From be1ad3e581a6a962df71ce5ffc39324ba5887e3b Mon Sep 17 00:00:00 2001 From: Charles Herlin Date: Tue, 5 Mar 2019 10:49:45 +0100 Subject: [PATCH] IMP(99.5.4): add conf to check only listed users --- bin/hardening/99.5.4_ssh_keys_from.sh | 16 ++++++++++++---- tests/hardening/99.5.4_ssh_keys_from.sh | 9 +++++++++ 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/bin/hardening/99.5.4_ssh_keys_from.sh b/bin/hardening/99.5.4_ssh_keys_from.sh index b0f4b20..a760a5f 100755 --- a/bin/hardening/99.5.4_ssh_keys_from.sh +++ b/bin/hardening/99.5.4_ssh_keys_from.sh @@ -22,6 +22,7 @@ AUTHKEYFILE_PATTERN="" AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2" ALLOWED_IPS="" +USERS_TO_CHECK="" ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin" @@ -111,15 +112,21 @@ audit () { debug "Set default pattern for authorized_keys file." fi - for line in $($SUDO_CMD cat /etc/passwd | cut -d ":" -f 1,7); do + if [ -z "$USERS_TO_CHECK" ]; then + USERS_TO_CHECK=$($SUDO_CMD cat /etc/passwd | cut -d ":" -f 1) + debug "Checking all users: $USERS_TO_CHECK" + else + debug "Checking only selected users: $USERS_TO_CHECK" + fi + + for user in $USERS_TO_CHECK; do # Checking if at least one AuthKeyFile has been found for this user FOUND_AUTHKF=0 - user=$(echo "$line" | cut -d ":" -f 1); - shell=$(echo "$line" | cut -d ':' -f 2); + shell=$(getent passwd "$user" | cut -d ':' -f 7); if grep -q "$shell" <<< "$ALLOWED_NOLOGIN_SHELLS" ; then continue else - info "User $user has a valid shell."; + info "User $user has a valid shell ($shell)."; if [ "x$user" = "xroot" ]; then check_dir /root continue @@ -146,6 +153,7 @@ create_config() { status=audit # Put authorized IPs you want to allow in "from" field of authorized_keys ALLOWED_IPS="" +USERS_TO_CHECK="" EOF } diff --git a/tests/hardening/99.5.4_ssh_keys_from.sh b/tests/hardening/99.5.4_ssh_keys_from.sh index 85ebb1a..435f336 100644 --- a/tests/hardening/99.5.4_ssh_keys_from.sh +++ b/tests/hardening/99.5.4_ssh_keys_from.sh @@ -45,8 +45,17 @@ test_audit() { register_test retvalshouldbe 0 run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + useradd -s /bin/bash -m jeantest2 + # shellcheck disable=2016 + echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg + describe Check only specified user + register_test retvalshouldbe 0 + run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # Cleanup userdel jeantestuser + userdel jeantest2 rm -f /tmp/key1 /tmp/key1.pub }