elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-23 19:14:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: Filter the filesystem to check when the list is built. (#156)

Browse Source 
* feat: Attempt to filter-out filesystem that match exclusion regex.
This commit is contained in:
ymartin-ovh
2022-06-24 17:45:47 +02:00
committed by GitHub
parent 7a3145d7f1
commit 66ccc6316a
9 changed files with 49 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
bin/hardening/6.1.12_find_ungrouped_files.sh
View File

@ -23,14 +23,19 @@ EXCLUDED=''
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are ungrouped files"
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
if [ -n "$EXCLUDED" ]; then
# maybe EXCLUDED allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
fi
if [ -n "$RESULT" ]; then
crit "Some ungrouped files are present"
# shellcheck disable=SC2001
@ -45,7 +50,7 @@ audit() {
apply() {
if [ -n "$EXCLUDED" ]; then
# shellcheck disable=SC2086
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
fi