From 9ada868f43050020e2bcc20a2e978bdeddf9e2f4 Mon Sep 17 00:00:00 2001
From: Charles Herlin
Date: Fri, 1 Mar 2019 12:12:42 +0100
Subject: [PATCH] IMP(8.2.4): add exceptions in check and apply
Apply shellcheck recommendations
---
 bin/hardening/8.2.4_set_logfile_perm.sh | 101 ++++++++++++++++------
 tests/hardening/8.2.4_set_logfile_perm.sh | 19 +++-
 2 files changed, 92 insertions(+), 28 deletions(-)
diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh
index 7d0ed25..72257e5 100755
--- a/bin/hardening/8.2.4_set_logfile_perm.sh
+++ b/bin/hardening/8.2.4_set_logfile_perm.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
+# run-shellcheck
 #
 # CIS Debian Hardening
 #
@@ -11,33 +12,54 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
+# shellcheck disable=2034
 HARDENING_LEVEL=3
+# shellcheck disable=2034
 DESCRIPTION="Create and set permissions on syslog-ng logfiles."
-PERMISSIONS='640'
-USER='root'
-GROUP='adm'
+PERMISSIONS=''
+USER=''
+GROUP=''
+EXCEPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- FILES=$(grep "file(" $SYSLOG_BASEDIR/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
+ FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
 for FILE in $FILES; do
- does_file_exist $FILE
- if [ $FNRET != 0 ]; then
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
 warn "$FILE does not exist"
 else
- has_file_correct_ownership $FILE $USER $GROUP
- if [ $FNRET = 0 ]; then
- ok "$FILE has correct ownership"
+ FOUND_EXC=0
+ if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+ debug "$FILE is found in exceptions"
+ debug "Setting special user:group:perm"
+ FOUND_EXC=1
+ local user_bak="$USER"
+ local group_bak="$GROUP"
+ local perm_bak="$PERMISSIONS"
+ USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+ GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+ PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct ownership ($USER:$GROUP)"
 else
 crit "$FILE ownership was not set to $USER:$GROUP"
 fi
- has_file_correct_permissions $FILE $PERMISSIONS
- if [ $FNRET = 0 ]; then
- ok "$FILE has correct permissions"
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
+ ok "$FILE has correct permissions ($PERMISSIONS)"
 else
 crit "$FILE permissions were not set to $PERMISSIONS"
- fi
+ fi
+ if [ "$FOUND_EXC" = 1 ]; then
+ debug "Resetting user:group:perm"
+ USER="$user_bak"
+ GROUP="$group_bak"
+ PERMISSIONS="$perm_bak"
+ fi
 fi
 done
 }
@@ -45,24 +67,42 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
 for FILE in $FILES; do
- does_file_exist $FILE
- if [ $FNRET != 0 ]; then
+ does_file_exist "$FILE"
+ if [ "$FNRET" != 0 ]; then
 info "$FILE does not exist"
- touch $FILE
+ touch "$FILE"
 fi
- has_file_correct_ownership $FILE $USER $GROUP
- if [ $FNRET = 0 ]; then
+ FOUND_EXC=0
+ if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+ debug "$FILE is found in exceptions"
+ debug "Setting special user:group:perm"
+ FOUND_EXC=1
+ local user_bak="$USER"
+ local group_bak="$GROUP"
+ local perm_bak="$PERMISSIONS"
+ USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+ GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+ PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+ fi
+ has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+ if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct ownership"
 else
 warn "fixing $FILE ownership to $USER:$GROUP"
- chown $USER:$GROUP $FILE
+ chown "$USER":"$GROUP" "$FILE"
 fi
- has_file_correct_permissions $FILE $PERMISSIONS
- if [ $FNRET = 0 ]; then
+ has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
 info "fixing $FILE permissions to $PERMISSIONS"
- chmod 0$PERMISSIONS $FILE
+ chmod 0"$PERMISSIONS" "$FILE"
+ fi
+ if [ "$FOUND_EXC" = 1 ]; then
+ debug "Resetting user:group:perm"
+ USER="$user_bak"
+ GROUP="$group_bak"
+ PERMISSIONS="$perm_bak"
 fi
 done
 }
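Review bot: The exception lookup added to audit() matches paths as unanchored regular expressions, first in `if grep "$FILE" <(…)` and again in the three `USER=`/`GROUP=`/`PERMISSIONS=` assignments, so an entry for `/var/log/syslog` is also applied to `/var/log/syslog-ng/…` or to any file whose path merely contains that string, a `.` in the path matches any character, and two matching entries turn `USER` into a two-line value that `has_file_correct_ownership` is then fed; for a hardening check this means an exception silently relaxes the expected mode on files the administrator never listed. The `grep` in the condition also has no `-q`, so the matched exception line is printed to stdout in the middle of the audit output. An exact fixed-string match on the first field, and a lookup that yields at most one value, closes both; audit() starts and ends inside this hunk, so the change is self-contained.
```shell
            FOUND_EXC=0
            # exact match on the path field: a bare grep treats $FILE as an
            # unanchored regex and would also hit longer paths containing it
            if grep -qxF -- "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
                # … unchanged: debug messages, FOUND_EXC=1 and the *_bak locals …
                # first entry whose path field equals $FILE wins, never more than one line
                USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f { print $2; exit }')"
                GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f { print $3; exit }')"
                PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | awk -F: -v f="$FILE" '$1 == f { print $4; exit }')"
            fi
```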
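Review bot: In apply(), `chmod 0"$PERMISSIONS" "$FILE"` degrades to `chmod 0 "$FILE"` when `PERMISSIONS` is empty, and this commit makes the empty string the in-script default (`PERMISSIONS=''` replaces `'640'` at the top of the file) and also what an exceptions entry with fewer than four fields yields through `cut -d':' -f 4`; the outcome is a log file with mode 000 that syslog-ng can no longer append to. The values are presumably filled in from the `.cfg` written by create_config, but that hunk is not readable here and nothing in apply() validates them before the `chown`/`chmod`. Guarding the chmod turns a misconfiguration into a reported failure instead of a silent lockout: `if [ -z "$PERMISSIONS" ]; then crit "no permissions configured for $FILE, leaving its mode untouched"; else chmod 0"$PERMISSIONS" "$FILE"; fi`. The same unanchored `grep "$FILE"` exception lookup as in audit() is duplicated here and over-matches in the same way, so whatever fix lands in audit() should be applied to this copy too.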
@@ -72,18 +112,24 @@ create_config() { cat <> /opt/debian-cis/etc/conf.d/"${script}".cfg
+ register_test retvalshouldbe 1
+ run excepandfail /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ describe Correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+ register_test retvalshouldbe 0
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }