debian-cis/bin/hardening/5.1.6_cron_monthly_perm_ownership.sh

#!/bin/bash

#
# CIS Debian Hardening
#

#
# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

HARDENING_LEVEL=1
DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.monthly ."

FILE='/etc/cron.monthly'
PERMISSIONS='700'
USER='root'
GROUP='root'

# This function will be called if the script status is on enabled / audit mode
audit () {
    has_file_correct_ownership $FILE $USER $GROUP
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct ownership"
    else
        crit "$FILE ownership was not set to $USER:$GROUP"
    fi
    has_file_correct_permissions $FILE $PERMISSIONS
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct permissions"
    else
        crit "$FILE permissions were not set to $PERMISSIONS"
    fi 
}

# This function will be called if the script status is on enabled mode
apply () {
    does_file_exist $FILE
    if [ $FNRET != 0 ]; then
        info "$FILE does not exist"
        touch $FILE
    fi
    has_file_correct_ownership $FILE $USER $GROUP
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct ownership"
    else
        warn "fixing $FILE ownership to $USER:$GROUP"
        chown $USER:$GROUP $FILE
    fi
    has_file_correct_permissions $FILE $PERMISSIONS
    if [ $FNRET = 0 ]; then
        ok "$FILE has correct permissions"
    else
        info "fixing $FILE permissions to $PERMISSIONS"
        chmod 0$PERMISSIONS $FILE
    fi
}

# This function will check config parameters required
check_config() {
    does_user_exist $USER
    if [ $FNRET != 0 ]; then
        crit "$USER does not exist"
        exit 128
    fi
    does_group_exist $GROUP
    if [ $FNRET != 0 ]; then
        crit "$GROUP does not exist"
        exit 128
    fi
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00			`#!/bin/bash`

			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00			`#`

			`#`
Renum 9.1.x to 5.1.x cron checks renamed: bin/hardening/9.1.1_enable_cron.sh -> bin/hardening/5.1.1_enable_cron.sh renamed: bin/hardening/9.1.2_crontab_perm_ownership.sh -> bin/hardening/5.1.2_crontab_perm_ownership.sh renamed: bin/hardening/9.1.3_cron_hourly_perm_ownership.sh -> bin/hardening/5.1.3_cron_hourly_perm_ownership.sh renamed: bin/hardening/9.1.4_cron_daily_perm_ownership.sh -> bin/hardening/5.1.4_cron_daily_perm_ownership.sh renamed: bin/hardening/9.1.5_cron_weekly_perm_ownership.sh -> bin/hardening/5.1.5_cron_weekly_perm_ownership.sh renamed: bin/hardening/9.1.6_cron_monthly_perm_ownership.sh -> bin/hardening/5.1.6_cron_monthly_perm_ownership.sh renamed: bin/hardening/9.1.7_cron_d_perm_ownership.sh -> bin/hardening/5.1.7_cron_d_perm_ownership.sh renamed: bin/hardening/9.1.8_cron_users.sh -> bin/hardening/5.1.8_cron_users.sh renamed: tests/hardening/9.1.8_cron_users.sh -> tests/hardening/5.1.1_enable_cron.sh renamed: tests/hardening/9.1.7_cron_d_perm_ownership.sh -> tests/hardening/5.1.2_crontab_perm_ownership.sh renamed: tests/hardening/9.1.6_cron_monthly_perm_ownership.sh -> tests/hardening/5.1.3_cron_hourly_perm_ownership.sh renamed: tests/hardening/9.1.5_cron_weekly_perm_ownership.sh -> tests/hardening/5.1.4_cron_daily_perm_ownership.sh renamed: tests/hardening/9.1.4_cron_daily_perm_ownership.sh -> tests/hardening/5.1.5_cron_weekly_perm_ownership.sh renamed: tests/hardening/9.1.3_cron_hourly_perm_ownership.sh -> tests/hardening/5.1.6_cron_monthly_perm_ownership.sh renamed: tests/hardening/9.1.2_crontab_perm_ownership.sh -> tests/hardening/5.1.7_cron_d_perm_ownership.sh renamed: tests/hardening/9.1.1_enable_cron.sh -> tests/hardening/5.1.8_cron_users.sh 2019-09-11 12:16:50 +02:00			`# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)`
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=1`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`DESCRIPTION="User/group set to root and permissions to 700 on /etc/cron.monthly ."`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00			`FILE='/etc/cron.monthly'`
			`PERMISSIONS='700'`
			`USER='root'`
			`GROUP='root'`

			`# This function will be called if the script status is on enabled / audit mode`
			`audit () {`
			`has_file_correct_ownership $FILE $USER $GROUP`
			`if [ $FNRET = 0 ]; then`
			`ok "$FILE has correct ownership"`
			`else`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`crit "$FILE ownership was not set to $USER:$GROUP"`
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00			`fi`
			`has_file_correct_permissions $FILE $PERMISSIONS`
			`if [ $FNRET = 0 ]; then`
			`ok "$FILE has correct permissions"`
			`else`
Rephrase confusing messages 2016-04-21 18:32:36 +02:00			`crit "$FILE permissions were not set to $PERMISSIONS"`
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00			`fi`
			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
			`does_file_exist $FILE`
			`if [ $FNRET != 0 ]; then`
			`info "$FILE does not exist"`
			`touch $FILE`
			`fi`
			`has_file_correct_ownership $FILE $USER $GROUP`
			`if [ $FNRET = 0 ]; then`
			`ok "$FILE has correct ownership"`
			`else`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`warn "fixing $FILE ownership to $USER:$GROUP"`
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00			`chown $USER:$GROUP $FILE`
			`fi`
			`has_file_correct_permissions $FILE $PERMISSIONS`
			`if [ $FNRET = 0 ]; then`
			`ok "$FILE has correct permissions"`
			`else`
			`info "fixing $FILE permissions to $PERMISSIONS"`
			`chmod 0$PERMISSIONS $FILE`
			`fi`
			`}`

			`# This function will check config parameters required`
			`check_config() {`
			`does_user_exist $USER`
			`if [ $FNRET != 0 ]; then`
			`crit "$USER does not exist"`
			`exit 128`
			`fi`
			`does_group_exist $GROUP`
			`if [ $FNRET != 0 ]; then`
			`crit "$GROUP does not exist"`
			`exit 128`
			`fi`
			`}`

			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
			`exit 128`
			`fi`
9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh 2016-04-15 10:18:23 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then`
			`. $CIS_ROOT_DIR/lib/main.sh`
			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`