mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
Renum 12.x checks to 6.1.x Verify_System_File_Permissions
modified: bin/hardening/12.4_etc_passwd_ownership.sh modified: bin/hardening/12.5_etc_shadow_ownership.sh modified: bin/hardening/12.6_etc_group_ownership.sh renamed: bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh renamed: bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh renamed: bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh renamed: bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh renamed: bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh renamed: bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh renamed: bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh renamed: bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh deleted: tests/hardening/12.1_etc_passwd_permissions.sh deleted: tests/hardening/12.2_etc_shadow_permissions.sh deleted: tests/hardening/12.3_etc_group_permissions.sh renamed: tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh renamed: tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh renamed: tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh renamed: tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh renamed: tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh renamed: tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh renamed: tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh renamed: tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh
This commit is contained in:
parent
a085785321
commit
440aeaf45f
@ -25,7 +25,7 @@ audit () {
|
|||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
else
|
else
|
||||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
|
@ -25,7 +25,7 @@ audit () {
|
|||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
else
|
else
|
||||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
|
@ -25,7 +25,7 @@ audit () {
|
|||||||
ok "$FILE has correct ownership"
|
ok "$FILE has correct ownership"
|
||||||
else
|
else
|
||||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
|
@ -5,14 +5,14 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.7 Find World Writable Files (Not Scored)
|
# 6.1.10 Ensure no world writable files exist (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=3
|
HARDENING_LEVEL=3
|
||||||
DESCRIPTION="Find world writable files."
|
DESCRIPTION="Ensure no world writable files exist"
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
@ -5,14 +5,14 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.8 Find Un-owned Files and Directories (Scored)
|
# 6.1.11 Ensure no unowned files or directories exist
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
DESCRIPTION="Find un-owned files and directories."
|
DESCRIPTION="Ensure no unowned files or directories exist"
|
||||||
|
|
||||||
USER='root'
|
USER='root'
|
||||||
EXCLUDED=''
|
EXCLUDED=''
|
@ -5,14 +5,14 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.9 Find Un-grouped Files and Directories (Scored)
|
# 6.1.12 Ensure no ungrouped files or directories exist (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
DESCRIPTION="Find un-grouped files and directories."
|
DESCRIPTION="Ensure no ungrouped files or directories exist"
|
||||||
|
|
||||||
GROUP='root'
|
GROUP='root'
|
||||||
EXCLUDED=''
|
EXCLUDED=''
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.10 Find SUID System Executables (Not Scored)
|
# 6.1.13 Audit SUID executables (Not Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.11 Find SGID System Executables (Not Scored)
|
# 6.1.14 Audit SGID executables (Not Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,17 +5,19 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.1 Verify Permissions on /etc/passwd (Scored)
|
# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=1
|
HARDENING_LEVEL=1
|
||||||
DESCRIPTION="Check permissions on /etc/passwd to 644."
|
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/passwd"
|
||||||
|
|
||||||
FILE='/etc/passwd'
|
FILE='/etc/passwd'
|
||||||
PERMISSIONS='644'
|
PERMISSIONS='644'
|
||||||
|
USER='root'
|
||||||
|
GROUP='root'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
@ -24,7 +26,13 @@ audit () {
|
|||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
else
|
else
|
||||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
fi
|
fi
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
@ -36,6 +44,13 @@ apply () {
|
|||||||
info "fixing $FILE permissions to $PERMISSIONS"
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
chmod 0$PERMISSIONS $FILE
|
chmod 0$PERMISSIONS $FILE
|
||||||
fi
|
fi
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
info "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
@ -5,17 +5,19 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.2 Verify Permissions on /etc/shadow (Scored)
|
# 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=1
|
HARDENING_LEVEL=1
|
||||||
DESCRIPTION="Check permissions on /etc/shadow to 640."
|
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow"
|
||||||
|
|
||||||
FILE='/etc/shadow'
|
FILE='/etc/shadow'
|
||||||
PERMISSIONS='640'
|
PERMISSIONS='640'
|
||||||
|
USER='root'
|
||||||
|
GROUP='shadow'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
@ -24,7 +26,13 @@ audit () {
|
|||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
else
|
else
|
||||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
fi
|
fi
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
@ -36,6 +44,13 @@ apply () {
|
|||||||
info "fixing $FILE permissions to $PERMISSIONS"
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
chmod 0$PERMISSIONS $FILE
|
chmod 0$PERMISSIONS $FILE
|
||||||
fi
|
fi
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
info "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
@ -5,17 +5,19 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 12.3 Verify Permissions on /etc/group (Scored)
|
# 6.1.4 Ensure permissions on /etc/group are configured (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=1
|
HARDENING_LEVEL=1
|
||||||
DESCRIPTION="Check permissions on /etc/group to 644."
|
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/group"
|
||||||
|
|
||||||
FILE='/etc/group'
|
FILE='/etc/group'
|
||||||
PERMISSIONS='644'
|
PERMISSIONS='644'
|
||||||
|
USER='root'
|
||||||
|
GROUP='root'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
@ -24,7 +26,13 @@ audit () {
|
|||||||
ok "$FILE has correct permissions"
|
ok "$FILE has correct permissions"
|
||||||
else
|
else
|
||||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||||
fi
|
fi
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
@ -36,6 +44,13 @@ apply () {
|
|||||||
info "fixing $FILE permissions to $PERMISSIONS"
|
info "fixing $FILE permissions to $PERMISSIONS"
|
||||||
chmod 0$PERMISSIONS $FILE
|
chmod 0$PERMISSIONS $FILE
|
||||||
fi
|
fi
|
||||||
|
has_file_correct_ownership $FILE $USER $GROUP
|
||||||
|
if [ $FNRET = 0 ]; then
|
||||||
|
ok "$FILE has correct ownership"
|
||||||
|
else
|
||||||
|
info "fixing $FILE ownership to $USER:$GROUP"
|
||||||
|
chown $USER:$GROUP $FILE
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
@ -1,10 +0,0 @@
|
|||||||
# run-shellcheck
|
|
||||||
test_audit() {
|
|
||||||
describe Running on blank host
|
|
||||||
register_test retvalshouldbe 0
|
|
||||||
dismiss_count_for_test
|
|
||||||
# shellcheck disable=2154
|
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
|
||||||
}
|
|
@ -1,10 +0,0 @@
|
|||||||
# run-shellcheck
|
|
||||||
test_audit() {
|
|
||||||
describe Running on blank host
|
|
||||||
register_test retvalshouldbe 0
|
|
||||||
dismiss_count_for_test
|
|
||||||
# shellcheck disable=2154
|
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
|
||||||
}
|
|
@ -1,10 +0,0 @@
|
|||||||
# run-shellcheck
|
|
||||||
test_audit() {
|
|
||||||
describe Running on blank host
|
|
||||||
register_test retvalshouldbe 0
|
|
||||||
dismiss_count_for_test
|
|
||||||
# shellcheck disable=2154
|
|
||||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
|
||||||
|
|
||||||
# TODO fill comprehensive tests
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user