From b266982a3c5fe4e9e02c0f84066edca10cc4327d Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Fri, 30 Oct 2020 16:01:18 +0100
Subject: [PATCH] ADD(6.2.7): add check mysteriously deleted during renaming
---
 bin/hardening/6.2.7_users_valid_homedir.sh | 64 ++++++++++++++++++++
 tests/hardening/6.2.7_users_valid_homedir.sh | 18 ++++++
 2 files changed, 82 insertions(+)
 create mode 100755 bin/hardening/6.2.7_users_valid_homedir.sh
 create mode 100755 tests/hardening/6.2.7_users_valid_homedir.sh
diff --git a/bin/hardening/6.2.7_users_valid_homedir.sh b/bin/hardening/6.2.7_users_valid_homedir.sh
new file mode 100755
index 0000000..a29c798
--- /dev/null
+++ b/bin/hardening/6.2.7_users_valid_homedir.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# CIS Debian Hardening
+#
+
+#
+# 6.2.7 Ensure all users' home directories exist (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=2
+DESCRIPTION="Users are assigned valid home directories."
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+ for LINE in $RESULT; do
+ debug "Working on $LINE"
+ USER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ DIR=$(awk -F: {'print $3'} <<< $LINE)
+ if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
+ crit "The home directory ($DIR) of user $USER does not exist."
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "All home directories exists"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Modifying home directories may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+ . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+ echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+ echo "Cannot source CIS_ROOT_DIR variable, aborting."
+ exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+ . $CIS_ROOT_DIR/lib/main.sh
+else
+ echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+ exit 128
+fi
diff --git a/tests/hardening/6.2.7_users_valid_homedir.sh b/tests/hardening/6.2.7_users_valid_homedir.sh
new file mode 100755
index 0000000..19229d5
--- /dev/null
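Review bot: `for LINE in $RESULT` in audit() splits the passwd dump on whitespace, so a home directory containing a space is broken into fragments whose `awk` extraction leaves USERID empty; the `[ … -ge 1000 … ]` test on such a fragment errors out rather than reporting that user, and the deprecated `-a` chain plus three `awk <<< $LINE` spawns per account make the loop both fragile and slow. Reading /etc/passwd field-wise with `IFS=:` and `read -r` removes the word-splitting and the per-user subprocesses, and lowercase locals avoid clobbering the `USER` environment variable for the rest of the run. The summary `ok "All home directories exists"` would read better as "exist"; the `. $CIS_ROOT_DIR/lib/main.sh` boilerplate at the bottom looks shared with the other checks, so it is not raised here.
```bash
audit () {
    # Parse /etc/passwd field-wise so a home path containing whitespace is not
    # split into bogus records; skip system accounts (UID < 1000) and the
    # well-known placeholder homes.
    while IFS=: read -r user _ uid _ _ dir _; do
        debug "Working on $user:$uid:$dir"
        if [[ "$uid" -ge 1000 && ! -d "$dir" && "$user" != "nfsnobody" && "$user" != "nobody" && "$dir" != "/nonexistent" ]]; then
            crit "The home directory ($dir) of user $user does not exist."
            ERRORS=$((ERRORS+1))
        fi
    done < /etc/passwd
    # … unchanged: final ERRORS summary …
}
```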
+++ b/tests/hardening/6.2.7_users_valid_homedir.sh
@@ -0,0 +1,18 @@
+# run-shellcheck
+test_audit() {
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ local test_user="userwithouthome"
+ useradd $test_user
+ describe Tests purposely failing
+ register_test retvalshouldbe 1
+ register_test contain "does not exist."
+ run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # cleanup
+ userdel $test_user
+}
\ No newline at end of file
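Review bot: `useradd $test_user` relies on the system default for home creation, so on a host where /etc/login.defs sets `CREATE_HOME yes` the account gets a home directory and the noncompliant run returns 0 instead of the expected 1. Passing `-M` pins the state the test depends on, and the expansion should be quoted: `useradd -M "$test_user"` and `userdel "$test_user"`. It is not visible from this file whether the harness keeps going when a `run` fails; if it aborts, the trailing `userdel` cleanup never executes and the leftover account can skew the next "blank host" run, which a trap-based cleanup would avoid.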