From 39e9c794e47674e71273ffa50644220049fb54d4 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sat, 16 Apr 2016 18:55:44 +0200 Subject: [PATCH] 13.10_find_user_rhosts_files.sh --- bin/hardening.sh | 2 +- bin/hardening/13.10_find_user_rhosts_files.sh | 56 +++++++++++++++++++ bin/hardening/13.9_set_perm_on_user_netrc.sh | 10 +++- etc/conf.d/13.10_find_user_rhosts_files.cfg | 2 + 4 files changed, 67 insertions(+), 3 deletions(-) create mode 100755 bin/hardening/13.10_find_user_rhosts_files.sh create mode 100644 etc/conf.d/13.10_find_user_rhosts_files.cfg diff --git a/bin/hardening.sh b/bin/hardening.sh index d717d9b..1445dd0 100644 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -13,4 +13,4 @@ # Execute blindly binaries # Audit mode -# ls | sort -n +# ls | sort -V diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh new file mode 100755 index 0000000..9e01752 --- /dev/null +++ b/bin/hardening/13.10_find_user_rhosts_files.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.10 Check for Presence of User .rhosts Files (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/.rhosts; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + crit "$FILE present" + ERRORS=$((ERRORS+1)) + fi + done + done + + if [ $ERRORS = 0 ]; then + ok "No .rhosts present in users files" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "If the audit returns something, please check with the user why he has this file" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.9_set_perm_on_user_netrc.sh b/bin/hardening/13.9_set_perm_on_user_netrc.sh index 420e2f3..553e740 100755 --- a/bin/hardening/13.9_set_perm_on_user_netrc.sh +++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh @@ -6,14 +6,14 @@ # # -# 13.8 Check User Dot File Permissions (Scored) +# 13.9 Check Permissions on User .netrc Files (Scored) # set -e # One error, it's over set -u # One variable unset, it's over -ERRORS=0 PERMISSIONS="600" +ERRORS=0 # This function will be called if the script status is on enabled / audit mode audit () { @@ -26,10 +26,16 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE has not $PERMISSIONS permissions set" + ERRORS=$((ERRORS+1)) fi fi done done + + if [ $ERRORS = 0 ]; then + ok "permission $PERMISSIONS set on .netrc users files" + fi + } # This function will be called if the script status is on enabled mode diff --git a/etc/conf.d/13.10_find_user_rhosts_files.cfg b/etc/conf.d/13.10_find_user_rhosts_files.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.10_find_user_rhosts_files.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled