41 lines
1.1 KiB
Bash
41 lines
1.1 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
set -euo pipefail
|
|
|
|
# Function to check if hardening has been applied correctly
|
|
check_hardening() {
|
|
local sysctl_conf="/usr/etc/sysctl.d/hardening.conf"
|
|
local bwrap="/usr/bin/bwrap"
|
|
|
|
# Check for the presence of user namespace hardening
|
|
if grep -q "user.max_user_namespaces = 0" "$sysctl_conf" &&
|
|
grep -q "kernel.unprivileged_userns_clone = 0" "$sysctl_conf"; then
|
|
printf "Hardening settings are correctly applied in %s\n" "$sysctl_conf"
|
|
else
|
|
printf "Hardening settings are missing or incorrect in %s\n" "$sysctl_conf" >&2
|
|
return 1
|
|
fi
|
|
|
|
# Check ownership and SUID bit of bwrap
|
|
if [ "$(stat -c '%U' "$bwrap")" = "root" ] && [ "$(stat -c '%a' "$bwrap")" -eq 4755 ]; then
|
|
printf "%s ownership and permissions are correctly set\n" "$bwrap"
|
|
else
|
|
printf "%s ownership or permissions are incorrect\n" "$bwrap" >&2
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Main function to orchestrate the checks
|
|
main() {
|
|
set -euo pipefail
|
|
|
|
# Perform the checks
|
|
if ! check_hardening; then
|
|
printf "Hardening checks failed\n" >&2
|
|
exit 1
|
|
else
|
|
printf "All hardening checks passed\n"
|
|
fi
|
|
}
|
|
|
|
main "$@"
|