elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Renum 12.x checks to 6.1.x Verify_System_File_Permissions

Browse Source 
modified:   bin/hardening/12.4_etc_passwd_ownership.sh
	modified:   bin/hardening/12.5_etc_shadow_ownership.sh
	modified:   bin/hardening/12.6_etc_group_ownership.sh
	renamed:    bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh
	renamed:    bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh
	renamed:    bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh
	renamed:    bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh
	renamed:    bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh
	renamed:    bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh
	renamed:    bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh
	renamed:    bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh
	deleted:    tests/hardening/12.1_etc_passwd_permissions.sh
	deleted:    tests/hardening/12.2_etc_shadow_permissions.sh
	deleted:    tests/hardening/12.3_etc_group_permissions.sh
	renamed:    tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh
	renamed:    tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh
	renamed:    tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh
	renamed:    tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh
	renamed:    tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh
	renamed:    tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh
	renamed:    tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh
	renamed:    tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh
This commit is contained in:
Charles Herlin 2019-09-12 16:44:45 +02:00 committed by Thibault Ayanides
parent a085785321
commit 440aeaf45f
22 changed files with 65 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bin/hardening/12.7_find_world_writable_file.sh → bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -5,14 +5,14 @@
# #
# #
# 12.7 Find World Writable Files (Not Scored) # 6.1.10 Ensure no world writable files exist (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
DESCRIPTION="Find world writable files." DESCRIPTION="Ensure no world writable files exist"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {

4
bin/hardening/12.8_find_unowned_files.sh → bin/hardening/6.1.11_find_unowned_files.sh
View File

@ -5,14 +5,14 @@
# #
# #
# 12.8 Find Un-owned Files and Directories (Scored) # 6.1.11 Ensure no unowned files or directories exist
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find un-owned files and directories." DESCRIPTION="Ensure no unowned files or directories exist"
USER='root' USER='root'
EXCLUDED='' EXCLUDED=''

4
bin/hardening/12.9_find_ungrouped_files.sh → bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -5,14 +5,14 @@
# #
# #
# 12.9 Find Un-grouped Files and Directories (Scored) # 6.1.12 Ensure no ungrouped files or directories exist (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find un-grouped files and directories." DESCRIPTION="Ensure no ungrouped files or directories exist"
GROUP='root' GROUP='root'
EXCLUDED='' EXCLUDED=''

2
bin/hardening/12.10_find_suid_files.sh → bin/hardening/6.1.13_find_suid_files.sh
View File

@ -5,7 +5,7 @@
# #
# #
# 12.10 Find SUID System Executables (Not Scored) # 6.1.13 Audit SUID executables (Not Scored)
# #
set -e # One error, it's over set -e # One error, it's over

2
bin/hardening/12.11_find_sgid_files.sh → bin/hardening/6.1.14_find_sgid_files.sh
View File

@ -5,7 +5,7 @@
# #
# #
# 12.11 Find SGID System Executables (Not Scored) # 6.1.14 Audit SGID executables (Not Scored)
# #
set -e # One error, it's over set -e # One error, it's over

19
bin/hardening/12.1_etc_passwd_permissions.sh → bin/hardening/6.1.2_etc_passwd_permissions.sh
View File

@ -5,17 +5,19 @@
# #
# #
# 12.1 Verify Permissions on /etc/passwd (Scored) # 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=1 HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/passwd to 644." DESCRIPTION="Check 644 permissions and root:root ownership on /etc/passwd"
FILE='/etc/passwd' FILE='/etc/passwd'
PERMISSIONS='644' PERMISSIONS='644'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,6 +27,12 @@ audit () {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -36,6 +44,13 @@ apply () {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0$PERMISSIONS $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
} }
# This function will check config parameters required # This function will check config parameters required

19
bin/hardening/12.2_etc_shadow_permissions.sh → bin/hardening/6.1.3_etc_shadow_permissions.sh
View File

@ -5,17 +5,19 @@
# #
# #
# 12.2 Verify Permissions on /etc/shadow (Scored) # 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=1 HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/shadow to 640." DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow"
FILE='/etc/shadow' FILE='/etc/shadow'
PERMISSIONS='640' PERMISSIONS='640'
USER='root'
GROUP='shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,6 +27,12 @@ audit () {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -36,6 +44,13 @@ apply () {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0$PERMISSIONS $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
} }
# This function will check config parameters required # This function will check config parameters required

19
bin/hardening/12.3_etc_group_permissions.sh → bin/hardening/6.1.4_etc_group_permissions.sh
View File

@ -5,17 +5,19 @@
# #
# #
# 12.3 Verify Permissions on /etc/group (Scored) # 6.1.4 Ensure permissions on /etc/group are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=1 HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/group to 644." DESCRIPTION="Check 644 permissions and root:root ownership on /etc/group"
FILE='/etc/group' FILE='/etc/group'
PERMISSIONS='644' PERMISSIONS='644'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,6 +27,12 @@ audit () {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -36,6 +44,13 @@ apply () {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0$PERMISSIONS $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
} }
# This function will check config parameters required # This function will check config parameters required

10
tests/hardening/12.4_etc_passwd_ownership.sh
View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

10
tests/hardening/12.5_etc_shadow_ownership.sh
View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

10
tests/hardening/12.6_etc_group_ownership.sh
View File

@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}

0
tests/hardening/12.7_find_world_writable_file.sh → tests/hardening/6.1.10_find_world_writable_file.sh
View File

0
tests/hardening/12.8_find_unowned_files.sh → tests/hardening/6.1.11_find_unowned_files.sh
View File

0
tests/hardening/12.9_find_ungrouped_files.sh → tests/hardening/6.1.12_find_ungrouped_files.sh
View File

0
tests/hardening/12.10_find_suid_files.sh → tests/hardening/6.1.13_find_suid_files.sh
View File

0
tests/hardening/12.11_find_sgid_files.sh → tests/hardening/6.1.14_find_sgid_files.sh
View File

0
tests/hardening/12.1_etc_passwd_permissions.sh → tests/hardening/6.1.2_etc_passwd_permissions.sh
View File

0
tests/hardening/12.2_etc_shadow_permissions.sh → tests/hardening/6.1.3_etc_shadow_permissions.sh
View File

0
tests/hardening/12.3_etc_group_permissions.sh → tests/hardening/6.1.4_etc_group_permissions.sh
View File