-SEL15-6.2.2.sh" + $test1 = bash $script1 if($test1 -eq $null){ return $retCompliant } else { 
@@ -3340,15 +3325,8 @@ done Id = "6.2.5" Task = "Ensure all users' home directories exist" Test = { - $test_script = @' -#!/bin/bash -grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - fi -done -'@ - $test = bash -c $test_script + $script1 = $scriptPath + "CIS-SEL15-6.2.5.sh" + $test = bash $script1 if($test -match "does not exist"){ return $retNonCompliant } else { @@ -3361,29 +3339,8 @@ done Id = "6.2.6" Task = "Ensure users' home directories permissions are 750 or more restrictive" Test = { - $test_script = @' -#!/bin/bash -grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - dirperm=$(ls -ld $dir | cut -f1 -d" ") - if [ $(echo $dirperm | cut -c6) != "-" ]; then - echo "Group Write permission set on the home directory ($dir) of user $user" - fi - if [ $(echo $dirperm | cut -c8) != "-" ]; then - echo "Other Read permission set on the home directory ($dir) of user $user" - fi - if [ $(echo $dirperm | cut -c9) != "-" ]; then - echo "Other Write permission set on the home directory ($dir) of user $user" - fi - if [ $(echo $dirperm | cut -c10) != "-" ]; then - echo "Other Execute permission set on the home directory ($dir) of user $user" - fi - fi -done -'@ - $test = bash -c $test_script + $script1 = $scriptPath + "CIS-SEL15-6.2.6.sh" + $test = bash $script1 if($test -ne $null){ return $retNonCompliant } else { 
@@ -3421,27 +3378,8 @@ done Id = "6.2.8" Task = "Ensure users' dot files are not group or world writable" Test = { - $test_script = @' -#!/bin/bash -grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - for file in $dir/.[A-Za-z0-9]*; do - if [ ! -h "$file" -a -f "$file" ]; then - fileperm=$(ls -ld $file | cut -f1 -d" ") - if [ $(echo $fileperm | cut -c6) != "-" ]; then - echo "Group Write permission set on file $file" - fi - if [ $(echo $fileperm | cut -c9) != "-" ]; then - echo "Other Write permission set on file $file" - fi - fi - done - fi -done -'@ - $test = bash -c $test_script + $script1 = $scriptPath + "CIS-SEL15-6.2.8.sh" + $test = bash $script1 if($test -ne $null){ return $retNonCompliant } else { @@ -3454,19 +3392,8 @@ done Id = "6.2.9" Task = "Ensure no users have .forward files" Test = { - $test_script = @' -#!/bin/bash -awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do - if [ ! -d "$dir" ] ; then - echo "The home directory ($dir) of user $user does not exist." - else - if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then - echo ".forward file $dir/.forward exists" - fi - fi -done -'@ - $test = bash -c $test_script + $script1 = $scriptPath + "CIS-SEL15-6.2.9.sh" + $test = bash $script1 if($test -ne $null){ return $retNonCompliant } else { 
@@ -3479,19 +3406,8 @@ done Id = "6.2.10" Task = "Ensure no users have .netrc files" Test = { - $test_script = @' -#!/bin/bash -awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then - echo ".netrc file $dir/.netrc exists" - fi - fi -done -'@ - $test = bash -c $test_script + $script1 = $scriptPath + "CIS-SEL15-6.2.10.sh" + $test = bash $script1 if($test -ne $null){ return $retNonCompliant } else { @@ -3504,39 +3420,8 @@ done Id = "6.2.11" Task = "Ensure users' .netrc Files are not group or world accessible" Test = { - $test_script = @' -#!/bin/bash -awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - for file in $dir/.netrc; do - if [ ! -h "$file" -a -f "$file" ]; then - fileperm=$(ls -ld $file | cut -f1 -d" ") - if [ $(echo $fileperm | cut -c5) != "-" ]; then - echo "Group Read set on $file" - fi - if [ $(echo $fileperm | cut -c6) != "-" ]; then - echo "Group Write set on $file" - fi - if [ $(echo $fileperm | cut -c7) != "-" ]; then - echo "Group Execute set on $file" - fi - if [ $(echo $fileperm | cut -c8) != "-" ]; then - echo "Other Read set on $file" - fi - if [ $(echo $fileperm | cut -c9) != "-" ]; then - echo "Other Write set on $file" - fi - if [ $(echo $fileperm | cut -c10) != "-" ]; then - echo "Other Execute set on $file" - fi - fi - done - fi -done -'@ - $test = bash -c $test_script + $script1 = $scriptPath + "CIS-SEL15-6.2.11.sh" + $test = bash $script1 if($test -ne $null){ return $retNonCompliant } else { 
@@ -3549,21 +3434,8 @@ done Id = "6.2.12" Task = "Ensure no users have .rhosts files" Test = { - $test_script = @' -#!/bin/bash -awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - for file in $dir/.rhosts; do - if [ ! -h "$file" -a -e "$file" ]; then - echo ".rhosts file in $dir" - fi - done - fi -done -'@ - $test = bash -c $test_script + $script1 = $scriptPath + "CIS-SEL15-6.2.12.sh" + $test = bash $script1 if($test -ne $null){ return $retNonCompliant } else { @@ -3679,8 +3551,10 @@ done Id = "6.2.18" Task = "Ensure shadow group is empty" Test = { - $test1 = grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group - $test2 = awk -F: '($4 == "") { print }' /etc/passwd + $script1 = $scriptPath + "CIS-SEL15-6.2.18_1.sh" + $test1 = bash $script1 + $script2 = $scriptPath + "CIS-SEL15-6.2.18_2.sh" + $test2 = bash $script2 if($test1 -eq $null -and $test2 -eq $null){ return $retCompliant } else { diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh new file mode 100644 index 00000000..47785d83 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh @@ -0,0 +1,2 @@ +#!/bin/bash +awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh new file mode 100644 index 00000000..af16149a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh 
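Review bot: In the new CIS-SEL15-5.4.2_1.sh the shell exclusion `$7!="'"$(which nologin)"'"` compares against the single path `which` happens to resolve, so if the audited hosts use both `/sbin/nologin` and `/usr/sbin/nologin` in /etc/passwd, accounts with the other one are reported as unsecured although they cannot log in; `which` is also not a POSIX utility. Matching the basename, `$7!~/\/nologin$/`, avoids both problems, or at least use `$(command -v nologin)`. The same `which nologin` construct appears in the 6.2.5, 6.2.6, 6.2.8, 6.2.9, 6.2.10, 6.2.11 and 6.2.12 helpers added by this commit.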
@@ -0,0 +1,2 @@
+#!/bin/bash
+awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh
new file mode 100644
index 00000000..21cdbfc3
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+for f in /etc/profile.d/*.sh ; do
+ grep -Eq '(^|^[^#]*;)\s*(readonly|export(\s+[^$#;]+\s*)*)?\s*TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' $f && grep -Eq '(^|^[^#]*;)\s*readonly\s+TMOUT\b' $f && grep -Eq '(^|^[^#]*;)\s*export\s+([^$#;]+\s+)*TMOUT\b' $f && echo "TMOUT correctly configured in file: $f";
+done
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh
new file mode 100644
index 00000000..38c459dd
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh
new file mode 100644
index 00000000..bbd8860b
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+ fi
+ fi
+done
\ No newline at end of file
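Review bot: CIS-SEL15-6.2.10.sh reads the awk output with `while read user dir` and no `-r`, so a backslash in a home-directory path is interpreted instead of preserved (ShellCheck SC2162); write `while read -r user dir; do`, as CIS-SEL15-6.2.5.sh in this same commit already does. The `[ ! -h X -a -f X ]` test uses the obsolescent `-a`; `[ ! -h "$dir/.netrc" ] && [ -f "$dir/.netrc" ]` is the portable form. In CIS-SEL15-5.4.4.sh, `$f` is unquoted in all three grep calls and `/etc/profile.d/*.sh` is iterated without `nullglob`, so with no matching file grep is run against the literal pattern; quote `"$f"` and add `[ -e "$f" ] || continue` as the loop's first line. The same unquoted `read` and `-a` pattern recurs in the 6.2.6, 6.2.8, 6.2.9, 6.2.11 and 6.2.12 helpers.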
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh
new file mode 100644
index 00000000..118123e1
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.netrc; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c5) != "-" ]; then
+ echo "Group Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c7) != "-" ]; then
+ echo "Group Execute set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c8) != "-" ]; then
+ echo "Other Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c10) != "-" ]; then
+ echo "Other Execute set on $file"
+ fi
+ fi
+ done
+ fi
+done
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh
new file mode 100644
index 00000000..685a0d0a
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh
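Review bot: CIS-SEL15-6.2.11.sh derives permissions by parsing `ls -ld` columns with `cut -c5..10`, with `$file` unquoted in the `ls` call and `$(echo $fileperm | cut -cN)` unquoted inside `[ ]`, so a home directory containing whitespace or a listing format that differs from the assumed column layout (ACL `+` suffix, SELinux `.`) yields a wrong or malformed test rather than a finding. `stat -c '%a'` returns the octal mode directly, and since the PowerShell caller only tests `$test -ne $null`, the six string-position checks collapse into one mode test. The same `ls -ld | cut` construction is used in the 6.2.6 and 6.2.8 helpers of this commit; 6.2.8 additionally iterates `$dir/.[A-Za-z0-9]*` unquoted, which skips dotfiles whose second character is outside that class.
```bash
# … unchanged: awk account selection | while read user dir; do / home-directory existence check …
    for file in "$dir"/.netrc; do
      if [ ! -h "$file" ] && [ -f "$file" ]; then
        # octal mode from stat instead of parsing ls(1) columns
        perm=$(stat -c '%a' -- "$file")
        # any group or other bit set is a finding; the caller only tests for non-empty output
        if (( 8#$perm & 8#077 )); then
          echo "Group/other permissions $perm set on $file"
        fi
      fi
    done
# … unchanged: closing fi / done …
```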
@@ -0,0 +1,12 @@
+#!/bin/bash
+awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.rhosts; do
+ if [ ! -h "$file" -a -e "$file" ]; then
+ echo ".rhosts file in $dir"
+ fi
+ done
+ fi
+done
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh
new file mode 100644
index 00000000..810e3252
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh
new file mode 100644
index 00000000..ab4d48a3
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+awk -F: '($4 == "") { print }' /etc/passwd
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh
new file mode 100644
index 00000000..5e6b3c34
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh
new file mode 100644
index 00000000..ef0dc088
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh
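Review bot: CIS-SEL15-6.2.18_1.sh runs `grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group` in basic-regex mode, where an unescaped `+` is a literal character, so the pattern only matches if the member list ends in a `+`; a populated shadow group is reported as empty and 6.2.18 fails open. Quote the pattern and select ERE: `grep -E '^shadow:[^:]*:[^:]*:[^:]+' /etc/group` (quoting also stops the shell from treating `[^:]*` as a glob). In CIS-SEL15-6.2.18_2.sh, `($4 == "")` flags passwd entries with an empty GID field; if the intent is the benchmark's companion check, accounts whose primary group is the shadow group, the GID has to be looked up first: `awk -F: -v GID="$(awk -F: '($1=="shadow") {print $3}' /etc/group)" '($4==GID) {print $1}' /etc/passwd`.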
@@ -0,0 +1,6 @@
+#!/bin/bash
+grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ fi
+done
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh
new file mode 100644
index 00000000..9d142230
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ dirperm=$(ls -ld $dir | cut -f1 -d" ")
+ if [ $(echo $dirperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c8) != "-" ]; then
+ echo "Other Read permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c10) != "-" ]; then
+ echo "Other Execute permission set on the home directory ($dir) of user $user"
+ fi
+ fi
+done
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh
new file mode 100644
index 00000000..01e4ddc7
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.[A-Za-z0-9]*; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on file $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on file $file"
+ fi
+ fi
+ done
+ fi
+done
\ No newline at end of file
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh
new file mode 100644
index 00000000..113a2ced
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do
+ if [ ! -d "$dir" ] ; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+ fi
+ fi
+done
\ No newline at end of file
From e8cc90483d4bb6ead3be227eecc85880d924ebce Mon Sep 17 00:00:00 2001
From: davni-fbp
Date: Fri, 22 Mar 2024 14:10:19 +0100
Subject: [PATCH 12/17] Skripfehler v2
---
ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index 5457605e..1ede2eee 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -1,5 +1,5 @@ $parentPath = Split-Path -Parent -Path $PSScriptRoot -$scriptPath = $parentPath + "Helpers/ShellScripts/SLE_15/" +$scriptPath = $parentPath + "/Helpers/ShellScripts/SLE_15/" $rcTrue = "True" $rcCompliant = "Compliant" $rcFalse = "False" From 2b4c3498a7cfa43f57ca6992a9e13e38b453baed Mon Sep 17 00:00:00 2001 From: davni-fbp Date: Tue, 26 Mar 2024 15:19:32 +0100 Subject: [PATCH 13/17] Korrektur bei FW Ermittlung --- .../AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 index 1ede2eee..aaea6adf 100644 --- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 +++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 @@ -1552,13 +1552,14 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Id = "3.5.2.3" Task = "Ensure iptables are flushed" Test = { + $FirewallStatus = GetFirewallStatus if ($FirewallStatus -match 1) { return $retUsingFW1 } if ($FirewallStatus -match 3) { return $retUsingFW3 } - $retNonCompliantManualReviewRequired + return $retNonCompliantManualReviewRequired } } @@ -1636,7 +1637,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} if ($FirewallStatus -match 3) { return $retUsingFW3 } - $retNonCompliantManualReviewRequired + return $retNonCompliantManualReviewRequired } } From 6524235bd6cc501c45b3a9aa56dd2b727978c9b4 Mon Sep 17 00:00:00 2001 From: svenschrader Date: Tue, 2 Apr 2024 15:04:38 +0200 Subject: [PATCH 14/17] Simplified permission checks --- .../SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 index aaea6adf..b889a5f7 100644 
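Review bot: `$scriptPath = $parentPath + "/Helpers/ShellScripts/SLE_15/"` still builds the path by string concatenation, which is exactly what produced the missing separator this commit repairs; `Join-Path $parentPath "Helpers/ShellScripts/SLE_15"` here and `Join-Path $scriptPath "CIS-SEL15-1.8.1.3.sh"` at the call sites make that class of error impossible. Because every helper is later run as `bash $script` with the auditor's privileges, a comment at this line should state the trust requirement on that directory, e.g. `# helper scripts are executed as-is: keep Helpers/ShellScripts owned by the auditing account and not group/world writable on the audited host`.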
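Review bot: The 3.5.2.3 Test now assigns `$FirewallStatus = GetFirewallStatus` before using it, but the sibling hunk at `@@ -1636` only changes the final return and still reads `$FirewallStatus` with no assignment visible in the hunk; if that Test block does not set it earlier, outside the hunk, the variable is `$null`, neither `-match` fires and the result is always manual review. `-match 1` also applies a regex to the stringified return value, where `-eq 1` states the comparison directly. Both Test blocks start outside the hunks.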
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 +++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 @@ -2455,7 +2455,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Task = "Ensure permissions on /etc/crontab are configured" Test = { $test = stat /etc/crontab - if($test -match "Access:\s+(0600/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + if($test -match "0600/-rw-"){ return $retCompliant } else { return $retNonCompliant @@ -2468,7 +2468,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Task = "Ensure permissions on /etc/cron.hourly are configured" Test = { $test = stat /etc/cron.hourly/ - if($test -match "Access:\s+(0700/drwx------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + if($test -match "0700/drwx"){ return $retCompliant } else { return $retNonCompliant @@ -2481,7 +2481,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Task = "Ensure permissions on /etc/cron.daily are configured" Test = { $test = stat /etc/cron.daily - if($test -match "Access:\s+(0700/drwx------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + if($test -match "0700/drwx"){ return $retCompliant } else { return $retNonCompliant @@ -2494,7 +2494,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{} Task = "Ensure permissions on /etc/cron.weekly are configured" Test = { $test = stat /etc/cron.weekly - if($test -match "Access:\s+(0700/drwx------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + if($test -match "0700/drwx"){ return $retCompliant } else { return $retNonCompliant 
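Review bot: The simplified patterns drop the owner and group part of the check entirely and match a bare substring of the whole `stat` output, so `"0644"` is also satisfied by an inode or size field that happens to contain those digits, and a file with the expected mode but a non-root owner now passes. Ask stat for exactly the fields being judged and compare them whole: `$test = stat -c '%a %U %G' /etc/crontab` with `if($test -eq "600 root root")`; where the benchmark allows "or more restrictive" (the 0644/0640 cases), compare the octal numerically instead of with `-eq`. The same substring match is on the new side of every other hunk in this commit (cron.*, at.allow, sshd_config, passwd, shadow, group and their `-` backups). Visible as context in the cron.monthly and cron.d hunks, and not addressed here: both still run `stat /etc/cron.weekly`, so they test the wrong directory.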
@@ -2507,7 +2507,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Task = "Ensure permissions on /etc/cron.monthly are configured"
 Test = {
 $test = stat /etc/cron.weekly
- if($test -match "Access:\s+(0700/drwx------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test -match "0700/drwx"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -2520,7 +2520,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Task = "Ensure permissions on /etc/cron.d are configured"
 Test = {
 $test = stat /etc/cron.weekly
- if($test -match "Access:\s+(0700/drwx------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test -match "0700/drwx"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -2547,7 +2547,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Test = {
 $test1 = stat /etc/at.deny
 $test2 = stat /etc/at.allow
- if($test1 -match "cannot stat" -and $test2 -match "Access:\s+(0600/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "cannot stat" -and $test2 -match "0600/-rw-"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -2560,7 +2560,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Task = "Ensure permissions on /etc/ssh/sshd_config are configured"
 Test = {
 $test1 = stat /etc/ssh/sshd_config
- if($test1 -match "Access:\s+(0600/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "0600/-rw-"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -3116,7 +3116,7 @@ for usr in $(cut -d: -f1 /etc/shadow); do
 Task = "Ensure permissions on /etc/passwd are configured"
 Test = {
 $test1 = stat /etc/passwd
- if($test1 -match "Access:\s+(0644/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "0644"){
 return $retCompliant
 } else {
 return $retNonCompliant
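Review bot: The 2507 and 2520 hunks rewrite the match for /etc/cron.monthly and /etc/cron.d but leave `$test = stat /etc/cron.weekly` in both, so those two tests still report on the wrong directory; the lines should read `$test = stat /etc/cron.monthly` and `$test = stat /etc/cron.d` respectively. In the 2547 hunk, `$test1 -match "cannot stat"` is unlikely ever to be true because stat writes that message to stderr while `$test1 = stat /etc/at.deny` captures only stdout, which leaves the at.deny half of the condition permanently false; `-not (Test-Path -Path '/etc/at.deny')` expresses the absence check directly. Both problems predate the commit, but these are exactly the lines it is touching.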
@@ -3129,7 +3129,7 @@ for usr in $(cut -d: -f1 /etc/shadow); do
 Task = "Ensure permissions on /etc/shadow are configured"
 Test = {
 $test1 = stat /etc/shadow
- if($test1 -match "Access:\s+(0640/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "0640"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -3142,7 +3142,7 @@ for usr in $(cut -d: -f1 /etc/shadow); do
 Task = "Ensure permissions on /etc/group are configured"
 Test = {
 $test1 = stat /etc/group
- if($test1 -match "Access:\s+(0644/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "0644"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -3155,7 +3155,7 @@ for usr in $(cut -d: -f1 /etc/shadow); do
 Task = "Ensure permissions on /etc/passwd- are configured"
 Test = {
 $test1 = stat /etc/passwd-
- if($test1 -match "Access:\s+(0644/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "0644"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -3168,7 +3168,7 @@ for usr in $(cut -d: -f1 /etc/shadow); do
 Task = "Ensure permissions on /etc/shadow- are configured"
 Test = {
 $test1 = stat /etc/shadow-
- if($test1 -match "Access:\s+(0640/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "0640"){
 return $retCompliant
 } else {
 return $retNonCompliant
@@ -3181,7 +3181,7 @@ for usr in $(cut -d: -f1 /etc/shadow); do
 Task = "Ensure permissions on /etc/group- are configured"
 Test = {
 $test1 = stat /etc/group-
- if($test1 -match "Access:\s+(0644/-rw-------)\s+Uid:\s+(\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
+ if($test1 -match "0644"){
 return $retCompliant
 } else {
 return $retNonCompliant
From b7b28727e87eea42dead094b6ddf7fb6baabeec4 Mon Sep 17 00:00:00 2001
From: svenschrader
Date: Wed, 3 Apr 2024 10:46:10 +0200
Subject: [PATCH 15/17] Correction on 6.2.7
---
 .../SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 17 +++--------------
 .../ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh | 11 +++++++++++
 2 files changed, 14 insertions(+), 14 deletions(-)
 create mode 100644 ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index b889a5f7..bba34353 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -3354,20 +3354,9 @@ done
 Id = "6.2.7"
 Task = "Ensure users own their home directories"
 Test = {
- $test1 = @'
-#!/bin/bash
-grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
- if [ ! -d "$dir" ]; then
- echo "The home directory ($dir) of user $user does not exist."
- else
- owner=$(stat -L -c "%U" "$dir")
- if [ "$owner" != "$user" ]; then
- echo "The home directory ($dir) of user $user is owned by $owner."
- fi
- fi
-done
-'@
- if($test1 -eq $null){
+ $script1 = $scriptPath + "CIS-SEL15-6.2.7.sh"
+ $test = bash $script1
+ if($test -eq $null){
 return $retCompliant
 } else {
 return $retNonCompliant
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh
new file mode 100644
index 00000000..4df7421e
--- /dev/null
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh
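Review bot: `$test = bash $script1` followed by `if($test -eq $null){` fails open: if the helper script is missing, unreadable or aborts, bash reports that only on stderr, `$test` stays `$null`, and 6.2.7 is recorded as compliant. Capture stderr and check the exit status before trusting an empty result, e.g. `$test = bash $script1 2>&1` and `if($LASTEXITCODE -ne 0){ return $retNonCompliantManualReviewRequired }` ahead of the null test. Writing the comparison as `if($null -eq $test){` also sidesteps the element-filtering behaviour of `-eq` when the script prints more than one line. The enclosing AuditTest closes outside the hunk.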
@@ -0,0 +1,11 @@
+#!/bin/bash
+grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ owner=$(stat -L -c "%U" "$dir")
+ if [ "$owner" != "$user" ]; then
+ echo "The home directory ($dir) of user $user is owned by $owner."
+ fi
+ fi
+done
From 0e61090056d4b4e03321d76e0c2ad1a5a0b25a62 Mon Sep 17 00:00:00 2001
From: svenschrader
Date: Wed, 3 Apr 2024 14:59:39 +0200
Subject: [PATCH 16/17] Changes firewall behavior and non-existing files
---
 .../SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 49 +++++++------------
 1 file changed, 18 insertions(+), 31 deletions(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index bba34353..27a9bbfe 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -102,6 +102,7 @@ function GetFirewallStatus {
 return $FirewallStatus
 }
+$FirewallStatus = GetFirewallStatus
 ### Chapter 1 - Initial Setup
 [AuditTest] @{
@@ -725,8 +726,8 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "1.8.1.4"
 Task = "Ensure permissions on /etc/motd are configured"
 Test = {
- $result = stat -L /etc/motd | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)"
- if($result -eq $null -or $result -match "Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)"){
+ $result = stat -L /etc/motd | grep "0644"
+ if($result -eq $null -or $result -match "0644"){
 return $retCompliant
 } else {
 return $retNonCompliant
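Review bot: `while read user dir; do` reads without `-r`, so a backslash in a home directory path is altered before `stat -L` sees it; `while read -r user dir; do` keeps the value intact. `$(which nologin)` resolves a single path, so accounts whose shell is spelled differently from what `which` returns (a `/sbin` versus `/usr/sbin` variant, for instance) are not excluded and will be listed; `command -v nologin` is the portable lookup, and if the benchmark accepts several nologin shells the awk filter has to name all of them. A missing home directory and a wrongly owned one both produce output, so the PowerShell caller cannot distinguish them; if that matters for the report, give the two messages distinct prefixes.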
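Review bot: With `$result = stat -L /etc/motd | grep "0644"` feeding `if($result -eq $null -or $result -match "0644"){`, a motd with any mode other than 0644 now reports compliant: grep finds nothing, `$result` is `$null`, and the null branch — presumably meant for a missing file — cannot tell that case from a wrong mode. Separate them: `if (-not (Test-Path -Path '/etc/motd')) { return $retCompliant }`, then `$result = stat -L -c '%a %U:%G' /etc/motd` and `if($result -eq '644 root:root'){`, which also restores the owner and group check that the dropped regex performed. The `-or $result -match "0644"` half is redundant once grep has already filtered on the same string. The same loose `grep "0644"` shape is used for /etc/issue and /etc/issue.net in the following hunks and in PATCH 17, where a match against an Inode or Size field would likewise pass.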
@@ -738,7 +739,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "1.8.1.5"
 Task = "Ensure permissions on /etc/issue are configured"
 Test = {
- $result = stat -L /etc/issue | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)"
+ $result = stat -L /etc/issue | grep "(0644"
 if($result -ne $null){
 return $retCompliant
 } else {
@@ -747,11 +748,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 }
 }
+if (Test-Path -Path '/etc/issue.net') {
 [AuditTest] @{
 Id = "1.8.1.6"
 Task = "Ensure permissions on /etc/issue.net are configured"
 Test = {
- $result = stat -L /etc/issue.net | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)"
+ $result = stat -L /etc/issue.net | grep "(0644"
 if($result -ne $null){
 return $retCompliant
 } else {
@@ -759,6 +761,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 }
 }
 }
+}
 [AuditTest] @{
 Id = "1.9"
@@ -1393,11 +1396,12 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 }
 }
+### Chapter 3.5.1.X firewalld
+if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 1) ){
 [AuditTest] @{
 Id = "3.5.1.1"
 Task = "Ensure FirewallD is installed"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 2) {
 return $retUsingFW2
 }
@@ -1417,7 +1421,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.1.2"
 Task = "Ensure nftables is not installed or stopped and masked"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 2) {
 return $retUsingFW2
 }
@@ -1439,7 +1442,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.1.3"
 Task = "Ensure firewalld service is enabled and running"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 2) {
 return $retUsingFW2
 }
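Review bot: Wrapping the 1.8.1.6 `[AuditTest]` in `if (Test-Path -Path '/etc/issue.net') {` removes the control from the report entirely when the file is absent, so the result set no longer has a fixed shape and a missing banner file is indistinguishable from a test that was never run. Keeping the test and branching inside it preserves the row: `if (-not (Test-Path -Path '/etc/issue.net')) { return $retNonCompliantManualReviewRequired }` as the first line of `Test = {`, returning whichever status the benchmark prescribes for an absent file. Whether absence should count as compliant for 1.8.1.6 I cannot tell from the hunk, but that decision belongs in the reported status rather than in the test's presence. The same applies to the 5.2.18 wrapper added further down in this patch.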
@@ -1460,7 +1462,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.1.4"
 Task = "Ensure default zone is set"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 2) {
 return $retUsingFW2
 }
@@ -1480,7 +1481,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.1.5"
 Task = "Ensure network interfaces are assigned to appropriate zone"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 2) {
 return $retUsingFW2
 }
@@ -1495,7 +1495,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.1.6"
 Task = "Ensure unnecessary services and ports are not accepted"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 2) {
 return $retUsingFW2
 }
@@ -1505,12 +1504,14 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 return $retNonCompliantManualReviewRequired
 }
 }
+}
+### Chapter 3.5.2.X nftables
+if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 2) ){
 [AuditTest] @{
 Id = "3.5.2.1"
 Task = "Ensure nftables is installed"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1530,7 +1531,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.2"
 Task = "Ensure firewalld is not installed or stopped and masked"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1552,7 +1552,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.3"
 Task = "Ensure iptables are flushed"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1567,7 +1566,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.4"
 Task = "Ensure a table exists"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1587,7 +1585,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.5"
 Task = "Ensure base chain exist"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1609,7 +1606,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.6"
 Task = "Ensure loopback traffic is configured"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1630,7 +1626,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.7"
 Task = "Ensure outbound and established connections are configured"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1645,7 +1640,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.8"
 Task = "Ensure default deny firewall policy"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1667,7 +1661,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.9"
 Task = "Ensure nftables service is enabled"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1687,7 +1680,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.2.10"
 Task = "Ensure nftables rules are permanent"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1697,12 +1689,14 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 $retNonCompliantManualReviewRequired
 }
 }
+}
+### Chapter 3.5.3.X iptables
+if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 3) ){
 [AuditTest] @{
 Id = "3.5.3.1.1"
 Task = "Ensure iptables package is installed"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1722,7 +1716,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.1.2"
 Task = "Ensure nftables is not installed"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1742,7 +1735,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.1.3"
 Task = "Ensure firewalld is not installed or stopped and masked"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1764,7 +1756,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.2.1"
 Task = "Ensure default deny firewall policy"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1796,7 +1787,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.2.2"
 Task = "Ensure iptables loopback traffic is configured"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1816,7 +1806,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.2.3"
 Task = "Ensure outbound and established connections are configured"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1831,7 +1820,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.2.4"
 Task = "Ensure firewall rules exist for all open ports"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1846,7 +1834,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.3.1"
 Task = "Ensure IPv6 default deny firewall policy"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1881,7 +1868,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.3.2"
 Task = "Ensure IPv6 loopback traffic is configured"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1908,7 +1894,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.3.3"
 Task = "Ensure IPv6 outbound and established connections are configured"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1926,7 +1911,6 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "3.5.3.3.4"
 Task = "Ensure IPv6 firewall rules exist for all open ports"
 Test = {
- $FirewallStatus = GetFirewallStatus
 if ($FirewallStatus -match 1) {
 return $retUsingFW1
 }
@@ -1939,6 +1923,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 return $retNonCompliantManualReviewRequired
 }
 }
+}
 ## Chapter 4 Logging and Auditing
@@ -2785,6 +2770,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 }
 }
+if (Test-Path -Path '/etc/issue.net') {
 [AuditTest] @{
 Id = "5.2.18"
 Task = "Ensure SSH warning banner is configured"
@@ -2797,6 +2783,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 }
 }
 }
+}
 [AuditTest] @{
 Id = "5.2.19"
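Review bot: Gating 5.2.18 behind `if (Test-Path -Path '/etc/issue.net') {` drops the SSH banner test on exactly the hosts most likely to fail it: judging by the Task text the test checks the banner sshd is configured with, and a host with no banner file at all is the non-compliant case, yet it now yields no result rather than a failure. Move the guard inside `Test = {` and return a status, e.g. `if (-not (Test-Path -Path '/etc/issue.net')) { return $retNonCompliant }`, so the control stays in the report whatever the host looks like. The body of the test lies outside the hunk, so what it actually inspects is inferred here, not seen.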
From abac8b899b0d6c2ada462f06c246ead829702c17 Mon Sep 17 00:00:00 2001
From: svenschrader
Date: Thu, 4 Apr 2024 14:16:26 +0200
Subject: [PATCH 17/17] Permission check fix
---
 .../AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
index 27a9bbfe..27929d78 100644
--- a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
+++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
@@ -739,7 +739,7 @@ df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}
 Id = "1.8.1.5"
 Task = "Ensure permissions on /etc/issue are configured"
 Test = {
- $result = stat -L /etc/issue | grep "(0644"
+ $result = stat -L /etc/issue | grep "0644"
 if($result -ne $null){
 return $retCompliant
 } else {
@@ -753,7 +753,7 @@ if (Test-Path -Path '/etc/issue.net') {
 Id = "1.8.1.6"
 Task = "Ensure permissions on /etc/issue.net are configured"
 Test = {
- $result = stat -L /etc/issue.net | grep "(0644"
+ $result = stat -L /etc/issue.net | grep "0644"
 if($result -ne $null){
 return $retCompliant
 } else {