From 66ccc6316a7f39e43d269091fb016e1e051abd8c Mon Sep 17 00:00:00 2001 From: ymartin-ovh <69240594+ymartin-ovh@users.noreply.github.com> Date: Fri, 24 Jun 2022 17:45:47 +0200 Subject: [PATCH] feat: Filter the filesystem to check when the list is built. (#156) * feat: Attempt to filter-out filesystem that match exclusion regex. --- .../1.1.21_sticky_bit_world_writable_folder.sh | 8 ++++++-- bin/hardening/6.1.10_find_world_writable_file.sh | 9 ++++++--- bin/hardening/6.1.11_find_unowned_files.sh | 9 +++++++-- bin/hardening/6.1.12_find_ungrouped_files.sh | 9 +++++++-- bin/hardening/6.1.13_find_suid_files.sh | 10 ++++++++-- bin/hardening/6.1.14_find_sgid_files.sh | 10 ++++++++-- bin/hardening/99.5.2.4_ssh_keys_from.sh | 4 ++-- lib/utils.sh | 4 ++-- tests/hardening/6.1.10_find_world_writable_file.sh | 4 +++- 9 files changed, 49 insertions(+), 18 deletions(-) diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh index 2c68272..49750dc 100755 --- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh @@ -22,11 +22,15 @@ EXCEPTIONS='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if setuid is set on world writable Directories" - FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') if [ -n "$EXCEPTIONS" ]; then + # maybe EXCEPTIONS allow us to filter out some FS + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS") + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null) else + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) fi 
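Review bot: The new `grep -vE "$EXCEPTIONS"` stage on the FS_NAMES line matches the pattern anywhere inside a mount point, while the `find … ! -regex` it feeds has to match the whole path, so a pattern like `^/mnt/data` that find applies only to that exact path now also drops `/mnt/data2` and every other mount point starting that way, and those filesystems are silently left out of the audit. Matching whole lines, `grep -vxE "$EXCEPTIONS"`, keeps the two exclusions consistent. When every mount point is filtered out, `$FS_NAMES` is empty and `find` with no starting point defaults to `.`, so the scan should be skipped when `[ -z "$FS_NAMES" ]` (the pipeline's status is then grep's 1 as well, which matters if these scripts run with errexit). The same applies to the audit and apply hunks of 6.1.10, 6.1.11, 6.1.12, 6.1.13 and 6.1.14; audit() continues past the end of this hunk.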
@@ -45,7 +49,7 @@ audit() { apply() { if [ -n "$EXCEPTIONS" ]; then # shellcheck disable=SC2086 - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null) + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null) else RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) fi diff --git a/bin/hardening/6.1.10_find_world_writable_file.sh b/bin/hardening/6.1.10_find_world_writable_file.sh index 2ab5b56..74cc957 100755 --- a/bin/hardening/6.1.10_find_world_writable_file.sh +++ b/bin/hardening/6.1.10_find_world_writable_file.sh @@ -22,12 +22,15 @@ EXCLUDED='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if there are world writable files" - FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') - if [ -n "$EXCLUDED" ]; then + # maybe EXCLUDED allow us to filter out some FS + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED") + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) else + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null) fi 
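Review bot: Quoting `! -regex "$EXCEPTIONS"` on the new RESULT line in apply() changes how a value with leading whitespace is handled: the config convention appends with `EXCEPTIONS="$EXCEPTIONS ^/foo/.*"` (the test in this commit does exactly that for EXCLUDED), so the value starts with a space; the unquoted form in audit() word-splits it away, whereas the quoted form hands ` ^/foo/.*` to find, where a `^` after a space cannot match and the first alternative is silently dead. Trimming once before use, `EXCEPTIONS=$(printf '%s\n' "$EXCEPTIONS" | sed -E 's/^[[:space:]]+//;s/[[:space:]]+$//')`, makes audit() and apply() agree, after which the still-unquoted `$EXCEPTIONS` in audit() can be quoted too. The apply hunks of 6.1.10, 6.1.11 and 6.1.12 quote `"$EXCLUDED"` the same way.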
@@ -46,7 +49,7 @@ audit() { apply() { if [ -n "$EXCLUDED" ]; then # shellcheck disable=SC2086 - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null) else RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null) fi diff --git a/bin/hardening/6.1.11_find_unowned_files.sh b/bin/hardening/6.1.11_find_unowned_files.sh index 2495541..10fe5fb 100755 --- a/bin/hardening/6.1.11_find_unowned_files.sh +++ b/bin/hardening/6.1.11_find_unowned_files.sh @@ -23,14 +23,19 @@ EXCLUDED='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if there are unowned files" - FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') if [ -n "$EXCLUDED" ]; then + # maybe EXCLUDED allow us to filter out some FS + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED") + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) else + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null) fi + if [ -n "$RESULT" ]; then crit "Some unowned files are present" # shellcheck disable=SC2001 
@@ -45,7 +50,7 @@ audit() { apply() { if [ -n "$EXCLUDED" ]; then # shellcheck disable=SC2086 - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null) + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) else RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null) fi diff --git a/bin/hardening/6.1.12_find_ungrouped_files.sh b/bin/hardening/6.1.12_find_ungrouped_files.sh index 680a07a..379f6d3 100755 --- a/bin/hardening/6.1.12_find_ungrouped_files.sh +++ b/bin/hardening/6.1.12_find_ungrouped_files.sh @@ -23,14 +23,19 @@ EXCLUDED='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if there are ungrouped files" - FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') if [ -n "$EXCLUDED" ]; then + # maybe EXCLUDED allow us to filter out some FS + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED") + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null) else + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') + # shellcheck disable=SC2086 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null) fi + if [ -n "$RESULT" ]; then crit "Some ungrouped files are present" # shellcheck disable=SC2001 
@@ -45,7 +50,7 @@ audit() { apply() { if [ -n "$EXCLUDED" ]; then # shellcheck disable=SC2086 - RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null) + RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null) else RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null) fi diff --git a/bin/hardening/6.1.13_find_suid_files.sh b/bin/hardening/6.1.13_find_suid_files.sh index 592d3f0..f142673 100755 --- a/bin/hardening/6.1.13_find_suid_files.sh +++ b/bin/hardening/6.1.13_find_suid_files.sh @@ -21,13 +21,19 @@ IGNORED_PATH='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if there are suid files" - FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') - # shellcheck disable=2086 if [ -n "$IGNORED_PATH" ]; then + # maybe IGNORED_PATH allow us to filter out some FS + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH") + + # shellcheck disable=2086 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print) else + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') + + # shellcheck disable=2086 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print) fi + BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then diff --git a/bin/hardening/6.1.14_find_sgid_files.sh b/bin/hardening/6.1.14_find_sgid_files.sh index 1bb0d89..0387d1b 100755 --- a/bin/hardening/6.1.14_find_sgid_files.sh +++ b/bin/hardening/6.1.14_find_sgid_files.sh 
@@ -21,13 +21,19 @@ IGNORED_PATH='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if there are sgid files" - FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }') - # shellcheck disable=2086 if [ -n "$IGNORED_PATH" ]; then + # maybe IGNORED_PATH allow us to filter out some FS + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH") + + # shellcheck disable=2086 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print) else + FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') + + # shellcheck disable=2086 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print) fi + BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then diff --git a/bin/hardening/99.5.2.4_ssh_keys_from.sh b/bin/hardening/99.5.2.4_ssh_keys_from.sh index 6377a44..274053d 100755 --- a/bin/hardening/99.5.2.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.2.4_ssh_keys_from.sh @@ -109,7 +109,7 @@ audit() { crit "/etc/ssh/sshd_config is not readable." else ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO') - if [ "x$ret" = "x#KO" ]; then + if [ "$ret" = "#KO" ]; then debug "No AuthorizedKeysFile defined in sshd_config." else AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]") @@ -137,7 +137,7 @@ audit() { continue else info "User $user has a valid shell ($shell)." - if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then + if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then check_dir /root continue elif $SUDO_CMD [ ! -d /home/"$user" ]; then diff --git a/lib/utils.sh b/lib/utils.sh index 7d22f8f..590e78e 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
@@ -349,10 +349,10 @@ is_kernel_option_enabled() { fi ANSWER=$(cut -d = -f 2 <<<"$RESULT") - if [ "x$ANSWER" = "xy" ]; then + if [ "$ANSWER" = "y" ]; then debug "Kernel option $KERNEL_OPTION enabled" FNRET=0 - elif [ "x$ANSWER" = "xn" ]; then + elif [ "$ANSWER" = "n" ]; then debug "Kernel option $KERNEL_OPTION disabled" FNRET=1 else diff --git a/tests/hardening/6.1.10_find_world_writable_file.sh b/tests/hardening/6.1.10_find_world_writable_file.sh index faf9229..2ee621f 100644 --- a/tests/hardening/6.1.10_find_world_writable_file.sh +++ b/tests/hardening/6.1.10_find_world_writable_file.sh @@ -5,7 +5,9 @@ test_audit() { # shellcheck disable=2154 /opt/debian-cis/bin/hardening/"${script}".sh || true # shellcheck disable=2016 - echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg + echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg + touch /home/secaudit/thisfileisignored + chmod 777 /home/secaudit/thisfileisignored describe Running on blank host register_test retvalshouldbe 0
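Review bot: The added file only exercises the `find … ! -regex` exclusion, not the new mount-point prefilter: `/home/secaudit/thisfileisignored` sits on whatever filesystem holds `/home`, and `retvalshouldbe 0` passes just the same if the `grep -vE` stage is a no-op. A world-writable file on a mount point that matches EXCLUDED, plus a negative control where a file outside the pattern makes the script return non-zero, would pin the behaviour this commit adds, unless a later case in the file already does so. `chmod o+w` also states the property under test more precisely than `chmod 777`, and the file is never removed, which may affect later cases. As far as this hunk shows the script is only run once, before the config is written, so apply()'s quoting change in the other hunks is not covered here; test_audit continues past the end of the hunk.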