diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh
index 5acea74..8891832 100755
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
+IGNORED_PATH=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are suid files"
 FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
 # shellcheck disable=2086
- FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+ if [ ! -z $IGNORED_PATH ]; then
+ FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+ else
+ FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+ fi
 BAD_BINARIES=""
 for BINARY in $FOUND_BINARIES; do
 if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh
index 17ddedf..b636c4f 100755
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
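Review bot: `if [ ! -z $IGNORED_PATH ]; then` leaves the pattern unquoted, so a value containing glob characters or whitespace (a path regex such as `/usr/lib/.*` is both) is pathname-expanded and word-split before `[` sees it; with two or more resulting words `[` fails with "too many arguments", the else branch runs and the exclusion is silently dropped, while the empty default only works because `[ ! -z ]` happens to treat the literal `-z` as a non-empty string. Write it as `if [ -n "$IGNORED_PATH" ]; then`. Because `-regex` is matched against the whole path, an over-broad pattern hides SUID binaries from this audit entirely, on top of the per-binary `$EXCEPTIONS` allowlist in the loop below, so I would also emit `info "Ignoring SUID files matching $IGNORED_PATH"` before the find so that an active exclusion is visible in the audit log. `-regextype` is GNU find-specific, which at least matches the GNU `df --local` already used here. The body of audit continues past the end of the hunk.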
@@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
+IGNORED_PATH=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are sgid files"
 FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
 # shellcheck disable=2086
- FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+ if [ ! -z $IGNORED_PATH ]; then
+ FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+ else
+ FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+ fi
 BAD_BINARIES=""
 for BINARY in $FOUND_BINARIES; do
 if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh
index 33167c8..81a09b7 100755
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@@ -37,7 +37,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+ if [ ! -z $EXCLUDED ]; then
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+ else
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+ fi
 if [ ! -z "$RESULT" ]; then
 warn "Applying chown on all unowned files in the system"
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh
index 2df8095..e0e8876 100755
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
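Review bot: The same unquoted test as in 12.10 appears here, `if [ ! -z $IGNORED_PATH ]; then`: the pattern is glob-expanded and word-split before `[` runs, and a multi-word result makes `[` error out into the else branch, silently discarding the exclusion; use `if [ -n "$IGNORED_PATH" ]; then`. On style, 12.8 and 12.9 in this same commit call the equivalent knob `EXCLUDED` while 12.10 and 12.11 call it `IGNORED_PATH`, so whatever supplies these values has to know two names for one feature; one name across the four scripts would be simpler to configure and to audit. The two find invocations differ only in the `! -regex` clause, so a single `info "Ignoring SGID files matching $IGNORED_PATH"` in the true branch would make an active exclusion visible in the audit output instead of silently shrinking the result set. The body of audit continues beyond the hunk.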
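Review bot: The exclusion is applied only to the `-ls` listing that fills RESULT; the `chown $USER` pipeline on the last line of the hunk still runs `find '{}' -xdev -nouser -print` with no `! -regex "$EXCLUDED"`, so as soon as one non-excluded unowned file exists, files under the excluded paths are chowned anyway, and a run in which only excluded files are unowned changes nothing. The listing and the remediation have to use one filter; factoring the find into a helper that takes the find action as its arguments does that and removes the duplicated pipeline. The guard should also be `[ -n "$EXCLUDED" ]`, since the unquoted `$EXCLUDED` is glob-expanded and word-split before `[` sees it and a multi-word result drops into the else branch. The body of apply continues past the end of the hunk.
```shell
# Lists unowned files on every local filesystem, honouring $EXCLUDED when set;
# the arguments are the find action to run (e.g. -ls or -print).
find_unowned () {
    if [ -n "$EXCLUDED" ]; then
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" "$@" 2>/dev/null
    else
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser "$@" 2>/dev/null
    fi
}

apply () {
    RESULT=$(find_unowned -ls)
    if [ ! -z "$RESULT" ]; then
        warn "Applying chown on all unowned files in the system"
        find_unowned -print | xargs chown $USER
        # … unchanged: rest of apply …
```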
@@ -37,7 +37,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+ if [ ! -z $EXCLUDED ]; then
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+ else
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+ fi
 if [ ! -z "$RESULT" ]; then
 warn "Applying chgrp on all ungrouped files in the system"
 df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
diff --git a/debian/changelog b/debian/changelog
index 30bd107..ce4ba0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
 cis-hardening (1.3-3) unstable; urgency=medium
 * changelog: update changelog
- * IMP(12.8,12.9): be able to exclude some paths
+ * IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
 -- Benjamin MONTHOUËL Mon, 30 Mar 2020 19:12:03 +0200
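Review bot: As with the `-ls` listing above it, the `chgrp $GROUP` pipeline on the last hunk line still runs `find '{}' -xdev -nogroup -print` without `! -regex "$EXCLUDED"`, so the new exclusion only decides whether remediation is triggered, not which files it touches: with any non-excluded ungrouped file present, files under the excluded paths are re-grouped as well, and a run where only excluded files are ungrouped does nothing. Both finds need the same filter; if GNU find's whole-path `-regex` indeed matches no path for an empty pattern (worth a quick check on the target find version), the if/else can go and `-regextype 'egrep' ! -regex "$EXCLUDED"` can sit unconditionally in both the `-ls` and the `-print` invocation, otherwise the guard has to be repeated in front of the chgrp line, written as `[ -n "$EXCLUDED" ]` rather than the unquoted `[ ! -z $EXCLUDED ]`, which glob-expands the pattern and falls into the else branch on a multi-word result. Pre-existing but worth fixing while here: `-print | xargs chgrp` splits arguments on whitespace, so `-print0 | xargs -0 chgrp "$GROUP"` is the safe pairing. The body of apply continues past the end of the hunk.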