diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh index 86c45c0..7152683 100755 --- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh @@ -23,21 +23,14 @@ EXCEPTIONS='' audit() { info "Checking if setuid is set on world writable Directories" FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') - # shellcheck disable=SC2086 - RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) - IFS_BAK=$IFS - IFS=$'\n' - for LINE in $RESULT; do - debug "line : $LINE" - if echo "$EXCEPTIONS" | grep -q "$LINE"; then - debug "$LINE is confirmed as an exception" - # shellcheck disable=SC2001 - RESULT=$(sed "s!$LINE!!" <<<"$RESULT") - else - debug "$LINE not found in exceptions" - fi - done - IFS=$IFS_BAK + if [ -n "$EXCEPTIONS" ]; then + # shellcheck disable=SC2086 + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null) + else + # shellcheck disable=SC2086 + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) + fi + if [ -n "$RESULT" ]; then crit "Some world writable directories are not on sticky bit mode!" # shellcheck disable=SC2001 
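Review bot: `! -regex $EXCEPTIONS` passes the exception list unquoted, so an EXCEPTIONS value holding two or more space-separated entries (the form the test below builds with `EXCEPTIONS="$EXCEPTIONS ..."`) is split into several find arguments; find then rejects its command line, `2>/dev/null` hides the message, RESULT is empty and the audit reports compliance for directories that were never examined. A single entry also stays subject to pathname expansion, since a pattern such as `.*` is a glob as well as a regex. Joining the entries into one egrep alternation and passing it as a single quoted argument keeps the audit fail-closed; the 6.1.10, 6.1.11, 6.1.12, 6.1.13 and 6.1.14 hunks below (EXCLUDED / IGNORED_PATH) have the same shape, and there the commit removes quotes that were previously present. Routing find's stderr through `debug` instead of discarding it would also stop an argument error from silently becoming a pass. audit() continues outside the hunk.
```shell
    if [ -n "$EXCEPTIONS" ]; then
        # Join the space-separated entries into one egrep alternation so that find
        # always receives exactly one -regex argument (no word-splitting, no globbing).
        read -r -a exceptions_list <<<"$EXCEPTIONS"
        exceptions_regex=$(IFS='|'; printf '%s' "${exceptions_list[*]}")
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "($exceptions_regex)" -print 2>/dev/null)
    else
        # … unchanged: find without exclusion …
    fi
```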
@@ -50,20 +43,13 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) - IFS_BAK=$IFS - IFS=$'\n' - for LINE in $RESULT; do - debug "line : $LINE" - if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then - debug "$ACCOUNT is confirmed as an exception" - # shellcheck disable=SC2001 - RESULT=$(sed "s!$LINE!!" <<<"$RESULT") - else - debug "$ACCOUNT not found in exceptions" - fi - done - IFS=$IFS_BAK + if [ -n "$EXCEPTIONS" ]; then + # shellcheck disable=SC2086 + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null) + else + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) + fi + if [ -n "$RESULT" ]; then warn "Setting sticky bit on world writable directories" df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t 
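Review bot: The exception list now narrows RESULT but not the remediation: inside the `if [ -n "$RESULT" ]` body, `df --local -P | ... | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t` still sets the sticky bit on every world-writable directory, exceptions included, and the `! -perm -1000` filter used for RESULT is dropped as well. Reusing the already-filtered list keeps apply consistent with audit: `while IFS= read -r dir; do [ -n "$dir" ] && chmod a+t -- "$dir"; done <<<"$RESULT"`. The 6.1.10 apply hunk has the same mismatch with a heavier consequence, because its unconditional `chmod o-w` also reaches paths the EXCLUDED pattern was meant to protect (the test for it excludes `^/dev/.*`, and stripping o-w from device nodes such as /dev/null breaks unprivileged processes). apply() continues outside the hunk.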
@@ -72,20 +58,10 @@ apply() { fi } -# This function will create the config file for this check with default values -create_config() { - cat </dev/null) - IFS_BAK=$IFS - IFS=$'\n' - for LINE in $RESULT; do - debug "line : $LINE" - if echo "$EXCEPTIONS" | grep -q "$LINE"; then - debug "$LINE is confirmed as an exception" - # shellcheck disable=SC2001 - RESULT=$(sed "s!$LINE!!" <<<"$RESULT") - else - debug "$LINE not found in exceptions" - fi - done - IFS=$IFS_BAK + + if [ -n "$EXCLUDED" ]; then + # shellcheck disable=SC2086 + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) + else + # shellcheck disable=SC2086 + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) + fi + if [ -n "$RESULT" ]; then crit "Some world writable files are present" # shellcheck disable=SC2001 
@@ -50,20 +44,13 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) - IFS_BAK=$IFS - IFS=$'\n' - for LINE in $RESULT; do - debug "line : $LINE" - if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then - debug "$ACCOUNT is confirmed as an exception" - # shellcheck disable=SC2001 - RESULT=$(sed "s!$LINE!!" <<<"$RESULT") - else - debug "$ACCOUNT not found in exceptions" - fi - done - IFS=$IFS_BAK + if [ -n "$EXCLUDED" ]; then + # shellcheck disable=SC2086 + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) + else + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) + fi + if [ -n "$RESULT" ]; then warn "chmoding o-w all files in the system" df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w @@ -72,20 +59,10 @@ apply() { fi } -# This function will create the config file for this check with default values -create_config() { - cat </dev/null) + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) else # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) 
@@ -44,7 +44,8 @@ audit() { # This function will be called if the script status is on enabled mode apply() { if [ -n "$EXCLUDED" ]; then - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) + # shellcheck disable=SC2086 + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null) else RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null) fi diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh index 02a302c..df06afb 100755 --- a/bin/hardening/6.1.12_find_ungrouped_files.sh +++ b/bin/hardening/6.1.12_find_ungrouped_files.sh @@ -26,7 +26,7 @@ audit() { FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') if [ -n "$EXCLUDED" ]; then # shellcheck disable=SC2086 - RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) + RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) else # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) @@ -44,7 +44,8 @@ audit() { # This function will be called if the script status is on enabled mode apply() { if [ -n "$EXCLUDED" ]; then - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) + # shellcheck disable=SC2086 + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null) else RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null) fi 
diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh index 5a22ac5..54670a1 100755 --- a/bin/hardening/6.1.13_find_suid_files.sh +++ b/bin/hardening/6.1.13_find_suid_files.sh @@ -24,7 +24,7 @@ audit() { FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') # shellcheck disable=2086 if [ -n "$IGNORED_PATH" ]; then - FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) + FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print) else FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) fi diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh index 2793915..1c18a32 100755 --- a/bin/hardening/6.1.14_find_sgid_files.sh +++ b/bin/hardening/6.1.14_find_sgid_files.sh @@ -24,7 +24,7 @@ audit() { FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') # shellcheck disable=2086 if [ -n "$IGNORED_PATH" ]; then - FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) + FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print) else FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) fi diff --git a/debian/changelog b/debian/changelog index 877fdee..ede977d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cis-hardening (3.1-6) unstable; urgency=medium + + * Improve EXCEPTIONS management (1.1.21,6.1.10) + * Fix bug linked with regex quoting (6.1.10-11-12-13-14) + + -- Thibault Ayanides Wed, 02 Jun 2021 09:45:40 +0200 + cis-hardening (3.1-5) unstable; urgency=medium * Fix unbound EXCEPTIONS variable in some cases diff --git a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh index 4602fcd..7dd3df8 100644 
--- a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh +++ b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh 
@@ -1,29 +1,35 @@ # shellcheck shell=bash # run-shellcheck test_audit() { + describe Running void to generate the conf file that will later be edited + # shellcheck disable=2154 + /opt/debian-cis/bin/hardening/"${script}".sh || true + # shellcheck disable=2016 + echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg + mkdir /home/secaudit/exception + chmod 777 /home/secaudit/exception + describe Running on blank host register_test retvalshouldbe 0 register_test contain "All world writable directories have a sticky bit" # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - if [ -f "/.dockerenv" ]; then - skip "SKIPPED on docker" - else - describe Tests purposely failing - local targetdir="/home/secaudit/world_writable_folder" - mkdir $targetdir || true - chmod 777 "$targetdir" - register_test retvalshouldbe 1 - register_test contain "Some world writable directories are not on sticky bit mode" - run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg - /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + describe Tests purposely failing + local targetdir="/home/secaudit/world_writable_folder" + mkdir $targetdir || true + chmod 777 "$targetdir" + register_test retvalshouldbe 1 + register_test contain "Some world writable directories are not on sticky bit mode" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "All world writable directories have a sticky bit" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe Checking resolved state - 
register_test retvalshouldbe 0 - register_test contain "All world writable directories have a sticky bit" - run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - fi } diff --git a/tests/hardening/6.1.10_find_world_writable_file.sh b/tests/hardening/6.1.10_find_world_writable_file.sh index 53b4f33..faf9229 100644 --- a/tests/hardening/6.1.10_find_world_writable_file.sh +++ b/tests/hardening/6.1.10_find_world_writable_file.sh 
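Review bot: The new exception setup exercises only a single EXCEPTIONS entry, so the blank-host run cannot tell a working list apart from one that breaks on its second element; appending two directories, e.g. `echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception /home/secaudit/exception2"'` with a matching `mkdir`/`chmod 777` pair, would cover the list form the script is expected to accept. The resolved-state run also never checks that `/home/secaudit/exception` kept mode 777 after `--apply`, which is the one observable difference between an exception honored everywhere and one honored only in the audit. Separately, `mkdir $targetdir || true` is unquoted; `mkdir -p -- "$targetdir"` matches the `chmod 777 "$targetdir"` next to it and removes the need for `|| true`.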
@@ -1,32 +1,33 @@ # shellcheck shell=bash # run-shellcheck test_audit() { + describe Running void to generate the conf file that will later be edited + # shellcheck disable=2154 + /opt/debian-cis/bin/hardening/"${script}".sh || true + # shellcheck disable=2016 + echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg - #run this test only if we're not in docker - if [ -f "/.dockerenv" ]; then - skip "SKIPPED on docker" - else - describe Running on blank host - register_test retvalshouldbe 0 - register_test contain "No world writable files found" - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Running on blank host + register_test retvalshouldbe 0 + register_test contain "No world writable files found" + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe Tests purposely failing - local targetfile="/home/secaudit/worldwritable" - touch "$targetfile" - chmod 777 "$targetfile" - register_test retvalshouldbe 1 - register_test contain "Some world writable files are present" - run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + describe Tests purposely failing + local targetfile="/home/secaudit/worldwritable" + touch "$targetfile" + chmod 777 "$targetfile" + register_test retvalshouldbe 1 + register_test contain "Some world writable files are present" + run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe correcting situation - sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg - /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "No world writable files found" + run resolved 
/opt/debian-cis/bin/hardening/"${script}".sh --audit-all - describe Checking resolved state - register_test retvalshouldbe 0 - register_test contain "No world writable files found" - run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - fi } diff --git a/tests/hardening/6.1.11_find_unowned_files.sh b/tests/hardening/6.1.11_find_unowned_files.sh index 1bc9094..7d9136d 100644 --- a/tests/hardening/6.1.11_find_unowned_files.sh +++ b/tests/hardening/6.1.11_find_unowned_files.sh @@ -1,6 +1,15 @@ # shellcheck shell=bash # run-shellcheck test_audit() { + describe Running void to generate the conf file that will later be edited + # shellcheck disable=2154 + /opt/debian-cis/bin/hardening/"${script}".sh || true + # shellcheck disable=2016 + echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg + mkdir /home/secaudit/6.1.11/ + touch /home/secaudit/6.1.11/test + chown 1200 /home/secaudit/6.1.11/test + describe Running on blank host register_test retvalshouldbe 0 register_test contain "No unowned files found" diff --git a/tests/hardening/6.1.12_find_ungrouped_files.sh b/tests/hardening/6.1.12_find_ungrouped_files.sh index 04ff6ab..c530aac 100644 --- a/tests/hardening/6.1.12_find_ungrouped_files.sh +++ b/tests/hardening/6.1.12_find_ungrouped_files.sh @@ -1,6 +1,15 @@ # shellcheck shell=bash # run-shellcheck test_audit() { + describe Running void to generate the conf file that will later be edited + # shellcheck disable=2154 + /opt/debian-cis/bin/hardening/"${script}".sh || true + # shellcheck disable=2016 + echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg + mkdir /home/secaudit/6.1.12/ + touch /home/secaudit/6.1.12/test + chown 1200:1200 /home/secaudit/6.1.12/test + describe Running on blank host register_test retvalshouldbe 0 register_test contain "No ungrouped files found"
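Review bot: The `^/dev/.*` exclusion written to the config is a setup detail rather than an asserted behavior: the blank-host run passes only because /dev is excluded from the audit, yet nothing after the "correcting situation" step confirms that world-writable nodes under /dev were also left alone by `--apply`. Recording `stat -c %a /dev/null` before the apply step and comparing it afterwards (or a `[ -w /dev/null ]` check as the unprivileged test user, if the harness supports that) would catch a remediation that ignores EXCLUDED. In the 6.1.11 and 6.1.12 hunks the excluded fixture is created with `mkdir /home/secaudit/6.1.11/` (and `.../6.1.12/`) without `-p`, which fails on a re-run where the directory already exists; `mkdir -p` keeps those tests idempotent. Those fixtures also presume that uid/gid 1200 are unassigned in the test image — worth a one-line comment next to the `chown` so the assumption is visible.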