From 82a217032d81130b2755f42127317ef0d81f7566 Mon Sep 17 00:00:00 2001
From: Tarik Megzari
Date: Fri, 30 Sep 2022 10:28:48 +0200
Subject: [PATCH] fix(6.2.9): Start from UID 1000 for home ownership check (#164) Rename 6.2.3 and 6.2.9 checks to be more accurate Remove home existence check from 6.2.9 as it's handled by 6.2.3 Update tests accordingly Fixes #163
Signed-off-by: Tarik Megzari
Signed-off-by: Tarik Megzari
---
 ...omedir.sh => 6.2.3_users_homedir_exist.sh} | 0
 ...ir.sh => 6.2.9_users_homedir_ownership.sh} | 19 +------------------
 ...omedir.sh => 6.2.3_users_homedir_exist.sh} | 1 -
 ...ir.sh => 6.2.9_users_homedir_ownership.sh} | 8 +-------
 4 files changed, 2 insertions(+), 26 deletions(-)
 rename bin/hardening/{6.2.3_users_valid_homedir.sh => 6.2.3_users_homedir_exist.sh} (100%)
 rename bin/hardening/{6.2.9_users_valid_homedir.sh => 6.2.9_users_homedir_ownership.sh} (75%)
 rename tests/hardening/{6.2.3_users_valid_homedir.sh => 6.2.3_users_homedir_exist.sh} (95%)
 rename tests/hardening/{6.2.9_users_valid_homedir.sh => 6.2.9_users_homedir_ownership.sh} (67%)
diff --git a/bin/hardening/6.2.3_users_valid_homedir.sh b/bin/hardening/6.2.3_users_homedir_exist.sh
similarity index 100%
rename from bin/hardening/6.2.3_users_valid_homedir.sh
rename to bin/hardening/6.2.3_users_homedir_exist.sh
diff --git a/bin/hardening/6.2.9_users_valid_homedir.sh b/bin/hardening/6.2.9_users_homedir_ownership.sh
similarity index 75%
rename from bin/hardening/6.2.9_users_valid_homedir.sh
rename to bin/hardening/6.2.9_users_homedir_ownership.sh
index 715f81d..3467d49 100755
--- a/bin/hardening/6.2.9_users_valid_homedir.sh
+++ b/bin/hardening/6.2.9_users_homedir_ownership.sh
@@ -23,30 +23,13 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- debug "Checking homedir exists"
- RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
- for LINE in $RESULT; do
- debug "Working on $LINE"
- USER=$(awk -F: '{print $1}' <<<"$LINE")
- USERID=$(awk -F: '{print $2}' <<<"$LINE")
- DIR=$(awk -F: '{print $3}' <<<"$LINE")
- if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
- crit "The home directory ($DIR) of user $USER does not exist."
- ERRORS=$((ERRORS + 1))
- fi
- done
-
- if [ "$ERRORS" = 0 ]; then
- ok "All home directories exists"
- fi
-
 debug "Checking homedir ownership"
 RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)
 for LINE in $RESULT; do
 debug "Working on $LINE"
 USER=$(awk -F: '{print $1}' <<<"$LINE")
 USERID=$(awk -F: '{print $2}' <<<"$LINE")
 DIR=$(awk -F: '{print $3}' <<<"$LINE")
- if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
+ if [ "$USERID" -ge 1000 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
 OWNER=$(stat -L -c "%U" "$DIR")
 if [ "$OWNER" != "$USER" ]; then
 EXCEP_FOUND=0
diff --git a/tests/hardening/6.2.3_users_valid_homedir.sh b/tests/hardening/6.2.3_users_homedir_exist.sh
similarity index 95%
rename from tests/hardening/6.2.3_users_valid_homedir.sh
rename to tests/hardening/6.2.3_users_homedir_exist.sh
index f406dde..4e41040 100644
--- a/tests/hardening/6.2.3_users_valid_homedir.sh
+++ b/tests/hardening/6.2.3_users_homedir_exist.sh
@@ -3,7 +3,6 @@ test_audit() {
 describe Running on blank host
 register_test retvalshouldbe 0
- dismiss_count_for_test
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
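Review bot: The ownership loop that survives this commit reads `/etc/passwd` directly (`RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)`), whereas the existence loop being removed went through `get_db passwd`; if `get_db` merges account sources beyond the local file, 6.2.9 now silently skips those accounts while 6.2.3 still covers them. Consider `RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')` so both checks audit the same set of users. Separately, `for LINE in $RESULT` depends on word-splitting, so a home directory path containing whitespace is split into bogus `user:uid:dir` records; a `while IFS= read -r LINE` loop over the same output would be safer. The body of `audit()` continues past the end of the hunk.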
diff --git a/tests/hardening/6.2.9_users_valid_homedir.sh b/tests/hardening/6.2.9_users_homedir_ownership.sh
similarity index 67%
rename from tests/hardening/6.2.9_users_valid_homedir.sh
rename to tests/hardening/6.2.9_users_homedir_ownership.sh
index 4082d63..f0e52d3 100644
--- a/tests/hardening/6.2.9_users_valid_homedir.sh
+++ b/tests/hardening/6.2.9_users_homedir_ownership.sh
@@ -1,14 +1,8 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
- describe Running void to generate the conf file that will later be edited
- # shellcheck disable=2154
- /opt/debian-cis/bin/hardening/"${script}".sh || true
- echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
-
 describe Running on blank host
 register_test retvalshouldbe 0
- dismiss_count_for_test
 # shellcheck disable=2154
 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
@@ -22,7 +16,7 @@ test_audit() {
 run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 describe correcting situation
- echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
+ echo "EXCEPTIONS=\"/home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
 describe Checking resolved state
 register_test retvalshouldbe 0