IMP(13.13): Add exceptions for home directories not owned by owner

Fill tests

Apply shellcheck recommendations
This commit is contained in:
Charles Herlin 2019-02-22 15:22:58 +01:00
parent 80a1146af7
commit 605a768fe1
2 changed files with 47 additions and 15 deletions

View File

@ -1,5 +1,6 @@
#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
@ -11,26 +12,33 @@
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Check user home directory ownership."
EXCEPTIONS=""
ERRORS=0
# This function will be called if the script status is on enabled / audit mode
audit () {
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd )
for LINE in $RESULT; do
debug "Working on $LINE"
USER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE)
DIR=$(awk -F: {'print $3'} <<< $LINE)
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
USER=$(awk -F: '{print $1}' <<< "$LINE")
USERID=$(awk -F: '{print $2}' <<< "$LINE")
DIR=$(awk -F: '{print $3}' <<< "$LINE")
if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
if grep -qw "$DIR:$USER:$OWNER" <<< "$EXCEPTIONS"; then
ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)."
else
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
ERRORS=$((ERRORS+1))
fi
fi
fi
done
if [ $ERRORS = 0 ]; then
@ -40,17 +48,26 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read -r USER USERID DIR; do
if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
OWNER=$(stat -L -c "%U" "$DIR")
if [ "$OWNER" != "$USER" ]; then
warn "The home directory ($DIR) of user $USER is owned by $OWNER."
chown $USER $DIR
chown "$USER" "$DIR"
fi
fi
done
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Specify here exception for which owner of user's home directory is not the user
# "home:user:owner home2:user2:owner2"
EXCEPTIONS=""
EOF
}
# This function will check config parameters required
check_config() {
:
@ -67,8 +84,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
# shellcheck source=/opt/debian-cis/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128

View File

@ -2,9 +2,23 @@
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
useradd -m testhomeuser
chown root:root /home/testhomeuser
describe Wrong home owner
register_test retvalshouldbe 1
run wronghomeowner /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
echo "EXCEPTIONS=\"/home/testhomeuser:testhomeuser:root\"" >> /opt/debian-cis/etc/conf.d/"${script}".cfg
sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Added exceptions
register_test retvalshouldbe 0
run exceptions /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup
userdel testhomeuser
}