No more wildcards in file list to be more resilient

This commit is contained in:
thibault.dewailly 2017-06-13 15:36:06 +02:00
parent 02f643f390
commit a4dc5bdaf5
3 changed files with 162 additions and 28 deletions


@ -13,29 +13,73 @@ set -u # One variable unset, it's over
USER='root' USER='root'
PATTERN='umask 077' PATTERN='umask 077'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile' FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
FILE='/etc/profile.d/CIS_10.4_umask.sh' FILE='/etc/profile.d/CIS_10.4_umask.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN" SEARCH_RES=0
if [ $FNRET != 0 ]; then for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
crit "$PATTERN is not present in $FILES_TO_SEARCH" crit "$PATTERN is not present in $FILES_TO_SEARCH"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN" SEARCH_RES=0
if [ $FNRET != 0 ]; then for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
warn "$PATTERN is not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE touch $FILE
chmod 644 $FILE chmod 644 $FILE
add_end_of_file $FILE "$PATTERN" add_end_of_file $FILE "$PATTERN"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
@ -54,7 +98,7 @@ else
echo "No CIS_ROOT_DIR variable, aborting" echo "No CIS_ROOT_DIR variable, aborting"
exit 128 exit 128
fi fi
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
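Review bot: The directory branch of the new audit() loop walks `$(ls $FILE_SEARCHED)`, which word-splits the listing and hands unquoted names to does_pattern_exist_in_file, so a drop-in under /etc/profile.d whose name contains whitespace (or a listing that fails for any reason) is silently skipped and the audit reports crit even though `umask 077` is set; a quoted glob guarded by `-f` keeps the commit's intent (no unexpanded wildcard reaching the helper, subdirectories ignored) without parsing ls. The same loop is pasted verbatim into apply(), so the rewrite below belongs in both places, and the two functions would be easier to keep in step if the walk lived in one helper that sets SEARCH_RES. Separately, the file branch reports `ok "$PATTERN is present in $FILES_TO_SEARCH"` while the directory branch names the actual file; `ok "$PATTERN is present in $FILE_SEARCHED"` keeps the audit output precise about where the match was found.
```shell
if [ -d "$FILE_SEARCHED" ]; then
    debug "$FILE_SEARCHED is a directory"
    for file_in_dir in "$FILE_SEARCHED"/*; do
        [ -f "$file_in_dir" ] || continue   # unexpanded glob or subdirectory
        does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
        # … unchanged: FNRET check, ok/debug, SEARCH_RES=1 and break …
    done
```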


@ -14,23 +14,69 @@ set -u # One variable unset, it's over
USER='root' USER='root'
PATTERN='TMOUT=' PATTERN='TMOUT='
VALUE='600' VALUE='600'
FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile' FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d /etc/profile'
FILE='/etc/profile.d/CIS_99.1_timeout.sh' FILE='/etc/profile.d/CIS_99.1_timeout.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN" SEARCH_RES=0
if [ $FNRET != 0 ]; then for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
crit "$PATTERN is not present in $FILES_TO_SEARCH" crit "$PATTERN is not present in $FILES_TO_SEARCH"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN" SEARCH_RES=0
if [ $FNRET != 0 ]; then for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
warn "$PATTERN is not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE touch $FILE
chmod 644 $FILE chmod 644 $FILE
@ -57,7 +103,7 @@ else
echo "No CIS_ROOT_DIR variable, aborting" echo "No CIS_ROOT_DIR variable, aborting"
exit 128 exit 128
fi fi
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
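Review bot: The new audit() loop still only greps for `^TMOUT=`, so VALUE='600' declared just above is never compared with what is actually found: a file that sets `TMOUT=0` or a very large timeout passes the check, and apply() (whose body continues past the end of the hunk) is then never triggered. A pattern that pins the value, e.g. `"^${PATTERN}${VALUE}\b"`, or a grep that extracts the number and compares it against VALUE would make the audit reflect the control it is meant to enforce; whether VALUE is consulted further down in apply() is not visible here. The directory branch also iterates `$(ls $FILE_SEARCHED)`, which breaks on filenames with whitespace; `for file_in_dir in "$FILE_SEARCHED"/*; do [ -f "$file_in_dir" ] || continue` avoids parsing ls while keeping the no-wildcard-in-FILES_TO_SEARCH behaviour this commit introduces.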


@ -13,23 +13,69 @@ set -u # One variable unset, it's over
USER='root' USER='root'
PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
FILES_TO_SEARCH='/etc/udev/rules.d/*' FILES_TO_SEARCH='/etc/udev/rules.d'
FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh' FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN" SEARCH_RES=0
if [ $FNRET != 0 ]; then for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
crit "$PATTERN is not present in $FILES_TO_SEARCH" crit "$PATTERN is not present in $FILES_TO_SEARCH"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
does_pattern_exist_in_file "$FILES_TO_SEARCH" "^$PATTERN" SEARCH_RES=0
if [ $FNRET != 0 ]; then for FILE_SEARCHED in $FILES_TO_SEARCH; do
if [ $SEARCH_RES = 1 ]; then break; fi
if test -d $FILE_SEARCHED; then
debug "$FILE_SEARCHED is a directory"
for file_in_dir in $(ls $FILE_SEARCHED); do
does_pattern_exist_in_file "$FILE_SEARCHED/$file_in_dir" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED/$file_in_dir"
else
ok "$PATTERN is present in $FILE_SEARCHED/$file_in_dir"
SEARCH_RES=1
break
fi
done
else
does_pattern_exist_in_file "$FILE_SEARCHED" "^$PATTERN"
if [ $FNRET != 0 ]; then
debug "$PATTERN is not present in $FILE_SEARCHED"
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
SEARCH_RES=1
fi
fi
done
if [ $SEARCH_RES = 0 ]; then
warn "$PATTERN is not present in $FILES_TO_SEARCH" warn "$PATTERN is not present in $FILES_TO_SEARCH"
touch $FILE touch $FILE
chmod 644 $FILE chmod 644 $FILE
@ -46,8 +92,6 @@ ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authoriz
# PS2-USB converter # PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1" ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
' '
else
ok "$PATTERN is present in $FILES_TO_SEARCH"
fi fi
} }
@ -66,7 +110,7 @@ else
echo "No CIS_ROOT_DIR variable, aborting" echo "No CIS_ROOT_DIR variable, aborting"
exit 128 exit 128
fi fi
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
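Review bot: The new directory walk in audit() checks every entry of /etc/udev/rules.d, including the `10-CIS_99.2_usb_devices.sh` file that apply() creates, yet udev(7) only loads files with a `.rules` suffix from that directory as far as I recall, so the audit can report ok for a rule udev never reads and USB devices stay authorized by default. Renaming FILE to a `.rules` suffix and restricting the walk to `for file_in_dir in "$FILE_SEARCHED"/*.rules` with `[ -f "$file_in_dir" ] || continue` would make the audit and the enforcement agree; the `$(ls ...)` loop also breaks on filenames containing whitespace, which the glob form avoids. apply() continues beyond the hunk, so the heredoc and any udev reload it performs were not reviewed here.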