mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
Renum User and Groups settings 13.x to 6.2.x
renamed: bin/hardening/13.8_check_user_dot_file_perm.sh -> bin/hardening/6.2.10_check_user_dot_file_perm.sh renamed: bin/hardening/13.19_find_user_forward_files.sh -> bin/hardening/6.2.11_find_user_forward_files.sh renamed: bin/hardening/13.18_find_user_netrc_files.sh -> bin/hardening/6.2.12_find_user_netrc_files.sh renamed: bin/hardening/13.9_set_perm_on_user_netrc.sh -> bin/hardening/6.2.13_set_perm_on_user_netrc.sh renamed: bin/hardening/13.10_find_user_rhosts_files.sh -> bin/hardening/6.2.14_find_user_rhosts_files.sh renamed: bin/hardening/13.11_find_passwd_group_inconsistencies.sh -> bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh renamed: bin/hardening/13.14_check_duplicate_uid.sh -> bin/hardening/6.2.16_check_duplicate_uid.sh renamed: bin/hardening/13.15_check_duplicate_gid.sh -> bin/hardening/6.2.17_check_duplicate_gid.sh renamed: bin/hardening/13.16_check_duplicate_username.sh -> bin/hardening/6.2.18_check_duplicate_username.sh renamed: bin/hardening/13.17_check_duplicate_groupname.sh -> bin/hardening/6.2.19_check_duplicate_groupname.sh renamed: bin/hardening/13.1_remove_empty_password_field.sh -> bin/hardening/6.2.1_remove_empty_password_field.sh renamed: bin/hardening/13.20_shadow_group_empty.sh -> bin/hardening/6.2.20_shadow_group_empty.sh renamed: bin/hardening/13.2_remove_legacy_passwd_entries.sh -> bin/hardening/6.2.2_remove_legacy_passwd_entries.sh renamed: bin/hardening/13.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.3_remove_legacy_shadow_entries.sh renamed: bin/hardening/13.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.4_remove_legacy_group_entries.sh renamed: bin/hardening/13.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.5_find_0_uid_non_root_account.sh renamed: bin/hardening/13.6_sanitize_root_path.sh -> bin/hardening/6.2.6_sanitize_root_path.sh renamed: bin/hardening/13.7_check_user_dir_perm.sh -> bin/hardening/6.2.8_check_user_dir_perm.sh renamed: bin/hardening/13.12_users_valid_homedir.sh -> bin/hardening/6.2.9_users_valid_homedir.sh renamed: tests/hardening/13.9_set_perm_on_user_netrc.sh -> tests/hardening/6.2.10_check_user_dot_file_perm.sh renamed: tests/hardening/13.8_check_user_dot_file_perm.sh -> tests/hardening/6.2.11_find_user_forward_files.sh renamed: tests/hardening/13.7_check_user_dir_perm.sh -> tests/hardening/6.2.12_find_user_netrc_files.sh renamed: tests/hardening/13.6_sanitize_root_path.sh -> tests/hardening/6.2.13_set_perm_on_user_netrc.sh renamed: tests/hardening/13.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh renamed: tests/hardening/13.14_check_duplicate_uid.sh -> tests/hardening/6.2.16_check_duplicate_uid.sh renamed: tests/hardening/13.15_check_duplicate_gid.sh -> tests/hardening/6.2.17_check_duplicate_gid.sh renamed: tests/hardening/13.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.18_check_duplicate_username.sh renamed: tests/hardening/13.2_remove_legacy_passwd_entries.sh -> tests/hardening/6.2.19_check_duplicate_groupname.sh renamed: tests/hardening/13.20_shadow_group_empty.sh -> tests/hardening/6.2.1_remove_empty_password_field.sh renamed: tests/hardening/13.1_remove_empty_password_field.sh -> tests/hardening/6.2.20_shadow_group_empty.sh renamed: tests/hardening/13.19_find_user_forward_files.sh -> tests/hardening/6.2.2_remove_legacy_passwd_entries.sh renamed: tests/hardening/13.18_find_user_netrc_files.sh -> tests/hardening/6.2.3_remove_legacy_shadow_entries.sh renamed: tests/hardening/13.17_check_duplicate_groupname.sh -> tests/hardening/6.2.4_remove_legacy_group_entries.sh renamed: tests/hardening/13.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.5_find_0_uid_non_root_account.sh renamed: tests/hardening/13.16_check_duplicate_username.sh -> tests/hardening/6.2.6_sanitize_root_path.sh renamed: tests/hardening/13.12_users_valid_homedir.sh -> tests/hardening/6.2.8_check_user_dir_perm.sh renamed: tests/hardening/13.11_find_passwd_group_inconsistencies.sh -> tests/hardening/6.2.9_users_valid_homedir.sh
This commit is contained in:
parent
440aeaf45f
commit
609444a47f
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.8 Check User Dot File Permissions (Scored)
|
# 6.2.10 Ensure users' dot files are not group or world writable (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.19 Check for Presence of User .forward Files (Scored)
|
# 6.2.11 Ensure no users have .forward files (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.18 Check for Presence of User .netrc Files (Scored)
|
# 6.2.12 Ensure no users have .netrc files (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,14 +5,14 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.9 Check Permissions on User .netrc Files (Scored)
|
# 6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
DESCRIPTION="Check user permissions on .netrc file."
|
DESCRIPTION="Ensure users' .netrc Files are not group or world accessible"
|
||||||
|
|
||||||
PERMISSIONS="600"
|
PERMISSIONS="600"
|
||||||
ERRORS=0
|
ERRORS=0
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.10 Check for Presence of User .rhosts Files (Scored)
|
# 6.2.14 Ensure no users have .rhosts files (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.11 Check Groups in /etc/passwd (Scored)
|
# 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.14 Check for Duplicate UIDs (Scored)
|
# 6.2.16 Ensure no duplicate UIDs exist (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="Checking for duplicate UIDs."
|
DESCRIPTION="Ensure no duplicate UIDs exist"
|
||||||
EXCEPTIONS=""
|
EXCEPTIONS=""
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.15 Check for Duplicate GIDs (Scored)
|
# 6.2.17 Ensure no duplicate GIDs exist (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
DESCRIPTION="There is no duplicate GIDs."
|
DESCRIPTION="Ensure no duplicate GIDs exist"
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.16 Check for Duplicate User Names (Scored)
|
# 6.2.18 Ensure no duplicate user names exist (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.17 Check for Duplicate Group Names (Scored)
|
# 6.2.19 Ensure no duplicate group names exist (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.1 Ensure Password Fields are Not Empty (Scored)
|
# 6.2.1 Ensure Password Fields are Not Empty (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.20 Ensure shadow group is empty (Scored)
|
# 6.2.20 Ensure shadow group is empty (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
|
# 6.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
|
# 6.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
|
# 6.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
|
# 6.2.5 Ensure root is the only UID 0 account (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.6 Ensure root PATH Integrity (Scored)
|
# 6.2.6 Ensure root PATH Integrity (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.7 Check Permissions on User Home Directories (Scored)
|
# 6.2.8 Check Permissions on User Home Directories (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
@ -5,19 +5,20 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
|
# 6.2.9 Ensure users own their home directories (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
set -u # One variable unset, it's over
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
DESCRIPTION="Users are assigned valid home directories."
|
DESCRIPTION="Ensure users own their home directories"
|
||||||
|
|
||||||
ERRORS=0
|
ERRORS=0
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
|
debug "Checking homedir exists"
|
||||||
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||||
for LINE in $RESULT; do
|
for LINE in $RESULT; do
|
||||||
debug "Working on $LINE"
|
debug "Working on $LINE"
|
||||||
@ -33,6 +34,35 @@ audit () {
|
|||||||
if [ $ERRORS = 0 ]; then
|
if [ $ERRORS = 0 ]; then
|
||||||
ok "All home directories exists"
|
ok "All home directories exists"
|
||||||
fi
|
fi
|
||||||
|
debug "Checking homedir ownership"
|
||||||
|
RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd )
|
||||||
|
for LINE in $RESULT; do
|
||||||
|
debug "Working on $LINE"
|
||||||
|
USER=$(awk -F: '{print $1}' <<< "$LINE")
|
||||||
|
USERID=$(awk -F: '{print $2}' <<< "$LINE")
|
||||||
|
DIR=$(awk -F: '{print $3}' <<< "$LINE")
|
||||||
|
if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
|
||||||
|
OWNER=$(stat -L -c "%U" "$DIR")
|
||||||
|
if [ "$OWNER" != "$USER" ]; then
|
||||||
|
EXCEP_FOUND=0
|
||||||
|
for excep in $EXCEPTIONS; do
|
||||||
|
if [ "$DIR:$USER:$OWNER" = "$excep" ]; then
|
||||||
|
ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)."
|
||||||
|
EXCEP_FOUND=1
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$EXCEP_FOUND" -eq 0 ]; then
|
||||||
|
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ $ERRORS = 0 ]; then
|
||||||
|
ok "All home directories have correct ownership"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
Loading…
Reference in New Issue
Block a user