FIX(5.2.2,5.2.3) find was not working properly

I removed the functions in utils and replace them with loops, so that there is no more problems with the options arrays.
2024-11-21 13:07:01 +01:00 · 2020-10-27 12:47:11 +01:00 · 2020-10-27 12:47:11 +01:00 · 20f432765d
commit 20f432765d
parent 97bb1927c3
4 changed files with 132 additions and 102 deletions
--- a/bin/hardening/4.2.4_logs_permissions.sh
+++ b/bin/hardening/4.2.4_logs_permissions.sh
@ -16,27 +16,41 @@ DESCRIPTION="Check permissions on logs (other has no permissions on any files an

 DIR='/var/log'
 PERMISSIONS='640'
-OPTIONS=(-type f)

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
+    ERRORS=0
+    for FILE in $($SUDO_CMD find $DIR -type f);
+    do
+        perm=$(stat -L -c '%a' $FILE)
+        echo "$perm  ttt $PERMISSIONS"
+        if [ "$perm" != "$PERMISSIONS" ]; then
+            ERRORS=$((ERRORS+1))
+            crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
+        fi
+    done

-    if [ $FNRET = 0 ]; then
+    if [ $ERRORS = 0 ]; then
        ok "Logs in $DIR have correct permissions"
-    else
-        crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
    fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
-    if [ $FNRET = 0 ]; then
+    ERRORS=0
+    for FILE in $($SUDO_CMD find $DIR -type f);
+    do
+        perm=$(stat -L -c '%a' $FILE)
+        echo "$perm  ttt $PERMISSIONS"
+        if [ "$perm" != "$PERMISSIONS" ]; then
+            info "fixing $DIR logs permissions to $PERMISSIONS"
+            chmod 0$PERMISSIONS $FILE
+            
+        fi
+    done
+    
+    if [ $ERRORS = 0 ]; then
        ok "Logs in $DIR have correct permissions"
-    else
-        info "fixing $DIR logs permissions to $PERMISSIONS"
-        find $DIR -type f -exec chmod 0$PERMISSIONS {} \;
    fi
 }

--- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
@ -18,41 +18,70 @@ DIR='/etc/ssh'
 PERMISSIONS='600'
 USER='root'
 GROUP='root'
-OPTIONS=(-xdev -type f -name "ssh_host_*_key")

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
-    if [ $FNRET = 0 ]; then
-        ok "SSH public keys in $DIR have correct ownership"
-    else
-        crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
+    ERRORS=0
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    do
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE permissions were set to $PERMISSIONS"
+        else
+            ERRORS=$((ERRORS+1))
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+
+    done
+
+    if [ $ERRORS = 0 ]; then
+        ok "SSH private keys in $DIR have correct permissions"
+    fi
+
+    ERRORS=0
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    do
+        has_file_correct_ownership $FILE $USER $GROUP
+        if  [ $FNRET = 0 ]; then
+            ok "$FILE ownership was set to $USER:$GROUP"
+
+        else
+            ERRORS=$((ERRORS+1))
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+    done
+    
+    if [ $ERRORS = 0 ]; then
+        ok "SSH private keys in $DIR have correct ownership"
    fi
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
-    if [ $FNRET = 0 ]; then
-        ok "SSH public keys in $DIR have correct permissions"
-    else
-        crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
-    fi 
 }

 # This function will be called if the script status is on enabled mode
 apply () {
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    do
+        has_file_correct_ownership $FILE $USER $GROUP
+        if [ $FNRET = 0 ]; then
+            ok "$FILE ownership was set to $USER:$GROUP"
+        else
+            warn "fixing $DIR SSH private keys permissions to $USER:$GROUP"
+            chown $USER:$GROUP $FILE

-    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
-    if [ $FNRET = 0 ]; then
-        ok "SSH public keys in $DIR have correct ownership"
-    else
-        warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
-        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
-    fi
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
-    if [ $FNRET = 0 ]; then
-        ok "SSH public keys in $DIR have correct permissions"
-    else
-        info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
-        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0600 {} \;
-    fi
+        fi
+    done
+
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
+    do
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE permissions were set to $PERMISSIONS"
+        else
+            warn "fixing $DIR SSH private keys ownership to $PERMISSIONS"
+            chmod 0$PERMISSIONS $FILE
+        fi
+    done
+
+ 
 }

 # This function will check config parameters required
--- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
@ -18,41 +18,68 @@ DIR='/etc/ssh'
 PERMISSIONS='644'
 USER='root'
 GROUP='root'
-OPTIONS=(-xdev -type f -name "ssh_host_*_key.pub")

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
-    if [ $FNRET = 0 ]; then
-        ok "SSH public keys in $DIR have correct ownership"
-    else
-        crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
-    fi
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
-    if [ $FNRET = 0 ]; then
+    ERRORS=0
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    do
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE permissions were set to $PERMISSIONS"
+        else
+            ERRORS=$((ERRORS+1))
+            crit "$FILE permissions were not set to $PERMISSIONS"
+        fi
+
+    done
+
+    if [ $ERRORS = 0 ]; then
        ok "SSH public keys in $DIR have correct permissions"
-    else
-        crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
-    fi 
+    fi
+
+    ERRORS=0
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    do
+        has_file_correct_ownership $FILE $USER $GROUP
+        if  [ $FNRET = 0 ]; then
+            ok "$FILE ownership was set to $USER:$GROUP"
+
+        else
+            ERRORS=$((ERRORS+1))
+            crit "$FILE ownership was not set to $USER:$GROUP"
+        fi
+    done
+    
+    if [ $ERRORS = 0 ]; then
+        ok "SSH public keys in $DIR have correct ownership"
+    fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    do
+        has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE permissions were set to $PERMISSIONS"
+        else
+            warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
+            chmod 0$PERMISSIONS $FILE
+        fi
+    done

-    have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
-    if [ $FNRET = 0 ]; then
-        ok "SSH public keys in $DIR have correct ownership"
-    else
-        warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
-        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
-    fi
-    have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
-    if [ $FNRET = 0 ]; then
-        ok "SSH public keys in $DIR have correct permissions"
-    else
-        info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
-        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \;
-    fi
+    for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
+    do
+        has_file_correct_ownership $FILE $USER $GROUP
+        if [ $FNRET = 0 ]; then
+            ok "$FILE ownership was set to $USER:$GROUP"
+        else
+            warn "fixing $DIR SSH public keys ownership to $PERMISSIONS"
+            chown $USER:$GROUP $FILE
+        fi
+    done
+    
 }

 # This function will check config parameters required
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -84,29 +84,6 @@ has_file_correct_ownership() {
    fi
 }

-have_files_in_dir_correct_ownership(){
-    local DIR=$1
-    local USER=$2
-    local GROUP=$3
-    local name=$4[@]
-    local OPTIONS=("${!name}")
-
-    local USERID=$(id -u $USER)
-    local GROUPID=$(getent group $GROUP | cut -d: -f3)
-
-    FNRET=0
-    OIFS="$IFS"
-    IFS=$'\n' # prevents word splitting
-    for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;");
-    do
-    if [ "$owner" != "$USERID $GROUPID" ]; then
-        FNRET=1
-        break
-    fi
-    done
-    IFS="$OIFS"
-}
-
 has_file_correct_permissions() {
    local FILE=$1
    local PERMISSIONS=$2
@ -118,23 +95,6 @@ has_file_correct_permissions() {
    fi 
 }

-have_files_in_dir_correct_permissions(){
-    local DIR=$1
-    local PERMISSIONS=$2
-    local name=$3[@]
-    local OPTIONS=("${!name}")
-    
-    FNRET=0
-    for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;");
-    do
-    echo "$perm  ttt $PERMISSIONS"
-    if [ "$perm" != "$PERMISSIONS" ]; then
-        FNRET=1
-        break
-    fi
-    done
-}
-
 does_pattern_exist_in_file_nocase() {
    _does_pattern_exist_in_file "-Ei" $*
 }