mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
Renum User and Groups settings 13.x to 6.2.x
renamed: bin/hardening/13.8_check_user_dot_file_perm.sh -> bin/hardening/6.2.10_check_user_dot_file_perm.sh renamed: bin/hardening/13.19_find_user_forward_files.sh -> bin/hardening/6.2.11_find_user_forward_files.sh renamed: bin/hardening/13.18_find_user_netrc_files.sh -> bin/hardening/6.2.12_find_user_netrc_files.sh renamed: bin/hardening/13.9_set_perm_on_user_netrc.sh -> bin/hardening/6.2.13_set_perm_on_user_netrc.sh renamed: bin/hardening/13.10_find_user_rhosts_files.sh -> bin/hardening/6.2.14_find_user_rhosts_files.sh renamed: bin/hardening/13.11_find_passwd_group_inconsistencies.sh -> bin/hardening/6.2.15_find_passwd_group_inconsistencies.sh renamed: bin/hardening/13.14_check_duplicate_uid.sh -> bin/hardening/6.2.16_check_duplicate_uid.sh renamed: bin/hardening/13.15_check_duplicate_gid.sh -> bin/hardening/6.2.17_check_duplicate_gid.sh renamed: bin/hardening/13.16_check_duplicate_username.sh -> bin/hardening/6.2.18_check_duplicate_username.sh renamed: bin/hardening/13.17_check_duplicate_groupname.sh -> bin/hardening/6.2.19_check_duplicate_groupname.sh renamed: bin/hardening/13.1_remove_empty_password_field.sh -> bin/hardening/6.2.1_remove_empty_password_field.sh renamed: bin/hardening/13.20_shadow_group_empty.sh -> bin/hardening/6.2.20_shadow_group_empty.sh renamed: bin/hardening/13.2_remove_legacy_passwd_entries.sh -> bin/hardening/6.2.2_remove_legacy_passwd_entries.sh renamed: bin/hardening/13.3_remove_legacy_shadow_entries.sh -> bin/hardening/6.2.3_remove_legacy_shadow_entries.sh renamed: bin/hardening/13.4_remove_legacy_group_entries.sh -> bin/hardening/6.2.4_remove_legacy_group_entries.sh renamed: bin/hardening/13.5_find_0_uid_non_root_account.sh -> bin/hardening/6.2.5_find_0_uid_non_root_account.sh renamed: bin/hardening/13.6_sanitize_root_path.sh -> bin/hardening/6.2.6_sanitize_root_path.sh renamed: bin/hardening/13.7_check_user_dir_perm.sh -> bin/hardening/6.2.8_check_user_dir_perm.sh renamed: bin/hardening/13.12_users_valid_homedir.sh -> bin/hardening/6.2.9_users_valid_homedir.sh renamed: tests/hardening/13.9_set_perm_on_user_netrc.sh -> tests/hardening/6.2.10_check_user_dot_file_perm.sh renamed: tests/hardening/13.8_check_user_dot_file_perm.sh -> tests/hardening/6.2.11_find_user_forward_files.sh renamed: tests/hardening/13.7_check_user_dir_perm.sh -> tests/hardening/6.2.12_find_user_netrc_files.sh renamed: tests/hardening/13.6_sanitize_root_path.sh -> tests/hardening/6.2.13_set_perm_on_user_netrc.sh renamed: tests/hardening/13.4_remove_legacy_group_entries.sh -> tests/hardening/6.2.15_find_passwd_group_inconsistencies.sh renamed: tests/hardening/13.14_check_duplicate_uid.sh -> tests/hardening/6.2.16_check_duplicate_uid.sh renamed: tests/hardening/13.15_check_duplicate_gid.sh -> tests/hardening/6.2.17_check_duplicate_gid.sh renamed: tests/hardening/13.3_remove_legacy_shadow_entries.sh -> tests/hardening/6.2.18_check_duplicate_username.sh renamed: tests/hardening/13.2_remove_legacy_passwd_entries.sh -> tests/hardening/6.2.19_check_duplicate_groupname.sh renamed: tests/hardening/13.20_shadow_group_empty.sh -> tests/hardening/6.2.1_remove_empty_password_field.sh renamed: tests/hardening/13.1_remove_empty_password_field.sh -> tests/hardening/6.2.20_shadow_group_empty.sh renamed: tests/hardening/13.19_find_user_forward_files.sh -> tests/hardening/6.2.2_remove_legacy_passwd_entries.sh renamed: tests/hardening/13.18_find_user_netrc_files.sh -> tests/hardening/6.2.3_remove_legacy_shadow_entries.sh renamed: tests/hardening/13.17_check_duplicate_groupname.sh -> tests/hardening/6.2.4_remove_legacy_group_entries.sh renamed: tests/hardening/13.5_find_0_uid_non_root_account.sh -> tests/hardening/6.2.5_find_0_uid_non_root_account.sh renamed: tests/hardening/13.16_check_duplicate_username.sh -> tests/hardening/6.2.6_sanitize_root_path.sh renamed: tests/hardening/13.12_users_valid_homedir.sh -> tests/hardening/6.2.8_check_user_dir_perm.sh renamed: tests/hardening/13.11_find_passwd_group_inconsistencies.sh -> tests/hardening/6.2.9_users_valid_homedir.sh
This commit is contained in:
Charles Herlin
Thibault Ayanides
parent
440aeaf45f
commit
609444a47f
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.8 Check User Dot File Permissions (Scored)
|
||||
# 6.2.10 Ensure users' dot files are not group or world writable (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.19 Check for Presence of User .forward Files (Scored)
|
||||
# 6.2.11 Ensure no users have .forward files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.18 Check for Presence of User .netrc Files (Scored)
|
||||
# 6.2.12 Ensure no users have .netrc files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,14 +5,14 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.9 Check Permissions on User .netrc Files (Scored)
|
||||
# 6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Check user permissions on .netrc file."
|
||||
DESCRIPTION="Ensure users' .netrc Files are not group or world accessible"
|
||||
|
||||
PERMISSIONS="600"
|
||||
ERRORS=0
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.10 Check for Presence of User .rhosts Files (Scored)
|
||||
# 6.2.14 Ensure no users have .rhosts files (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.11 Check Groups in /etc/passwd (Scored)
|
||||
# 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.14 Check for Duplicate UIDs (Scored)
|
||||
# 6.2.16 Ensure no duplicate UIDs exist (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Checking for duplicate UIDs."
|
||||
DESCRIPTION="Ensure no duplicate UIDs exist"
|
||||
EXCEPTIONS=""
|
||||
|
||||
ERRORS=0
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.15 Check for Duplicate GIDs (Scored)
|
||||
# 6.2.17 Ensure no duplicate GIDs exist (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="There is no duplicate GIDs."
|
||||
DESCRIPTION="Ensure no duplicate GIDs exist"
|
||||
|
||||
ERRORS=0
|
||||
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.16 Check for Duplicate User Names (Scored)
|
||||
# 6.2.18 Ensure no duplicate user names exist (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.17 Check for Duplicate Group Names (Scored)
|
||||
# 6.2.19 Ensure no duplicate group names exist (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.1 Ensure Password Fields are Not Empty (Scored)
|
||||
# 6.2.1 Ensure Password Fields are Not Empty (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.20 Ensure shadow group is empty (Scored)
|
||||
# 6.2.20 Ensure shadow group is empty (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
|
||||
# 6.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
|
||||
# 6.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
|
||||
# 6.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
|
||||
# 6.2.5 Ensure root is the only UID 0 account (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.6 Ensure root PATH Integrity (Scored)
|
||||
# 6.2.6 Ensure root PATH Integrity (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,7 +5,7 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.7 Check Permissions on User Home Directories (Scored)
|
||||
# 6.2.8 Check Permissions on User Home Directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
@ -5,34 +5,64 @@
|
||||
#
|
||||
|
||||
#
|
||||
# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
|
||||
# 6.2.9 Ensure users own their home directories (Scored)
|
||||
#
|
||||
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Users are assigned valid home directories."
|
||||
DESCRIPTION="Ensure users own their home directories"
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
debug "Checking homedir exists"
|
||||
RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
|
||||
for LINE in $RESULT; do
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
USERID=$(awk -F: {'print $2'} <<< $LINE)
|
||||
DIR=$(awk -F: {'print $3'} <<< $LINE)
|
||||
if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
|
||||
crit "The home directory ($DIR) of user $USER does not exist."
|
||||
ERRORS=$((ERRORS+1))
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "All home directories exists"
|
||||
fi
|
||||
fi
|
||||
debug "Checking homedir ownership"
|
||||
RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd )
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on $LINE"
|
||||
USER=$(awk -F: '{print $1}' <<< "$LINE")
|
||||
USERID=$(awk -F: '{print $2}' <<< "$LINE")
|
||||
DIR=$(awk -F: '{print $3}' <<< "$LINE")
|
||||
if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
|
||||
OWNER=$(stat -L -c "%U" "$DIR")
|
||||
if [ "$OWNER" != "$USER" ]; then
|
||||
EXCEP_FOUND=0
|
||||
for excep in $EXCEPTIONS; do
|
||||
if [ "$DIR:$USER:$OWNER" = "$excep" ]; then
|
||||
ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)."
|
||||
EXCEP_FOUND=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
if [ "$EXCEP_FOUND" -eq 0 ]; then
|
||||
crit "The home directory ($DIR) of user $USER is owned by $OWNER."
|
||||
ERRORS=$((ERRORS+1))
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "All home directories have correct ownership"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
Loading…
Reference in New Issue
Block a user