mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 05:27:01 +01:00
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
consider exclusions in apply() functions
This commit is contained in:
parent
413277d7eb
commit
70be679567
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find SUID system executables."
|
||||
IGNORED_PATH=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are suid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
||||
# shellcheck disable=2086
|
||||
if [ ! -z $IGNORED_PATH ]; then
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
else
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
|
||||
fi
|
||||
BAD_BINARIES=""
|
||||
for BINARY in $FOUND_BINARIES; do
|
||||
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
||||
|
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="Find SGID system executables."
|
||||
IGNORED_PATH=''
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if there are sgid files"
|
||||
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
|
||||
# shellcheck disable=2086
|
||||
if [ ! -z $IGNORED_PATH ]; then
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
|
||||
else
|
||||
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
|
||||
fi
|
||||
BAD_BINARIES=""
|
||||
for BINARY in $FOUND_BINARIES; do
|
||||
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
|
||||
|
@ -37,7 +37,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Applying chown on all unowned files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
||||
|
@ -37,7 +37,11 @@ audit () {
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
apply () {
|
||||
if [ ! -z $EXCLUDED ]; then
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
||||
else
|
||||
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
|
||||
fi
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
warn "Applying chgrp on all ungrouped files in the system"
|
||||
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
|
||||
|
2
debian/changelog
vendored
2
debian/changelog
vendored
@ -1,7 +1,7 @@
|
||||
cis-hardening (1.3-3) unstable; urgency=medium
|
||||
|
||||
* changelog: update changelog
|
||||
* IMP(12.8,12.9): be able to exclude some paths
|
||||
* IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
|
||||
|
||||
-- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com> Mon, 30 Mar 2020 19:12:03 +0200
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user