elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-24 06:21:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP: add utils to check perm in authorized perm

Browse Source
This commit is contained in:
Thibault Ayanides 2020-12-21 10:39:44 +01:00
parent a2adf0f15c
commit 5c40d48f85
2 changed files with 25 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
View File

@ -19,6 +19,7 @@ DESCRIPTION="Checking permissions and ownership to root 644 for ssh public keys.
DIR='/etc/ssh'
PERMISSIONS='644'
PERMISSIONSOK='644 640 600'
USER='root'
GROUP='root'
@ -26,22 +27,12 @@ GROUP='root'
audit() {
ERRORS=0
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
has_file_correct_permissions "$FILE" 640
if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
has_file_correct_permissions "$FILE" 600
if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
ERRORS=$((ERRORS + 1))
crit "$FILE permissions were not set to $PERMISSIONS"
fi
fi
ERRORS=$((ERRORS + 1))
crit "$FILE permissions were not set to $PERMISSIONS"
fi
done
@ -70,22 +61,12 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub'); do
has_file_correct_permissions "$FILE" "$PERMISSIONS"
has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
has_file_correct_permissions "$FILE" 640
if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
has_file_correct_permissions "$FILE" 600
if [ "$FNRET" = 0 ]; then
ok "$FILE permissions were set to $PERMISSIONS"
else
warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
fi
warn "fixing $DIR SSH public keys permissions to $PERMISSIONS"
chmod 0"$PERMISSIONS" "$FILE"
fi
done

27
lib/utils.sh
View File

@ -90,19 +90,17 @@ has_file_correct_ownership() {
has_file_one_of_ownership() {
local FILE=$1
local USERS_OK=$2
local USER=$2
local GROUPS_OK=$3
local USEROK=1
local GROUPOK=1
for USER in $USERS_OK; do
local USERID
USERID=$(id -u "$USER")
if [ "$($SUDO_CMD stat -c "%u" "$FILE")" = "$USERID" ]; then
USEROK=0
fi
done
local USERID
USERID=$(id -u "$USER")
if [ "$($SUDO_CMD stat -c "%u" "$FILE")" = "$USERID" ]; then
USEROK=0
fi
for GROUP in $GROUPS_OK; do
local GROUPID
@ -130,6 +128,17 @@ has_file_correct_permissions() {
fi
}
has_file_one_of_permissions() {
local FILE=$1
local PERMISSIONS=$2
FNRET=1
for PERMISSION in $PERMISSIONS; do
if [ "$($SUDO_CMD stat -L -c "%a" "$FILE")" = "$PERMISSION" ]; then
FNRET=0
fi
done
}
does_pattern_exist_in_file_nocase() {
_does_pattern_exist_in_file "-Ei" "$@"
}