IMP(12.8,12.9,12.10,12.11): be able to exclude some paths

consider exclusions in apply() functions
2025-06-22 02:33:42 +02:00 · 2020-03-31 14:22:24 +02:00
parent 413277d7eb
commit 70be679567
5 changed files with 23 additions and 5 deletions
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
+IGNORED_PATH=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are suid files"
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
    # shellcheck disable=2086
-    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
+IGNORED_PATH=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are sgid files"
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
    # shellcheck disable=2086
-    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@ -37,7 +37,11 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+    fi
    if [ ! -z "$RESULT" ]; then
        warn "Applying chown on all unowned files in the system"
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@ -37,7 +37,11 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+    fi
    if [ ! -z "$RESULT" ]; then
        warn "Applying chgrp on all ungrouped files in the system"
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP