From 77f01d2709bebb46728533ef47783fca1088cfc9 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sat, 16 Apr 2016 18:32:09 +0200 Subject: [PATCH] 13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh --- bin/hardening/13.7_check_user_dir_perm.sh | 10 ++- .../13.8_check_user_dot_file_perm.sh | 77 +++++++++++++++++++ bin/hardening/13.9_set_perm_on_user_netrc.sh | 70 +++++++++++++++++ etc/conf.d/13.8_check_user_dot_file_perm.cfg | 2 + etc/conf.d/13.9_set_perm_on_user_netrc.cfg | 2 + 5 files changed, 160 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/13.8_check_user_dot_file_perm.sh create mode 100755 bin/hardening/13.9_set_perm_on_user_netrc.sh create mode 100644 etc/conf.d/13.8_check_user_dot_file_perm.cfg create mode 100644 etc/conf.d/13.9_set_perm_on_user_netrc.cfg diff --git a/bin/hardening/13.7_check_user_dir_perm.sh b/bin/hardening/13.7_check_user_dir_perm.sh index bad4299..bd8eb5f 100755 --- a/bin/hardening/13.7_check_user_dir_perm.sh +++ b/bin/hardening/13.7_check_user_dir_perm.sh @@ -13,7 +13,6 @@ set -e # One error, it's over set -u # One variable unset, it's over ERRORS=0 -PERMISSION="750" # This function will be called if the script status is on enabled / audit mode audit () { @@ -31,18 +30,27 @@ audit () { dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") if [ $(echo $dirperm | cut -c6 ) != "-" ]; then crit "Group Write permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi if [ $(echo $dirperm | cut -c8 ) != "-" ]; then crit "Other Read permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi if [ $(echo $dirperm | cut -c9 ) != "-" ]; then crit "Other Write permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi if [ $(echo $dirperm | cut -c10 ) != "-" ]; then crit "Other Execute permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi fi done + + if [ $ERRORS = 0 ]; then + ok "No incorrect permissions on home directories" + fi + } # This function will be called if the script status is on enabled mode diff --git a/bin/hardening/13.8_check_user_dot_file_perm.sh b/bin/hardening/13.8_check_user_dot_file_perm.sh new file mode 100755 index 0000000..0f2024d --- /dev/null +++ b/bin/hardening/13.8_check_user_dot_file_perm.sh @@ -0,0 +1,77 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.8 Check User Dot File Permissions (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/.[A-Za-z0-9]*; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") + if [ $(echo $FILEPERM | cut -c6) != "-" ]; then + crit "Group Write permission set on FILE $FILE" + ERRORS=$((ERRORS+1)) + fi + if [ $(echo $FILEPERM | cut -c9) != "-" ]; then + crit "Other Write permission set on FILE $FILE" + ERRORS=$((ERRORS+1)) + fi + fi + done + done + + if [ $ERRORS = 0 ]; then + ok "Dot file permission in users directories are correct" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + for FILE in $DIR/.[A-Za-z0-9]*; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") + if [ $(echo $FILEPERM | cut -c6) != "-" ]; then + warn "Group Write permission set on FILE $FILE" + chmod g-w $FILE + fi + if [ $(echo $FILEPERM | cut -c9) != "-" ]; then + warn "Other Write permission set on FILE $FILE" + chmod o-w $FILE + fi + fi + done + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.9_set_perm_on_user_netrc.sh b/bin/hardening/13.9_set_perm_on_user_netrc.sh new file mode 100755 index 0000000..420e2f3 --- /dev/null +++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh @@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.8 Check User Dot File Permissions (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 +PERMISSIONS="600" + +# This function will be called if the script status is on enabled / audit mode +audit () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/.netrc; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi + fi + done + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/.netrc; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + warn "$FILE has not $PERMISSIONS permissions set" + chmod 600 $FILE + fi + fi + done + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/13.8_check_user_dot_file_perm.cfg b/etc/conf.d/13.8_check_user_dot_file_perm.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.8_check_user_dot_file_perm.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.9_set_perm_on_user_netrc.cfg b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled