Merge pull request #56 from Samson-W/master

Add CIS-compliant Debian 13 support

Author: Samson-W

README-CN.md

@@ -1,7 +1,7 @@
 # harbian-audit审计与加固
 
 ## 简介 
-此项目是一个Debian GNU/Linux及CentOS 8及Ubuntu发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12及CentOS 8及Ubuntu22，其它版本未充分测试。此项目主要是针对服务器版本，对桌面版本的项没有实现。
+此项目是一个Debian GNU/Linux及CentOS 8及Ubuntu发行版加固的审计工具。主要的测试环境是基于Debian GNU/Linux 9/10/11/12/13及CentOS 8及Ubuntu22，其它版本未充分测试。此项目主要是针对服务器版本，对桌面版本的项没有实现。
 此项目的框架基于[OVH-debian-cis](https://github.com/ovh/debian-cis)，根据Debian GNU/Linux 9的一些特性进行了优化，并根据安全部署合规STIG（[STIG Red_Hat_Enterprise_Linux_7_V2R5](redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip)及[STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip)）及CIS（[cisecurity.org](https://www.cisecurity.org/)）进行了安全检查项的添加，同时也根据HardenedLinux社区就具体生产环境添加了一些安全检查项的审计功能的实现。此项目不仅具有安全项的审计功能，同时也有自动修改的功能。
 
 审计功能的使用示例： 

README.md

@@ -4,9 +4,9 @@
 
 Hardened Debian GNU/Linux and CentOS 8 distro auditing.  
 
-The main test environment is in debian GNU/Linux 9/10/11/12 and CentOS 8 and ubuntu 22, and other versions are not fully tested. There are no implementations of desktop related items in this release.
+The main test environment is in debian GNU/Linux 9/10/11/12/13 and CentOS 8 and ubuntu 22, and other versions are not fully tested. There are no implementations of desktop related items in this release.
 
-The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9/10/11/12 and CentOS 8, added and implemented check items for [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed. 
+The code framework is based on the [OVH-debian-cis](https://github.com/ovh/debian-cis) project, Modified some of the original implementations according to the features of Debian 9/10/11/12/13 and CentOS 8, added and implemented check items for [STIG Red_Hat_Enterprise_Linux_7_V2R5](https://github.com/hardenedlinux/STIG-OS-mirror/blob/master/redhat-STIG-DOCs/U_Red_Hat_Enterprise_Linux_7_V2R5_STIG.zip) [STIG Ubuntu V1R2](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R2_STIG.zip) and [cisecurity.org](https://www.cisecurity.org/) recommendations, and also added and implemented some check items by the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and the automatic fix function is implemented for the items that can be automatically fixed.
 
 
 ```console
@@ -47,12 +47,12 @@ hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening
 1.1_install_updates       [ OK ] Check Passed
 [...]
 ################### SUMMARY ###################
-      Total Available Checks : 270
-         Total Runned Checks : 270
-         Total Passed Checks : [ 226/270 ]
-         Total Failed Checks : [  44/270 ]
+      Total Available Checks : 284
+         Total Runned Checks : 284
+         Total Passed Checks : [ 260/284 ]
+         Total Failed Checks : [  24/284 ]
    Enabled Checks Percentage : 100.00 %
-       Conformity Percentage : 83.70 %
+       Conformity Percentage : 91.55 %
 # bin/hardening.sh --set-hardening-level 5
 # bin/hardening.sh --apply 
 hardening                 [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
@@ -181,7 +181,7 @@ Set the corresponding firewall rules according to the applications used. Hardene
 
 ### Iptabels format rules:
 [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh)
-to do the following:
+First install the iptables-persistent package, then to do the following:
 ```
 $ INTERFACENAME="your network interfacename(Example eth0)"
 # bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME

bin/hardening.sh

@@ -240,6 +240,8 @@ elif [ $OS_RELEASE -eq 11 ]; then
 	info "Start auditing for Debian11."
 elif [ $OS_RELEASE -eq 12 ]; then
 	info "Start auditing for Debian12."
+elif [ $OS_RELEASE -eq 13 ]; then
+	info "Start auditing for Debian13."
 elif [ $OS_RELEASE -eq 2 ]; then
 	info "Start auditing for redhat/CentOS."
 elif [ $OS_RELEASE -eq 3 ]; then
@@ -276,7 +278,12 @@ if [ $FINAL_G_CONFIG -eq 1 ]; then
 		aide --init
 	else
 		aide --config /etc/aide/aide.conf --init
-        mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+	is_debian_13
+	if [ $FNRET -eq 0 ]; then
+	    :
+    	else
+            mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+	fi
 	fi
 	exit 0
 fi

bin/hardening/1.1_install_updates.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
+# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
 # Modify by: Samson-W (samson@hardenedlinux.org)
 #
 

bin/hardening/1.2_enable_verify_sign_packages_from_repository.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
+# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
 #
 
 #

bin/hardening/1.3_enable_verify_sign_of_local_packages.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
+# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
 #
 
 #

bin/hardening/1.4_set_no_allow_insecure_repository_by_apt.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# harbian-audit for Debian GNU/Linux Debian 9/10/11/12 or CentOS 8 Hardening
+# harbian-audit for Debian GNU/Linux Debian 9/10/11/12/13 or CentOS 8 Hardening
 #
 
 #

bin/hardening/1.5.11_ensure_core_file_size_configured.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 13
+#
+
+#
+# 1.5.11 Ensure core file size is configured
+#
+
+set -e
+set -u
+
+HARDENING_LEVEL=2
+
+
+
+
+audit () {
+    is_debian_ge_13
+    if [ $FNRET = 0 ]; then
+        file_limit_check '* hard core 0'
+    else
+        ok "Rule is not applicable to OS versions prior to Debian 13."
+        FNRET=0
+    fi
+}
+
+apply () {
+    # The main framework automatically calls audit() first to set FNRET based on the current system state.
+    # Therefore, we just use the existing $FNRET instead of calling is_debian_ge_13 again which would clobber it.
+    if [ $FNRET = 0 ]; then
+        ok "Already compliant. Nothing to apply for 1.5.11 Ensure core file size is configured."
+    elif [ $FNRET != 0 ]; then
+        is_debian_ge_13
+        local is_supported=$FNRET
+        if [ $is_supported = 0 ]; then
+            file_limit_apply '* hard core 0'
+        else
+            ok "Rule is not applicable to OS versions prior to Debian 13."
+        fi
+    fi
+}
+
+check_config() {
+    :
+}
+
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory?"
+    exit 128
+fi

bin/hardening/1.5.12_ensure_systemd_coredump_processsizemax.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 13
+#
+
+#
+# 1.5.12 Ensure systemd-coredump ProcessSizeMax is configured
+#
+
+set -e
+set -u
+
+HARDENING_LEVEL=2
+
+
+
+
+audit () {
+    is_debian_ge_13
+    if [ $FNRET = 0 ]; then
+        check_param_pair_by_str '/etc/systemd/coredump.conf' 'ProcessSizeMax' '0'
+        if [ $FNRET = 0 ]; then
+            ok "Parameter is correctly set"
+        else
+            crit "Parameter is missing or incorrect"
+        fi
+
+    else
+        ok "Rule is not applicable to OS versions prior to Debian 13."
+        FNRET=0
+    fi
+}
+
+apply () {
+    # The main framework automatically calls audit() first to set FNRET based on the current system state.
+    # Therefore, we just use the existing $FNRET instead of calling is_debian_ge_13 again which would clobber it.
+    if [ $FNRET = 0 ]; then
+        ok "Already compliant. Nothing to apply for 1.5.12 Ensure systemd-coredump ProcessSizeMax is configured."
+    elif [ $FNRET != 0 ]; then
+        is_debian_ge_13
+        local is_supported=$FNRET
+        if [ $is_supported = 0 ]; then
+            replace_in_file_custom '/etc/systemd/coredump.conf' '^#?ProcessSizeMax.*' 'ProcessSizeMax=0'
+        else
+            ok "Rule is not applicable to OS versions prior to Debian 13."
+        fi
+    fi
+}
+
+check_config() {
+    :
+}
+
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory?"
+    exit 128
+fi

bin/hardening/1.5.13_ensure_systemd_coredump_storage.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 13
+#
+
+#
+# 1.5.13 Ensure systemd-coredump Storage is configured
+#
+
+set -e
+set -u
+
+HARDENING_LEVEL=2
+
+
+
+
+audit () {
+    is_debian_ge_13
+    if [ $FNRET = 0 ]; then
+        check_param_pair_by_str '/etc/systemd/coredump.conf' 'Storage' 'none'
+        if [ $FNRET = 0 ]; then
+            ok "Parameter is correctly set"
+        else
+            crit "Parameter is missing or incorrect"
+        fi
+
+    else
+        ok "Rule is not applicable to OS versions prior to Debian 13."
+        FNRET=0
+    fi
+}
+
+apply () {
+    # The main framework automatically calls audit() first to set FNRET based on the current system state.
+    # Therefore, we just use the existing $FNRET instead of calling is_debian_ge_13 again which would clobber it.
+    if [ $FNRET = 0 ]; then
+        ok "Already compliant. Nothing to apply for 1.5.13 Ensure systemd-coredump Storage is configured."
+    elif [ $FNRET != 0 ]; then
+        is_debian_ge_13
+        local is_supported=$FNRET
+        if [ $is_supported = 0 ]; then
+            replace_in_file_custom '/etc/systemd/coredump.conf' '^#?Storage.*' 'Storage=none'
+        else
+            ok "Rule is not applicable to OS versions prior to Debian 13."
+        fi
+    fi
+}
+
+check_config() {
+    :
+}
+
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+    echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory?"
+    exit 128
+fi