mirror of
https://github.com/ovh/debian-cis.git
synced 2024-12-22 05:55:24 +01:00
feat: Filter the filesystem to check when the list is built. (#156)
* feat: Attempt to filter-out filesystem that match exclusion regex.
This commit is contained in:
parent
7a3145d7f1
commit
66ccc6316a
@ -22,11 +22,15 @@ EXCEPTIONS=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if setuid is set on world writable Directories"
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
if [ -n "$EXCEPTIONS" ]; then
|
||||
# maybe EXCEPTIONS allow us to filter out some FS
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
|
||||
else
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
fi
|
||||
@ -45,7 +49,7 @@ audit() {
|
||||
apply() {
|
||||
if [ -n "$EXCEPTIONS" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
|
||||
fi
|
||||
|
@ -22,12 +22,15 @@ EXCLUDED=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are world writable files"
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# maybe EXCLUDED allow us to filter out some FS
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
else
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
|
||||
fi
|
||||
@ -46,7 +49,7 @@ audit() {
|
||||
apply() {
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
|
||||
fi
|
||||
|
@ -23,14 +23,19 @@ EXCLUDED=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are unowned files"
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# maybe EXCLUDED allow us to filter out some FS
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
else
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some unowned files are present"
|
||||
# shellcheck disable=SC2001
|
||||
@ -45,7 +50,7 @@ audit() {
|
||||
apply() {
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
|
||||
fi
|
||||
|
@ -23,14 +23,19 @@ EXCLUDED=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are ungrouped files"
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# maybe EXCLUDED allow us to filter out some FS
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
|
||||
else
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ -n "$RESULT" ]; then
|
||||
crit "Some ungrouped files are present"
|
||||
# shellcheck disable=SC2001
|
||||
@ -45,7 +50,7 @@ audit() {
|
||||
apply() {
|
||||
if [ -n "$EXCLUDED" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
|
||||
fi
|
||||
|
@ -21,13 +21,19 @@ IGNORED_PATH=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are suid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
|
||||
# shellcheck disable=2086
|
||||
if [ -n "$IGNORED_PATH" ]; then
|
||||
# maybe IGNORED_PATH allow us to filter out some FS
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
|
||||
|
||||
# shellcheck disable=2086
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
|
||||
else
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
|
||||
# shellcheck disable=2086
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
|
||||
fi
|
||||
|
||||
BAD_BINARIES=""
|
||||
for BINARY in $FOUND_BINARIES; do
|
||||
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
|
||||
|
@ -21,13 +21,19 @@ IGNORED_PATH=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit() {
|
||||
info "Checking if there are sgid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
|
||||
# shellcheck disable=2086
|
||||
if [ -n "$IGNORED_PATH" ]; then
|
||||
# maybe IGNORED_PATH allow us to filter out some FS
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
|
||||
|
||||
# shellcheck disable=2086
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
|
||||
else
|
||||
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
||||
|
||||
# shellcheck disable=2086
|
||||
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
|
||||
fi
|
||||
|
||||
BAD_BINARIES=""
|
||||
for BINARY in $FOUND_BINARIES; do
|
||||
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
|
||||
|
@ -109,7 +109,7 @@ audit() {
|
||||
crit "/etc/ssh/sshd_config is not readable."
|
||||
else
|
||||
ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
|
||||
if [ "x$ret" = "x#KO" ]; then
|
||||
if [ "$ret" = "#KO" ]; then
|
||||
debug "No AuthorizedKeysFile defined in sshd_config."
|
||||
else
|
||||
AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
|
||||
@ -137,7 +137,7 @@ audit() {
|
||||
continue
|
||||
else
|
||||
info "User $user has a valid shell ($shell)."
|
||||
if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
|
||||
if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
|
||||
check_dir /root
|
||||
continue
|
||||
elif $SUDO_CMD [ ! -d /home/"$user" ]; then
|
||||
|
@ -349,10 +349,10 @@ is_kernel_option_enabled() {
|
||||
fi
|
||||
|
||||
ANSWER=$(cut -d = -f 2 <<<"$RESULT")
|
||||
if [ "x$ANSWER" = "xy" ]; then
|
||||
if [ "$ANSWER" = "y" ]; then
|
||||
debug "Kernel option $KERNEL_OPTION enabled"
|
||||
FNRET=0
|
||||
elif [ "x$ANSWER" = "xn" ]; then
|
||||
elif [ "$ANSWER" = "n" ]; then
|
||||
debug "Kernel option $KERNEL_OPTION disabled"
|
||||
FNRET=1
|
||||
else
|
||||
|
@ -5,7 +5,9 @@ test_audit() {
|
||||
# shellcheck disable=2154
|
||||
/opt/debian-cis/bin/hardening/"${script}".sh || true
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
touch /home/secaudit/thisfileisignored
|
||||
chmod 777 /home/secaudit/thisfileisignored
|
||||
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
|
Loading…
Reference in New Issue
Block a user