elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-24 11:34:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Renum User and Groups settings 13.x to 6.2.x

Browse Source 
renamed:    bin/hardening/13.8_check_user_dot_file_perm.sh -> bin/hardening/6.2.10_check_user_dot_file_perm.sh
	renamed:    bin/hardening/13.19_find_user_forward_files.sh -> bin/hardening/6.2.11_find_user_forward_files.sh
	renamed:    bin/hardening/13.18_find_user_netrc_files.sh -> bin/hardening/6.2.12_find_user_netrc_files.sh
	renamed:    bin/hardening/13.9_set_perm_on_user_netrc.sh -> bin/hardening/6.2.13_set_perm_on_user_netrc.sh
	renamed:    bin/hardening/13.10_find_user_rhosts_files.sh -> bin/hardening/6.2.14_find_user_rhosts_files.sh
	renamed:    bin/hardening/13.11_find_passwd_group_inconsistencies.sh -> bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh
	renamed:    bin/hardening/13.14_check_duplicate_uid.sh -> bin/hardening/6.2.16_check_duplicate_uid.sh
	renamed:    bin/hardening/13.15_check_duplicate_gid.sh -> bin/hardening/6.2.17_check_duplicate_gid.sh
	renamed:    bin/hardening/13.16_check_duplicate_username.sh -> bin/hardening/6.2.18_check_duplicate_username.sh
	renamed:    bin/hardening/13.17_check_duplicate_groupname.sh -> bin/hardening/6.2.19_check_duplicate_groupname.sh
	renamed:    bin/hardening/13.1_remove_empty_password_field.sh -> bin/hardening/6.2.1_remove_empty_password_field.sh
	renamed:    bin/hardening/13.20_shadow_group_empty.sh -> bin/hardening/6.2.20_shadow_group_empty.sh
	renamed:    bin/hardening/13.2_remove_legacy_passwd_entries.sh -> bin/hardening/6.2.2_remove_legacy_passwd_entries.sh
	renamed:    bin/hardening/13.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
	renamed:    bin/hardening/13.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.4_remove_legacy_group_entries.sh
	renamed:    bin/hardening/13.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.5_find_0_uid_non_root_account.sh
	renamed:    bin/hardening/13.6_sanitize_root_path.sh -> bin/hardening/6.2.6_sanitize_root_path.sh
	renamed:    bin/hardening/13.7_check_user_dir_perm.sh -> bin/hardening/6.2.8_check_user_dir_perm.sh
	renamed:    bin/hardening/13.12_users_valid_homedir.sh -> bin/hardening/6.2.9_users_valid_homedir.sh
	renamed:    tests/hardening/13.9_set_perm_on_user_netrc.sh -> tests/hardening/6.2.10_check_user_dot_file_perm.sh
	renamed:    tests/hardening/13.8_check_user_dot_file_perm.sh -> tests/hardening/6.2.11_find_user_forward_files.sh
	renamed:    tests/hardening/13.7_check_user_dir_perm.sh -> tests/hardening/6.2.12_find_user_netrc_files.sh
	renamed:    tests/hardening/13.6_sanitize_root_path.sh -> tests/hardening/6.2.13_set_perm_on_user_netrc.sh
	renamed:    tests/hardening/13.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh
	renamed:    tests/hardening/13.14_check_duplicate_uid.sh -> tests/hardening/6.2.16_check_duplicate_uid.sh
	renamed:    tests/hardening/13.15_check_duplicate_gid.sh -> tests/hardening/6.2.17_check_duplicate_gid.sh
	renamed:    tests/hardening/13.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.18_check_duplicate_username.sh
	renamed:    tests/hardening/13.2_remove_legacy_passwd_entries.sh -> tests/hardening/6.2.19_check_duplicate_groupname.sh
	renamed:    tests/hardening/13.20_shadow_group_empty.sh -> tests/hardening/6.2.1_remove_empty_password_field.sh
	renamed:    tests/hardening/13.1_remove_empty_password_field.sh -> tests/hardening/6.2.20_shadow_group_empty.sh
	renamed:    tests/hardening/13.19_find_user_forward_files.sh -> tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
	renamed:    tests/hardening/13.18_find_user_netrc_files.sh -> tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
	renamed:    tests/hardening/13.17_check_duplicate_groupname.sh -> tests/hardening/6.2.4_remove_legacy_group_entries.sh
	renamed:    tests/hardening/13.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.5_find_0_uid_non_root_account.sh
	renamed:    tests/hardening/13.16_check_duplicate_username.sh -> tests/hardening/6.2.6_sanitize_root_path.sh
	renamed:    tests/hardening/13.12_users_valid_homedir.sh -> tests/hardening/6.2.8_check_user_dir_perm.sh
	renamed:    tests/hardening/13.11_find_passwd_group_inconsistencies.sh -> tests/hardening/6.2.9_users_valid_homedir.sh
This commit is contained in:
Charles Herlin
2019-09-12 17:43:12 +02:00
committed by Thibault Ayanides
parent 440aeaf45f
commit 609444a47f
37 changed files with 56 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
bin/hardening/6.2.20_shadow_group_empty.sh Executable file
View File

@ -0,0 +1,73 @@
#!/bin/bash
#
# CIS Debian Hardening
#
#
# 6.2.20 Ensure shadow group is empty (Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
HARDENING_LEVEL=1
DESCRIPTION="There is no user in shadow group (that can read /etc/shadow file)."
ERRORS=0
FILEGROUP='/etc/group'
PATTERN='^shadow:x:[[:digit:]]+:'
# This function will be called if the script status is on enabled / audit mode
audit () {
does_pattern_exist_in_file $FILEGROUP $PATTERN
if [ $FNRET = 0 ]; then
info "shadow group exists"
RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
GROUPID=$(getent group shadow | cut -d: -f3)
debug "$RESULT $GROUPID"
if [ ! -z "$RESULT" ]; then
crit "Some users belong to shadow group: $RESULT"
else
ok "No user belongs to shadow group"
fi
info "Checking if a user has $GROUPID as primary group"
RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
if [ ! -z "$RESULT" ]; then
crit "Some users have shadow id as their primary group: $RESULT"
else
ok "No user has shadow id as their primary group"
fi
else
crit "shadow group doesn't exist"
fi
}
# This function will be called if the script status is on enabled mode
apply () {
info "Editing automatically users/groups may seriously harm your system, report only here"
}
# This function will check config parameters required
check_config() {
:
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
. /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_ROOT_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128
fi