IMP(12.8,12.9,12.10,12.11): be able to exclude some paths

Also honour the configured exclusion list in the apply() functions of 12.10 and 12.11, not only in audit().
This commit is contained in:
Benjamin MONTHOUEL 2020-03-31 14:22:24 +02:00
parent 413277d7eb
commit 70be679567
5 changed files with 23 additions and 5 deletions


@ -14,13 +14,18 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables." DESCRIPTION="Find SUID system executables."
IGNORED_PATH=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are suid files" info "Checking if there are suid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
# shellcheck disable=2086 # shellcheck disable=2086
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) if [ ! -z $IGNORED_PATH ]; then
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
else
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
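Review bot: `if [ ! -z $IGNORED_PATH ]; then` expands the exclusion regex unquoted, so a value containing `*` or `.*` is globbed against the current directory and a value with whitespace (for example an alternation of two paths) makes `[` fail with "too many arguments"; write `if [ -n "$IGNORED_PATH" ]; then`. Because this silently removes SUID binaries from a hardening audit, the skipped set should be visible in the output, e.g. `info "Ignoring SUID files matching: $IGNORED_PATH"` before the find, so a report that looks clean can be read together with what was excluded. GNU find's `-regex` matches the whole path, so a bare directory such as `/opt/foo` excludes nothing and the operator has to write `/opt/foo/.*`; a short comment next to `IGNORED_PATH=''` saying that the value is a full-path egrep regex would prevent that misconfiguration, assuming it is meant to be overridden from the configuration file (not visible in this hunk). audit() continues past the end of the hunk.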


@ -14,13 +14,18 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find SGID system executables." DESCRIPTION="Find SGID system executables."
IGNORED_PATH=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are sgid files" info "Checking if there are sgid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
# shellcheck disable=2086 # shellcheck disable=2086
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) if [ ! -z $IGNORED_PATH ]; then
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
else
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
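Review bot: The new guard `[ ! -z $IGNORED_PATH ]` leaves the variable unquoted, which is exactly the case where it hurts: the value is a regex, so `.*` is subject to pathname expansion and a pattern with spaces breaks the test; `if [ -n "$IGNORED_PATH" ]; then` is the safe form. Consider also emitting the exclusion in the audit log, e.g. `info "Ignoring SGID files matching: $IGNORED_PATH"`, since an excluded SGID binary is invisible in the result and a reviewer of the report cannot otherwise tell that something was skipped. As `-regex` in GNU find is anchored on the whole path, the comment on `IGNORED_PATH=''` should say that it must match the complete path (e.g. `/var/lib/foo/.*`), presumably when it is overridden from the configuration file. The rest of audit() is outside the hunk.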


@ -37,7 +37,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null) if [ ! -z $EXCLUDED ]; then
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Applying chown on all unowned files in the system" warn "Applying chown on all unowned files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
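Review bot: The exclusion is applied only to the detection query that fills `RESULT`; the remediation on the last line of the hunk still runs `find '{}' -xdev -nouser -print | xargs chown $USER` without `! -regex "$EXCLUDED"`, so every unowned file under an excluded path is still chowned as soon as one non-excluded hit exists. That defeats the purpose of the exclusion (paths an operator excluded are typically ones that must not be touched, such as foreign uid mappings) and, with `$EXCLUDED` also expanded unquoted in the `if`, a regex containing `.*` or a space breaks the test itself. Building the filter once and using it in both finds keeps the two from drifting; the `${arr[@]+...}` form is only there so an empty array does not trip `set -u` on older bash, and can be simplified to `"${FIND_FILTER[@]}"` if the project only targets bash 4.4+. apply() continues past the end of the hunk.
```shell
apply () {
    # Build the exclusion filter once so detection and remediation cannot disagree.
    FIND_FILTER=()
    if [ -n "$EXCLUDED" ]; then
        FIND_FILTER=(-regextype 'egrep' ! -regex "$EXCLUDED")
    fi
    # ${arr[@]+"${arr[@]}"} expands to nothing when the array is empty without tripping set -u
    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser ${FIND_FILTER[@]+"${FIND_FILTER[@]}"} -ls 2>/dev/null)
    if [ ! -z "$RESULT" ]; then
        warn "Applying chown on all unowned files in the system"
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser ${FIND_FILTER[@]+"${FIND_FILTER[@]}"} -print 2>/dev/null | xargs chown $USER
        # … unchanged: rest of apply() …
```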


@ -37,7 +37,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null) if [ ! -z $EXCLUDED ]; then
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Applying chgrp on all ungrouped files in the system" warn "Applying chgrp on all ungrouped files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
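Review bot: Only the `RESULT` query honours `$EXCLUDED`; the chgrp on the last line of the hunk still uses `find '{}' -xdev -nogroup -print` with no `-regex` filter, so files under an excluded path are re-grouped to `$GROUP` anyway whenever at least one non-excluded ungrouped file exists. The `-print` find has to carry the same `-regextype 'egrep' ! -regex "$EXCLUDED"` expression under the same `if [ -n "$EXCLUDED" ]` branch as the detection query (or both should share one filter built before the first find), otherwise the exclusion is only cosmetic. While touching it, quote the test: `[ ! -z $EXCLUDED ]` word-splits and globs a regex value such as `/srv/.*`. apply() continues past the end of the hunk.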

debian/changelog vendored

@ -1,7 +1,7 @@
cis-hardening (1.3-3) unstable; urgency=medium cis-hardening (1.3-3) unstable; urgency=medium
* changelog: update changelog * changelog: update changelog
* IMP(12.8,12.9): be able to exclude some paths * IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
-- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com> Mon, 30 Mar 2020 19:12:03 +0200 -- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com> Mon, 30 Mar 2020 19:12:03 +0200