13.10_find_user_rhosts_files.sh

2024-11-21 21:17:00 +01:00 · 2016-04-16 18:55:44 +02:00 · 2016-04-16 18:55:44 +02:00 · 39e9c794e4
commit 39e9c794e4
parent 77f01d2709
4 changed files with 67 additions and 3 deletions
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -13,4 +13,4 @@
 # Execute blindly binaries
 # Audit mode

-# ls | sort -n
+# ls | sort -V
--- a/bin/hardening/13.10_find_user_rhosts_files.sh
+++ b/bin/hardening/13.10_find_user_rhosts_files.sh
@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 13.10 Check for Presence of User .rhosts Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    debug "Working on $DIR"
+        for FILE in $DIR/.rhosts; do
+            if [ ! -h "$FILE" -a -f "$FILE" ]; then
+                crit "$FILE present"
+                ERRORS=$((ERRORS+1))
+            fi
+        done
+    done
+
+    if [ $ERRORS = 0 ]; then
+        ok "No .rhosts present in users files"
+    fi 
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
--- a/bin/hardening/13.9_set_perm_on_user_netrc.sh
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
@ -6,14 +6,14 @@
 #

 #
-# 13.8 Check User Dot File Permissions (Scored)
+# 13.9 Check Permissions on User .netrc Files (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

-ERRORS=0
 PERMISSIONS="600"
+ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
@ -26,10 +26,16 @@ audit () {
                    ok "$FILE has correct permissions"
                else
                    crit "$FILE has not $PERMISSIONS permissions set"
+                    ERRORS=$((ERRORS+1))
                fi
            fi
        done
    done
+
+    if [ $ERRORS = 0 ]; then
+        ok "permission $PERMISSIONS set on .netrc users files"
+    fi
+
 }

 # This function will be called if the script status is on enabled mode
--- a/etc/conf.d/13.10_find_user_rhosts_files.cfg
+++ b/etc/conf.d/13.10_find_user_rhosts_files.cfg
@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled