debian-cis/bin/hardening/6.1.12_find_ungrouped_files.sh

#!/bin/bash

# run-shellcheck
#
# CIS Debian Hardening
#

#
# 6.1.12 Ensure no ungrouped files or directories exist (Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Ensure no ungrouped files or directories exist"

GROUP='root'
EXCLUDED=''

# This function will be called if the script status is on enabled / audit mode
audit () {
    info "Checking if there are ungrouped files"
    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
    if [ ! -z $EXCLUDED ]; then
        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
    else
        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
    fi
    if [ ! -z "$RESULT" ]; then
        crit "Some ungrouped files are present"
        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
        crit "$FORMATTED_RESULT"
    else
        ok "No ungrouped files found"
    fi
}

# This function will be called if the script status is on enabled mode
apply () {
    if [ ! -z $EXCLUDED ]; then
        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
    else
        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
    fi
    if [ ! -z "$RESULT" ]; then
        warn "Applying chgrp on all ungrouped files in the system"
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
    else
        ok "No ungrouped files found, nothing to apply"
    fi
}

# This function will check config parameters required
check_config() {
    # No param for this function
    :
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
# shellcheck source=../../lib/main.sh
    . $CIS_ROOT_DIR/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`#!/bin/bash`

IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00			`# run-shellcheck`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`#`

			`#`
Renum 12.x checks to 6.1.x Verify_System_File_Permissions modified: bin/hardening/12.4_etc_passwd_ownership.sh modified: bin/hardening/12.5_etc_shadow_ownership.sh modified: bin/hardening/12.6_etc_group_ownership.sh renamed: bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh renamed: bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh renamed: bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh renamed: bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh renamed: bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh renamed: bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh renamed: bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh renamed: bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh deleted: tests/hardening/12.1_etc_passwd_permissions.sh deleted: tests/hardening/12.2_etc_shadow_permissions.sh deleted: tests/hardening/12.3_etc_group_permissions.sh renamed: tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh renamed: tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh renamed: tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh renamed: tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh renamed: tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh renamed: tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh renamed: tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh renamed: tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh 2019-09-12 16:44:45 +02:00			`# 6.1.12 Ensure no ungrouped files or directories exist (Scored)`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=2`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
Renum 12.x checks to 6.1.x Verify_System_File_Permissions modified: bin/hardening/12.4_etc_passwd_ownership.sh modified: bin/hardening/12.5_etc_shadow_ownership.sh modified: bin/hardening/12.6_etc_group_ownership.sh renamed: bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh renamed: bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh renamed: bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh renamed: bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh renamed: bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh renamed: bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh renamed: bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh renamed: bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh deleted: tests/hardening/12.1_etc_passwd_permissions.sh deleted: tests/hardening/12.2_etc_shadow_permissions.sh deleted: tests/hardening/12.3_etc_group_permissions.sh renamed: tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh renamed: tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh renamed: tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh renamed: tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh renamed: tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh renamed: tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh renamed: tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh renamed: tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh 2019-09-12 16:44:45 +02:00			`DESCRIPTION="Ensure no ungrouped files or directories exist"`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`GROUP='root'`
IMP(12.8,12.9): be able to exclude some paths 2020-03-30 19:11:07 +02:00			`EXCLUDED=''`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00
			`# This function will be called if the script status is on enabled / audit mode`
			`audit () {`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`info "Checking if there are ungrouped files"`
FEAT: Add sudo_wrapper to catch unauthorized sudo commands As for now, if a sudo command was not allowed, check might sometimes pass, resulting compliant state even if it actually is not. Sudo wrapper first checks wether command is allowed before running it, otherwise issues a crit message, setting check as not compliant Fix script to make sudo_wrapper work, split "find" lines Fix quotes in $@ and $* when running sudo command Fixed quotes and curly braces with shellcheck report 2018-03-16 12:06:56 +01:00			`FS_NAMES=$(df --local -P \| awk {'if (NR!=1) print $6'} )`
IMP(12.8,12.9): be able to exclude some paths 2020-03-30 19:11:07 +02:00			`if [ ! -z $EXCLUDED ]; then`
			`RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)`
			`else`
			`RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)`
			`fi`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`if [ ! -z "$RESULT" ]; then`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`crit "Some ungrouped files are present"`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT \| sort \| uniq \| tr '\n' ' ')`
			`crit "$FORMATTED_RESULT"`
			`else`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`ok "No ungrouped files found"`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`fi`
			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths consider exclusions in apply() functions 2020-03-31 14:22:24 +02:00			`if [ ! -z $EXCLUDED ]; then`
			`RESULT=$(df --local -P \| awk {'if (NR!=1) print $6'} \| xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)`
			`else`
			`RESULT=$(df --local -P \| awk {'if (NR!=1) print $6'} \| xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)`
			`fi`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`if [ ! -z "$RESULT" ]; then`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`warn "Applying chgrp on all ungrouped files in the system"`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`df --local -P \| awk {'if (NR!=1) print $6'} \| xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null \| xargs chgrp $GROUP`
			`else`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`ok "No ungrouped files found, nothing to apply"`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00			`fi`
			`}`

			`# This function will check config parameters required`
			`check_config() {`
			`# No param for this function`
			`:`
			`}`

			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck source=../../debian/default`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
			`exit 128`
			`fi`
12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh 2016-04-16 00:26:19 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck source=../../lib/main.sh`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`. $CIS_ROOT_DIR/lib/main.sh`
			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`