mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 05:55:24 +01:00
FIX(5.2.2,5.2.3) find was not working properly
I removed the functions in utils and replace them with loops, so that there is no more problems with the options arrays.
This commit is contained in:
parent
97bb1927c3
commit
20f432765d
@ -16,27 +16,41 @@ DESCRIPTION="Check permissions on logs (other has no permissions on any files an
|
||||
|
||||
DIR='/var/log'
|
||||
PERMISSIONS='640'
|
||||
OPTIONS=(-type f)
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
|
||||
ERRORS=0
|
||||
for FILE in $($SUDO_CMD find $DIR -type f);
|
||||
do
|
||||
perm=$(stat -L -c '%a' $FILE)
|
||||
echo "$perm ttt $PERMISSIONS"
|
||||
if [ "$perm" != "$PERMISSIONS" ]; then
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $FNRET = 0 ]; then
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "Logs in $DIR have correct permissions"
|
||||
else
|
||||
crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ERRORS=0
|
||||
for FILE in $($SUDO_CMD find $DIR -type f);
|
||||
do
|
||||
perm=$(stat -L -c '%a' $FILE)
|
||||
echo "$perm ttt $PERMISSIONS"
|
||||
if [ "$perm" != "$PERMISSIONS" ]; then
|
||||
info "fixing $DIR logs permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "Logs in $DIR have correct permissions"
|
||||
else
|
||||
info "fixing $DIR logs permissions to $PERMISSIONS"
|
||||
find $DIR -type f -exec chmod 0$PERMISSIONS {} \;
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -18,41 +18,70 @@ DIR='/etc/ssh'
|
||||
PERMISSIONS='600'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
OPTIONS=(-xdev -type f -name "ssh_host_*_key")
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct ownership"
|
||||
else
|
||||
crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
|
||||
ERRORS=0
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
|
||||
do
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "SSH private keys in $DIR have correct permissions"
|
||||
fi
|
||||
|
||||
ERRORS=0
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
|
||||
do
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE ownership was set to $USER:$GROUP"
|
||||
|
||||
else
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "SSH private keys in $DIR have correct ownership"
|
||||
fi
|
||||
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct permissions"
|
||||
else
|
||||
crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
|
||||
do
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE ownership was set to $USER:$GROUP"
|
||||
else
|
||||
warn "fixing $DIR SSH private keys permissions to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
|
||||
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct ownership"
|
||||
else
|
||||
warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
|
||||
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
|
||||
fi
|
||||
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct permissions"
|
||||
else
|
||||
info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
|
||||
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0600 {} \;
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
|
||||
do
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
warn "fixing $DIR SSH private keys ownership to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
@ -18,41 +18,68 @@ DIR='/etc/ssh'
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
OPTIONS=(-xdev -type f -name "ssh_host_*_key.pub")
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct ownership"
|
||||
else
|
||||
crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP"
|
||||
fi
|
||||
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ERRORS=0
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
|
||||
do
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct permissions"
|
||||
else
|
||||
crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
|
||||
ERRORS=0
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
|
||||
do
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE ownership was set to $USER:$GROUP"
|
||||
|
||||
else
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct ownership"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
|
||||
do
|
||||
has_file_correct_permissions $FILE $PERMISSIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
done
|
||||
|
||||
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct ownership"
|
||||
else
|
||||
warn "fixing $DIR SSH public keys ownership to $USER:$GROUP"
|
||||
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
|
||||
fi
|
||||
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "SSH public keys in $DIR have correct permissions"
|
||||
else
|
||||
info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
|
||||
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \;
|
||||
fi
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
|
||||
do
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE ownership was set to $USER:$GROUP"
|
||||
else
|
||||
warn "fixing $DIR SSH public keys ownership to $PERMISSIONS"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
|
40
lib/utils.sh
40
lib/utils.sh
@ -84,29 +84,6 @@ has_file_correct_ownership() {
|
||||
fi
|
||||
}
|
||||
|
||||
have_files_in_dir_correct_ownership(){
|
||||
local DIR=$1
|
||||
local USER=$2
|
||||
local GROUP=$3
|
||||
local name=$4[@]
|
||||
local OPTIONS=("${!name}")
|
||||
|
||||
local USERID=$(id -u $USER)
|
||||
local GROUPID=$(getent group $GROUP | cut -d: -f3)
|
||||
|
||||
FNRET=0
|
||||
OIFS="$IFS"
|
||||
IFS=$'\n' # prevents word splitting
|
||||
for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;");
|
||||
do
|
||||
if [ "$owner" != "$USERID $GROUPID" ]; then
|
||||
FNRET=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
IFS="$OIFS"
|
||||
}
|
||||
|
||||
has_file_correct_permissions() {
|
||||
local FILE=$1
|
||||
local PERMISSIONS=$2
|
||||
@ -118,23 +95,6 @@ has_file_correct_permissions() {
|
||||
fi
|
||||
}
|
||||
|
||||
have_files_in_dir_correct_permissions(){
|
||||
local DIR=$1
|
||||
local PERMISSIONS=$2
|
||||
local name=$3[@]
|
||||
local OPTIONS=("${!name}")
|
||||
|
||||
FNRET=0
|
||||
for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;");
|
||||
do
|
||||
echo "$perm ttt $PERMISSIONS"
|
||||
if [ "$perm" != "$PERMISSIONS" ]; then
|
||||
FNRET=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
does_pattern_exist_in_file_nocase() {
|
||||
_does_pattern_exist_in_file "-Ei" $*
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user