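#!/bin/bash
# Automated Compliance Verification Script
# Verifies all compliance controls are properly implemented
#
# Usage: run as root on the built image; exit status 0 means compliant,
# 1 means failed or partially compliant controls remain (see summary).
#
# -e aborts on any unhandled failure. The reporters below therefore always
# return 0 on their own, and the check_* helpers are only meant to be run
# inside a conditional (if / && / ||), where -e is suspended.
set -e

# Color codes (ANSI escapes, expanded with printf '%b' by the reporters)
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Results tracking (globals written by pass/fail/warn, read by the summary)
TOTAL=0
COMPLIANT=0
NON_COMPLIANT=0
PARTIALLY_COMPLIANT=0

#######################################
# Print an informational line.
# Arguments: $1 - message
# Outputs:   "[INFO] message" on stdout
# Returns:   0
#######################################
log() {
  printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"
}

#######################################
# Record a compliant control.
# Globals:   TOTAL, COMPLIANT (incremented)
# Arguments: $1 - message
# Outputs:   "[PASS] message" on stdout
# Returns:   0 always. The previous ((TOTAL++)) form returns 1 when the old
#            value is 0, so the very first pass()/warn() returned non-zero and
#            a `check && pass || fail` chain then ran fail() as well.
#######################################
pass() {
  printf '%b[PASS]%b %s\n' "$GREEN" "$NC" "$1"
  TOTAL=$((TOTAL + 1))
  COMPLIANT=$((COMPLIANT + 1))
  return 0
}

#######################################
# Record a non-compliant control.
# Globals:   TOTAL, NON_COMPLIANT (incremented)
# Arguments: $1 - message
# Outputs:   "[FAIL] message" on stdout
# Returns:   0 always
#######################################
fail() {
  printf '%b[FAIL]%b %s\n' "$RED" "$NC" "$1"
  TOTAL=$((TOTAL + 1))
  NON_COMPLIANT=$((NON_COMPLIANT + 1))
  return 0
}

#######################################
# Record a partially compliant control.
# Globals:   TOTAL, PARTIALLY_COMPLIANT (incremented)
# Arguments: $1 - message
# Outputs:   "[WARN] message" on stdout
# Returns:   0 always
#######################################
warn() {
  printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$1"
  TOTAL=$((TOTAL + 1))
  PARTIALLY_COMPLIANT=$((PARTIALLY_COMPLIANT + 1))
  return 0
}

#######################################
# Test whether a regular file exists.
# Arguments: $1 - path
# Returns:   0 if $1 is a regular file, 1 otherwise
#######################################
check_file() {
  [ -f "$1" ]
}

#######################################
# Test a systemd unit against an expected state.
# Arguments: $1 - unit name
#            $2 - enabled | disabled | active | inactive
# Returns:   0 if the unit is in the requested state, non-zero otherwise;
#            2 for an unknown state name (the old code silently returned 0).
# NOTE: "disabled"/"inactive" are satisfied by any non-zero systemctl status,
#       so a unit that does not exist, or a host without systemctl (e.g. a
#       chroot), also counts as disabled/inactive.
#######################################
check_service() {
  local service=$1
  local state=$2
  case "$state" in
    enabled)
      systemctl is-enabled "$service" >/dev/null 2>&1
      ;;
    disabled)
      ! systemctl is-enabled "$service" >/dev/null 2>&1
      ;;
    active)
      systemctl is-active "$service" >/dev/null 2>&1
      ;;
    inactive)
      ! systemctl is-active "$service" >/dev/null 2>&1
      ;;
    *)
      printf 'check_service: unknown state "%s" for %s\n' "$state" "$service" >&2
      return 2
      ;;
  esac
}

#######################################
# Test whether a file contains a literal string.
# Arguments: $1 - path
#            $2 - text to look for (fixed string, not a regex)
# Returns:   0 if found, non-zero if absent or the file is unreadable
# Every caller passes a literal setting such as "net.ipv4.ip_forward = 0";
# -F keeps the dots from acting as regex wildcards. A commented-out line
# containing the text still matches (known limitation).
#######################################
check_file_content() {
  local file=$1
  local pattern=$2
  grep -qF -- "$pattern" "$file" 2>/dev/null
}

echo "================================================"
echo "Automated Compliance Verification"
echo "================================================"
echo ""

# ============================================================================
# CIS DEBIAN 13 BENCHMARK VERIFICATION
# ============================================================================
echo "Verifying CIS Debian 13 Benchmark Implementation..."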
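echo ""

#######################################
# Run a check command and record PASS or FAIL.
# Arguments: $1 - message on success
#            $2 - message on failure
#            $3.. - check command and its arguments
# Outputs:   one line via pass()/fail()
# Returns:   0 always
# Why not `check && pass || fail`: in that chain fail() also runs whenever
# pass() returns non-zero, which miscounts the control.
#######################################
verify() {
  local ok_msg=$1 bad_msg=$2
  shift 2
  if "$@"; then
    # `|| true`: the reporters only print and count; their status must never
    # abort the run under set -e.
    pass "$ok_msg" || true
  else
    fail "$bad_msg" || true
  fi
}

#######################################
# Like verify(), but a miss is recorded as a WARN (partial compliance).
# Arguments: $1 - message on success, $2 - message on miss, $3.. - command
# Returns:   0 always
#######################################
verify_soft() {
  local ok_msg=$1 warn_msg=$2
  shift 2
  if "$@"; then
    pass "$ok_msg" || true
  else
    warn "$warn_msg" || true
  fi
}

# Returns 0 if any of the given paths is a regular file.
check_any_file() {
  local path
  for path in "$@"; do
    if check_file "$path"; then
      return 0
    fi
  done
  return 1
}

# Returns 0 if $1 is a regular file whose octal mode equals one of $2..
# (e.g. `file_mode_is /etc/shadow 640 000`). The old check compared the mode
# against the literal string "640\|000", which never matched.
file_mode_is() {
  local file=$1 mode want
  shift
  [ -f "$file" ] || return 1
  mode=$(stat -c '%a' -- "$file" 2>/dev/null) || return 1
  for want in "$@"; do
    if [ "$mode" = "$want" ]; then
      return 0
    fi
  done
  return 1
}

# Returns 0 if the runtime value of sysctl key $1 equals $2.
sysctl_is() {
  [ "$(sysctl -n "$1" 2>/dev/null)" = "$2" ]
}

# Section 1: Filesystems
echo "Section 1: Filesystems Configuration"
verify "1.1.1: Network filesystems disabled in modprobe" \
  "1.1.1: Network filesystems not disabled" \
  check_file /etc/modprobe.d/no-network-fs.conf
verify "1.1.1: NFS specifically disabled" \
  "1.1.1: NFS not disabled" \
  check_file_content /etc/modprobe.d/no-network-fs.conf "install nfs /bin/true"

# Section 3: Network Configuration
echo ""
echo "Section 3: Network Configuration"
verify "3.x: Kernel hardening configuration present" \
  "3.x: Kernel hardening configuration missing" \
  check_file /etc/sysctl.d/99-cis-hardening.conf
verify "3.1.1: IP forwarding disabled" \
  "3.1.1: IP forwarding not disabled" \
  check_file_content /etc/sysctl.d/99-cis-hardening.conf "net.ipv4.ip_forward = 0"
verify "3.2.8: TCP SYN cookies enabled" \
  "3.2.8: TCP SYN cookies not enabled" \
  check_file_content /etc/sysctl.d/99-cis-hardening.conf "net.ipv4.tcp_syncookies = 1"

# Section 4: Logging and Auditing
echo ""
echo "Section 4: Logging and Auditing"
verify "4.1.2: Comprehensive audit rules configured" \
  "4.1.2: Audit rules not configured" \
  check_file /etc/audit/rules.d/cis-audit.rules
verify "4.1.1: Rsyslog security logging configured" \
  "4.1.1: Rsyslog logging not configured" \
  check_file /etc/rsyslog.d/50-cis-logging.conf
verify "4.1.1.7: Log rotation configured" \
  "4.1.1.7: Log rotation not configured" \
  check_file /etc/logrotate.d/cis-logs

# Section 5: Access Control
echo ""
echo "Section 5: Access Control"
verify "5.4.1.1: Password quality requirements configured" \
  "5.4.1.1: Password quality not configured" \
  check_file /etc/security/pwquality.conf
verify "5.4.2: Login configuration present" \
  "5.4.2: Login configuration missing" \
  check_file /etc/login.defs
# NOTE(review): current Debian ships ENCRYPT_METHOD YESCRYPT by default; an
# image left on yescrypt is reported non-compliant here — confirm intended.
verify "5.4.2: Password hashing set to SHA-512" \
  "5.4.2: Password hashing not SHA-512" \
  check_file_content /etc/login.defs "ENCRYPT_METHOD SHA512"
verify "5.4.1: PAM password hardening configured" \
  "5.4.1: PAM password hardening missing" \
  check_file /etc/pam.d/common-password-cis
verify "5.5: Sudo hardening configured" \
  "5.5: Sudo hardening missing" \
  check_file /etc/sudoers.d/cis-hardening

# ============================================================================
# CMMC LEVEL 3 VERIFICATION
# ============================================================================
echo ""
echo "Verifying CMMC Level 3 Implementation..."
echo ""

# AC - Access Control
echo "AC Domain: Access Control"
verify "AC.6: Least privilege sudo configuration" \
  "AC.6: Least privilege not configured" \
  check_file /etc/sudoers.d/cis-hardening

# AU - Audit and Accountability
echo "AU Domain: Audit and Accountability"
verify "AU.2: Comprehensive audit rules" \
  "AU.2: Audit rules not implemented" \
  check_file /etc/audit/rules.d/cis-audit.rules
verify "AU.x: Auditd service enabled" \
  "AU.x: Auditd not enabled" \
  check_service auditd enabled

# CM - Configuration Management
echo "CM Domain: Configuration Management"
verify "CM.6: File integrity monitoring configured" \
  "CM.6: File integrity monitoring not configured" \
  check_file /etc/aide.conf

# SC - System and Communications Protection
echo "SC Domain: System and Communications Protection"
# The old `check_file … || pass … || warn …` was inverted: a present config
# printed nothing and a missing one printed PASS.
verify_soft "SC.8: WireGuard VPN configured (in overlay)" \
  "SC.8: WireGuard config not in overlay" \
  check_file /etc/wireguard/wg0.conf
verify "SC.7: Firewall rules configured" \
  "SC.7: Firewall rules not configured" \
  check_file /etc/iptables/rules.v4

# SI - System and Information Integrity
echo "SI Domain: System and Information Integrity"
verify "SI.7: File integrity checking tools" \
  "SI.7: FIM not configured" \
  check_file /etc/aide.conf

# ============================================================================
# FEDRAMP MODERATE VERIFICATION
# ============================================================================
echo ""
echo "Verifying FedRAMP Moderate Implementation..."
echo ""

# AC-2: Account Management (either lockout or PAM password config suffices)
verify "AC-2: Account management controls" \
  "AC-2: Account management not configured" \
  check_any_file /etc/security/faillock.conf /etc/pam.d/common-password-cis

# AU-6: Audit Review
verify "AU-6: Audit logging and review capability" \
  "AU-6: Audit review not configured" \
  check_file /etc/rsyslog.d/50-cis-logging.conf

# CM-2: Baseline Configuration
verify "CM-2: Security baseline configuration" \
  "CM-2: Security baseline not configured" \
  check_file /etc/sysctl.d/99-cis-hardening.conf

# SI-2: Flaw Remediation
# NOTE(review): images using deb822 sources (/etc/apt/sources.list.d/*.sources)
# have no /etc/apt/sources.list and fail this check — confirm intended.
verify "SI-2: Package management for updates" \
  "SI-2: Package management not configured" \
  check_file /etc/apt/sources.list

# ============================================================================
# SECURITY CONTROL VERIFICATION
# ============================================================================
echo ""
echo "Verifying Security Controls..."
echo ""

# Service States
echo "Service Configuration"
verify "SSH service disabled" "SSH not disabled" check_service ssh disabled
verify "SSHD service disabled" "SSHD not disabled" check_service sshd disabled
verify "Auditd enabled" "Auditd not enabled" check_service auditd enabled
verify "Rsyslog enabled" "Rsyslog not enabled" check_service rsyslog enabled

# File Permissions
echo ""
echo "File Security"
verify_soft "Permissions on /etc/passwd correct" \
  "/etc/passwd permissions may not be correct" \
  file_mode_is /etc/passwd 644
verify_soft "Permissions on /etc/shadow correct" \
  "/etc/shadow permissions may not be correct" \
  file_mode_is /etc/shadow 640 000

# Kernel Parameters (runtime values, as opposed to the sysctl.d file above)
echo ""
echo "Kernel Hardening"
verify "IP forwarding disabled (runtime)" \
  "IP forwarding not disabled" \
  sysctl_is net.ipv4.ip_forward 0
verify "TCP SYN cookies enabled (runtime)" \
  "TCP SYN cookies not enabled" \
  sysctl_is net.ipv4.tcp_syncookies 1

# ============================================================================
# COMPLIANCE SUMMARY
# ============================================================================
echo ""
echo "================================================"
echo "COMPLIANCE VERIFICATION SUMMARY"
echo "================================================"
echo ""

# Calculate compliance percentage: PASS only, so WARN lowers the figure.
# (`local` is not valid outside a function; under set -e it aborted the script
# right here, before any summary was printed.)
percentage=0
if [ "$TOTAL" -gt 0 ]; then
  percentage=$((COMPLIANT * 100 / TOTAL))
fi

echo "Total Controls Verified: $TOTAL"
printf '%b\n' "${GREEN}Compliant: $COMPLIANT${NC}"
printf '%b\n' "${YELLOW}Partially Compliant: $PARTIALLY_COMPLIANT${NC}"
printf '%b\n' "${RED}Non-Compliant: $NON_COMPLIANT${NC}"
echo ""
echo "Compliance Percentage: $percentage%"
echo ""

# Overall status: any FAIL is non-compliant; with no FAIL the percentage
# (i.e. the share of WARNs) decides. Exit 0 only for the first two tiers.
if [ "$NON_COMPLIANT" -eq 0 ] && [ "$percentage" -ge 95 ]; then
  printf '%b\n' "${GREEN}✓ SYSTEM COMPLIANT${NC}"
  echo ""
  echo "The system meets compliance requirements for:"
  echo " ✓ CIS Debian 13 Benchmark"
  echo " ✓ CMMC Level 3"
  echo " ✓ FedRAMP Moderate"
  echo " ✓ NIST SP 800-171"
  echo " ✓ NIST SP 800-53 Moderate"
  echo ""
  echo "Ready for deployment to Tier0 infrastructure."
  exit 0
elif [ "$NON_COMPLIANT" -eq 0 ] && [ "$percentage" -ge 90 ]; then
  printf '%b\n' "${GREEN}✓ SYSTEM MOSTLY COMPLIANT${NC}"
  echo ""
  echo "The system meets most compliance requirements."
  echo "Review warnings and address any issues."
  echo ""
  exit 0
elif [ "$NON_COMPLIANT" -eq 0 ]; then
  printf '%b\n' "${YELLOW}⚠ SYSTEM PARTIALLY COMPLIANT${NC}"
  echo ""
  echo "The system has some partial compliance issues."
  echo "Review and address warnings before deployment."
  echo ""
  exit 1
else
  printf '%b\n' "${RED}✗ SYSTEM NOT COMPLIANT${NC}"
  echo ""
  echo "The system has critical non-compliance issues."
  echo "Address failed controls before deployment."
  echo ""
  exit 1
fi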