From 91ede64dce300f8c0173a13d2ffb564daf6e3f98 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Fri, 10 Nov 2023 15:42:54 +0000
Subject: [PATCH] enh: remove ssh system sandbox check

UsePrivilegeSeparation option is deprecated. Since the oldest supported Debian distribution is Buster (10), we can safely remove this check
Fixes #212
---
 bin/hardening/99.5.2.8_ssh_sys_sandbox.sh | 98 --------------------
 tests/hardening/99.5.2.8_ssh_sys_sandbox.sh | 22 -----
 2 files changed, 120 deletions(-)
 delete mode 100755 bin/hardening/99.5.2.8_ssh_sys_sandbox.sh
 delete mode 100644 tests/hardening/99.5.2.8_ssh_sys_sandbox.sh
diff --git a/bin/hardening/99.5.2.8_ssh_sys_sandbox.sh b/bin/hardening/99.5.2.8_ssh_sys_sandbox.sh
deleted file mode 100755
index 2776f48f..00000000
--- a/bin/hardening/99.5.2.8_ssh_sys_sandbox.sh
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/bin/bash
-
-# run-shellcheck
-#
-# Legacy CIS Debian Hardening
-#
-
-#
-# 99.5.2.8 Check UsePrivilegeSeparation set to sandbox.
-#
-
-set -e # One error, it's over
-set -u # One variable unset, it's over
-
-# shellcheck disable=2034
-HARDENING_LEVEL=2
-# shellcheck disable=2034
-DESCRIPTION="Check UsePrivilegeSeparation set to sandbox."
-
-PACKAGE='openssh-server'
-OPTIONS='UsePrivilegeSeparation=sandbox'
-FILE='/etc/ssh/sshd_config'
-
-# This function will be called if the script status is on enabled / audit mode
-audit() {
- is_pkg_installed "$PACKAGE"
- if [ "$FNRET" != 0 ]; then
- ok "$PACKAGE is not installed!"
- else
- ok "$PACKAGE is installed"
- for SSH_OPTION in $OPTIONS; do
- SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
- SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
- PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
- if [ "$FNRET" = 0 ]; then
- ok "$PATTERN is present in $FILE"
- else
- crit "$PATTERN is not present in $FILE"
- fi
- done
- fi
-}
-
-# This function will be called if the script status is on enabled mode
-apply() {
- is_pkg_installed "$PACKAGE"
- if [ "$FNRET" = 0 ]; then
- ok "$PACKAGE is installed"
- else
- crit "$PACKAGE is absent, installing it"
- apt_install "$PACKAGE"
- fi
- for SSH_OPTION in $OPTIONS; do
- SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
- SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
- PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
- does_pattern_exist_in_file_nocase "$FILE" "$PATTERN"
- if [ "$FNRET" = 0 ]; then
- ok "$PATTERN is present in $FILE"
- else
- warn "$PATTERN is not present in $FILE, adding it"
- does_pattern_exist_in_file_nocase "$FILE" "^${SSH_PARAM}"
- if [ "$FNRET" != 0 ]; then
- add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
- else
- info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
- replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
- fi
- /etc/init.d/ssh reload >/dev/null 2>&1
- fi
- done
-}
-
-# This function will check config parameters required
-check_config() {
- :
-}
-
-# Source Root Dir Parameter
-if [ -r /etc/default/cis-hardening ]; then
- # shellcheck source=../../debian/default
- . /etc/default/cis-hardening
-fi
-if [ -z "$CIS_LIB_DIR" ]; then
- echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
- echo "Cannot source CIS_LIB_DIR variable, aborting."
- exit 128
-fi
-
-# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
- # shellcheck source=../../lib/main.sh
- . "${CIS_LIB_DIR}"/main.sh
-else
- echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
- exit 128
-fi
diff --git a/tests/hardening/99.5.2.8_ssh_sys_sandbox.sh b/tests/hardening/99.5.2.8_ssh_sys_sandbox.sh
deleted file mode 100644
index 060934d0..00000000
--- a/tests/hardening/99.5.2.8_ssh_sys_sandbox.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-# shellcheck shell=bash
-# run-shellcheck
-test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 1
- register_test contain "openssh-server is installed"
- # shellcheck disable=2154
- run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-
- describe Correcting situation
- # `apply` performs a service reload after each change in the config file
- # the service needs to be started for the reload to succeed
- service ssh start
- # if the audit script provides "apply" option, enable and run it
- sed -i 's/audit/enabled/' "${CIS_CONF_DIR}/conf.d/${script}.cfg"
- "${CIS_CHECKS_DIR}/${script}.sh" || true
-
- describe Checking resolved state
- register_test retvalshouldbe 0
- register_test contain "[ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config"
- run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
-}