elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-06-23 19:14:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: Filter the filesystem to check when the list is built. (#156)

Browse Source 
* feat: Attempt to filter-out filesystem that match exclusion regex.
This commit is contained in:
ymartin-ovh
2022-06-24 17:45:47 +02:00
committed by GitHub
parent 7a3145d7f1
commit 66ccc6316a
9 changed files with 49 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
bin/hardening/6.1.13_find_suid_files.sh
View File

@ -21,13 +21,19 @@ IGNORED_PATH=''
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are suid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
# shellcheck disable=2086
if [ -n "$IGNORED_PATH" ]; then
# maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
fi
BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then