elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-24 11:34:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)

Browse Source 
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
This commit is contained in:
ymartin-ovh
2022-07-04 14:29:25 +02:00
committed by GitHub
parent ea8334d516
commit 371c23cd52
12 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
bin/hardening/6.1.13_find_suid_files.sh
View File

@ -18,6 +18,10 @@ HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables."
IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are suid files"
@ -25,13 +29,17 @@ audit() {
# maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
BAD_BINARIES=""