mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
consider exclusions in apply() functions
This commit is contained in:
parent
413277d7eb
commit
70be679567
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
DESCRIPTION="Find SUID system executables."
|
DESCRIPTION="Find SUID system executables."
|
||||||
|
IGNORED_PATH=''
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if there are suid files"
|
info "Checking if there are suid files"
|
||||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
||||||
# shellcheck disable=2086
|
# shellcheck disable=2086
|
||||||
|
if [ ! -z $IGNORED_PATH ]; then
|
||||||
|
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||||
|
else
|
||||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
|
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
|
||||||
|
fi
|
||||||
BAD_BINARIES=""
|
BAD_BINARIES=""
|
||||||
for BINARY in $FOUND_BINARIES; do
|
for BINARY in $FOUND_BINARIES; do
|
||||||
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
||||||
|
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
|
|||||||
# shellcheck disable=2034
|
# shellcheck disable=2034
|
||||||
HARDENING_LEVEL=2
|
HARDENING_LEVEL=2
|
||||||
DESCRIPTION="Find SGID system executables."
|
DESCRIPTION="Find SGID system executables."
|
||||||
|
IGNORED_PATH=''
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if there are sgid files"
|
info "Checking if there are sgid files"
|
||||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
||||||
# shellcheck disable=2086
|
# shellcheck disable=2086
|
||||||
|
if [ ! -z $IGNORED_PATH ]; then
|
||||||
|
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||||
|
else
|
||||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
|
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
|
||||||
|
fi
|
||||||
BAD_BINARIES=""
|
BAD_BINARIES=""
|
||||||
for BINARY in $FOUND_BINARIES; do
|
for BINARY in $FOUND_BINARIES; do
|
||||||
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
||||||
|
@ -37,7 +37,11 @@ audit () {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
|
if [ ! -z $EXCLUDED ]; then
|
||||||
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||||
|
else
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||||
|
fi
|
||||||
if [ ! -z "$RESULT" ]; then
|
if [ ! -z "$RESULT" ]; then
|
||||||
warn "Applying chown on all unowned files in the system"
|
warn "Applying chown on all unowned files in the system"
|
||||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||||
|
@ -37,7 +37,11 @@ audit () {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
|
if [ ! -z $EXCLUDED ]; then
|
||||||
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||||
|
else
|
||||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||||
|
fi
|
||||||
if [ ! -z "$RESULT" ]; then
|
if [ ! -z "$RESULT" ]; then
|
||||||
warn "Applying chgrp on all ungrouped files in the system"
|
warn "Applying chgrp on all ungrouped files in the system"
|
||||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||||
|
2
debian/changelog
vendored
2
debian/changelog
vendored
@ -1,7 +1,7 @@
|
|||||||
cis-hardening (1.3-3) unstable; urgency=medium
|
cis-hardening (1.3-3) unstable; urgency=medium
|
||||||
|
|
||||||
* changelog: update changelog
|
* changelog: update changelog
|
||||||
* IMP(12.8,12.9): be able to exclude some paths
|
* IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
|
||||||
|
|
||||||
-- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com> Mon, 30 Mar 2020 19:12:03 +0200
|
-- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com> Mon, 30 Mar 2020 19:12:03 +0200
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user