IMP(99.5.4): add conf to check only listed users

Charles Herlin 2019-03-05 10:49:45 +01:00
parent b4b7524156
commit be1ad3e581
2 changed files with 21 additions and 4 deletions


@ -22,6 +22,7 @@ AUTHKEYFILE_PATTERN=""
AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2" AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK=""
ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin" ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"
@ -111,15 +112,21 @@ audit () {
debug "Set default pattern for authorized_keys file." debug "Set default pattern for authorized_keys file."
fi fi
for line in $($SUDO_CMD cat /etc/passwd | cut -d ":" -f 1,7); do if [ -z "$USERS_TO_CHECK" ]; then
USERS_TO_CHECK=$($SUDO_CMD cat /etc/passwd | cut -d ":" -f 1)
debug "Checking all users: $USERS_TO_CHECK"
else
debug "Checking only selected users: $USERS_TO_CHECK"
fi
for user in $USERS_TO_CHECK; do
# Checking if at least one AuthKeyFile has been found for this user # Checking if at least one AuthKeyFile has been found for this user
FOUND_AUTHKF=0 FOUND_AUTHKF=0
user=$(echo "$line" | cut -d ":" -f 1); shell=$(getent passwd "$user" | cut -d ':' -f 7);
shell=$(echo "$line" | cut -d ':' -f 2);
if grep -q "$shell" <<< "$ALLOWED_NOLOGIN_SHELLS" ; then if grep -q "$shell" <<< "$ALLOWED_NOLOGIN_SHELLS" ; then
continue continue
else else
info "User $user has a valid shell."; info "User $user has a valid shell ($shell).";
if [ "x$user" = "xroot" ]; then if [ "x$user" = "xroot" ]; then
check_dir /root check_dir /root
continue continue
@ -146,6 +153,7 @@ create_config() {
status=audit status=audit
# Put authorized IPs you want to allow in "from" field of authorized_keys # Put authorized IPs you want to allow in "from" field of authorized_keys
ALLOWED_IPS="" ALLOWED_IPS=""
USERS_TO_CHECK=""
EOF EOF
} }
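Review bot: A name in USERS_TO_CHECK that has no passwd entry is silently skipped: `shell=$(getent passwd "$user" | cut -d ':' -f 7)` yields an empty string, and `grep -q "$shell" <<< "$ALLOWED_NOLOGIN_SHELLS"` with an empty pattern matches anything, so the loop hits `continue` and the operator never learns the user was not audited; the old code could not reach this case because it read the shell from the same /etc/passwd line it iterated. Guard the lookup before the shell test, e.g. `[ -n "$shell" ] || { info "User $user not found in passwd database, skipping."; continue; }` using whichever logging helper fits (info/debug are the ones visible here). Note also that the default list is built from `$SUDO_CMD cat /etc/passwd` while the per-user lookup uses unprivileged `getent`, which may consult NSS sources beyond the local file; it is probably harmless, but worth a comment if intentional. The `audit ()` function starts before and continues past this hunk. In create_config, the new `USERS_TO_CHECK=""` line lacks the explanatory comment its neighbour ALLOWED_IPS has; `# Space-separated list of users to check; empty means every user in /etc/passwd` would make the generated config self-describing.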


@ -45,8 +45,17 @@ test_audit() {
register_test retvalshouldbe 0 register_test retvalshouldbe 0
run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
useradd -s /bin/bash -m jeantest2
# shellcheck disable=2016
echo 'USERS_TO_CHECK="jeantest2 secaudit"' >> /opt/debian-cis/etc/conf.d/"${script}".cfg
describe Check only specified user
register_test retvalshouldbe 0
run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# Cleanup # Cleanup
userdel jeantestuser userdel jeantestuser
userdel jeantest2
rm -f /tmp/key1 /tmp/key1.pub rm -f /tmp/key1 /tmp/key1.pub
} }
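Review bot: The new `register_test retvalshouldbe 0` for "Check only specified user" cannot fail for the reason it is meant to test, because the preceding all-users run already expected exit 0, so the audit would return the same status whether or not USERS_TO_CHECK is honoured. A discriminating check would leave an unlisted user in a state the audit reports on and assert that it no longer appears in the output (or drives the exit code) once only jeantest2 and secaudit are listed; which assertions the harness offers besides retvalshouldbe is not visible here, so adapt to what register_test supports. The `# shellcheck disable=2016` above the echo is unnecessary, since the single-quoted string contains no `$`, and can be dropped. test_audit starts before this hunk.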