mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-21 21:17:00 +01:00
fix EXCEPTIONS management (#104)
* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management * Update changelog * Refactor test for 6.1.10-14
This commit is contained in:
parent
4ed8adf790
commit
334d743125
@ -23,21 +23,14 @@ EXCEPTIONS=''
|
||||
audit() {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
IFS_BAK=$IFS
|
||||
IFS=$'\n'
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
|
||||
debug "$LINE is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$LINE not found in exceptions"
|
||||
fi
|
||||
done
|
||||
IFS=$IFS_BAK
|
||||
if [ -n "$EXCEPTIONS" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
|
||||
else
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable directories are not on sticky bit mode!"
|
||||
# shellcheck disable=SC2001
|
||||
@ -50,20 +43,13 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
IFS_BAK=$IFS
|
||||
IFS=$'\n'
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
IFS=$IFS_BAK
|
||||
if [ -n "$EXCEPTIONS" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "Setting sticky bit on world writable directories"
|
||||
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
|
||||
@ -72,20 +58,10 @@ apply() {
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=audit
|
||||
# Put here your exceptions separated by spaces
|
||||
EXCEPTIONS=""
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
@ -17,27 +17,21 @@ HARDENING_LEVEL=3
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Ensure no world writable files exist"
|
||||
|
||||
EXCEPTIONS=''
|
||||
EXCLUDED=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are world writable files"
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
IFS_BAK=$IFS
|
||||
IFS=$'\n'
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
|
||||
debug "$LINE is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$LINE not found in exceptions"
|
||||
fi
|
||||
done
|
||||
IFS=$IFS_BAK
|
||||
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
else
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some world writable files are present"
|
||||
# shellcheck disable=SC2001
|
||||
@ -50,20 +44,13 @@ audit() {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
IFS_BAK=$IFS
|
||||
IFS=$'\n'
|
||||
for LINE in $RESULT; do
|
||||
debug "line : $LINE"
|
||||
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
# shellcheck disable=SC2001
|
||||
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
IFS=$IFS_BAK
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT" ]; then
|
||||
warn "chmoding o-w all files in the system"
|
||||
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
|
||||
@ -72,20 +59,10 @@ apply() {
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=audit
|
||||
# Put here your exceptions separated by spaces
|
||||
EXCEPTIONS=""
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
# No param for this function
|
||||
:
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
@ -26,7 +26,7 @@ audit() {
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
else
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
|
||||
@ -44,7 +44,8 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
fi
|
||||
|
@ -26,7 +26,7 @@ audit() {
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
else
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
|
||||
@ -44,7 +44,8 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
fi
|
||||
|
@ -24,7 +24,7 @@ audit() {
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
|
||||
# shellcheck disable=2086
|
||||
if [ -n "$IGNORED_PATH" ]; then
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
|
||||
else
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
|
||||
fi
|
||||
|
@ -24,7 +24,7 @@ audit() {
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
|
||||
# shellcheck disable=2086
|
||||
if [ -n "$IGNORED_PATH" ]; then
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
|
||||
else
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
|
||||
fi
|
||||
|
7
debian/changelog
vendored
7
debian/changelog
vendored
@ -1,3 +1,10 @@
|
||||
cis-hardening (3.1-6) unstable; urgency=medium
|
||||
|
||||
* Improve EXCEPTIONS management (1.1.21,6.1.10)
|
||||
* Fix bug linked with regex quoting (6.1.10-11-12-13-14)
|
||||
|
||||
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Wed, 02 Jun 2021 09:45:40 +0200
|
||||
|
||||
cis-hardening (3.1-5) unstable; urgency=medium
|
||||
|
||||
* Fix unbound EXCEPTIONS variable in some cases
|
||||
|
@ -1,29 +1,35 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running void to generate the conf file that will later be edited
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
mkdir /home/secaudit/exception
|
||||
chmod 777 /home/secaudit/exception
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "All world writable directories have a sticky bit"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Tests purposely failing
|
||||
local targetdir="/home/secaudit/world_writable_folder"
|
||||
mkdir $targetdir || true
|
||||
chmod 777 "$targetdir"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some world writable directories are not on sticky bit mode"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
describe Tests purposely failing
|
||||
local targetdir="/home/secaudit/world_writable_folder"
|
||||
mkdir $targetdir || true
|
||||
chmod 777 "$targetdir"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some world writable directories are not on sticky bit mode"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "All world writable directories have a sticky bit"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "All world writable directories have a sticky bit"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
}
|
||||
|
@ -1,32 +1,33 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running void to generate the conf file that will later be edited
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
#run this test only if we're not in docker
|
||||
if [ -f "/.dockerenv" ]; then
|
||||
skip "SKIPPED on docker"
|
||||
else
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No world writable files found"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No world writable files found"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Tests purposely failing
|
||||
local targetfile="/home/secaudit/worldwritable"
|
||||
touch "$targetfile"
|
||||
chmod 777 "$targetfile"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some world writable files are present"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
describe Tests purposely failing
|
||||
local targetfile="/home/secaudit/worldwritable"
|
||||
touch "$targetfile"
|
||||
chmod 777 "$targetfile"
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "Some world writable files are present"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
describe correcting situation
|
||||
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No world writable files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
describe Checking resolved state
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No world writable files found"
|
||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
fi
|
||||
}
|
||||
|
@ -1,6 +1,15 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running void to generate the conf file that will later be edited
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
mkdir /home/secaudit/6.1.11/
|
||||
touch /home/secaudit/6.1.11/test
|
||||
chown 1200 /home/secaudit/6.1.11/test
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No unowned files found"
|
||||
|
@ -1,6 +1,15 @@
|
||||
# shellcheck shell=bash
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running void to generate the conf file that will later be edited
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
mkdir /home/secaudit/6.1.12/
|
||||
touch /home/secaudit/6.1.12/test
|
||||
chown 1200:1200 /home/secaudit/6.1.12/test
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "No ungrouped files found"
|
||||
|
Loading…
Reference in New Issue
Block a user