IMP(99.5.4): add conf to check only listed users

2024-11-22 13:37:02 +01:00 · 2019-03-05 10:49:45 +01:00 · 2019-03-05 10:49:45 +01:00 · be1ad3e581
commit be1ad3e581
parent b4b7524156
2 changed files with 21 additions and 4 deletions
--- a/bin/hardening/99.5.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.4_ssh_keys_from.sh
@ -22,6 +22,7 @@ AUTHKEYFILE_PATTERN=""
 AUTHKEYFILE_PATTERN_DEFAULT=".ssh/authorized_keys .ssh/authorized_keys2"

 ALLOWED_IPS=""
+USERS_TO_CHECK=""

 ALLOWED_NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin"

@ -111,15 +112,21 @@ audit () {
        debug "Set default pattern for authorized_keys file."
    fi

-    for line in $($SUDO_CMD cat /etc/passwd | cut -d ":" -f 1,7); do
+    if [ -z "$USERS_TO_CHECK" ]; then
+        USERS_TO_CHECK=$($SUDO_CMD cat /etc/passwd | cut -d ":" -f 1)
+        debug "Checking all users: $USERS_TO_CHECK"
+    else
+        debug "Checking only selected users: $USERS_TO_CHECK"
+    fi
+
+    for user in $USERS_TO_CHECK; do
        # Checking if at least one AuthKeyFile has been found for this user
        FOUND_AUTHKF=0
-        user=$(echo "$line" | cut -d ":" -f 1);
-        shell=$(echo "$line" | cut -d ':' -f 2);
+        shell=$(getent passwd "$user" | cut -d ':' -f 7);
        if grep -q "$shell" <<< "$ALLOWED_NOLOGIN_SHELLS" ; then
            continue
        else
-            info "User $user has a valid shell.";
+            info "User $user has a valid shell ($shell).";
            if [ "x$user" = "xroot" ]; then
                check_dir /root
                continue
@ -146,6 +153,7 @@ create_config() {
 status=audit
 # Put authorized IPs you want to allow in "from" field of authorized_keys
 ALLOWED_IPS=""
+USERS_TO_CHECK=""
 EOF
 }

--- a/tests/hardening/99.5.4_ssh_keys_from.sh
+++ b/tests/hardening/99.5.4_ssh_keys_from.sh
@ -45,8 +45,17 @@ test_audit()  {
    register_test retvalshouldbe 0
    run allwdfromip /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    useradd -s /bin/bash -m jeantest2
+    # shellcheck disable=2016
+    echo 'USERS_TO_CHECK="jeantest2 secaudit"' >>  /opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Check only specified user
+    register_test retvalshouldbe 0
+    run checkuser /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+
    # Cleanup
    userdel jeantestuser
+    userdel jeantest2
    rm -f /tmp/key1 /tmp/key1.pub
 }