harbian-audit's People

Contributors

aptx4869, atastycookie, dominiquefournier, mmguero, n3o4po11o, samson-w, szepeviktor


harbian-audit's Issues

sshd parameters flagged poorly

First, really appreciate the scripts. Hard to get tools that actually work.

The way the scripts check settings for SSHD should be improved. The default parameters are mostly correct, but the scripts flag them as "not set". The script should use "sshd -T" to check the value of settings, instead of directly grepping /etc/ssh/sshd_config. This would probably clear up most problems in a default install.
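A way to check effective values the way the issue suggests, as an added example that is not part of the harbian-audit scripts: the helpers parse the lower-cased keyword/value lines that `sshd -T` prints instead of grepping sshd_config. The sample text below is constructed; on a real host you would pass them `"$(sshd -T)"` instead.

```bash
#!/bin/sh
# Constructed sample of `sshd -T` output (effective config, lower-case keywords).
# On a real host: SSHD_T=$(sshd -T 2>/dev/null)
SAMPLE_SSHD_T='port 22
permitrootlogin without-password
x11forwarding no
maxauthtries 4
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
clientaliveinterval 300'

# Print the effective value of one keyword from sshd -T style text.
# The keyword is lower-cased first because sshd -T prints keywords lower-case,
# while the check scripts tend to use the CamelCase spelling from sshd_config(5).
sshd_effective() {
    # $1 = keyword, $2 = sshd -T text
    printf '%s\n' "$2" | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# Return 0 if the keyword's effective value equals the expected string.
# A keyword that sshd -T does not print yields "" and therefore fails.
sshd_check_eq() {
    # $1 = keyword, $2 = expected value, $3 = sshd -T text
    [ "$(sshd_effective "$1" "$3")" = "$2" ]
}

# Return 0 if a numeric keyword's effective value is <= the given limit
# (e.g. MaxAuthTries 4, ClientAliveInterval 300).
sshd_check_le() {
    # $1 = keyword, $2 = limit, $3 = sshd -T text
    v=$(sshd_effective "$1" "$3")
    [ -n "$v" ] && [ "$v" -le "$2" ]
}
```

Because `sshd -T` resolves Include files, Match blocks (with `-C`) and compiled-in defaults, a default that was never written to sshd_config is still reported with its real value rather than as "not set".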

Autofix improvement: Ensure rsyslog default file permissions are configured

Rationale
It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
Remediation
Edit either /etc/rsyslog.conf or a dedicated .conf file in /etc/rsyslog.d/ and set $FileCreateMode to 0640 or more restrictive:
$FileCreateMode 0640
Restart the service:
# systemctl restart rsyslog
Description
RSyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files.
Path
/etc/rsyslog.d
Checks (Condition: all)

    d:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*\$FileCreateMode 0640
    f:/etc/rsyslog.conf -> r:^\s*\t*\$FileCreateMode 0640

14.1 grep returns line format that will never match the regex filter applied

I'm getting a false positive failure for 14.1 due to the grep method being used returning the full path of the matching lines, followed by a colon. The grep expects the line output to start with blacklist but that will never match because grepping a folder will return <full file path>:blacklist - this grep needs to either change the regex to not expect blacklist to be the first word, or it needs to parse the results with cut and remove everything up to and including the : in the returned lines.

# grep -w nf_nat_sip -r /etc/modprobe.d/* | grep "^blacklist" | wc -l
0

# grep -w nf_nat_sip -r /etc/modprobe.d/* | grep "^blacklist"

# cat /etc/modprobe.d/cis-blacklist.conf 
blacklist nf_nat_sip
blacklist nf_conntrack_sip

# grep -w nf_nat_sip -r /etc/modprobe.d/*
/etc/modprobe.d/CIS.conf:install nf_nat_sip /bin/true
/etc/modprobe.d/cis-blacklist.conf:blacklist nf_nat_sip

Debian 11 uses nftables, not iptables (like RHEL 8)

The firewall checks currently require that iptables be installed to pass, but much like the RHEL 8 STIG expectations, Debian 11 is a systemd system that leverages nftables under the hood, and these checks should be looking for nftables configuration on Debian 11+, not iptables.

9.2.16_pam_limit_password_reuse.sh contains misleading messages

Some of the detail messages for 9.2.16_pam_limit_password_reuse.sh are misleading. For example, in line 38 of the script, the option $OPTIONNAME is checked against the value $CONDT_VAL with the ge (greater than or equal to) operator. However, if the check returns 0 (success), the message used states that "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL". This message should probably be "$OPTIONNAME set condition is greater-than-or-equal-to $CONDT_VAL" instead.

There are a few more instances in the file where "less-than-or-equal-to" is used instead of "greater-than-or-equal-to". Unless I'm misunderstanding something here and the check should actually be using the le operator instead of ge, the following patch should resolve this "issue":

diff --git a/bin/hardening/9.2.16_pam_limit_password_reuse.sh b/bin/hardening/9.2.16_pam_limit_password_reuse.sh
index b59cdd0..e466375 100755
--- a/bin/hardening/9.2.16_pam_limit_password_reuse.sh
+++ b/bin/hardening/9.2.16_pam_limit_password_reuse.sh
@@ -37,11 +37,11 @@ audit () {
                ok "$PATTERN is present in $FILE"
                check_param_pair_by_pam $FILE $KEYWORD $OPTIONNAME ge $CONDT_VAL
                if [ $FNRET = 0 ]; then
-                                       ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"
+                                       ok "$OPTIONNAME set condition is greater-than-or-equal-to $CONDT_VAL"
                                        reset_ok
                                        return
                else
-                       crit "$OPTIONNAME set condition is not less-than-or-equal-to $CONDT_VAL"
+                       crit "$OPTIONNAME set condition is not greater-than-or-equal-to $CONDT_VAL"
                fi
                else
                crit "$PATTERN is not present in $FILE"
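Review bot: the new `crit "$OPTIONNAME set condition is not greater-than-or-equal-to $CONDT_VAL"` sits in the `else` of `if [ $FNRET = 0 ]`, so it is printed for every non-zero return of `check_param_pair_by_pam`, not only for the "value too small" case; the `apply ()` hunks below distinguish at least FNRET 1 (package absent) and 5 (wrong value), so an absent option is reported here as "not greater-than-or-equal-to", which is the same kind of misleading message this patch sets out to fix. Consider branching on the specific FNRET values in `audit ()` too, or wording the message as "is absent or not greater-than-or-equal-to". The wording change itself is consistent with the `ge` argument passed on the line above.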
@@ -54,7 +54,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
     if [ $FNRET = 0 ]; then
-               ok "$OPTIONNAME set condition is less-than-or-equal-to $CONDT_VAL"
+               ok "$OPTIONNAME set condition is greater-than-or-equal-to $CONDT_VAL"
     elif [ $FNRET = 1 ]; then
         crit "$PACKAGE is absent, installing it"
         install_package $PACKAGE
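Review bot: the `ok` string on the `+` line is now the third copy of the same literal across `audit ()` and `apply ()`; the drift this patch corrects happened precisely because the text is duplicated, so consider assigning it once (e.g. `OK_MSG="$OPTIONNAME set condition is greater-than-or-equal-to $CONDT_VAL"` near the other variable definitions) and using `ok "$OK_MSG"` in both functions.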
@@ -71,7 +71,7 @@ apply () {
         add_option_to_password_check $FILE $KEYWORD "$OPTIONNAME=$CONDT_VAL"
     elif [ $FNRET = 5 ]; then
         reset_option_to_password_check $FILE $KEYWORD $OPTIONNAME $CONDT_VAL 
-               crit "$OPTIONNAME set is not less-than-or-equal-to $CONDT_VAL, reset it to $CONDT_VAL"
+               crit "$OPTIONNAME set is not greater-than-or-equal-to $CONDT_VAL, reset it to $CONDT_VAL"
     fi 
 }
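Review bot: the `crit` on the `+` line reads "$OPTIONNAME set is not greater-than-or-equal-to ..." while the two earlier hunks use "set condition is not ..."; align the wording so log consumers can match one pattern. Also note the message is emitted after `reset_option_to_password_check` has already run on the line above, so it describes the pre-reset state; "was not ... , reset to $CONDT_VAL" would be accurate. The trailing whitespace on the `reset_option_to_password_check ... $CONDT_VAL ` and `fi ` context lines is pre-existing and fine to leave for a separate cleanup.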

auditd scripts only inspect /etc/audit/rules.d/audit.rules

It appears that the script files which audit the auditd configuration only ever inspect the default configuration file which is located at /etc/audit/rules.d/audit.rules. Since it is possible (and probably recommended because of updates) to create additional files in the /etc/audit/rules.d/ directory, I think it would be better to instead use the file /etc/audit/audit.rules, which is (at least on Debian 10) a file which is automatically generated from the entire contents of /etc/audit/rules.d/ when auditd is restarted or augenrules is run manually. It contains all rules, regardless of the file they were defined in, and hence would make detection of missing rules easier and less prone to false negatives.

Something you could both consider a benefit and drawback of this change is that, unless the audit.rules file is manually re-generated, it only considers the running configuration of auditd.

I generated a patch for the above-mentioned changes, however, it's also possible to make the adjustments with one simple sed command:

sed -i 's#/etc/audit/rules.d/audit.rules#/etc/audit/audit.rules#' bin/hardening/*.sh

Shadow utils checks are not possible to maintain with current requirements.

Hi there.

I'm currently fighting the harbian-audit checks for the following files:

  • /etc/shadow
  • /etc/shadow-
  • /etc/gshadow
  • /etc/gshadow-

harbian-audit expects the main files to be 640, while the backups with - at the end must be 600 - but this isn't possible to maintain. The shadow backup tools do not have a configurable UMASK, so they will always clobber the permissions of the main files. The only way for the - to maintain a 600 mode is for the main files to also have a 600 mode set. Otherwise every change to the primary file will result in the backup being clobbered to 640. There is no negative impact on these files being set to 600 from what I can tell, so both the primary check and the secondary checks should be set to 600.

Additionally, the same issue affects /etc/passwd and /etc/group and their backups - however you cannot set the main files to 600 or it breaks the system's ability to resolve the username and group names when a user logs in. I can see no way to reconcile this with the 640/600 requirements for main file/backup - these audits need to be adjusted.

Debian 11 uses pwquality, not cracklib

Debian 11 uses pwquality for password checks, not cracklib. While cracklib is available for Deb 11, it is considered the deprecated package. Checks should be preferring pwquality.

Check "4.5_enable_apparmor" too narrow

The check "4.5_enable_apparmor" from /harbian-audit/bin/hardening/4.5_enable_apparmor.sh is only checking for the kernel flags "apparmor=1" and "security=apparmor" in the file "/etc/default/grub".
But at least on Debian based systems it is possible to set these settings in configuration files at "/etc/default/grub.d/".
The check is not taking into account that these settings could be separated from the main configuration.

In general a more suitable check would be to see if the keywords are present in "/proc/cmdline".

Debian 12 errors : Current OS is not support!

In some scripts (e.g. 1.2_enable_verify_sign_packages_from_repository.sh), the value OS_RELEASE is compared to 1 for Debian but the value is 12 for Debian Bookworm and so the audit fails with "current OS is not support".

Semver

Please consider using semver.
0.1 -> 0.1.0

hardening.sh: line 275: [: missing `]`

Hi,

When exec: hardening.sh --final, I received this error: hardening.sh: line 275: [: missing ]
I checked the file hardening.sh, line 275, I did not see any missing or unpaired [ & ].
Can you please help. Thanks.

auditd check has duplicates

Note the following expressions which are checked to be present in the auditd rules configuration:

-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

The same expressions are checked by other scripts in the auditd section.
Only the "-k" flag differs, e.g. -k privileged-ssh, -k privileged-passwd, -k privileged-priv_change, -k privileged-cron
Applying all recommendations would mean overloading the auditd rules configuration with duplicates, leading to an unoptimized system.
I recommend removing the listed expressions from "/harbian-audit/bin/hardening/8.1.12_record_privileged_commands.sh" as they are covered by other checks already.
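An added example (not project code) of how the duplicates described above can be detected mechanically before rules are written: the awk pass normalises each rule by dropping its `-k` key (and the equivalent `-F key=` form) and reports rules that then collide. The rule set is constructed from the kind of lines quoted in the issue.

```bash
#!/bin/sh
# Constructed rule set: what several 8.1.x checks would collectively insert.
SAMPLE_RULES='-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
# comment lines and blanks are ignored by auditctl and by this check

-w /etc/sudoers -p wa -k scope'

# awk program shared by both helpers: skip comments/blanks, strip the key,
# and count how often each normalised rule occurs.
NORMALIZE='
    /^[[:space:]]*(#|$)/ { next }
    { line = $0
      sub(/[[:space:]]+-k[[:space:]]+[^[:space:]]+/, "", line)
      sub(/[[:space:]]+-F[[:space:]]+key=[^[:space:]]+/, "", line)
      seen[line]++ }'

# Print "<count> <rule>" for every rule that appears more than once
# once the key is ignored; these are the entries the kernel would evaluate twice.
duplicate_rules() {
    # $1 = rules text
    printf '%s\n' "$1" | awk "$NORMALIZE"' END {
        for (r in seen) if (seen[r] > 1) print seen[r], r }' | sort
}

# Number of distinct rules that would remain after de-duplication.
unique_rule_count() {
    # $1 = rules text
    printf '%s\n' "$1" | awk "$NORMALIZE"' END {
        n = 0; for (r in seen) n++; print n }'
}
```

Run it over the concatenation of everything the hardening scripts intend to append (or over the generated /etc/audit/audit.rules) to see which entries only differ in their key.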

10.1.1 and 10.1.2 checks fail even when they should pass

Checks 10.1.1 and 10.1.2 both fail in spite of the following being present in login.defs:

PASS_MAX_DAYS 60
PASS_MIN_DAYS 1

Output

hardening                 [INFO] Treating /root/harbian-audit/bin/hardening/10.1.1_set_password_exp_days.sh
10.1.1_set_password_exp_d [INFO] Working on 10.1.1_set_password_exp_days
10.1.1_set_password_exp_d [INFO] Checking Configuration
10.1.1_set_password_exp_d [INFO] Performing audit
10.1.1_set_password_exp_d [ OK ] ^PASS_MAX_DAYS[[:space:]]*60 is present in /etc/login.defs
10.1.1_set_password_exp_d [ KO ] Have least user's maxinum password lifttime is greater than 60 day
10.1.1_set_password_exp_d [ KO ] Check Failed
hardening                 [INFO] Treating /root/harbian-audit/bin/hardening/10.1.2_set_password_min_days_change.sh
10.1.2_set_password_min_d [INFO] Working on 10.1.2_set_password_min_days_change
10.1.2_set_password_min_d [INFO] Checking Configuration
10.1.2_set_password_min_d [INFO] Performing audit
10.1.2_set_password_min_d [ OK ] ^PASS_MIN_DAYS[[:space:]]*1 is present in /etc/login.defs
10.1.2_set_password_min_d [ KO ] Have least user's mininum password lifttime is not equal or less than 1 day
10.1.2_set_password_min_d [ KO ] Check Failed

Autofix improvement: Ensure journald is configured to write logfiles to persistent disk

Rationale
Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.
Remediation
Edit the /etc/systemd/journald.conf file and add the following line:
Storage=persistent
Restart the service:
# systemctl restart systemd-journald
Additional Information: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters.
Description
Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot.
Check (Condition: all)

    f:/etc/systemd/journald.conf -> r:^\s*\t*Storage=persistent

Autofix improvement: Ensure journald is configured to compress large log files

Rationale
Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts.
Remediation
Edit the /etc/systemd/journald.conf file and add the following line:
Compress=yes
Restart the service:
# systemctl restart systemd-journald
Additional Information: The main configuration file /etc/systemd/journald.conf is read before any of the custom *.conf files. If there are custom configs present, they override the main configuration parameters. It is possible to change the default threshold of 512 bytes per object before compression is used.
Description
The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.
Check (Condition: all)

    f:/etc/systemd/journald.conf -> r:^\s*\t*Compress=yes

Need extra check on blacklisted Linux kernel modules

Some kernel modules should be disabled on GNU/Linux server but the current implementation doesn't check if it's blacklisted, e.g:

2.20_disable_jffs2
2.18_disable_cramfs
2.19_disable_freevxfs
2.20_disable_jffs2
2.21_disable_hfs
2.22_disable_hfsplus
2.23_disable_squashfs

Shouldn't there be an extra check on /etc/modprobe.d/ to see if they're being blacklisted already? Autofix (--apply) could do something like adding all of them into harbian_security_workaround*.conf
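An added example, not project code, that addresses both this issue and the 14.1 grep issue above: it searches a modprobe.d directory with `grep -h` so the "file:" prefix that broke the `^blacklist` filter is dropped, and it accepts either a `blacklist <mod>` line or an `install <mod> /bin/true` line as disabling the module. The directory and its files are constructed in a temp dir so it runs offline; module names are assumed to contain no regex metacharacters.

```bash
#!/bin/sh
# Constructed /etc/modprobe.d lookalike (temp dir, removed on exit).
MODPROBE_D=$(mktemp -d)
trap 'rm -rf "$MODPROBE_D"' EXIT
printf 'install nf_nat_sip /bin/true\ninstall cramfs /bin/true\n' > "$MODPROBE_D/CIS.conf"
printf 'blacklist nf_nat_sip\nblacklist nf_conntrack_sip\n# blacklist jffs2\n' \
    > "$MODPROBE_D/cis-blacklist.conf"
printf 'options hfsplus foo=1\n' > "$MODPROBE_D/README"   # not *.conf: modprobe ignores it

# Count uncommented "blacklist <mod>" lines in $dir/*.conf.
# -h suppresses the "path:" prefix that made the original "^blacklist" grep
# return 0 for every match; the trailing group stops nf_nat matching nf_nat_sip.
count_blacklist() {
    # $1 = module name (plain, no regex metacharacters), $2 = modprobe.d directory
    grep -h -E "^[[:space:]]*blacklist[[:space:]]+$1([[:space:]]|$)" "$2"/*.conf 2>/dev/null \
        | wc -l | tr -d ' '
}

# Return 0 if the module is disabled by either mechanism modprobe honours:
#   blacklist <mod>            - stops autoloading by alias only
#   install <mod> /bin/true    - also refuses an explicit modprobe <mod>
module_disabled() {
    # $1 = module name, $2 = modprobe.d directory
    grep -h -E "^[[:space:]]*(blacklist[[:space:]]+$1|install[[:space:]]+$1[[:space:]]+/bin/(true|false))([[:space:]]|$)" \
        "$2"/*.conf >/dev/null 2>&1
}

# Print, one per line, the modules from the space-separated list $1 that are
# not yet disabled in $2: exactly the set an --apply step would need to add.
missing_modules() {
    # $1 = "mod1 mod2 ...", $2 = modprobe.d directory
    for m in $1; do
        module_disabled "$m" "$2" || printf '%s\n' "$m"
    done
}
```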
