elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-21 21:17:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX(5.2.2,5.2.3) find was not working properly

Browse Source 
I removed the functions in utils and replace them with loops, so that
there is no more problems with the options arrays.
This commit is contained in:
Thibault Ayanides 2020-10-27 12:47:11 +01:00
parent 97bb1927c3
commit 20f432765d
4 changed files with 132 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
bin/hardening/4.2.4_logs_permissions.sh
View File

@ -16,27 +16,41 @@ DESCRIPTION="Check permissions on logs (other has no permissions on any files an
DIR='/var/log' DIR='/var/log'
PERMISSIONS='640' PERMISSIONS='640'
OPTIONS=(-type f)
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS ERRORS=0
for FILE in $($SUDO_CMD find $DIR -type f);
do
perm=$(stat -L -c '%a' $FILE)
echo "$perm ttt $PERMISSIONS"
if [ "$perm" != "$PERMISSIONS" ]; then
ERRORS=$((ERRORS+1))
crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
fi
done
if [ $FNRET = 0 ]; then if [ $ERRORS = 0 ]; then
ok "Logs in $DIR have correct permissions" ok "Logs in $DIR have correct permissions"
else
crit "Some logs in $DIR permissions were not set to $PERMISSIONS"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS ERRORS=0
if [ $FNRET = 0 ]; then for FILE in $($SUDO_CMD find $DIR -type f);
do
perm=$(stat -L -c '%a' $FILE)
echo "$perm ttt $PERMISSIONS"
if [ "$perm" != "$PERMISSIONS" ]; then
info "fixing $DIR logs permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE
fi
done
if [ $ERRORS = 0 ]; then
ok "Logs in $DIR have correct permissions" ok "Logs in $DIR have correct permissions"
else
info "fixing $DIR logs permissions to $PERMISSIONS"
find $DIR -type f -exec chmod 0$PERMISSIONS {} \;
fi fi
} }

81
bin/hardening/5.2.2_ssh_host_private_keys_perm_ownership.sh
View File

@ -18,41 +18,70 @@ DIR='/etc/ssh'
PERMISSIONS='600' PERMISSIONS='600'
USER='root' USER='root'
GROUP='root' GROUP='root'
OPTIONS=(-xdev -type f -name "ssh_host_*_key")
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS ERRORS=0
if [ $FNRET = 0 ]; then for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
ok "SSH public keys in $DIR have correct ownership" do
else has_file_correct_permissions $FILE $PERMISSIONS
crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP" if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
ERRORS=$((ERRORS+1))
crit "$FILE permissions were not set to $PERMISSIONS"
fi
done
if [ $ERRORS = 0 ]; then
ok "SSH private keys in $DIR have correct permissions"
fi
ERRORS=0
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
do
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE ownership was set to $USER:$GROUP"
else
ERRORS=$((ERRORS+1))
crit "$FILE ownership was not set to $USER:$GROUP"
fi
done
if [ $ERRORS = 0 ]; then
ok "SSH private keys in $DIR have correct ownership"
fi fi
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS
if [ $FNRET = 0 ]; then
ok "SSH public keys in $DIR have correct permissions"
else
crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
do
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE ownership was set to $USER:$GROUP"
else
warn "fixing $DIR SSH private keys permissions to $USER:$GROUP"
chown $USER:$GROUP $FILE
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS fi
if [ $FNRET = 0 ]; then done
ok "SSH public keys in $DIR have correct ownership"
else for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key');
warn "fixing $DIR SSH public keys ownership to $USER:$GROUP" do
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; has_file_correct_permissions $FILE $PERMISSIONS
fi if [ $FNRET = 0 ]; then
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS ok "$FILE permissions were set to $PERMISSIONS"
if [ $FNRET = 0 ]; then else
ok "SSH public keys in $DIR have correct permissions" warn "fixing $DIR SSH private keys ownership to $PERMISSIONS"
else chmod 0$PERMISSIONS $FILE
info "fixing $DIR SSH public keys permissions to $PERMISSIONS" fi
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0600 {} \; done
fi
} }
# This function will check config parameters required # This function will check config parameters required

79
bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
View File

@ -18,41 +18,68 @@ DIR='/etc/ssh'
PERMISSIONS='644' PERMISSIONS='644'
USER='root' USER='root'
GROUP='root' GROUP='root'
OPTIONS=(-xdev -type f -name "ssh_host_*_key.pub")
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS ERRORS=0
if [ $FNRET = 0 ]; then for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
ok "SSH public keys in $DIR have correct ownership" do
else has_file_correct_permissions $FILE $PERMISSIONS
crit "Some $DIR SSH public keys ownership were not set to $USER:$GROUP" if [ $FNRET = 0 ]; then
fi ok "$FILE permissions were set to $PERMISSIONS"
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS else
if [ $FNRET = 0 ]; then ERRORS=$((ERRORS+1))
crit "$FILE permissions were not set to $PERMISSIONS"
fi
done
if [ $ERRORS = 0 ]; then
ok "SSH public keys in $DIR have correct permissions" ok "SSH public keys in $DIR have correct permissions"
else fi
crit "Some $DIR SSH public keys permissions were not set to $PERMISSIONS"
fi ERRORS=0
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
do
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE ownership was set to $USER:$GROUP"
else
ERRORS=$((ERRORS+1))
crit "$FILE ownership was not set to $USER:$GROUP"
fi
done
if [ $ERRORS = 0 ]; then
ok "SSH public keys in $DIR have correct ownership"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
do
has_file_correct_permissions $FILE $PERMISSIONS
if [ $FNRET = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
chmod 0$PERMISSIONS $FILE
fi
done
have_files_in_dir_correct_ownership $DIR $USER $GROUP OPTIONS for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
if [ $FNRET = 0 ]; then do
ok "SSH public keys in $DIR have correct ownership" has_file_correct_ownership $FILE $USER $GROUP
else if [ $FNRET = 0 ]; then
warn "fixing $DIR SSH public keys ownership to $USER:$GROUP" ok "$FILE ownership was set to $USER:$GROUP"
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; else
fi warn "fixing $DIR SSH public keys ownership to $PERMISSIONS"
have_files_in_dir_correct_permissions $DIR $PERMISSIONS OPTIONS chown $USER:$GROUP $FILE
if [ $FNRET = 0 ]; then fi
ok "SSH public keys in $DIR have correct permissions" done
else
info "fixing $DIR SSH public keys permissions to $PERMISSIONS"
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \;
fi
} }
# This function will check config parameters required # This function will check config parameters required

40
lib/utils.sh
View File

@ -84,29 +84,6 @@ has_file_correct_ownership() {
fi fi
} }
have_files_in_dir_correct_ownership(){
local DIR=$1
local USER=$2
local GROUP=$3
local name=$4[@]
local OPTIONS=("${!name}")
local USERID=$(id -u $USER)
local GROUPID=$(getent group $GROUP | cut -d: -f3)
FNRET=0
OIFS="$IFS"
IFS=$'\n' # prevents word splitting
for owner in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -c '%u %g' {} \;");
do
if [ "$owner" != "$USERID $GROUPID" ]; then
FNRET=1
break
fi
done
IFS="$OIFS"
}
has_file_correct_permissions() { has_file_correct_permissions() {
local FILE=$1 local FILE=$1
local PERMISSIONS=$2 local PERMISSIONS=$2
@ -118,23 +95,6 @@ has_file_correct_permissions() {
fi fi
} }
have_files_in_dir_correct_permissions(){
local DIR=$1
local PERMISSIONS=$2
local name=$3[@]
local OPTIONS=("${!name}")
FNRET=0
for perm in $("$SUDO_CMD find $DIR" "${OPTIONS[@]}" "-exec stat -L -c '%a' {} \;");
do
echo "$perm ttt $PERMISSIONS"
if [ "$perm" != "$PERMISSIONS" ]; then
FNRET=1
break
fi
done
}
does_pattern_exist_in_file_nocase() { does_pattern_exist_in_file_nocase() {
_does_pattern_exist_in_file "-Ei" $* _does_pattern_exist_in_file "-Ei" $*
} }