From aad764bb1b133c16106171b51b9b09de584dfa3b Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sun, 17 Apr 2016 19:53:47 +0200 Subject: [PATCH] 13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh^C --- ...13.11_find_passwd_group_inconsistencies.sh | 14 +---- bin/hardening/13.12_users_valid_homedir.sh | 12 ++-- .../13.13_check_user_homedir_ownership.sh | 10 +++- bin/hardening/13.14_check_duplicate_uid.sh | 58 +++++++++++++++++++ bin/hardening/13.15_check_duplicate_gid.sh | 58 +++++++++++++++++++ etc/conf.d/13.14_check_duplicate_uid.cfg | 2 + etc/conf.d/13.15_check_duplicate_gid.cfg | 2 + 7 files changed, 136 insertions(+), 20 deletions(-) create mode 100755 bin/hardening/13.14_check_duplicate_uid.sh create mode 100755 bin/hardening/13.15_check_duplicate_gid.sh create mode 100644 etc/conf.d/13.14_check_duplicate_uid.cfg create mode 100644 etc/conf.d/13.15_check_duplicate_gid.cfg diff --git a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh index cac5469..d16fed3 100755 --- a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh +++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh @@ -21,7 +21,7 @@ audit () { debug "Working on group $GROUP" if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" - ERRORS=$(($ERRORS+1)) + ERRORS=$((ERRORS+1)) fi done 
@@ -32,17 +32,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do - debug "Working on group $GROUP" - if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then - crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" - ERRORS=$(($ERRORS+1)) - fi - done - - if [ $ERRORS != 0 ]; then - warn "Consider creating missing group" - fi + info "Solving passwd and group consistency automatically may seriously harm your system, report only here" } # This function will check config parameters required diff --git a/bin/hardening/13.12_users_valid_homedir.sh b/bin/hardening/13.12_users_valid_homedir.sh index e94db47..e0fd8e9 100755 --- a/bin/hardening/13.12_users_valid_homedir.sh +++ b/bin/hardening/13.12_users_valid_homedir.sh @@ -16,7 +16,12 @@ ERRORS=0 # This function will be called if the script status is on enabled / audit mode audit () { - cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do + RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') + for LINE in $RESULT; do + debug "Working on $LINE" + USER=$(awk -F: {'print $1'} <<< $LINE) + USERID=$(awk -F: {'print $2'} <<< $LINE) + DIR=$(awk -F: {'print $3'} <<< $LINE) if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then crit "The home directory ($DIR) of user $USER does not exist." ERRORS=$((ERRORS+1)) @@ -30,10 +35,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - if [ $ERRORS != 0 ]; then - warn "Consider creating missing home directories" - fi - : + info "Modifying home directories may seriously harm your system, report only here" } # This function will check config parameters required diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh index 28e3aea..6adc24e 100755 
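Review bot: `for LINE in $RESULT` word-splits the captured passwd dump on whitespace (and expands glob characters), so a home directory containing a space is cut in two: the first fragment is reported as a missing directory, a false positive, and the remainder yields an empty USERID that makes the unquoted `[ $USERID -ge 1000 ...` test print an "integer expression expected" error instead of checking the account; the same construct is introduced in 13.13_check_user_homedir_ownership.sh. The `while read` pipeline this replaces lost ERRORS in its subshell, but a process substitution keeps the loop in the current shell without any splitting and also drops the three awk forks per account: replace the RESULT/for/USER/USERID/DIR lines with `while IFS=: read -r USER USERID DIR; do` and close the loop with `done < <(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)`. The `done` line and the rest of audit are outside this hunk.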
--- a/bin/hardening/13.13_check_user_homedir_ownership.sh +++ b/bin/hardening/13.13_check_user_homedir_ownership.sh @@ -16,13 +16,17 @@ ERRORS=0 # This function will be called if the script status is on enabled / audit mode audit () { - - cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do + RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }') + for LINE in $RESULT; do + debug "Working on $LINE" + USER=$(awk -F: {'print $1'} <<< $LINE) + USERID=$(awk -F: {'print $2'} <<< $LINE) + DIR=$(awk -F: {'print $3'} <<< $LINE) if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then OWNER=$(stat -L -c "%U" "$DIR") if [ "$OWNER" != "$USER" ]; then crit "The home directory ($DIR) of user $USER is owned by $OWNER." - ERRORS=$(($ERRORS+1)) + ERRORS=$((ERRORS+1)) fi fi done diff --git a/bin/hardening/13.14_check_duplicate_uid.sh b/bin/hardening/13.14_check_duplicate_uid.sh new file mode 100755 index 0000000..fc79b7e --- /dev/null +++ b/bin/hardening/13.14_check_duplicate_uid.sh 
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.14 Check for Duplicate UIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate UID ($USERID): ${USERS}"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate UIDs"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically uids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.15_check_duplicate_gid.sh b/bin/hardening/13.15_check_duplicate_gid.sh
new file mode 100755
index 0000000..e74ec56
--- /dev/null
+++ b/bin/hardening/13.15_check_duplicate_gid.sh
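Review bot: The `[ -z $CIS_ROOT_DIR ]` branch prints "No CIS_ROOT_DIR variable, aborting" but never exits, so with an empty CIS_ROOT_DIR the script falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ]`, sources nothing and ends without producing any audit result; the same block is introduced in 13.15_check_duplicate_gid.sh. `set -u` only covers the unset case, and the unquoted test handles the empty case by accident: it collapses to the one-argument form `[ -z ]`, which is true because the string "-z" is non-empty. Quote the expansion and exit as the missing-file branch above it does: `if [ -z "$CIS_ROOT_DIR" ]; then`, `echo "No CIS_ROOT_DIR variable, aborting" >&2`, `exit 128`.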
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.15 Check for Duplicate GIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ GROUPID=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate UID ($GROUPID): ${USERS}"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate GIDss"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically gids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/13.14_check_duplicate_uid.cfg b/etc/conf.d/13.14_check_duplicate_uid.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.14_check_duplicate_uid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.15_check_duplicate_gid.cfg b/etc/conf.d/13.15_check_duplicate_gid.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
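Review bot: The GID script resolves the duplicated id against the wrong file: `USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)` lists users whose primary GID happens to match, not the /etc/group entries that share the GID, so the finding names the wrong objects and may even be empty; the crit message then labels it "Duplicate UID". Read /etc/group and fix the wording, including the "GIDss" typo in the ok message: `USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/group | xargs)`, `crit "Duplicate GID ($GROUPID): ${USERS}"`, `ok "No duplicate GIDs"`. Renaming USERS to something like GROUP_NAMES would also make the report read correctly (avoid GROUPS, which is a bash special variable).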
+++ b/etc/conf.d/13.15_check_duplicate_gid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled