mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-24 23:15:23 +01:00
IMP: add utils to check perm in authorized perm
This commit is contained in:
parent
a2adf0f15c
commit
5c40d48f85
@ -19,6 +19,7 @@ DESCRIPTION="Checking permissions and ownership to root 644 for ssh public keys.
|
||||
|
||||
DIR='/etc/ssh'
|
||||
PERMISSIONS='644'
|
||||
PERMISSIONSOK='644 640 600'
|
||||
USER='root'
|
||||
GROUP='root'
|
||||
|
||||
@ -26,22 +27,12 @@ GROUP='root'
|
||||
audit() {
|
||||
ERRORS=0
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
has_file_correct_permissions "$FILE" 640
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
has_file_correct_permissions "$FILE" 600
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
ERRORS=$((ERRORS + 1))
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
fi
|
||||
ERRORS=$((ERRORS + 1))
|
||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
||||
fi
|
||||
|
||||
done
|
||||
@ -70,22 +61,12 @@ audit() {
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply() {
|
||||
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
|
||||
has_file_correct_permissions "$FILE" "$PERMISSIONS"
|
||||
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
has_file_correct_permissions "$FILE" 640
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
has_file_correct_permissions "$FILE" 600
|
||||
if [ "$FNRET" = 0 ]; then
|
||||
ok "$FILE permissions were set to $PERMISSIONS"
|
||||
else
|
||||
warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
fi
|
||||
warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
|
||||
chmod 0"$PERMISSIONS" "$FILE"
|
||||
fi
|
||||
done
|
||||
|
||||
|
27
lib/utils.sh
27
lib/utils.sh
@ -90,19 +90,17 @@ has_file_correct_ownership() {
|
||||
|
||||
has_file_one_of_ownership() {
|
||||
local FILE=$1
|
||||
local USERS_OK=$2
|
||||
local USER=$2
|
||||
local GROUPS_OK=$3
|
||||
|
||||
local USEROK=1
|
||||
local GROUPOK=1
|
||||
|
||||
for USER in $USERS_OK; do
|
||||
local USERID
|
||||
USERID=$(id -u "$USER")
|
||||
if [ "$($SUDO_CMD stat -c "%u" "$FILE")" = "$USERID" ]; then
|
||||
USEROK=0
|
||||
fi
|
||||
done
|
||||
|
||||
local USERID
|
||||
USERID=$(id -u "$USER")
|
||||
if [ "$($SUDO_CMD stat -c "%u" "$FILE")" = "$USERID" ]; then
|
||||
USEROK=0
|
||||
fi
|
||||
|
||||
for GROUP in $GROUPS_OK; do
|
||||
local GROUPID
|
||||
@ -130,6 +128,17 @@ has_file_correct_permissions() {
|
||||
fi
|
||||
}
|
||||
|
||||
has_file_one_of_permissions() {
|
||||
local FILE=$1
|
||||
local PERMISSIONS=$2
|
||||
FNRET=1
|
||||
for PERMISSION in $PERMISSIONS; do
|
||||
if [ "$($SUDO_CMD stat -L -c "%a" "$FILE")" = "$PERMISSION" ]; then
|
||||
FNRET=0
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
does_pattern_exist_in_file_nocase() {
|
||||
_does_pattern_exist_in_file "-Ei" "$@"
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user