elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(13.13): Add exceptions for home directories not owned by owner

Browse Source 
Fill tests

Apply shellcheck recommendations
This commit is contained in:
Charles Herlin 2019-02-22 15:22:58 +01:00
parent 80a1146af7
commit 605a768fe1
2 changed files with 47 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
bin/hardening/13.13_check_user_homedir_ownership.sh
View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# run-shellcheck
# #
# CIS Debian Hardening # CIS Debian Hardening
# #
@ -11,46 +12,62 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Check user home directory ownership." DESCRIPTION="Check user home directory ownership."
EXCEPTIONS=""
ERRORS=0 ERRORS=0
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd )
for LINE in $RESULT; do for LINE in $RESULT; do
debug "Working on $LINE" debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE) USER=$(awk -F: '{print $1}' <<< "$LINE")
USERID=$(awk -F: {'print $2'} <<< $LINE) USERID=$(awk -F: '{print $2}' <<< "$LINE")
DIR=$(awk -F: {'print $3'} <<< $LINE) DIR=$(awk -F: '{print $3}' <<< "$LINE")
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR") OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then if [ "$OWNER" != "$USER" ]; then
crit "The home directory ($DIR) of user $USER is owned by $OWNER." if grep -qw "$DIR:$USER:$OWNER" <<< "$EXCEPTIONS"; then
ERRORS=$((ERRORS+1)) ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)."
else
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
ERRORS=$((ERRORS+1))
fi
fi fi
fi fi
done done
if [ $ERRORS = 0 ]; then if [ $ERRORS = 0 ]; then
ok "All home directories have correct ownership" ok "All home directories have correct ownership"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read -r USER USERID DIR; do
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR") OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then if [ "$OWNER" != "$USER" ]; then
warn "The home directory ($DIR) of user $USER is owned by $OWNER." warn "The home directory ($DIR) of user $USER is owned by $OWNER."
chown $USER $DIR chown "$USER" "$DIR"
fi fi
fi fi
done done
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Specify here exception for which owner of user's home directory is not the user
# "home:user:owner home2:user2:owner2"
EXCEPTIONS=""
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: :
@ -67,8 +84,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=/opt/debian-cis/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

18
tests/hardening/13.13_check_user_homedir_ownership.sh
View File

@ -2,9 +2,23 @@
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests useradd -m testhomeuser
chown root:root /home/testhomeuser
describe Wrong home owner
register_test retvalshouldbe 1
run wronghomeowner /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "EXCEPTIONS=\"/home/testhomeuser:testhomeuser:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Added exceptions
register_test retvalshouldbe 0
run exceptions /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
userdel testhomeuser
} }