mirror of
https://github.com/ovh/debian-cis.git
synced 2025-06-22 02:33:42 +02:00
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
consider exclusions in apply() functions
This commit is contained in:
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find SUID system executables."
|
||||
IGNORED_PATH=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are suid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
||||
# shellcheck disable=2086
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
|
||||
if [ ! -z $IGNORED_PATH ]; then
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
else
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
|
||||
fi
|
||||
BAD_BINARIES=""
|
||||
for BINARY in $FOUND_BINARIES; do
|
||||
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
||||
|
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find SGID system executables."
|
||||
IGNORED_PATH=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are sgid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
||||
# shellcheck disable=2086
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
|
||||
if [ ! -z $IGNORED_PATH ]; then
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
else
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
|
||||
fi
|
||||
BAD_BINARIES=""
|
||||
for BINARY in $FOUND_BINARIES; do
|
||||
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
||||
|
@ -37,7 +37,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Applying chown on all unowned files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||
|
@ -37,7 +37,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Applying chgrp on all ungrouped files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||
|
Reference in New Issue
Block a user