#!/bin/bash
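#######################################
# Forget the SSH host key cached for the VM endpoint.
# The VM is reached through a localhost port-forward, so the known_hosts
# entry is "[127.0.0.1]:<port>"; a reinstalled VM presents a new key and a
# stale pinned entry would make every later ssh fail.
# NOTE(review): dropping the pin means the next connection re-learns
# whatever key is offered (ssh.exp evidently accepts new keys, given the
# "Permanently added" lines ssh_exec filters out). Acceptable for a
# loopback lab VM; do not copy this pattern for real hosts.
# Arguments: $1 - forwarded port (default 4242, matching ssh_exec)
# Outputs:   nothing; ssh-keygen's output is discarded
# Returns:   ssh-keygen's exit status
#######################################
ssh_clean() {
  local port=${1:-4242}
  ssh-keygen -R "[127.0.0.1]:${port}" >/dev/null 2>&1
}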
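#######################################
# Run a command on the VM as a normal user and print its output.
# Drives ./ssh.exp (an expect wrapper, not shown here) against
# 127.0.0.1:<port>. The password is handed over in the SSHPASS environment
# variable rather than on the command line, so it does not show up in
# `ps`; it is still readable by anything that can inspect this process's
# environment, and `set -x` would print it — keep tracing off.
# The banner, password-prompt and "spawn" lines that the pty session adds
# are filtered out so callers only see the remote command's output.
# Arguments: $1 - forwarded port   (default 4242)
#            $2 - VM login         (default marvin)
#            $3 - VM password      (default Born2beWild, the lab image's
#                                   stock password; see also main)
#            $4... - remote command and its arguments, passed verbatim
# Outputs:   filtered remote output (stderr merged) on stdout
# Returns:   status of the final grep, not of the remote command
#######################################
ssh_exec() {
  local port=${1:-4242}
  local login=${2:-marvin}
  local pass=${3:-Born2beWild}
  # Drop the (up to) three credential slots; whatever remains is the
  # remote command. Clamped so a short call does not trip shift's error.
  shift "$(( $# < 3 ? $# : 3 ))"

  export SSHPASS="${pass}"
  # "$@" keeps each remote argument as one word (a bare $@ would re-split
  # arguments that contain spaces).
  ./ssh.exp -p "${port}" "${login}@127.0.0.1" "$@" 2>&1 \
    | grep -v -i -e '^Warning: Permanently added' -e ' password:' -e '^spawn ssh'
}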
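#######################################
# Run a command on the VM under sudo and print its output.
# Same transport as ssh_exec but through ./ssh_sudo.exp (not shown), which
# presumably also answers sudo's password prompt with SSHPASS — confirm
# against that script. The password goes through the environment, not
# argv; keep `set -x` off around calls.
# Only the two interactive prompts are filtered out: ssh's
# "...'s password:" and sudo's "[sudo] password for <user>:". A blanket
# 'password' filter would also swallow real output such as chage's
# "... password change" lines, which main's root-ageing check reads.
# Arguments: $1 - forwarded port   (default 4242)
#            $2 - VM login         (default marvin)
#            $3 - VM password      (default Born2beWild, lab stock password)
#            $4... - command to run under sudo, passed verbatim
# Outputs:   filtered remote output (stderr merged) on stdout
# Returns:   status of the final grep, not of the remote command
#######################################
ssh_sudo() {
  local port=${1:-4242}
  local login=${2:-marvin}
  local pass=${3:-Born2beWild}
  # Drop the (up to) three credential slots; the rest is the sudo command.
  shift "$(( $# < 3 ? $# : 3 ))"

  export SSHPASS="${pass}"
  ./ssh_sudo.exp -p "${port}" "${login}@127.0.0.1" sudo "$@" 2>&1 \
    | grep -v -i -e '^Warning: Permanently added' -e ' password:' -e 'password for ' -e '^spawn ssh' -e 'Connection to'
}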
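#######################################
# Interactive entry point: ask for the VM login and password, then run
# every check over SSH against 127.0.0.1:<port> and print one "OK:"/"KO:"
# line per check. A failed check does not stop the run.
# Globals:   USER (fallback login); SSHPASS is exported by ssh_exec/ssh_sudo
# Arguments: $1 - host-side port the VM's sshd is forwarded to
#                 (default 4242). The in-VM checks (sshd Port, ss, ufw)
#                 still expect the guest to listen on 4242, as the lab
#                 requires, so that value stays hard-coded below.
# Outputs:   prompts and OK/KO lines on stdout
# Returns:   status of the last check's echo (0 in practice)
#######################################
main() {
  local port=${1:-4242}
  local login pass
  local os_release lsblk_out lvm_count sshd_config user_chage root_chage login_defs ufw_status

  printf '%s' "Username: "
  read -r login
  if [[ -z "${login}" ]]; then
    login=$(git config user.name || echo "${USER}")
  fi

  # -s keeps the password off the terminal, -r keeps backslashes literal.
  printf '%s' "Password: "
  read -rs pass
  if [[ -z "${pass}" ]]; then
    pass="Born2beWild"   # lab image's stock password; same fallback as ssh_exec
  fi
  echo ""

  # Forget any stale host key for this port-forward before connecting
  # (a reinstalled VM presents a new key).
  ssh_clean "${port}"

  # Hostname must start with <login>42 (prefix match on any output line).
  if ssh_exec "${port}" "${login}" "${pass}" hostname -s | grep -q "^${login}42"; then
    echo "OK: Hostname is ${login}42"
  else
    echo "KO: Unexpected hostname (should be ${login}42)"
  fi

  # /etc/os-release is fetched once and reused by the two distro checks.
  os_release=$(ssh_exec "${port}" "${login}" "${pass}" cat /etc/os-release)

  if grep -q -i -E "(CentOS|Debian)" <<<"${os_release}"; then
    echo "OK: Debian or CentOS installed"
  else
    echo "KO: Unknown Linux distribution"
  fi

  # Debian 11 (bullseye) or CentOS 8 (VERSION_ID="8").
  if grep -q -i -E '(bullseye|"8")' <<<"${os_release}"; then
    echo "OK: Using stable distro"
  else
    echo "KO: Not using stable distro"
  fi

  # Either MAC system counts: aa-status on Debian, sestatus on CentOS.
  # "[^e]*enabled" keeps "disabled" from matching.
  if ssh_exec "${port}" "${login}" "${pass}" /usr/sbin/aa-status | grep -q -i -E "apparmor module is loaded" \
    || ssh_exec "${port}" "${login}" "${pass}" sestatus | grep -q -i -E "SELinux status:[^e]*enabled"; then
    echo "OK: AppArmor or SELinux is active"
  else
    echo "KO: No AppArmor or SELinux is active"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" lspci | grep -q -i -E "(VirtualBox|QEMU)"; then
    echo "OK: VirtualBox or UTM QEMU"
  else
    echo "KO: Unexpected Virtual Machine"
  fi

  # No graphical stack: neither dpkg (Debian) nor rpm (CentOS) may list X.
  if ssh_exec "${port}" "${login}" "${pass}" dpkg -l | grep -q -i -E "(xserver|xorg)" \
    || ssh_exec "${port}" "${login}" "${pass}" rpm -qa | grep -q -i -E "(xserver|xorg)"; then
    echo "KO: X server is present"
  else
    echo "OK: No X server"
  fi

  # lsblk is fetched once for the encryption and LVM checks.
  lsblk_out=$(ssh_exec "${port}" "${login}" "${pass}" lsblk)

  # A "*_crypt" device is how an opened LUKS volume shows up in lsblk.
  if grep -q -i -E "_crypt" <<<"${lsblk_out}"; then
    echo "OK: Disk is encrypted"
  else
    echo "KO: Disk is not encrypted"
  fi

  # Compare the count numerically: a pattern such as '^[2-9]' would
  # reject a machine with ten or more LVM volumes.
  lvm_count=$(grep -c "lvm" <<<"${lsblk_out}")
  if [[ "${lvm_count}" -ge 2 ]]; then
    echo "OK: Two or more partitions use LVM"
  else
    echo "KO: Less than two or no partitions use LVM"
  fi

  # sshd must listen on 4242 and refuse root logins. Whitespace between
  # keyword and value is free-form in sshd_config; the trailing
  # "[[:space:]]*$" anchors the value so "Port 42420" is not accepted and
  # tolerates the \r that the pty session appends to each line.
  sshd_config=$(ssh_exec "${port}" "${login}" "${pass}" cat /etc/ssh/sshd_config)
  if grep -q -i -E '^Port[[:space:]]+4242[[:space:]]*$' <<<"${sshd_config}" \
    && grep -q -i -E '^PermitRootLogin[[:space:]]+no[[:space:]]*$' <<<"${sshd_config}"; then
    echo "OK: SSH config is correctly setup"
  else
    echo "KO: SSH config is not correctly setup"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" groups "${login}" | grep -q -E "( user42.* sudo| sudo.* user42)"; then
    echo "OK: ${login} is member of both user42 and sudo groups"
  else
    echo "KO: ${login} is not member of both user42 and sudo groups"
  fi

  # chage -l prints "<label>\t\t: <value>"; anchoring the value keeps
  # e.g. ": 300" from passing as ": 30".
  user_chage=$(ssh_exec "${port}" "${login}" "${pass}" chage -l "${login}")
  if grep -q -i -E '^Maximum number of days between password change.*: 30[[:space:]]*$' <<<"${user_chage}" \
    && grep -q -i -E '^Minimum number of days between password change.*: 2[[:space:]]*$' <<<"${user_chage}" \
    && grep -q -i -E '^Number of days of warning before password expires.*: 7[[:space:]]*$' <<<"${user_chage}"; then
    echo "OK: Password expiration for ${login} is correct"
  else
    echo "KO: Password expiration for ${login} is wrong"
  fi

  # Reading root's ageing needs sudo. NOTE(review): the expected maximum
  # is 31 here against 30 for ${login}; kept as found — confirm it is
  # intended. This check can only pass if ssh_sudo passes lines containing
  # the word "password" through to the caller.
  root_chage=$(ssh_sudo "${port}" "${login}" "${pass}" chage -l root)
  if grep -q -i -E '^Maximum number of days between password change.*: 31[[:space:]]*$' <<<"${root_chage}" \
    && grep -q -i -E '^Minimum number of days between password change.*: 2[[:space:]]*$' <<<"${root_chage}" \
    && grep -q -i -E '^Number of days of warning before password expires.*: 7[[:space:]]*$' <<<"${root_chage}"; then
    echo "OK: Password expiration for root is correct"
  else
    echo "KO: Password expiration for root is wrong"
  fi

  # login.defs separates keyword and value with tabs; "[[:space:]]+" is
  # portable where "\t" inside an ERE is not (GNU and BSD grep do not read
  # it as a tab), and the end anchor rejects e.g. "PASS_MAX_DAYS 300".
  login_defs=$(ssh_exec "${port}" "${login}" "${pass}" cat /etc/login.defs)
  if grep -q -i -E '^PASS_MAX_DAYS[[:space:]]+30[[:space:]]*$' <<<"${login_defs}" \
    && grep -q -i -E '^PASS_MIN_DAYS[[:space:]]+2[[:space:]]*$' <<<"${login_defs}" \
    && grep -q -i -E '^PASS_WARN_AGE[[:space:]]+7[[:space:]]*$' <<<"${login_defs}"; then
    echo "OK: Password expiration policy is correct"
  else
    echo "KO: Password expiration policy is wrong"
  fi

  # NOTE(review): run unprivileged, "ss -p" cannot name root's sshd; the
  # "ssh" match then depends on "-e" printing the cgroup (e.g.
  # ssh.service) on recent iproute2. If this reports KO on a correct VM,
  # run it through ssh_sudo instead.
  if ssh_exec "${port}" "${login}" "${pass}" ss -tunlpe | grep -q -E "LISTEN.*:4242.*ssh"; then
    echo "OK: ssh running on 4242"
  else
    echo "KO: ssh not running on 4242"
  fi

  # ufw status needs root; fetched once for both firewall checks.
  ufw_status=$(ssh_sudo "${port}" "${login}" "${pass}" /usr/sbin/ufw status)

  if grep -q -E "Status: active" <<<"${ufw_status}"; then
    echo "OK: Firewall ufw is active"
  else
    echo "KO: No firewall ufw is active"
  fi

  if grep -q -E "4242.*ALLOW.*Anywhere" <<<"${ufw_status}"; then
    echo "OK: Firewall allow port 4242 from anywhere"
  else
    echo "KO: Firewall does not allow port 4242 from anywhere"
  fi
}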
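# Forward the script's arguments to main as separate words ("$@", not a
# bare $@, so an argument with spaces survives) and exit with its status.
main "$@"
exit $?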
#42