Renum User and Groups settings 13.x to 6.2.x

renamed:    bin/hardening/13.8_check_user_dot_file_perm.sh -> bin/hardening/6.2.10_check_user_dot_file_perm.sh
	renamed:    bin/hardening/13.19_find_user_forward_files.sh -> bin/hardening/6.2.11_find_user_forward_files.sh
	renamed:    bin/hardening/13.18_find_user_netrc_files.sh -> bin/hardening/6.2.12_find_user_netrc_files.sh
	renamed:    bin/hardening/13.9_set_perm_on_user_netrc.sh -> bin/hardening/6.2.13_set_perm_on_user_netrc.sh
	renamed:    bin/hardening/13.10_find_user_rhosts_files.sh -> bin/hardening/6.2.14_find_user_rhosts_files.sh
	renamed:    bin/hardening/13.11_find_passwd_group_inconsistencies.sh -> bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh
	renamed:    bin/hardening/13.14_check_duplicate_uid.sh -> bin/hardening/6.2.16_check_duplicate_uid.sh
	renamed:    bin/hardening/13.15_check_duplicate_gid.sh -> bin/hardening/6.2.17_check_duplicate_gid.sh
	renamed:    bin/hardening/13.16_check_duplicate_username.sh -> bin/hardening/6.2.18_check_duplicate_username.sh
	renamed:    bin/hardening/13.17_check_duplicate_groupname.sh -> bin/hardening/6.2.19_check_duplicate_groupname.sh
	renamed:    bin/hardening/13.1_remove_empty_password_field.sh -> bin/hardening/6.2.1_remove_empty_password_field.sh
	renamed:    bin/hardening/13.20_shadow_group_empty.sh -> bin/hardening/6.2.20_shadow_group_empty.sh
	renamed:    bin/hardening/13.2_remove_legacy_passwd_entries.sh -> bin/hardening/6.2.2_remove_legacy_passwd_entries.sh
	renamed:    bin/hardening/13.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.3_remove_legacy_shadow_entries.sh
	renamed:    bin/hardening/13.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.4_remove_legacy_group_entries.sh
	renamed:    bin/hardening/13.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.5_find_0_uid_non_root_account.sh
	renamed:    bin/hardening/13.6_sanitize_root_path.sh -> bin/hardening/6.2.6_sanitize_root_path.sh
	renamed:    bin/hardening/13.7_check_user_dir_perm.sh -> bin/hardening/6.2.8_check_user_dir_perm.sh
	renamed:    bin/hardening/13.12_users_valid_homedir.sh -> bin/hardening/6.2.9_users_valid_homedir.sh
	renamed:    tests/hardening/13.9_set_perm_on_user_netrc.sh -> tests/hardening/6.2.10_check_user_dot_file_perm.sh
	renamed:    tests/hardening/13.8_check_user_dot_file_perm.sh -> tests/hardening/6.2.11_find_user_forward_files.sh
	renamed:    tests/hardening/13.7_check_user_dir_perm.sh -> tests/hardening/6.2.12_find_user_netrc_files.sh
	renamed:    tests/hardening/13.6_sanitize_root_path.sh -> tests/hardening/6.2.13_set_perm_on_user_netrc.sh
	renamed:    tests/hardening/13.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh
	renamed:    tests/hardening/13.14_check_duplicate_uid.sh -> tests/hardening/6.2.16_check_duplicate_uid.sh
	renamed:    tests/hardening/13.15_check_duplicate_gid.sh -> tests/hardening/6.2.17_check_duplicate_gid.sh
	renamed:    tests/hardening/13.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.18_check_duplicate_username.sh
	renamed:    tests/hardening/13.2_remove_legacy_passwd_entries.sh -> tests/hardening/6.2.19_check_duplicate_groupname.sh
	renamed:    tests/hardening/13.20_shadow_group_empty.sh -> tests/hardening/6.2.1_remove_empty_password_field.sh
	renamed:    tests/hardening/13.1_remove_empty_password_field.sh -> tests/hardening/6.2.20_shadow_group_empty.sh
	renamed:    tests/hardening/13.19_find_user_forward_files.sh -> tests/hardening/6.2.2_remove_legacy_passwd_entries.sh
	renamed:    tests/hardening/13.18_find_user_netrc_files.sh -> tests/hardening/6.2.3_remove_legacy_shadow_entries.sh
	renamed:    tests/hardening/13.17_check_duplicate_groupname.sh -> tests/hardening/6.2.4_remove_legacy_group_entries.sh
	renamed:    tests/hardening/13.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.5_find_0_uid_non_root_account.sh
	renamed:    tests/hardening/13.16_check_duplicate_username.sh -> tests/hardening/6.2.6_sanitize_root_path.sh
	renamed:    tests/hardening/13.12_users_valid_homedir.sh -> tests/hardening/6.2.8_check_user_dir_perm.sh
	renamed:    tests/hardening/13.11_find_passwd_group_inconsistencies.sh -> tests/hardening/6.2.9_users_valid_homedir.sh

bin/hardening/6.2.10_check_user_dot_file_perm.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.8 Check User Dot File Permissions (Scored)
+# 6.2.10 Ensure users' dot files are not group or world writable (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.11_find_user_forward_files.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.19 Check for Presence of User .forward Files (Scored)
+# 6.2.11 Ensure no users have .forward files (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.12_find_user_netrc_files.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.18 Check for Presence of User .netrc Files (Scored)
+# 6.2.12 Ensure no users have .netrc files (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.13_set_perm_on_user_netrc.sh

@@ -5,14 +5,14 @@
 #
 
 #
-# 13.9 Check Permissions on User .netrc Files (Scored)
+# 6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
-DESCRIPTION="Check user permissions on .netrc file."
+DESCRIPTION="Ensure users' .netrc Files are not group or world accessible"
 
 PERMISSIONS="600"
 ERRORS=0

bin/hardening/6.2.14_find_user_rhosts_files.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.10 Check for Presence of User .rhosts Files (Scored)
+# 6.2.14 Ensure no users have .rhosts files (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.11 Check Groups in /etc/passwd (Scored)
+# 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.16_check_duplicate_uid.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.14 Check for Duplicate UIDs (Scored)
+# 6.2.16 Ensure no duplicate UIDs exist (Scored)
 #
 
 set -e # One error, it's over
@@ -14,7 +14,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="Checking for duplicate UIDs."
+DESCRIPTION="Ensure no duplicate UIDs exist"
 EXCEPTIONS=""
 
 ERRORS=0

bin/hardening/6.2.17_check_duplicate_gid.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.15 Check for Duplicate GIDs (Scored)
+# 6.2.17 Ensure no duplicate GIDs exist (Scored)
 #
 
 set -e # One error, it's over
@@ -14,7 +14,7 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 # shellcheck disable=2034
-DESCRIPTION="There is no duplicate GIDs."
+DESCRIPTION="Ensure no duplicate GIDs exist"
 
 ERRORS=0
 

bin/hardening/6.2.18_check_duplicate_username.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.16 Check for Duplicate User Names (Scored)
+# 6.2.18 Ensure no duplicate user names exist (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.19_check_duplicate_groupname.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.17 Check for Duplicate Group Names (Scored)
+# 6.2.19 Ensure no duplicate group names exist (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.1_remove_empty_password_field.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.1 Ensure Password Fields are Not Empty (Scored)
+# 6.2.1 Ensure Password Fields are Not Empty (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.20_shadow_group_empty.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.20 Ensure shadow group is empty (Scored)
+# 6.2.20 Ensure shadow group is empty (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.2_remove_legacy_passwd_entries.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+# 6.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.3_remove_legacy_shadow_entries.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+# 6.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.4_remove_legacy_group_entries.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
+# 6.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.5_find_0_uid_non_root_account.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
+# 6.2.5 Ensure root is the only UID 0 account (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.6_sanitize_root_path.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.6 Ensure root PATH Integrity (Scored)
+# 6.2.6 Ensure root PATH Integrity (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.8_check_user_dir_perm.sh

@@ -5,7 +5,7 @@
 #
 
 #
-# 13.7 Check Permissions on User Home Directories (Scored)
+# 6.2.8 Check Permissions on User Home Directories (Scored)
 #
 
 set -e # One error, it's over

bin/hardening/6.2.9_users_valid_homedir.sh

@@ -5,34 +5,64 @@
 #
 
 #
-# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
+# 6.2.9 Ensure users own their home directories (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
-DESCRIPTION="Users are assigned valid home directories."
+DESCRIPTION="Ensure users own their home directories"
 
 ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+    debug "Checking homedir exists"
     RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
-    for LINE in $RESULT; do 
+    for LINE in $RESULT; do
         debug "Working on $LINE"
         USER=$(awk -F: {'print $1'} <<< $LINE)
         USERID=$(awk -F: {'print $2'} <<< $LINE)
         DIR=$(awk -F: {'print $3'} <<< $LINE)
         if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
             crit "The home directory ($DIR) of user $USER does not exist."
-            ERRORS=$((ERRORS+1))    
+            ERRORS=$((ERRORS+1))
         fi
     done
 
     if [ $ERRORS = 0 ]; then
         ok "All home directories exists"
-    fi 
+    fi
+    debug "Checking homedir ownership"
+    RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd )
+    for LINE in $RESULT; do
+        debug "Working on $LINE"
+        USER=$(awk -F: '{print $1}' <<< "$LINE")
+        USERID=$(awk -F: '{print $2}' <<< "$LINE")
+        DIR=$(awk -F: '{print $3}' <<< "$LINE")
+        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
+            OWNER=$(stat -L -c "%U" "$DIR")
+            if [ "$OWNER" != "$USER" ]; then
+                EXCEP_FOUND=0
+                for excep in $EXCEPTIONS; do
+                    if [ "$DIR:$USER:$OWNER" = "$excep" ]; then
+                        ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)."
+                        EXCEP_FOUND=1
+                        break
+                    fi
+                done
+                if [ "$EXCEP_FOUND" -eq 0 ]; then
+                    crit "The home directory ($DIR) of user $USER is owned by $OWNER."
+                    ERRORS=$((ERRORS+1))
+                fi
+            fi
+        fi
+    done
+
+    if [ $ERRORS = 0 ]; then
+        ok "All home directories have correct ownership"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode