From 4894b6d4026071b0123998b5a23579670206a9ec Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sun, 17 Apr 2016 18:58:25 +0200 Subject: [PATCH] 13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh --- ...13.11_find_passwd_group_inconsistencies.sh | 65 +++++++++++++++++++ bin/hardening/13.12_users_valid_homedir.sh | 56 ++++++++++++++++ .../13.13_check_user_homedir_ownership.sh | 65 +++++++++++++++++++ etc/conf.d/1.1_install_updates.cfg | 2 +- ...3.11_find_passwd_group_inconsistencies.cfg | 2 + etc/conf.d/13.12_users_valid_homedir.cfg | 2 + .../13.13_check_user_homedir_ownership.cfg | 2 + 7 files changed, 193 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/13.11_find_passwd_group_inconsistencies.sh create mode 100755 bin/hardening/13.12_users_valid_homedir.sh create mode 100755 bin/hardening/13.13_check_user_homedir_ownership.sh create mode 100644 etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg create mode 100644 etc/conf.d/13.12_users_valid_homedir.cfg create mode 100644 etc/conf.d/13.13_check_user_homedir_ownership.cfg diff --git a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh new file mode 100755 index 0000000..cac5469 --- /dev/null +++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.11 Check Groups in /etc/passwd (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + + for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + debug "Working on group $GROUP" + if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then + crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" + ERRORS=$(($ERRORS+1)) + fi + done + + if [ $ERRORS = 0 ]; then + ok "passwd and group Groups are consistent" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + debug "Working on group $GROUP" + if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then + crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" + ERRORS=$(($ERRORS+1)) + fi + done + + if [ $ERRORS != 0 ]; then + warn "Consider creating missing group" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.12_users_valid_homedir.sh b/bin/hardening/13.12_users_valid_homedir.sh new file mode 100755 index 0000000..e94db47 --- /dev/null +++ b/bin/hardening/13.12_users_valid_homedir.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.12 Check That Users Are Assigned Valid Home Directories (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do + if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then + crit "The home directory ($DIR) of user $USER does not exist." + ERRORS=$((ERRORS+1)) + fi + done + + if [ $ERRORS = 0 ]; then + ok "All home directories exists" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $ERRORS != 0 ]; then + warn "Consider creating missing home directories" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh new file mode 100755 index 0000000..28e3aea --- /dev/null +++ b/bin/hardening/13.13_check_user_homedir_ownership.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.13 Check User Home Directory Ownership (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + + cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do + if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then + OWNER=$(stat -L -c "%U" "$DIR") + if [ "$OWNER" != "$USER" ]; then + crit "The home directory ($DIR) of user $USER is owned by $OWNER." + ERRORS=$(($ERRORS+1)) + fi + fi + done + + if [ $ERRORS = 0 ]; then + ok "All home directories have correct ownership" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do + if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then + OWNER=$(stat -L -c "%U" "$DIR") + if [ "$OWNER" != "$USER" ]; then + warn "The home directory ($DIR) of user $USER is owned by $OWNER." + chown $USER $DIR + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/1.1_install_updates.cfg b/etc/conf.d/1.1_install_updates.cfg index acee522..e1e4502 100644 --- a/etc/conf.d/1.1_install_updates.cfg +++ b/etc/conf.d/1.1_install_updates.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=disabled +status=enabled diff --git a/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.12_users_valid_homedir.cfg b/etc/conf.d/13.12_users_valid_homedir.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.12_users_valid_homedir.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.13_check_user_homedir_ownership.cfg b/etc/conf.d/13.13_check_user_homedir_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.13_check_user_homedir_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled