Created
February 14, 2019 12:07
-
-
Save spajai/53ff724b4db5f7bc48c3caa506feea50 to your computer and use it in GitHub Desktop.
ubuntu linux hardening
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| echo "2.1.1 Ensure chargen services are not enabled (Scored)" | |
| if grep -R "^chargen" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "chargen services enabled in inetd" | |
| fi | |
| if grep -R "^chargen" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "chargen services enabled in xinetd" | |
| fi | |
| echo "2.1.2 Ensure daytime services are not enabled (Scored)" | |
| if grep -R "^daytime" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "daytime services enabled in inetd" | |
| fi | |
| if grep -R "^daytime" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "daytime services enabled in xinetd" | |
| fi | |
| echo "2.1.3 Ensure discard services are not enabled (Scored)" | |
| if grep -R "^discard" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "discard services enabled in inetd" | |
| fi | |
| if grep -R "^discard" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "discard services enabled in xinetd" | |
| fi | |
| echo "2.1.4 Ensure echo services are not enabled (Scored)" | |
| if grep -R "^echo" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "echo services enabled in inetd" | |
| fi | |
| if grep -R "^echo" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "echo services enabled in xinetd" | |
| fi | |
| echo "2.1.5 Ensure time services are not enabled (Scored)" | |
| if grep -R "^time" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "time services enabled in inetd" | |
| fi | |
| if grep -R "^time" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "time services enabled in xinetd" | |
| fi | |
| echo "2.1.6 Ensure rsh server is not enabled (Scored)" | |
| if grep -R "^shell" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "rsh services enabled in inetd" | |
| fi | |
| if grep -R "^shell" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "rsh services enabled in xinetd" | |
| fi | |
| if grep -R "^login" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "login services enabled in inetd" | |
| fi | |
| if grep -R "^login" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "login services enabled in xinetd" | |
| fi | |
| if grep -R "^exec" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "exec services enabled in inetd" | |
| fi | |
| if grep -R "^exec" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "exec services enabled in xinetd" | |
| fi | |
| echo "2.1.7 Ensure talk server is not enabled (Scored)" | |
| if grep -R "^talk" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "talk services enabled in inetd" | |
| fi | |
| if grep -R "^ntalk" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "ntalk services enabled in xinetd" | |
| fi | |
| echo "2.1.8 Ensure telnet server is not enabled (Scored)" | |
| if grep -R "^telnet" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "telnet services enabled in inetd" | |
| fi | |
| if grep -R "^telnet" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "telnet services enabled in xinetd" | |
| fi | |
| echo "2.1.9 Ensure tftp server is not enabled (Scored)" | |
| if grep -R "^tftp" /etc/inetd.* > /dev/null 2>&1 ; then | |
| fail "tftp services enabled in inetd" | |
| fi | |
| if grep -R "^tftp" /etc/xinetd.* > /dev/null 2>&1 ; then | |
| fail "tftp services enabled in xinetd" | |
| fi | |
| echo "2.1.10 Ensure xinetd is not enabled (Scored)" | |
| if systemctl is-enabled xinetd > /dev/null 2>&1 ; then | |
| systemctl disable xinetd | |
| fi | |
| echo "2.1.11 Ensure openbsd-inetd is not installed (Scored)" | |
| if dpkg -s openbsd-inetd > /dev/null 2>&1 ; then | |
| apt-get remove -y openbsd-inetd | |
| fi | |
| echo "2.2.1.1 Ensure time synchronization is in use (Not Scored)" | |
| if dpkg -s ntp > /dev/null 2>&1 ; then | |
| apt-get remove -y ntp | |
| fi | |
| if ! dpkg -s chrony ; then | |
| apt-get install -y chrony | |
| fi | |
| echo "2.2.1.2 Ensure ntp is configured (Scored) skipped" | |
| # We are using chrony | |
| echo "2.2.1.3 Ensure chrony is configured (Scored)" | |
| if ! grep --silent '^server 169.254.169.123' /etc/chrony/chrony.conf ; then | |
| sed -i -e '/^pool/iserver 169.254.169.123 prefer iburst' /etc/chrony/chrony.conf | |
| systemctl restart chrony | |
| fi | |
| echo "2.2.2 Ensure X Window System is not installed (Scored)" | |
| if dpkg -l xserver-xorg* ; then | |
| apt-get remove -y xserver-xorg* | |
| fi | |
| echo "2.2.3 Ensure Avahi Server is not enabled (Scored)" | |
| if systemctl is-enabled avahi-daemon > /dev/null 2>&1 ; then | |
| systemctl disable avahi-daemon | |
| fi | |
| echo "2.2.4 Ensure CUPS is not enabled (Scored)" | |
| if systemctl is-enabled cups > /dev/null 2>&1 ; then | |
| systemctl disable cups | |
| fi | |
| echo "2.2.5 Ensure DHCP Server is not enabled (Scored)" | |
| if systemctl is-enabled isc-dhcp-server > /dev/null 2>&1 ; then | |
| systemctl disable isc-dhcp-server | |
| fi | |
| if systemctl is-enabled isc-dhcp-server6 > /dev/null 2>&1 ; then | |
| systemctl disable isc-dhcp-server6 | |
| fi | |
| echo "2.2.6 Ensure LDAP server is not enabled (Scored)" | |
| if systemctl is-enabled slapd > /dev/null 2>&1 ; then | |
| systemctl disable slapd | |
| fi | |
| echo "2.2.7 Ensure NFS and RPC are not enabled (Scored)" | |
| if systemctl is-enabled nfs-server > /dev/null 2>&1 ; then | |
| systemctl disable nfs-server | |
| fi | |
| if systemctl is-enabled rpcbind > /dev/null 2>&1 ; then | |
| systemctl disable rpcbind | |
| fi | |
| echo "2.2.8 Ensure DNS Server is not enabled (Scored)" | |
| if systemctl is-enabled bind9 > /dev/null 2>&1 ; then | |
| systemctl disable bind9 | |
| fi | |
| echo "2.2.9 Ensure FTP Server is not enabled (Scored)" | |
| if systemctl is-enabled vsftpd > /dev/null 2>&1 ; then | |
| systemctl disable vsftpd | |
| fi | |
| echo "2.2.10 Ensure HTTP server is not enabled (Scored)" | |
| if systemctl is-enabled apache2 > /dev/null 2>&1 ; then | |
| systemctl disable apache2 | |
| fi | |
| echo "2.2.11 Ensure IMAP and POP3 server is not enabled (Scored)" | |
| if systemctl is-enabled dovecot > /dev/null 2>&1 ; then | |
| systemctl disable dovecot | |
| fi | |
| if systemctl is-enabled exim > /dev/null 2>&1 ; then | |
| systemctl disable exim | |
| fi | |
| if systemctl is-enabled cyrus-imap > /dev/null 2>&1 ; then | |
| systemctl disable cyrus-imap | |
| fi | |
| echo "2.2.12 Ensure Samba is not enabled (Scored)" | |
| echo "2.2.12 Ensure Samba is not enabled (Scored)" | |
| echo "2.2.12 Ensure Samba is not enabled (Scored)" | |
| if systemctl is-enabled smbd > /dev/null 2>&1 ; then | |
| systemctl disable smbd | |
| fi | |
| echo "2.2.13 Ensure HTTP Proxy Server is not enabled (Scored)" | |
| if systemctl is-enabled squid > /dev/null 2>&1 ; then | |
| systemctl disable squid | |
| fi | |
| echo "2.2.14 Ensure SNMP Server is not enabled (Scored)" | |
| if systemctl is-enabled snmpd > /dev/null 2>&1 ; then | |
| systemctl disable snmpd | |
| fi | |
| echo "2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored)" | |
| # Rather than local-only we turn it off completely | |
| if systemctl is-enabled postfix > dev/null 2>&1 ; then | |
| systemctl disable postfix | |
| fi | |
| if systemctl is-enabled sendmail > dev/null 2>&1 ; then | |
| systemctl disable sendmail | |
| fi | |
| echo "2.2.16 Ensure rsync service is not enabled (Scored)" | |
| if systemctl is-enabled rsync > dev/null 2>&1 ; then | |
| systemctl disable rsync | |
| fi | |
| echo "2.2.17 Ensure NIS Server is not enabled (Scored)" | |
| if systemctl is-enabled nis > dev/null 2>&1 ; then | |
| systemctl disable nis | |
| fi | |
| echo "2.3.1 Ensure NIS Client is not installed (Scored)" | |
| if dpkg -s nis > /dev/null 2>&1 ; then | |
| apt-get remove -y nis | |
| fi | |
| echo "2.3.2 Ensure rsh client is not installed (Scored)" | |
| if dpkg -s rsh-client > /dev/null 2>&1 ; then | |
| apt-get remove -y rsh-client | |
| fi | |
| if dpkg -s rsh-redone-client > /dev/null 2>&1 ; then | |
| apt-get remove -y rsh-redone-client | |
| fi | |
| echo "2.3.3 Ensure talk client is not installed (Scored)" | |
| if dpkg -s talk > /dev/null 2>&1 ; then | |
| apt-get remove -y talk | |
| fi | |
| echo "2.3.4 Ensure telnet client is not installed (Scored)" | |
| if dpkg -s telnet > /dev/null 2>&1 ; then | |
| apt-get remove -y telnet | |
| fi | |
| echo "2.3.5 Ensure LDAP client is not installed (Scored)" | |
| if dpkg -s ldap-utils > /dev/null 2>&1 ; then | |
| apt-get remove -y ldap-utils | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment