From 440aeaf45f25ab9fe1c8fd53b942a6ac3de6c5ea Mon Sep 17 00:00:00 2001 
From: Charles Herlin Date: Thu, 12 Sep 2019 16:44:45 +0200 Subject: [PATCH] Renum 12.x checks to 6.1.x Verify_System_File_Permissions modified: bin/hardening/12.4_etc_passwd_ownership.sh modified: bin/hardening/12.5_etc_shadow_ownership.sh modified: bin/hardening/12.6_etc_group_ownership.sh renamed: bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh renamed: bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh renamed: bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh renamed: bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh renamed: bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh renamed: bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh renamed: bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh renamed: bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh deleted: tests/hardening/12.1_etc_passwd_permissions.sh deleted: tests/hardening/12.2_etc_shadow_permissions.sh deleted: tests/hardening/12.3_etc_group_permissions.sh renamed: tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh renamed: tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh renamed: tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh renamed: tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh renamed: tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh renamed: tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh renamed: tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh renamed: 
tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh --- bin/hardening/12.4_etc_passwd_ownership.sh | 2 +- bin/hardening/12.5_etc_shadow_ownership.sh | 2 +- bin/hardening/12.6_etc_group_ownership.sh | 2 +- ....sh => 6.1.10_find_world_writable_file.sh} | 4 ++-- ..._files.sh => 6.1.11_find_unowned_files.sh} | 4 ++-- ...iles.sh => 6.1.12_find_ungrouped_files.sh} | 4 ++-- ...uid_files.sh => 6.1.13_find_suid_files.sh} | 2 +- ...gid_files.sh => 6.1.14_find_sgid_files.sh} | 2 +- ...ons.sh => 6.1.2_etc_passwd_permissions.sh} | 21 ++++++++++++++++--- ...ons.sh => 6.1.3_etc_shadow_permissions.sh} | 21 ++++++++++++++++--- ...ions.sh => 6.1.4_etc_group_permissions.sh} | 21 ++++++++++++++++--- tests/hardening/12.4_etc_passwd_ownership.sh | 10 --------- tests/hardening/12.5_etc_shadow_ownership.sh | 10 --------- tests/hardening/12.6_etc_group_ownership.sh | 10 --------- ....sh => 6.1.10_find_world_writable_file.sh} | 0 ..._files.sh => 6.1.11_find_unowned_files.sh} | 0 ...iles.sh => 6.1.12_find_ungrouped_files.sh} | 0 ...uid_files.sh => 6.1.13_find_suid_files.sh} | 0 ...gid_files.sh => 6.1.14_find_sgid_files.sh} | 0 ...ons.sh => 6.1.2_etc_passwd_permissions.sh} | 0 ...ons.sh => 6.1.3_etc_shadow_permissions.sh} | 0 ...ions.sh => 6.1.4_etc_group_permissions.sh} | 0 22 files changed, 65 insertions(+), 50 deletions(-) rename bin/hardening/{12.7_find_world_writable_file.sh => 6.1.10_find_world_writable_file.sh} (94%) rename bin/hardening/{12.8_find_unowned_files.sh => 6.1.11_find_unowned_files.sh} (95%) rename bin/hardening/{12.9_find_ungrouped_files.sh => 6.1.12_find_ungrouped_files.sh} (94%) rename bin/hardening/{12.10_find_suid_files.sh => 6.1.13_find_suid_files.sh} (98%) rename bin/hardening/{12.11_find_sgid_files.sh => 6.1.14_find_sgid_files.sh} (98%) rename bin/hardening/{12.1_etc_passwd_permissions.sh => 6.1.2_etc_passwd_permissions.sh} (71%) rename bin/hardening/{12.2_etc_shadow_permissions.sh => 6.1.3_etc_shadow_permissions.sh} (71%) 
rename bin/hardening/{12.3_etc_group_permissions.sh => 6.1.4_etc_group_permissions.sh} (72%) delete mode 100644 tests/hardening/12.4_etc_passwd_ownership.sh delete mode 100644 tests/hardening/12.5_etc_shadow_ownership.sh delete mode 100644 tests/hardening/12.6_etc_group_ownership.sh rename tests/hardening/{12.7_find_world_writable_file.sh => 6.1.10_find_world_writable_file.sh} (100%) rename tests/hardening/{12.8_find_unowned_files.sh => 6.1.11_find_unowned_files.sh} (100%) rename tests/hardening/{12.9_find_ungrouped_files.sh => 6.1.12_find_ungrouped_files.sh} (100%) rename tests/hardening/{12.10_find_suid_files.sh => 6.1.13_find_suid_files.sh} (100%) rename tests/hardening/{12.11_find_sgid_files.sh => 6.1.14_find_sgid_files.sh} (100%) rename tests/hardening/{12.1_etc_passwd_permissions.sh => 6.1.2_etc_passwd_permissions.sh} (100%) rename tests/hardening/{12.2_etc_shadow_permissions.sh => 6.1.3_etc_shadow_permissions.sh} (100%) rename tests/hardening/{12.3_etc_group_permissions.sh => 6.1.4_etc_group_permissions.sh} (100%) diff --git a/bin/hardening/12.4_etc_passwd_ownership.sh b/bin/hardening/12.4_etc_passwd_ownership.sh index 43e4121..7281642 100755 --- a/bin/hardening/12.4_etc_passwd_ownership.sh +++ b/bin/hardening/12.4_etc_passwd_ownership.sh @@ -25,7 +25,7 @@ audit () { ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" - fi + fi } # This function will be called if the script status is on enabled mode diff --git a/bin/hardening/12.5_etc_shadow_ownership.sh b/bin/hardening/12.5_etc_shadow_ownership.sh index 186c300..55b0ce5 100755 --- a/bin/hardening/12.5_etc_shadow_ownership.sh +++ b/bin/hardening/12.5_etc_shadow_ownership.sh @@ -25,7 +25,7 @@ audit () { ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" - fi + fi } # This function will be called if the script status is on enabled mode 
diff --git a/bin/hardening/12.6_etc_group_ownership.sh b/bin/hardening/12.6_etc_group_ownership.sh index 909a6c4..4d50275 100755 --- a/bin/hardening/12.6_etc_group_ownership.sh +++ b/bin/hardening/12.6_etc_group_ownership.sh @@ -25,7 +25,7 @@ audit () { ok "$FILE has correct ownership" else crit "$FILE ownership was not set to $USER:$GROUP" - fi + fi } # This function will be called if the script status is on enabled mode diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh similarity index 94% rename from bin/hardening/12.7_find_world_writable_file.sh rename to bin/hardening/6.1.10_find_world_writable_file.sh index aac310a..461672a 100755 --- a/bin/hardening/12.7_find_world_writable_file.sh +++ b/bin/hardening/6.1.10_find_world_writable_file.sh @@ -5,14 +5,14 @@ # # -# 12.7 Find World Writable Files (Not Scored) +# 6.1.10 Ensure no world writable files exist (Scored) # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=3 -DESCRIPTION="Find world writable files." +DESCRIPTION="Ensure no world writable files exist" # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh similarity index 95% rename from bin/hardening/12.8_find_unowned_files.sh rename to bin/hardening/6.1.11_find_unowned_files.sh index 81a09b7..b18bf83 100755 --- a/bin/hardening/12.8_find_unowned_files.sh +++ b/bin/hardening/6.1.11_find_unowned_files.sh @@ -5,14 +5,14 @@ # # -# 12.8 Find Un-owned Files and Directories (Scored) +# 6.1.11 Ensure no unowned files or directories exist # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 -DESCRIPTION="Find un-owned files and directories." +DESCRIPTION="Ensure no unowned files or directories exist" USER='root' EXCLUDED='' 
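Review bot: The new header `+# 6.1.11 Ensure no unowned files or directories exist` in 6.1.11_find_unowned_files.sh drops the scoring tag that every other retitled header in this patch keeps (6.1.10 and 6.1.12 both end in `(Scored)`, 6.1.13 and 6.1.14 in `(Not Scored)`), and the line it replaces, `-# 12.8 Find Un-owned Files and Directories (Scored)`, carried the tag too, so it looks like an accidental omission rather than a status change. The CIS status of 6.1.11 is not visible here; if it is still scored, the header should read `# 6.1.11 Ensure no unowned files or directories exist (Scored)`. Worth fixing now because these header lines are the only place in the script that records whether a check is scored.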
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh similarity index 94% rename from bin/hardening/12.9_find_ungrouped_files.sh rename to bin/hardening/6.1.12_find_ungrouped_files.sh index e0e8876..788eab4 100755 --- a/bin/hardening/12.9_find_ungrouped_files.sh +++ b/bin/hardening/6.1.12_find_ungrouped_files.sh @@ -5,14 +5,14 @@ # # -# 12.9 Find Un-grouped Files and Directories (Scored) +# 6.1.12 Ensure no ungrouped files or directories exist (Scored) # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=2 -DESCRIPTION="Find un-grouped files and directories." +DESCRIPTION="Ensure no ungrouped files or directories exist" GROUP='root' EXCLUDED='' diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh similarity index 98% rename from bin/hardening/12.10_find_suid_files.sh rename to bin/hardening/6.1.13_find_suid_files.sh index 8891832..300faf5 100755 --- a/bin/hardening/12.10_find_suid_files.sh +++ b/bin/hardening/6.1.13_find_suid_files.sh @@ -5,7 +5,7 @@ # # -# 12.10 Find SUID System Executables (Not Scored) +# 6.1.13 Audit SUID executables (Not Scored) # set -e # One error, it's over diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh similarity index 98% rename from bin/hardening/12.11_find_sgid_files.sh rename to bin/hardening/6.1.14_find_sgid_files.sh index b636c4f..b9a834a 100755 --- a/bin/hardening/12.11_find_sgid_files.sh +++ b/bin/hardening/6.1.14_find_sgid_files.sh @@ -5,7 +5,7 @@ # # -# 12.11 Find SGID System Executables (Not Scored) +# 6.1.14 Audit SGID executables (Not Scored) # set -e # One error, it's over diff --git a/bin/hardening/12.1_etc_passwd_permissions.sh b/bin/hardening/6.1.2_etc_passwd_permissions.sh similarity index 71% rename from bin/hardening/12.1_etc_passwd_permissions.sh rename to bin/hardening/6.1.2_etc_passwd_permissions.sh index fd57bf6..623acbe 100755 
--- a/bin/hardening/12.1_etc_passwd_permissions.sh +++ b/bin/hardening/6.1.2_etc_passwd_permissions.sh @@ -5,17 +5,19 @@ # # -# 12.1 Verify Permissions on /etc/passwd (Scored) +# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 -DESCRIPTION="Check permissions on /etc/passwd to 644." +DESCRIPTION="Check 644 permissions and root:root ownership on /etc/passwd" FILE='/etc/passwd' PERMISSIONS='644' +USER='root' +GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { @@ -24,7 +26,13 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi } # This function will be called if the script status is on enabled mode @@ -36,6 +44,13 @@ apply () { info "fixing $FILE permissions to $PERMISSIONS" chmod 0$PERMISSIONS $FILE fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + info "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi } # This function will check config parameters required diff --git a/bin/hardening/12.2_etc_shadow_permissions.sh b/bin/hardening/6.1.3_etc_shadow_permissions.sh similarity index 71% rename from bin/hardening/12.2_etc_shadow_permissions.sh rename to bin/hardening/6.1.3_etc_shadow_permissions.sh index 7eeaf70..d200224 100755 --- a/bin/hardening/12.2_etc_shadow_permissions.sh +++ b/bin/hardening/6.1.3_etc_shadow_permissions.sh 
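Review bot: The ownership check and fix added to audit() and apply() in 6.1.2_etc_passwd_permissions.sh (both functions open before their hunks, only their closing braces are visible) reproduce the control that bin/hardening/12.4_etc_passwd_ownership.sh still performs, and that script is kept by this commit (it is only re-indented) while its test file tests/hardening/12.4_etc_passwd_ownership.sh is deleted, so the same control now lives in two scripts and one of them has no test. The same duplication exists in 6.1.3_etc_shadow_permissions.sh against 12.5 and in 6.1.4_etc_group_permissions.sh against 12.6. Either remove the 12.4–12.6 scripts in this commit as well, or record in the commit message why they are retained. Minor: the new `chown $USER:$GROUP $FILE` leaves its arguments unquoted; that matches the existing `chmod 0$PERMISSIONS $FILE` line, but `chown "$USER:$GROUP" "$FILE"` is the shellcheck-clean form and the test files in this patch are marked `# run-shellcheck`.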
@@ -5,17 +5,19 @@ # # -# 12.2 Verify Permissions on /etc/shadow (Scored) +# 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 -DESCRIPTION="Check permissions on /etc/shadow to 640." +DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow" FILE='/etc/shadow' PERMISSIONS='640' +USER='root' +GROUP='shadow' # This function will be called if the script status is on enabled / audit mode audit () { @@ -24,7 +26,13 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi } # This function will be called if the script status is on enabled mode @@ -36,6 +44,13 @@ apply () { info "fixing $FILE permissions to $PERMISSIONS" chmod 0$PERMISSIONS $FILE fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + info "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi } # This function will check config parameters required diff --git a/bin/hardening/12.3_etc_group_permissions.sh b/bin/hardening/6.1.4_etc_group_permissions.sh similarity index 72% rename from bin/hardening/12.3_etc_group_permissions.sh rename to bin/hardening/6.1.4_etc_group_permissions.sh index e964a2d..80b621d 100755 --- a/bin/hardening/12.3_etc_group_permissions.sh +++ b/bin/hardening/6.1.4_etc_group_permissions.sh 
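Review bot: The new `DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow"` in 6.1.3_etc_shadow_permissions.sh contradicts the values the script enforces a few lines below it, `PERMISSIONS='640'` and `GROUP='shadow'`, so the text shown to operators claims a more permissive mode and the wrong group than the check actually applies (the removed line correctly said 640, and the 6.1.2 and 6.1.4 descriptions do match their values). It should read `DESCRIPTION="Check 640 permissions and root:shadow ownership on /etc/shadow"`. DESCRIPTION is assigned before PERMISSIONS, USER and GROUP, so it cannot simply interpolate those variables unless the assignments are reordered.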
@@ -5,17 +5,19 @@ # # -# 12.3 Verify Permissions on /etc/group (Scored) +# 6.1.4 Ensure permissions on /etc/group are configured (Scored) # set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=1 -DESCRIPTION="Check permissions on /etc/group to 644." +DESCRIPTION="Check 644 permissions and root:root ownership on /etc/group" FILE='/etc/group' PERMISSIONS='644' +USER='root' +GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { @@ -24,7 +26,13 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE permissions were not set to $PERMISSIONS" - fi + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE ownership was not set to $USER:$GROUP" + fi } # This function will be called if the script status is on enabled mode @@ -36,6 +44,13 @@ apply () { info "fixing $FILE permissions to $PERMISSIONS" chmod 0$PERMISSIONS $FILE fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + info "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi } # This function will check config parameters required diff --git a/tests/hardening/12.4_etc_passwd_ownership.sh b/tests/hardening/12.4_etc_passwd_ownership.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/12.4_etc_passwd_ownership.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/12.5_etc_shadow_ownership.sh b/tests/hardening/12.5_etc_shadow_ownership.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/12.5_etc_shadow_ownership.sh +++ /dev/null 
@@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/12.6_etc_group_ownership.sh b/tests/hardening/12.6_etc_group_ownership.sh deleted file mode 100644 index b333419..0000000 --- a/tests/hardening/12.6_etc_group_ownership.sh +++ /dev/null @@ -1,10 +0,0 @@ -# run-shellcheck -test_audit() { - describe Running on blank host - register_test retvalshouldbe 0 - dismiss_count_for_test - # shellcheck disable=2154 - run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - - # TODO fill comprehensive tests -} diff --git a/tests/hardening/12.7_find_world_writable_file.sh b/tests/hardening/6.1.10_find_world_writable_file.sh similarity index 100% rename from tests/hardening/12.7_find_world_writable_file.sh rename to tests/hardening/6.1.10_find_world_writable_file.sh diff --git a/tests/hardening/12.8_find_unowned_files.sh b/tests/hardening/6.1.11_find_unowned_files.sh similarity index 100% rename from tests/hardening/12.8_find_unowned_files.sh rename to tests/hardening/6.1.11_find_unowned_files.sh diff --git a/tests/hardening/12.9_find_ungrouped_files.sh b/tests/hardening/6.1.12_find_ungrouped_files.sh similarity index 100% rename from tests/hardening/12.9_find_ungrouped_files.sh rename to tests/hardening/6.1.12_find_ungrouped_files.sh diff --git a/tests/hardening/12.10_find_suid_files.sh b/tests/hardening/6.1.13_find_suid_files.sh similarity index 100% rename from tests/hardening/12.10_find_suid_files.sh rename to tests/hardening/6.1.13_find_suid_files.sh diff --git a/tests/hardening/12.11_find_sgid_files.sh b/tests/hardening/6.1.14_find_sgid_files.sh similarity index 100% rename from tests/hardening/12.11_find_sgid_files.sh rename to tests/hardening/6.1.14_find_sgid_files.sh 
diff --git a/tests/hardening/12.1_etc_passwd_permissions.sh b/tests/hardening/6.1.2_etc_passwd_permissions.sh similarity index 100% rename from tests/hardening/12.1_etc_passwd_permissions.sh rename to tests/hardening/6.1.2_etc_passwd_permissions.sh diff --git a/tests/hardening/12.2_etc_shadow_permissions.sh b/tests/hardening/6.1.3_etc_shadow_permissions.sh similarity index 100% rename from tests/hardening/12.2_etc_shadow_permissions.sh rename to tests/hardening/6.1.3_etc_shadow_permissions.sh diff --git a/tests/hardening/12.3_etc_group_permissions.sh b/tests/hardening/6.1.4_etc_group_permissions.sh similarity index 100% rename from tests/hardening/12.3_etc_group_permissions.sh rename to tests/hardening/6.1.4_etc_group_permissions.sh