debian-cis/bin/hardening/6.2.8_check_user_dir_perm.sh

#!/bin/bash

# run-shellcheck
#
# CIS Debian Hardening
#

#
# 6.2.8 Check Permissions on User Home Directories (Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Check permissions on user home directories."

ERRORS=0

# This function will be called if the script status is on enabled / audit mode
audit() {
    for dir in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"
        if echo "$EXCEPTIONS" | grep -q "$dir"; then
            debug "$dir is confirmed as an exception"
            # shellcheck disable=SC2001
            RESULT=$(sed "s!$dir!!" <<<"$RESULT")
        else
            debug "$dir not found in exceptions"
        fi
        if [ -d "$dir" ]; then
            dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
            if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                crit "Group Write permission set on directory $dir"
                ERRORS=$((ERRORS + 1))
            fi
            if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
                crit "Other Read permission set on directory $dir"
                ERRORS=$((ERRORS + 1))
            fi
            if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
                crit "Other Write permission set on directory $dir"
                ERRORS=$((ERRORS + 1))
            fi
            if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
                crit "Other Execute permission set on directory $dir"
                ERRORS=$((ERRORS + 1))
            fi
        fi
    done

    if [ "$ERRORS" = 0 ]; then
        ok "No incorrect permissions on home directories"
    fi

}

# This function will be called if the script status is on enabled mode
apply() {
    for dir in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"
        if echo "$EXCEPTIONS" | grep -q "$dir"; then
            debug "$dir is confirmed as an exception"
            # shellcheck disable=SC2001
            RESULT=$(sed "s!$dir!!" <<<"$RESULT")
        else
            debug "$dir not found in exceptions"
        fi
        if [ -d "$dir" ]; then
            dirperm=$(/bin/ls -ld "$dir" | cut -f1 -d" ")
            if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
                warn "Group Write permission set on directory $dir"
                chmod g-w "$dir"
            fi
            if [ "$(echo "$dirperm" | cut -c8)" != "-" ]; then
                warn "Other Read permission set on directory $dir"
                chmod o-r "$dir"
            fi
            if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
                warn "Other Write permission set on directory $dir"
                chmod o-w "$dir"
            fi
            if [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
                warn "Other Execute permission set on directory $dir"
                chmod o-x "$dir"
            fi
        fi
    done
}

# This function will create the config file for this check with default values
create_config() {
    cat <<EOF
status=audit
# Put here user home directories exceptions, separated by spaces
EXCEPTIONS=""
EOF
}

# This function will check config parameters required
check_config() {
    if [ -z "$EXCEPTIONS" ]; then
        EXCEPTIONS="@"
    fi
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`#!/bin/bash`

IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00			`# run-shellcheck`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`#`

			`#`
Renum User and Groups settings 13.x to 6.2.x renamed: bin/hardening/13.8_check_user_dot_file_perm.sh -> bin/hardening/6.2.10_check_user_dot_file_perm.sh renamed: bin/hardening/13.19_find_user_forward_files.sh -> bin/hardening/6.2.11_find_user_forward_files.sh renamed: bin/hardening/13.18_find_user_netrc_files.sh -> bin/hardening/6.2.12_find_user_netrc_files.sh renamed: bin/hardening/13.9_set_perm_on_user_netrc.sh -> bin/hardening/6.2.13_set_perm_on_user_netrc.sh renamed: bin/hardening/13.10_find_user_rhosts_files.sh -> bin/hardening/6.2.14_find_user_rhosts_files.sh renamed: bin/hardening/13.11_find_passwd_group_inconsistencies.sh -> bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh renamed: bin/hardening/13.14_check_duplicate_uid.sh -> bin/hardening/6.2.16_check_duplicate_uid.sh renamed: bin/hardening/13.15_check_duplicate_gid.sh -> bin/hardening/6.2.17_check_duplicate_gid.sh renamed: bin/hardening/13.16_check_duplicate_username.sh -> bin/hardening/6.2.18_check_duplicate_username.sh renamed: bin/hardening/13.17_check_duplicate_groupname.sh -> bin/hardening/6.2.19_check_duplicate_groupname.sh renamed: bin/hardening/13.1_remove_empty_password_field.sh -> bin/hardening/6.2.1_remove_empty_password_field.sh renamed: bin/hardening/13.20_shadow_group_empty.sh -> bin/hardening/6.2.20_shadow_group_empty.sh renamed: bin/hardening/13.2_remove_legacy_passwd_entries.sh -> bin/hardening/6.2.2_remove_legacy_passwd_entries.sh renamed: bin/hardening/13.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.3_remove_legacy_shadow_entries.sh renamed: bin/hardening/13.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.4_remove_legacy_group_entries.sh renamed: bin/hardening/13.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.5_find_0_uid_non_root_account.sh renamed: bin/hardening/13.6_sanitize_root_path.sh -> bin/hardening/6.2.6_sanitize_root_path.sh renamed: bin/hardening/13.7_check_user_dir_perm.sh -> bin/hardening/6.2.8_check_user_dir_perm.sh renamed: bin/hardening/13.12_users_valid_homedir.sh -> bin/hardening/6.2.9_users_valid_homedir.sh renamed: tests/hardening/13.9_set_perm_on_user_netrc.sh -> tests/hardening/6.2.10_check_user_dot_file_perm.sh renamed: tests/hardening/13.8_check_user_dot_file_perm.sh -> tests/hardening/6.2.11_find_user_forward_files.sh renamed: tests/hardening/13.7_check_user_dir_perm.sh -> tests/hardening/6.2.12_find_user_netrc_files.sh renamed: tests/hardening/13.6_sanitize_root_path.sh -> tests/hardening/6.2.13_set_perm_on_user_netrc.sh renamed: tests/hardening/13.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh renamed: tests/hardening/13.14_check_duplicate_uid.sh -> tests/hardening/6.2.16_check_duplicate_uid.sh renamed: tests/hardening/13.15_check_duplicate_gid.sh -> tests/hardening/6.2.17_check_duplicate_gid.sh renamed: tests/hardening/13.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.18_check_duplicate_username.sh renamed: tests/hardening/13.2_remove_legacy_passwd_entries.sh -> tests/hardening/6.2.19_check_duplicate_groupname.sh renamed: tests/hardening/13.20_shadow_group_empty.sh -> tests/hardening/6.2.1_remove_empty_password_field.sh renamed: tests/hardening/13.1_remove_empty_password_field.sh -> tests/hardening/6.2.20_shadow_group_empty.sh renamed: tests/hardening/13.19_find_user_forward_files.sh -> tests/hardening/6.2.2_remove_legacy_passwd_entries.sh renamed: tests/hardening/13.18_find_user_netrc_files.sh -> tests/hardening/6.2.3_remove_legacy_shadow_entries.sh renamed: tests/hardening/13.17_check_duplicate_groupname.sh -> tests/hardening/6.2.4_remove_legacy_group_entries.sh renamed: tests/hardening/13.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.5_find_0_uid_non_root_account.sh renamed: tests/hardening/13.16_check_duplicate_username.sh -> tests/hardening/6.2.6_sanitize_root_path.sh renamed: tests/hardening/13.12_users_valid_homedir.sh -> tests/hardening/6.2.8_check_user_dir_perm.sh renamed: tests/hardening/13.11_find_passwd_group_inconsistencies.sh -> tests/hardening/6.2.9_users_valid_homedir.sh 2019-09-12 17:43:12 +02:00			`# 6.2.8 Check Permissions on User Home Directories (Scored)`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=2`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`DESCRIPTION="Check permissions on user home directories."`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`ERRORS=0`

			`# This function will be called if the script status is on enabled / audit mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`audit() {`
IMP(shellcheck): replace deprecated egrep (SC2196) 2020-12-10 08:20:26 +01:00			`for dir in $(get_db passwd \| grep -Ev '(root\|halt\|sync\|shutdown)' \| awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`debug "Working on $dir"`
			`debug "Exceptions : $EXCEPTIONS"`
			`debug "echo \"$EXCEPTIONS\" \| grep -q $dir"`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if echo "$EXCEPTIONS" \| grep -q "$dir"; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`debug "$dir is confirmed as an exception"`
IMP(shellcheck): disable sed replacement (SC2001) Shellcheck recommands to replace sed by shell expansions in 'simple' cases. However, the replacement here is likely to lead to erros, so we disable this rule. Moreover, it does'nt really add readability. 2020-12-10 08:34:57 +01:00			`# shellcheck disable=SC2001`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`RESULT=$(sed "s!$dir!!" <<<"$RESULT")`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`else`
			`debug "$dir not found in exceptions"`
			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ -d "$dir" ]; then`
			`dirperm=$(/bin/ls -ld "$dir" \| cut -f1 -d" ")`
			`if [ "$(echo "$dirperm" \| cut -c6)" != "-" ]; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`crit "Group Write permission set on directory $dir"`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`ERRORS=$((ERRORS + 1))`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ "$(echo "$dirperm" \| cut -c8)" != "-" ]; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`crit "Other Read permission set on directory $dir"`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`ERRORS=$((ERRORS + 1))`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ "$(echo "$dirperm" \| cut -c9)" != "-" ]; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`crit "Other Write permission set on directory $dir"`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`ERRORS=$((ERRORS + 1))`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ "$(echo "$dirperm" \| cut -c10)" != "-" ]; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`crit "Other Execute permission set on directory $dir"`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`ERRORS=$((ERRORS + 1))`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
			`fi`
			`done`
13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh 2016-04-16 18:32:09 +02:00
IMP(shellcheck): quote variables (SC2086) 2020-12-04 15:04:22 +01:00			`if [ "$ERRORS" = 0 ]; then`
13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh 2016-04-16 18:32:09 +02:00			`ok "No incorrect permissions on home directories"`
			`fi`

13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`}`

			`# This function will be called if the script status is on enabled mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`apply() {`
IMP(shellcheck): replace deprecated egrep (SC2196) 2020-12-10 08:20:26 +01:00			`for dir in $(get_db passwd \| grep -Ev '(root\|halt\|sync\|shutdown)' \| awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`debug "Working on $dir"`
			`debug "Exceptions : $EXCEPTIONS"`
			`debug "echo \"$EXCEPTIONS\" \| grep -q $dir"`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if echo "$EXCEPTIONS" \| grep -q "$dir"; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`debug "$dir is confirmed as an exception"`
IMP(shellcheck): disable sed replacement (SC2001) Shellcheck recommands to replace sed by shell expansions in 'simple' cases. However, the replacement here is likely to lead to erros, so we disable this rule. Moreover, it does'nt really add readability. 2020-12-10 08:34:57 +01:00			`# shellcheck disable=SC2001`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`RESULT=$(sed "s!$dir!!" <<<"$RESULT")`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`else`
			`debug "$dir not found in exceptions"`
			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ -d "$dir" ]; then`
			`dirperm=$(/bin/ls -ld "$dir" \| cut -f1 -d" ")`
			`if [ "$(echo "$dirperm" \| cut -c6)" != "-" ]; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`warn "Group Write permission set on directory $dir"`
IMP(shellcheck): quote variables (SC2086) 2020-12-04 15:04:22 +01:00			`chmod g-w "$dir"`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ "$(echo "$dirperm" \| cut -c8)" != "-" ]; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`warn "Other Read permission set on directory $dir"`
IMP(shellcheck): quote variables (SC2086) 2020-12-04 15:04:22 +01:00			`chmod o-r "$dir"`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ "$(echo "$dirperm" \| cut -c9)" != "-" ]; then`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`warn "Other Write permission set on directory $dir"`
IMP(shellcheck): quote variables (SC2086) 2020-12-04 15:04:22 +01:00			`chmod o-w "$dir"`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
IMP(shellcheck): quote variables (SC2086) 2020-12-07 16:49:11 +01:00			`if [ "$(echo "$dirperm" \| cut -c10)" != "-" ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`warn "Other Execute permission set on directory $dir"`
IMP(shellcheck): quote variables (SC2086) 2020-12-04 15:04:22 +01:00			`chmod o-x "$dir"`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`fi`
			`fi`
			`done`
			`}`

add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`# This function will create the config file for this check with default values`
			`create_config() {`
			`cat <<EOF`
Change default status to audit for file with custom `create_config` 2019-02-14 14:33:21 +01:00			`status=audit`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`# Put here user home directories exceptions, separated by spaces`
			`EXCEPTIONS=""`
			`EOF`
			`}`

13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00			`# This function will check config parameters required`
			`check_config() {`
			`if [ -z "$EXCEPTIONS" ]; then`
			`EXCEPTIONS="@"`
			`fi`
			`}`

			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`# shellcheck source=../../debian/default`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`exit 128`
			`fi`
13.7_check_user_dir_perm.sh 2016-04-16 18:11:53 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`# shellcheck source=../../lib/main.sh`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`. "$CIS_ROOT_DIR"/lib/main.sh`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`