From 20f432765d2786e44f5300d171d6535402e49d18 Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Tue, 27 Oct 2020 12:47:11 +0100 Subject: [PATCH] FIX(5.2.2,5.2.3) find was not working properly I removed the functions in utils and replace them with loops, so that there is no more problems with the options arrays. --- bin/hardening/4.2.4_logs_permissions.sh | 34 +++++--- ....2_ssh_host_private_keys_perm_ownership.sh | 81 +++++++++++++------ ...2.3_ssh_host_public_keys_perm_ownership.sh | 79 ++++++++++++------ lib/utils.sh | 40 --------- 4 files changed, 132 insertions(+), 102 deletions(-) diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh index 3b5abc1..ce4f1ef 100755 --- a/bin/hardening/4.2.4_logs_permissions.sh +++ b/bin/hardening/4.2.4_logs_permissions.sh @@ -16,27 +16,41 @@ DESCRIPTION="Check permissions on logs (other has no permissions on any files an DIR='/var/log' PERMISSIONS='640' -OPTIONS=(-type f) # This function will be called if the script status is on enabled / audit mode audit () { - have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS + ERRORS=0 + for FILE in $($SUDO_CMD find $DIR -type f); + do + perm=$(stat -L -c '%a' $FILE) + echo "$perm ttt $PERMISSIONS" + if [ "$perm" != "$PERMISSIONS" ]; then + ERRORS=$((ERRORS+1)) + crit "Some logs in $DIR permissions were not set to $PERMISSIONS" + fi + done - if [ $FNRET = 0 ]; then + if [ $ERRORS = 0 ]; then ok "Logs in $DIR have correct permissions" - else - crit "Some logs in $DIR permissions were not set to $PERMISSIONS" fi } # This function will be called if the script status is on enabled mode apply () { - have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS - if [ $FNRET = 0 ]; then + ERRORS=0 + for FILE in $($SUDO_CMD find $DIR -type f); + do + perm=$(stat -L -c '%a' $FILE) + echo "$perm ttt $PERMISSIONS" + if [ "$perm" != "$PERMISSIONS" ]; then + info "fixing $DIR logs permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + + fi + done + + if [ $ERRORS = 0 ]; then ok "Logs in $DIR have correct permissions" - else - info "fixing $DIR logs permissions to $PERMISSIONS" - find $DIR -type f -exec chmod 0$PERMISSIONS {} \; fi } diff --git a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh index e7ba3b9..f3690ea 100755 --- a/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh +++ b/bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh @@ -18,41 +18,70 @@ DIR='/etc/ssh' PERMISSIONS='600' USER='root' GROUP='root' -OPTIONS=(-xdev -type f -name "ssh_host_*_key") # This function will be called if the script status is on enabled / audit mode audit () { - have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS - if [ $FNRET = 0 ]; then - ok "SSH public keys in $DIR have correct ownership" - else - crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP" + ERRORS=0 + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); + do + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE permissions were set to $PERMISSIONS" + else + ERRORS=$((ERRORS+1)) + crit "$FILE permissions were not set to $PERMISSIONS" + fi + + done + + if [ $ERRORS = 0 ]; then + ok "SSH private keys in $DIR have correct permissions" + fi + + ERRORS=0 + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); + do + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE ownership was set to $USER:$GROUP" + + else + ERRORS=$((ERRORS+1)) + crit "$FILE ownership was not set to $USER:$GROUP" + fi + done + + if [ $ERRORS = 0 ]; then + ok "SSH private keys in $DIR have correct ownership" fi - have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS - if [ $FNRET = 0 ]; then - ok "SSH public keys in $DIR have correct permissions" - else - crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS" - fi } # This function will be called if the script status is on enabled mode apply () { + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); + do + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE ownership was set to $USER:$GROUP" + else + warn "fixing $DIR SSH private keys permissions to $USER:$GROUP" + chown $USER:$GROUP $FILE - have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS - if [ $FNRET = 0 ]; then - ok "SSH public keys in $DIR have correct ownership" - else - warn "fixing $DIR SSH public keys ownership to $USER:$GROUP" - find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; - fi - have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS - if [ $FNRET = 0 ]; then - ok "SSH public keys in $DIR have correct permissions" - else - info "fixing $DIR SSH public keys permissions to $PERMISSIONS" - find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0600 {} \; - fi + fi + done + + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key'); + do + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE permissions were set to $PERMISSIONS" + else + warn "fixing $DIR SSH private keys ownership to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi + done + + } # This function will check config parameters required diff --git a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh index c068618..656df33 100755 --- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh +++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh @@ -18,41 +18,68 @@ DIR='/etc/ssh' PERMISSIONS='644' USER='root' GROUP='root' -OPTIONS=(-xdev -type f -name "ssh_host_*_key.pub") # This function will be called if the script status is on enabled / audit mode audit () { - have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS - if [ $FNRET = 0 ]; then - ok "SSH public keys in $DIR have correct ownership" - else - crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP" - fi - have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS - if [ $FNRET = 0 ]; then + ERRORS=0 + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); + do + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE permissions were set to $PERMISSIONS" + else + ERRORS=$((ERRORS+1)) + crit "$FILE permissions were not set to $PERMISSIONS" + fi + + done + + if [ $ERRORS = 0 ]; then ok "SSH public keys in $DIR have correct permissions" - else - crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS" - fi + fi + + ERRORS=0 + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); + do + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE ownership was set to $USER:$GROUP" + + else + ERRORS=$((ERRORS+1)) + crit "$FILE ownership was not set to $USER:$GROUP" + fi + done + + if [ $ERRORS = 0 ]; then + ok "SSH public keys in $DIR have correct ownership" + fi } # This function will be called if the script status is on enabled mode apply () { + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); + do + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE permissions were set to $PERMISSIONS" + else + warn "fixing $DIR SSH public keys permissions to $USER:$GROUP" + chmod 0$PERMISSIONS $FILE + fi + done - have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS - if [ $FNRET = 0 ]; then - ok "SSH public keys in $DIR have correct ownership" - else - warn "fixing $DIR SSH public keys ownership to $USER:$GROUP" - find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; - fi - have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS - if [ $FNRET = 0 ]; then - ok "SSH public keys in $DIR have correct permissions" - else - info "fixing $DIR SSH public keys permissions to $PERMISSIONS" - find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \; - fi + for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); + do + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE ownership was set to $USER:$GROUP" + else + warn "fixing $DIR SSH public keys ownership to $PERMISSIONS" + chown $USER:$GROUP $FILE + fi + done + } # This function will check config parameters required diff --git a/lib/utils.sh b/lib/utils.sh index b2e33b1..57afc62 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -84,29 +84,6 @@ has_file_correct_ownership() { fi } -have_files_in_dir_correct_ownership(){ - local DIR=$1 - local USER=$2 - local GROUP=$3 - local name=$4[@] - local OPTIONS=("${!name}") - - local USERID=$(id -u $USER) - local GROUPID=$(getent group $GROUP | cut -d: -f3) - - FNRET=0 - OIFS="$IFS" - IFS=$'\n' # prevents word splitting - for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;"); - do - if [ "$owner" != "$USERID $GROUPID" ]; then - FNRET=1 - break - fi - done - IFS="$OIFS" -} - has_file_correct_permissions() { local FILE=$1 local PERMISSIONS=$2 @@ -118,23 +95,6 @@ has_file_correct_permissions() { fi } -have_files_in_dir_correct_permissions(){ - local DIR=$1 - local PERMISSIONS=$2 - local name=$3[@] - local OPTIONS=("${!name}") - - FNRET=0 - for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;"); - do - echo "$perm ttt $PERMISSIONS" - if [ "$perm" != "$PERMISSIONS" ]; then - FNRET=1 - break - fi - done -} - does_pattern_exist_in_file_nocase() { _does_pattern_exist_in_file "-Ei" $* }