fix EXCEPTIONS management (#104)

* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14
Thibault Ayanides 2021-06-02 13:47:19 +02:00 committed by GitHub
parent 4ed8adf790
commit 334d743125
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 118 additions and 131 deletions


@ -23,21 +23,14 @@ EXCEPTIONS=''
audit() { audit() {
info "Checking if setuid is set on world writable Directories" info "Checking if setuid is set on world writable Directories"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086 if [ -n "$EXCEPTIONS" ]; then
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) # shellcheck disable=SC2086
IFS_BAK=$IFS RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
IFS=$'\n' else
for LINE in $RESULT; do # shellcheck disable=SC2086
debug "line : $LINE" RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if echo "$EXCEPTIONS" | grep -q "$LINE"; then fi
debug "$LINE is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$LINE not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -50,20 +43,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) if [ -n "$EXCEPTIONS" ]; then
IFS_BAK=$IFS # shellcheck disable=SC2086
IFS=$'\n' RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
for LINE in $RESULT; do else
debug "line : $LINE" RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then fi
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "Setting sticky bit on world writable directories" warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@ -72,20 +58,10 @@ apply() {
fi fi
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
if [ -z "$EXCEPTIONS" ]; then # No param for this function
EXCEPTIONS="@" :
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
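Review bot: The unquoted `! -regex $EXCEPTIONS` in the new audit() and apply() only works while EXCEPTIONS holds exactly one pattern; a second whitespace-separated entry is passed to find as a stray positional argument, find aborts with a usage error, the `2>/dev/null` swallows it, RESULT ends up empty and the check reports "All world writable directories have a sticky bit" — a fail-open on precisely the multi-entry configuration the prefix-append style used in the tests (`EXCEPTIONS="$EXCEPTIONS …"`) and the deleted "separated by spaces" config comment appear to expect. The same construction is introduced in the 6.1.10 section and by the de-quoting of `"$EXCLUDED"`/`"$IGNORED_PATH"` in the 6.1.11, 6.1.12, 6.1.13 and 6.1.14 sections, so whatever fix is chosen should be applied to all of them. Expanding the list into one `! -regex PATTERN` pair per entry with `read -r -a` (which, unlike a bare `for X in $EXCEPTIONS`, does not glob-expand a `.*`) and passing the pairs as an array also collapses the duplicated if/else find invocations into one; the `${EXCL_ARGS[@]+"${EXCL_ARGS[@]}"}` form keeps an empty list safe under `set -u` on bash older than 4.4. audit() and apply() both continue outside the hunk.
```shell
    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    # One "! -regex PATTERN" pair per whitespace-separated entry, so a
    # multi-entry EXCEPTIONS can never spill into find's positional arguments
    # (which would make find fail and the audit silently pass).
    read -r -a EXCL_LIST <<<"$EXCEPTIONS"
    EXCL_ARGS=()
    for PATTERN in "${EXCL_LIST[@]}"; do
        EXCL_ARGS+=(! -regex "$PATTERN")
    done
    # shellcheck disable=SC2086
    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ${EXCL_ARGS[@]+"${EXCL_ARGS[@]}"} -print 2>/dev/null)
    # … unchanged: RESULT reporting …
```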


@ -17,27 +17,21 @@ HARDENING_LEVEL=3
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Ensure no world writable files exist" DESCRIPTION="Ensure no world writable files exist"
EXCEPTIONS='' EXCLUDED=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
info "Checking if there are world writable files" info "Checking if there are world writable files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) if [ -n "$EXCLUDED" ]; then
IFS_BAK=$IFS # shellcheck disable=SC2086
IFS=$'\n' RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
for LINE in $RESULT; do else
debug "line : $LINE" # shellcheck disable=SC2086
if echo "$EXCEPTIONS" | grep -q "$LINE"; then RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
debug "$LINE is confirmed as an exception" fi
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$LINE not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable files are present" crit "Some world writable files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -50,20 +44,13 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) if [ -n "$EXCLUDED" ]; then
IFS_BAK=$IFS # shellcheck disable=SC2086
IFS=$'\n' RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
for LINE in $RESULT; do else
debug "line : $LINE" RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then fi
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "chmoding o-w all files in the system" warn "chmoding o-w all files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
@ -72,20 +59,10 @@ apply() {
fi fi
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
if [ -z "$EXCEPTIONS" ]; then # No param for this function
EXCEPTIONS="@" :
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter
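Review bot: Renaming the knob from EXCEPTIONS to EXCLUDED at the top of 6.1.10 (`EXCLUDED=''`) silently orphans any existing per-host config that sets EXCEPTIONS for this check: the value is still sourced but no longer read, so previously whitelisted files turn into findings without any warning, while the changelog entry in this same commit still speaks of EXCEPTIONS management for 6.1.10. If the rename is intended, check_config() is the natural place to honour the old name for one release, e.g. `if [ -z "$EXCLUDED" ] && [ -n "${EXCEPTIONS:-}" ]; then EXCLUDED=$EXCEPTIONS; fi` together with a `warn` about the deprecated variable. Separately, apply() gates only the warn on the exclusion-filtered RESULT; the unchanged `find … -perm -0002 -print | xargs chmod o-w` that follows still rewrites every world-writable file, excluded ones included (the 1.1.21 apply() has the same shape with `chmod a+t`), so the remediation should consume RESULT instead, e.g. `printf '%s\n' "$RESULT" | xargs -d '\n' chmod o-w`, which also keeps paths containing spaces intact. apply() continues outside the hunk.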


@ -26,7 +26,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else else
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
@ -44,7 +44,8 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
fi fi


@ -26,7 +26,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else else
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
@ -44,7 +44,8 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
if [ -n "$EXCLUDED" ]; then if [ -n "$EXCLUDED" ]; then
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) # shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
else else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
fi fi


@ -24,7 +24,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086 # shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
else else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
fi fi


@ -24,7 +24,7 @@ audit() {
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086 # shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then if [ -n "$IGNORED_PATH" ]; then
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
else else
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
fi fi

7
debian/changelog vendored

@ -1,3 +1,10 @@
cis-hardening (3.1-6) unstable; urgency=medium
* Improve EXCEPTIONS management (1.1.21,6.1.10)
* Fix bug linked with regex quoting (6.1.10-11-12-13-14)
-- Thibault Ayanides <thibault.ayanides@ovhcloud.com> Wed, 02 Jun 2021 09:45:40 +0200
cis-hardening (3.1-5) unstable; urgency=medium cis-hardening (3.1-5) unstable; urgency=medium
* Fix unbound EXCEPTIONS variable in some cases * Fix unbound EXCEPTIONS variable in some cases


@ -1,29 +1,35 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/exception
chmod 777 /home/secaudit/exception
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit" register_test contain "All world writable directories have a sticky bit"
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
if [ -f "/.dockerenv" ]; then
skip "SKIPPED on docker"
else
describe Tests purposely failing
local targetdir="/home/secaudit/world_writable_folder"
mkdir $targetdir || true
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe Tests purposely failing
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg local targetdir="/home/secaudit/world_writable_folder"
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true mkdir $targetdir || true
chmod 777 "$targetdir"
register_test retvalshouldbe 1
register_test contain "Some world writable directories are not on sticky bit mode"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "All world writable directories have a sticky bit"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }
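Review bot: The new setup in test_audit appends exactly one entry to the generated config, so the multi-entry form that the append itself implies (`EXCEPTIONS="$EXCEPTIONS …"`) is never exercised and a regression in which a second entry breaks the find expression would pass this suite unnoticed; the 6.1.10, 6.1.11 and 6.1.12 test sections below have the same single-entry setup. Putting two exceptions on the line, e.g. `echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception /home/secaudit/exception2"'`, creating the second directory with mode 777 as well, and keeping the blank-host expectation of return 0 turns that run into a real assertion that both exclusions are honoured rather than that one happens to work. Note also that `mkdir /home/secaudit/exception` carries no `-p` or `|| true` guard, unlike `mkdir $targetdir || true` further down, so a rerun against a non-fresh host aborts before any assertion is evaluated.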


@ -1,32 +1,33 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
#run this test only if we're not in docker describe Running on blank host
if [ -f "/.dockerenv" ]; then register_test retvalshouldbe 0
skip "SKIPPED on docker" register_test contain "No world writable files found"
else # shellcheck disable=2154
describe Running on blank host run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
register_test retvalshouldbe 0
register_test contain "No world writable files found"
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Tests purposely failing describe Tests purposely failing
local targetfile="/home/secaudit/worldwritable" local targetfile="/home/secaudit/worldwritable"
touch "$targetfile" touch "$targetfile"
chmod 777 "$targetfile" chmod 777 "$targetfile"
register_test retvalshouldbe 1 register_test retvalshouldbe 1
register_test contain "Some world writable files are present" register_test contain "Some world writable files are present"
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe correcting situation describe correcting situation
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
/opt/debian-cis/bin/hardening/"${script}".sh --apply || true /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
describe Checking resolved state
register_test retvalshouldbe 0
register_test contain "No world writable files found"
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
fi
} }


@ -1,6 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/6.1.11/
touch /home/secaudit/6.1.11/test
chown 1200 /home/secaudit/6.1.11/test
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "No unowned files found" register_test contain "No unowned files found"


@ -1,6 +1,15 @@
# shellcheck shell=bash # shellcheck shell=bash
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running void to generate the conf file that will later be edited
# shellcheck disable=2154
/opt/debian-cis/bin/hardening/"${script}".sh || true
# shellcheck disable=2016
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.12/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
mkdir /home/secaudit/6.1.12/
touch /home/secaudit/6.1.12/test
chown 1200:1200 /home/secaudit/6.1.12/test
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "No ungrouped files found" register_test contain "No ungrouped files found"