From 413277d7ebb19331a14891af6bbe2a34a8e3253d Mon Sep 17 00:00:00 2001 From: Benjamin MONTHOUEL Date: Mon, 30 Mar 2020 19:11:07 +0200 Subject: [PATCH] IMP(12.8,12.9): be able to exclude some paths --- bin/hardening/12.8_find_unowned_files.sh | 7 ++++++- bin/hardening/12.9_find_ungrouped_files.sh | 7 ++++++- debian/changelog | 7 +++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh index 2687ad6..33167c8 100755 --- a/bin/hardening/12.8_find_unowned_files.sh +++ b/bin/hardening/12.8_find_unowned_files.sh @@ -15,12 +15,17 @@ HARDENING_LEVEL=2 DESCRIPTION="Find un-owned files and directories." USER='root' +EXCLUDED='' # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are unowned files" FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) - RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) + if [ ! -z $EXCLUDED ]; then + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) + else + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) + fi if [ ! -z "$RESULT" ]; then crit "Some unowned files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh index 96d7ca2..2df8095 100755 --- a/bin/hardening/12.9_find_ungrouped_files.sh +++ b/bin/hardening/12.9_find_ungrouped_files.sh @@ -15,12 +15,17 @@ HARDENING_LEVEL=2 DESCRIPTION="Find un-grouped files and directories." GROUP='root' +EXCLUDED='' # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are ungrouped files" FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) - RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) + if [ ! -z $EXCLUDED ]; then + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) + else + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) + fi if [ ! -z "$RESULT" ]; then crit "Some ungrouped files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') diff --git a/debian/changelog b/debian/changelog index 88d7072..30bd107 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cis-hardening (1.3-3) unstable; urgency=medium + + * changelog: update changelog + * IMP(12.8,12.9): be able to exclude some paths + + -- Benjamin MONTHOUËL Mon, 30 Mar 2020 19:12:03 +0200 + cis-hardening (1.3-2) unstable; urgency=medium * IMP(test/13.12): ignore the phony '/nonexistent' home folder