mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
Renum 12.x checks to 6.1.x Verify_System_File_Permissions
modified: bin/hardening/12.4_etc_passwd_ownership.sh modified: bin/hardening/12.5_etc_shadow_ownership.sh modified: bin/hardening/12.6_etc_group_ownership.sh renamed: bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh renamed: bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh renamed: bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh renamed: bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh renamed: bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh renamed: bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh renamed: bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh renamed: bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh deleted: tests/hardening/12.1_etc_passwd_permissions.sh deleted: tests/hardening/12.2_etc_shadow_permissions.sh deleted: tests/hardening/12.3_etc_group_permissions.sh renamed: tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh renamed: tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh renamed: tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh renamed: tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh renamed: tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh renamed: tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh renamed: tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh renamed: tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh
This commit is contained in:
Charles Herlin
Thibault Ayanides
parent
a085785321
commit
440aeaf45f
@ -5,14 +5,14 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.7 Find World Writable Files (Not Scored)
|
||||
# 6.1.10 Ensure no world writable files exist (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=3
|
||||
DESCRIPTION="Find world writable files."
|
||||
DESCRIPTION="Ensure no world writable files exist"
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -5,14 +5,14 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.8 Find Un-owned Files and Directories (Scored)
|
||||
# 6.1.11 Ensure no unowned files or directories exist
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find un-owned files and directories."
|
||||
DESCRIPTION="Ensure no unowned files or directories exist"
|
||||
|
||||
USER='root'
|
||||
EXCLUDED=''
|
||||
@ -5,14 +5,14 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.9 Find Un-grouped Files and Directories (Scored)
|
||||
# 6.1.12 Ensure no ungrouped files or directories exist (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find un-grouped files and directories."
|
||||
DESCRIPTION="Ensure no ungrouped files or directories exist"
|
||||
|
||||
GROUP='root'
|
||||
EXCLUDED=''
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.10 Find SUID System Executables (Not Scored)
|
||||
# 6.1.13 Audit SUID executables (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.11 Find SGID System Executables (Not Scored)
|
||||
# 6.1.14 Audit SGID executables (Not Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,17 +5,19 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.1 Verify Permissions on /etc/passwd (Scored)
|
||||
# 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check permissions on /etc/passwd to 644."
|
||||
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/passwd"
|
||||
|
||||
FILE='/etc/passwd'
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -25,6 +27,12 @@ audit () {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -36,6 +44,13 @@ apply () {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -5,17 +5,19 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.2 Verify Permissions on /etc/shadow (Scored)
|
||||
# 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check permissions on /etc/shadow to 640."
|
||||
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow"
|
||||
|
||||
FILE='/etc/shadow'
|
||||
PERMISSIONS='640'
|
||||
USER='root'
|
||||
GROUP='shadow'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -25,6 +27,12 @@ audit () {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -36,6 +44,13 @@ apply () {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -5,17 +5,19 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 12.3 Verify Permissions on /etc/group (Scored)
|
||||
# 6.1.4 Ensure permissions on /etc/group are configured (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=1
|
||||
DESCRIPTION="Check permissions on /etc/group to 644."
|
||||
DESCRIPTION="Check 644 permissions and root:root ownership on /etc/group"
|
||||
|
||||
FILE='/etc/group'
|
||||
PERMISSIONS='644'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
@ -25,6 +27,12 @@ audit () {
|
||||
else
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -36,6 +44,13 @@ apply () {
|
||||
info "fixing $FILE permissions to $PERMISSIONS"
|
||||
chmod 0$PERMISSIONS $FILE
|
||||
fi
|
||||
has_file_correct_ownership $FILE $USER $GROUP
|
||||
if [ $FNRET = 0 ]; then
|
||||
ok "$FILE has correct ownership"
|
||||
else
|
||||
info "fixing $FILE ownership to $USER:$GROUP"
|
||||
chown $USER:$GROUP $FILE
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
@ -1,10 +0,0 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
@ -1,10 +0,0 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
@ -1,10 +0,0 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
dismiss_count_for_test
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# TODO fill comprehensive tests
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user