elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-24 11:34:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)

Browse Source 
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
This commit is contained in:
ymartin-ovh
2022-07-04 14:29:25 +02:00
committed by GitHub
parent ea8334d516
commit 371c23cd52
12 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -20,6 +20,10 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
GROUP='root'
EXCLUDED=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are ungrouped files"
@ -27,13 +31,18 @@ audit() {
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
if [ -n "$RESULT" ]; then