From 7ad0df963ce3e55f40f00048ef2fa5814fb55269 Mon Sep 17 00:00:00 2001
From: Charles Herlin
Date: Wed, 13 Feb 2019 16:07:06 +0100
Subject: [PATCH] IMP: enhance scripts that check duplicate UID

Add exception handling in 13.14_check_duplicate_uid
Clarifies output message and explicitly displays found exceptions
Add tests
Apply shellcheck recommendation

modified: bin/hardening/13.14_check_duplicate_uid.sh
modified: bin/hardening/13.5_find_0_uid_non_root_account.sh
new file: tests/hardening/13.14_check_duplicate_uid.sh
new file: tests/hardening/13.5_find_0_uid_non_root_account.sh
---
 bin/hardening/13.14_check_duplicate_uid.sh | 54 +++++++++++++------
 .../13.5_find_0_uid_non_root_account.sh | 23 ++++----
 tests/hardening/13.14_check_duplicate_uid.sh | 33 ++++++++++++
 .../13.5_find_0_uid_non_root_account.sh | 31 +++++++++++
 4 files changed, 116 insertions(+), 25 deletions(-)
 create mode 100644 tests/hardening/13.14_check_duplicate_uid.sh
 create mode 100644 tests/hardening/13.5_find_0_uid_non_root_account.sh

diff --git a/bin/hardening/13.14_check_duplicate_uid.sh b/bin/hardening/13.14_check_duplicate_uid.sh
index 945aa36..592409d 100755
--- a/bin/hardening/13.14_check_duplicate_uid.sh
+++ b/bin/hardening/13.14_check_duplicate_uid.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+# run-shellcheck
 #
 # CIS Debian Hardening
 #
@@ -11,28 +11,38 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
+# shellcheck disable=2034
 HARDENING_LEVEL=2
-DESCRIPTION="There is no duplicate UIDs."
+# shellcheck disable=2034
+DESCRIPTION="Checking for duplicate UIDs."
+EXCEPTIONS=""
 ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
- for LINE in $RESULT; do
+ RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' )
+ FOUND_EXCEPTIONS=""
+ for LINE in $RESULT; do
 debug "Working on line $LINE"
- OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
- USERID=$(awk -F: {'print $2'} <<< $LINE)
- if [ $OCC_NUMBER -gt 1 ]; then
- USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
- ERRORS=$((ERRORS+1))
- crit "Duplicate UID ($USERID): ${USERS}"
+ OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")
+ USERID=$(awk -F: '{print $2}' <<< "$LINE")
+ if [ "$OCC_NUMBER" -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n="$USERID" /etc/passwd | xargs)
+ ID_NAMES="($USERID): ${USERS}"
+ if echo "$EXCEPTIONS" | grep -qw "$USERID"; then
+ debug "$USERID is confirmed as an exception"
+ FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ID_NAMES"
+ else
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate UID $ID_NAMES"
+ fi
 fi
- done
+ done
 if [ $ERRORS = 0 ]; then
- ok "No duplicate UIDs"
- fi
+ ok "No duplicate UIDs${FOUND_EXCEPTIONS:+ apart from configured exceptions:}${FOUND_EXCEPTIONS}"
+ fi
 }
 # This function will be called if the script status is on enabled mode
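Review bot: The exception lookup `if echo "$EXCEPTIONS" | grep -qw "$USERID"; then` hands the UID to grep as a regular-expression pattern, yet the value comes straight from the third field of /etc/passwd, which is precisely the data this audit distrusts; an empty or non-numeric field would be interpreted as a pattern rather than compared literally. `grep -qwF -- "$USERID"` keeps the word-boundary match while treating the value as a fixed string. Separately, a waived duplicate is reported only through `debug "$USERID is confirmed as an exception"`, so in a normal run the waiver surfaces solely in the closing ok line; raising it to `info "$USERID is confirmed as an exception"` would keep each applied exception in the audit output where a reviewer reads it.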
@@ -40,9 +50,20 @@ apply () {
 info "Editing automatically uids may seriously harm your system, report only here"
 }
+# This function will create the config file for this check with default values
+create_config() {
+ cat <> /opt/debian-cis/etc/conf.d/"${script}".cfg
+
+ describe Adding exceptions
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] No duplicate UIDs apart from configured exceptions: (1000): usertest1 usertest2"
+ run exception /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ userdel usertest1
+ userdel usertest2
+ sed -i '/usertest1/d' /etc/group
+ sed -i '/usertest2/d' /etc/group
+}
+
diff --git a/tests/hardening/13.5_find_0_uid_non_root_account.sh b/tests/hardening/13.5_find_0_uid_non_root_account.sh
new file mode 100644
index 0000000..fe6635d
--- /dev/null
+++ b/tests/hardening/13.5_find_0_uid_non_root_account.sh
@@ -0,0 +1,31 @@
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] No account with uid 0 appart from root"
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ useradd usertest1
+ sed -i 's/1000/0/g' /etc/passwd
+
+ # Proceed to operation that will end up to a non compliant system
+ describe Tests purposely failing
+ register_test retvalshouldbe 1
+ register_test contain "[ KO ] Some accounts have uid 0: usertest1"
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # shellcheck disable=2016
+ echo 'EXCEPTIONS="$EXCEPTIONS usertest1"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
+
+ describe Adding exceptions
+ register_test retvalshouldbe 0
+ register_test contain "[ OK ] No account with uid 0 appart from root and configured exceptions: usertest1"
+ run exception /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # Cleanup
+ sed -i '/usertest1/d' /etc/passwd
+ sed -i '/usertest1/d' /etc/shadow
+ sed -i '/usertest1/d' /etc/group
+}
+
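Review bot: In tests/hardening/13.5_find_0_uid_non_root_account.sh, `sed -i 's/1000/0/g' /etc/passwd` rewrites every occurrence of `1000` in the file rather than usertest1's UID alone — it also touches the GID field and any other account or comment field containing that digit string — and it silently changes nothing if useradd did not allocate UID 1000 on the test host, in which case the "purposely failing" run would pass for the wrong reason. `usermod -o -u 0 usertest1` changes only that account and states the non-unique UID explicitly; the cleanup lines `sed -i '/usertest1/d' /etc/passwd` and `sed -i '/usertest1/d' /etc/shadow` could then likely be replaced by `userdel usertest1`, as the 13.14 test in this same commit already does. The expected strings spell `appart`; that mirrors the script's own message, which is outside this hunk, so both register_test lines must change in step if that typo is ever corrected.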