mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-23 14:35:26 +01:00
resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit
This commit is contained in:
parent
47857774b4
commit
39246bc175
@ -14,17 +14,33 @@ set -u # One variable unset, it's over
|
|||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
|
|
||||||
LIMIT_FILE='/etc/security/limits.conf'
|
LIMIT_FILE='/etc/security/limits.conf'
|
||||||
|
LIMIT_DIR='/etc/security/limits.d'
|
||||||
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
|
LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$'
|
||||||
SYSCTL_PARAM='fs.suid_dumpable'
|
SYSCTL_PARAM='fs.suid_dumpable'
|
||||||
SYSCTL_EXP_RESULT=0
|
SYSCTL_EXP_RESULT=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN
|
SEARCH_RES=0
|
||||||
if [ $FNRET != 0 ]; then
|
LIMIT_FILES=""
|
||||||
crit "$LIMIT_PATTERN not present in $LIMIT_FILE"
|
if $SUDO_CMD [ -d $LIMIT_DIR ]; then
|
||||||
else
|
for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf); do
|
||||||
ok "$LIMIT_PATTERN present in $LIMIT_FILE"
|
LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
debug "Files to search $LIMIT_FILE $LIMIT_FILES"
|
||||||
|
for file in $LIMIT_FILE $LIMIT_FILES; do
|
||||||
|
does_pattern_exist_in_file $file $LIMIT_PATTERN
|
||||||
|
if [ $FNRET != 0 ]; then
|
||||||
|
debug "$LIMIT_PATTERN not present in $file"
|
||||||
|
else
|
||||||
|
ok "$LIMIT_PATTERN present in $file"
|
||||||
|
SEARCH_RES=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $SEARCH_RES = 0 ]; then
|
||||||
|
crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES"
|
||||||
fi
|
fi
|
||||||
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
|
Loading…
Reference in New Issue
Block a user