mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-25 23:11:24 +01:00
IMP: enhance scripts that check duplicate UID
Add exception handling in 13.14_check_duplicate_uid Clarifies output message and explicitly displays found exceptions Add tests Apply shellcheck recommendation modified: bin/hardening/13.14_check_duplicate_uid.sh modified: bin/hardening/13.5_find_0_uid_non_root_account.sh new file: tests/hardening/13.14_check_duplicate_uid.sh new file: tests/hardening/13.5_find_0_uid_non_root_account.sh
This commit is contained in:
parent
7e3ee2eb93
commit
7ad0df963c
@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
@ -11,28 +11,38 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
DESCRIPTION="There is no duplicate UIDs."
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Checking for duplicate UIDs."
|
||||
EXCEPTIONS=""
|
||||
|
||||
ERRORS=0
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
|
||||
for LINE in $RESULT; do
|
||||
RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' )
|
||||
FOUND_EXCEPTIONS=""
|
||||
for LINE in $RESULT; do
|
||||
debug "Working on line $LINE"
|
||||
OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
|
||||
USERID=$(awk -F: {'print $2'} <<< $LINE)
|
||||
if [ $OCC_NUMBER -gt 1 ]; then
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "Duplicate UID ($USERID): ${USERS}"
|
||||
OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")
|
||||
USERID=$(awk -F: '{print $2}' <<< "$LINE")
|
||||
if [ "$OCC_NUMBER" -gt 1 ]; then
|
||||
USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERID" /etc/passwd | xargs)
|
||||
ID_NAMES="($USERID): ${USERS}"
|
||||
if echo "$EXCEPTIONS" | grep -qw "$USERID"; then
|
||||
debug "$USERID is confirmed as an exception"
|
||||
FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ID_NAMES"
|
||||
else
|
||||
ERRORS=$((ERRORS+1))
|
||||
crit "Duplicate UID $ID_NAMES"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $ERRORS = 0 ]; then
|
||||
ok "No duplicate UIDs"
|
||||
fi
|
||||
ok "No duplicate UIDs${FOUND_EXCEPTIONS:+ apart from configured exceptions:}${FOUND_EXCEPTIONS}"
|
||||
fi
|
||||
}
|
||||
|
||||
# This function will be called if the script status is on enabled mode
|
||||
@ -40,9 +50,20 @@ apply () {
|
||||
info "Editing automatically uids may seriously harm your system, report only here"
|
||||
}
|
||||
|
||||
# This function will create the config file for this check with default values
|
||||
create_config() {
|
||||
cat <<EOF
|
||||
status=disabled
|
||||
# Put here valid UIDs for which multiple usernames are accepted
|
||||
EXCEPTIONS=""
|
||||
EOF
|
||||
}
|
||||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ -z "$EXCEPTIONS" ]; then
|
||||
EXCEPTIONS="@"
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
@ -56,8 +77,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=/opt/debian-cis/lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
|
@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
# run-shellcheck
|
||||
#
|
||||
# CIS Debian Hardening
|
||||
#
|
||||
@ -11,8 +11,11 @@
|
||||
set -e # One error, it's over
|
||||
set -u # One variable unset, it's over
|
||||
|
||||
# shellcheck disable=2034
|
||||
HARDENING_LEVEL=2
|
||||
# shellcheck disable=2034
|
||||
DESCRIPTION="Verify root is the only UID 0 account."
|
||||
EXCEPTIONS=""
|
||||
|
||||
FILE='/etc/passwd'
|
||||
RESULT=''
|
||||
@ -20,23 +23,24 @@ RESULT=''
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
info "Checking if accounts have uid 0"
|
||||
RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
|
||||
RESULT=$(awk -F: '($3 == 0 && $1!="root" ) { print $1 }' "$FILE" )
|
||||
FOUND_EXCEPTIONS=""
|
||||
for ACCOUNT in $RESULT; do
|
||||
debug "Account : $ACCOUNT"
|
||||
debug "Exceptions : $EXCEPTIONS"
|
||||
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||
debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT"
|
||||
if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then
|
||||
debug "$ACCOUNT is confirmed as an exception"
|
||||
RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
|
||||
FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT"
|
||||
else
|
||||
debug "$ACCOUNT not found in exceptions"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "$RESULT" ]; then
|
||||
crit "Some accounts have uid 0"
|
||||
crit $RESULT
|
||||
crit "Some accounts have uid 0: $(tr '\n' ' ' <<< "$RESULT")"
|
||||
else
|
||||
ok "No account with uid 0 appart from root and potential configured exceptions"
|
||||
ok "No account with uid 0 appart from root ${FOUND_EXCEPTIONS:+and configured exceptions:}$FOUND_EXCEPTIONS"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -72,8 +76,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
|
||||
fi
|
||||
|
||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
||||
. $CIS_ROOT_DIR/lib/main.sh
|
||||
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
||||
# shellcheck source=/opt/debian-cis/lib/main.sh
|
||||
. "$CIS_ROOT_DIR"/lib/main.sh
|
||||
else
|
||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
||||
exit 128
|
||||
|
33
tests/hardening/13.14_check_duplicate_uid.sh
Normal file
33
tests/hardening/13.14_check_duplicate_uid.sh
Normal file
@ -0,0 +1,33 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] No duplicate UIDs"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
useradd usertest1
|
||||
useradd usertest2
|
||||
sed -i 's/1001/1000/g' /etc/passwd
|
||||
|
||||
# Proceed to operation that will end up to a non compliant system
|
||||
describe Tests purposely failing
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "[ KO ] Duplicate UID (1000): usertest1 usertest2"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS 1000"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Adding exceptions
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] No duplicate UIDs apart from configured exceptions: (1000): usertest1 usertest2"
|
||||
run exception /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# Cleanup
|
||||
userdel usertest1
|
||||
userdel usertest2
|
||||
sed -i '/usertest1/d' /etc/group
|
||||
sed -i '/usertest2/d' /etc/group
|
||||
}
|
||||
|
31
tests/hardening/13.5_find_0_uid_non_root_account.sh
Normal file
31
tests/hardening/13.5_find_0_uid_non_root_account.sh
Normal file
@ -0,0 +1,31 @@
|
||||
# run-shellcheck
|
||||
test_audit() {
|
||||
describe Running on blank host
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] No account with uid 0 appart from root"
|
||||
# shellcheck disable=2154
|
||||
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
useradd usertest1
|
||||
sed -i 's/1000/0/g' /etc/passwd
|
||||
|
||||
# Proceed to operation that will end up to a non compliant system
|
||||
describe Tests purposely failing
|
||||
register_test retvalshouldbe 1
|
||||
register_test contain "[ KO ] Some accounts have uid 0: usertest1"
|
||||
run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# shellcheck disable=2016
|
||||
echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
|
||||
|
||||
describe Adding exceptions
|
||||
register_test retvalshouldbe 0
|
||||
register_test contain "[ OK ] No account with uid 0 appart from root and configured exceptions: usertest1"
|
||||
run exception /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||
|
||||
# Cleanup
|
||||
sed -i '/usertest1/d' /etc/passwd
|
||||
sed -i '/usertest1/d' /etc/shadow
|
||||
sed -i '/usertest1/d' /etc/group
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user