From 76abf8da36a84caa07137738a932cb392fae9c59 Mon Sep 17 00:00:00 2001 From: Charles Herlin Date: Mon, 12 Feb 2018 15:37:12 +0100 Subject: [PATCH] resolve #SOC-30 Also check /etc/security/limits.d/ for core dump limit --- bin/hardening/4.1_restrict_core_dumps.sh | 26 +++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh index 2fec2fa..f8fa343 100755 --- a/bin/hardening/4.1_restrict_core_dumps.sh +++ b/bin/hardening/4.1_restrict_core_dumps.sh @@ -14,17 +14,33 @@ set -u # One variable unset, it's over HARDENING_LEVEL=2 LIMIT_FILE='/etc/security/limits.conf' +LIMIT_DIR='/etc/security/limits.d' LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$' SYSCTL_PARAM='fs.suid_dumpable' SYSCTL_EXP_RESULT=0 # This function will be called if the script status is on enabled / audit mode audit () { - does_pattern_exist_in_file $LIMIT_FILE $LIMIT_PATTERN - if [ $FNRET != 0 ]; then - crit "$LIMIT_PATTERN not present in $LIMIT_FILE" - else - ok "$LIMIT_PATTERN present in $LIMIT_FILE" + SEARCH_RES=0 + LIMIT_FILES="" + if $SUDO_CMD [ -d $LIMIT_DIR ]; then + for file in $($SUDO_CMD ls $LIMIT_DIR/*.conf); do + LIMIT_FILES="$LIMIT_FILES $LIMIT_DIR/$file" + done + fi + debug "Files to search $LIMIT_FILE $LIMIT_FILES" + for file in $LIMIT_FILE $LIMIT_FILES; do + does_pattern_exist_in_file $file $LIMIT_PATTERN + if [ $FNRET != 0 ]; then + debug "$LIMIT_PATTERN not present in $file" + else + ok "$LIMIT_PATTERN present in $file" + SEARCH_RES=1 + break + fi + done + if [ $SEARCH_RES = 0 ]; then + crit "$LIMIT_PATTERN is not present in $LIMIT_FILE $LIMIT_FILES" fi has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" if [ $FNRET != 0 ]; then