From 3d0b49a4f937ddd3691f4682b821eac39cd647df Mon Sep 17 00:00:00 2001 From: Charles Herlin Date: Fri, 22 Feb 2019 15:22:58 +0100 Subject: [PATCH] IMP(13.13): Add exceptions for home directories not owned by owner Fill tests Apply shellcheck recommendations --- .../13.13_check_user_homedir_ownership.sh | 44 +++++++++++++------ .../13.13_check_user_homedir_ownership.sh | 18 +++++++- 2 files changed, 47 insertions(+), 15 deletions(-) diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh index e33df8b..b2252ca 100755 --- a/bin/hardening/13.13_check_user_homedir_ownership.sh +++ b/bin/hardening/13.13_check_user_homedir_ownership.sh @@ -1,5 +1,6 @@ #!/bin/bash +# run-shellcheck # # CIS Debian Hardening # @@ -11,46 +12,62 @@ set -e # One error, it's over set -u # One variable unset, it's over +# shellcheck disable=2034 HARDENING_LEVEL=2 +# shellcheck disable=2034 DESCRIPTION="Check user home directory ownership." +EXCEPTIONS="" ERRORS=0 # This function will be called if the script status is on enabled / audit mode audit () { - RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') + RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd ) for LINE in $RESULT; do debug "Working on $LINE" - USER=$(awk -F: {'print $1'} <<< $LINE) - USERID=$(awk -F: {'print $2'} <<< $LINE) - DIR=$(awk -F: {'print $3'} <<< $LINE) - if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then + USER=$(awk -F: '{print $1}' <<< "$LINE") + USERID=$(awk -F: '{print $2}' <<< "$LINE") + DIR=$(awk -F: '{print $3}' <<< "$LINE") + if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then OWNER=$(stat -L -c "%U" "$DIR") if [ "$OWNER" != "$USER" ]; then - crit "The home directory ($DIR) of user $USER is owned by $OWNER." - ERRORS=$((ERRORS+1)) + if grep -qw "$DIR:$USER:$OWNER" <<< "$EXCEPTIONS"; then + ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)." + else + crit "The home directory ($DIR) of user $USER is owned by $OWNER." + ERRORS=$((ERRORS+1)) + fi fi fi done if [ $ERRORS = 0 ]; then ok "All home directories have correct ownership" - fi + fi } # This function will be called if the script status is on enabled mode apply () { - cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do - if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then + awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read -r USER USERID DIR; do + if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then OWNER=$(stat -L -c "%U" "$DIR") if [ "$OWNER" != "$USER" ]; then warn "The home directory ($DIR) of user $USER is owned by $OWNER." - chown $USER $DIR + chown "$USER" "$DIR" fi fi done } +# This function will create the config file for this check with default values +create_config() { + cat <> /opt/debian-cis/etc/conf.d/"${script}".cfg + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + + describe Added exceptions + register_test retvalshouldbe 0 + run exceptions /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup + userdel testhomeuser }