From 371c23cd52ecf4000e4acea87187548943966860 Mon Sep 17 00:00:00 2001
From: ymartin-ovh <69240594+ymartin-ovh@users.noreply.github.com>
Date: Mon, 4 Jul 2022 14:29:25 +0200
Subject: [PATCH] feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)

This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
---
 bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh | 8 ++++++++
 bin/hardening/6.1.10_find_world_writable_file.sh | 8 ++++++++
 bin/hardening/6.1.11_find_unowned_files.sh | 8 ++++++++
 bin/hardening/6.1.12_find_ungrouped_files.sh | 9 +++++++++
 bin/hardening/6.1.13_find_suid_files.sh | 8 ++++++++
 bin/hardening/6.1.14_find_sgid_files.sh | 9 +++++++++
 .../hardening/1.1.21_sticky_bit_world_writable_folder.sh | 6 ++++++
 tests/hardening/6.1.10_find_world_writable_file.sh | 6 ++++++
 tests/hardening/6.1.11_find_unowned_files.sh | 6 ++++++
 tests/hardening/6.1.12_find_ungrouped_files.sh | 6 ++++++
 tests/hardening/6.1.13_find_suid_files.sh | 6 ++++++
 tests/hardening/6.1.14_find_sgid_files.sh | 6 ++++++
 12 files changed, 86 insertions(+)

diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 49750dc..b74413b 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -19,6 +19,10 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
 EXCEPTIONS=''
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if setuid is set on world writable Directories"
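Review bot: The comment above the added `FIND_IGNORE_NOSUCHFILE_ERR=false` quotes the find message but says nothing about what the flag changes or where it is meant to be set; the tests in this patch append it to the script's `.cfg` under `etc/conf.d`, so a maintainer reading only this file cannot tell it is a configuration knob rather than an internal constant. I would extend the comment to something like `# Set FIND_IGNORE_NOSUCHFILE_ERR=true in this script's .cfg to keep the audit running when find exits non-zero because a path vanished during the walk; the verdict is then based on a possibly incomplete listing.` The identical block is repeated in 6.1.10, 6.1.11, 6.1.12, 6.1.13 and 6.1.14, so the wording should be fixed in all six, or the flag declared once wherever the scripts take their shared defaults, if such a place exists.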
@@ -26,13 +30,17 @@ audit() {
 # maybe EXCEPTIONS allow us to filter out some FS
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 else
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 fi
 if [ -n "$RESULT" ]; then
diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh
index 74cc957..5b66a8e 100755
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@@ -19,6 +19,10 @@ DESCRIPTION="Ensure no world writable files exist"
 EXCLUDED=''
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are world writable files"
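Review bot: The `set +e` / `set -e` pair wrapped around each `RESULT=$(... find ...)` swallows every non-zero find status, not only the vanished-path case the flag is named for, and because stderr already goes to `2>/dev/null` the audit then silently judges whatever partial listing find managed to print — an operator gets no signal that a world-writable directory may have been skipped. Re-enabling `-e` unconditionally also assumes the script was running with it, which this hunk does not show, and `-ignore_readdir_race` on the same command already covers entries that disappear mid-walk, so the residual error is presumably a start point from `df` going away, which the comment could state. I would capture find's status instead of toggling the shell option, keep the abort when the flag is off, and log when it is on, as sketched below for the first branch; the `else` branch needs the same, as do the matching hunks in 6.1.10, 6.1.11, 6.1.12, 6.1.13 and 6.1.14. The enclosing `if` and `audit()` begin outside this hunk.
```shell
        find_rc=0
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null) || find_rc=$?
        if [ "$find_rc" -ne 0 ]; then
            # tolerate the failure only when the operator opted in, and say so:
            # the verdict below is then based on a partial listing
            [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] || exit "$find_rc"
            info "find exited with status $find_rc, audit result may be incomplete"
        fi
    else
        # … unchanged: same pattern for the branch without EXCEPTIONS …
```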
@@ -26,13 +30,17 @@ audit() {
 # maybe EXCLUDED allow us to filter out some FS
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 else
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 fi
 if [ -n "$RESULT" ]; then
diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh
index 10fe5fb..cadf9e3 100755
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@@ -20,6 +20,10 @@ DESCRIPTION="Ensure no unowned files or directories exist."
 USER='root'
 EXCLUDED=''
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are unowned files"
@@ -27,13 +31,17 @@ audit() {
 # maybe EXCLUDED allow us to filter out some FS
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 else
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 fi
 if [ -n "$RESULT" ]; then
diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh
index 379f6d3..a860ccc 100755
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@@ -20,6 +20,10 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
 GROUP='root'
 EXCLUDED=''
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are ungrouped files"
@@ -27,13 +31,18 @@ audit() {
 # maybe EXCLUDED allow us to filter out some FS
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
 else
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 fi
 if [ -n "$RESULT" ]; then
diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh
index f142673..a753d12 100755
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@@ -18,6 +18,10 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
 IGNORED_PATH=''
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are suid files"
@@ -25,13 +29,17 @@ audit() {
 # maybe IGNORED_PATH allow us to filter out some FS
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=2086
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 else
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=2086
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 fi
 BAD_BINARIES=""
diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh
index 0387d1b..0cbe248 100755
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
@@ -18,6 +18,10 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
 IGNORED_PATH=''
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
 info "Checking if there are sgid files"
@@ -25,13 +29,18 @@ audit() {
 # maybe IGNORED_PATH allow us to filter out some FS
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=2086
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
 else
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
 # shellcheck disable=2086
 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
+ [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
 fi
 BAD_BINARIES=""
diff --git a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index 7dd3df8..601fe15 100644
--- a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -23,6 +23,12 @@ test_audit() {
 register_test contain "Some world writable directories are not on sticky bit mode"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ describe Tests failing with find ignore flag
+ echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+ register_test retvalshouldbe 1
+ register_test contain "Some world writable directories are not on sticky bit mode"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe correcting situation
 sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
diff --git a/tests/hardening/6.1.10_find_world_writable_file.sh b/tests/hardening/6.1.10_find_world_writable_file.sh
index 2ee621f..8f237ed 100644
--- a/tests/hardening/6.1.10_find_world_writable_file.sh
+++ b/tests/hardening/6.1.10_find_world_writable_file.sh
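Review bot: The added `Tests failing with find ignore flag` case only re-runs the noncompliant scenario after appending `FIND_IGNORE_NOSUCHFILE_ERR=true` to the cfg, so it shows the flag leaves the normal verdict unchanged but never exercises the path the flag exists for, a find invocation that exits non-zero; a regression in that handling in the hardening script would pass this suite unnoticed. If the harness cannot make a start point vanish, the describe text should at least say what is really checked, e.g. `describe Flag set: noncompliant verdict unchanged`, so nobody reads it as coverage of the error-tolerance path. The cfg append is left in place for the following `correcting situation` step, which looks intentional but deserves a one-line comment. The same applies to the added cases in tests 6.1.10, 6.1.11, 6.1.12, 6.1.13 and 6.1.14; `test_audit()` starts outside this hunk.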
@@ -23,6 +23,12 @@ test_audit() {
 register_test contain "Some world writable files are present"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ describe Tests failing with find ignore flag
+ echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+ register_test retvalshouldbe 1
+ register_test contain "Some world writable files are present"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe correcting situation
 sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
diff --git a/tests/hardening/6.1.11_find_unowned_files.sh b/tests/hardening/6.1.11_find_unowned_files.sh
index 7d9136d..6f36824 100644
--- a/tests/hardening/6.1.11_find_unowned_files.sh
+++ b/tests/hardening/6.1.11_find_unowned_files.sh
@@ -24,6 +24,12 @@ test_audit() {
 register_test contain "Some unowned files are present"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ describe Tests failing with find ignore flag
+ echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+ register_test retvalshouldbe 1
+ register_test contain "Some unowned files are present"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe correcting situation
 sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh || true
diff --git a/tests/hardening/6.1.12_find_ungrouped_files.sh b/tests/hardening/6.1.12_find_ungrouped_files.sh
index c530aac..c6a80d0 100644
--- a/tests/hardening/6.1.12_find_ungrouped_files.sh
+++ b/tests/hardening/6.1.12_find_ungrouped_files.sh
@@ -24,6 +24,12 @@ test_audit() {
 register_test contain "Some ungrouped files are present"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ describe Tests failing with find ignore flag
+ echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+ register_test retvalshouldbe 1
+ register_test contain "Some ungrouped files are present"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe correcting situation
 sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
 /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
diff --git a/tests/hardening/6.1.13_find_suid_files.sh b/tests/hardening/6.1.13_find_suid_files.sh
index eca7117..ec34b70 100644
--- a/tests/hardening/6.1.13_find_suid_files.sh
+++ b/tests/hardening/6.1.13_find_suid_files.sh
@@ -21,6 +21,12 @@ test_audit() {
 register_test contain "$targetfile"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ describe Tests failing with find ignore flag
+ echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+ register_test retvalshouldbe 1
+ register_test contain "Some suid files are present"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe correcting situation
 chmod 700 $targetfile
diff --git a/tests/hardening/6.1.14_find_sgid_files.sh b/tests/hardening/6.1.14_find_sgid_files.sh
index a5b7d52..380442b 100644
--- a/tests/hardening/6.1.14_find_sgid_files.sh
+++ b/tests/hardening/6.1.14_find_sgid_files.sh
@@ -22,6 +22,12 @@ test_audit() {
 register_test contain "$targetfile"
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ describe Tests failing with find ignore flag
+ echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+ register_test retvalshouldbe 1
+ register_test contain "Some sgid files are present"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe correcting situation
 chmod 700 $targetfile