12.11_find_sgid_files.sh

bin/hardening/10.2_disable_system_accounts.sh

@@ -19,7 +19,20 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if admin accounts have login different from $SHELL"
-    eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS"))
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}') 
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        ACCOUNT=$( echo $LINE | cut -d: -f 1 )
+        debug "Account : $ACCOUNT"
+        debug "Exceptions : $EXCEPTIONS"
+        debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
+        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+            debug "$ACCOUNT is confirmed as an exception"
+            RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
+        else
+            debug "$ACCOUNT not found in exceptions" 
+        fi
+    done
     if [ ! -z "$RESULT" ]; then
         crit "Some admin accounts have not $SHELL as shell"
         crit "$RESULT"
@@ -30,7 +43,20 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS"))
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    for LINE in $RESULT; do
+        debug "line : $LINE"
+        ACCOUNT=$( echo $LINE | cut -d: -f 1 )
+        debug "Account : $ACCOUNT"
+        debug "Exceptions : $EXCEPTIONS"
+        debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
+        if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
+            debug "$ACCOUNT is confirmed as an exception"
+            RESULT=$(sed "s!$LINE!!" <<< "$RESULT")
+        else
+            debug "$ACCOUNT not found in exceptions"
+        fi
+    done
     if [ ! -z "$RESULT" ]; then
         warn "Some admin accounts have not $SHELL as shell"
         warn "$RESULT"
@@ -45,7 +71,7 @@ apply () {
 
 # This function will check config parameters required
 check_config() {
-    if [ -z $EXCEPTIONS ]; then
+    if [ -z "$EXCEPTIONS" ]; then
         EXCEPTIONS="@"
     fi
 }

bin/hardening/12.10_find_suid_files.sh

@@ -19,16 +19,15 @@ audit () {
     for BINARY in $RESULT; do
         if grep -q $BINARY <<< "$EXCEPTIONS"; then
             debug "$BINARY is confirmed as an exception"
-            
-            RESULT=$(sed '!'"$BINARY"'!d' <<< $RESULT)
+            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
         fi
     done
     if [ ! -z "$RESULT" ]; then
-        crit "Some world writable file are present"
+        crit "Some suid files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
-        ok "No world writable files found"
+        ok "No unknown suid files found"
     fi
 }
 

bin/hardening/12.11_find_sgid_files.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
+#
+
+#
+# 12.11 Find SGID System Executables (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    info "Checking if there is sgid files"
+    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
+    for BINARY in $RESULT; do
+        if grep -q $BINARY <<< "$EXCEPTIONS"; then
+            debug "$BINARY is confirmed as an exception"
+            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
+        fi
+    done
+    if [ ! -z "$RESULT" ]; then
+        crit "Some sgid files are present"
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        crit "$FORMATTED_RESULT"
+    else
+        ok "No unknown sgid files found"
+    fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    info "Removing sgid on valid binary may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+    if [ -z "$EXCEPTIONS" ]; then
+        EXCEPTIONS="@"
+    fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+    echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+    exit 128
+else
+    . /etc/default/cis-hardenning
+    if [ -z $CIS_ROOT_DIR ]; then
+        echo "No CIS_ROOT_DIR variable, aborting"
+    fi
+fi 
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh

etc/conf.d/10.2_disable_system_accounts.cfg

@@ -1,4 +1,4 @@
 # Configuration for script of same name
 status=enabled
-# Put here your exceptions concerning admin shells
+# Put here your exceptions concerning admin accounts shells separated by spaces
 EXCEPTIONS=""

etc/conf.d/12.11_find_sgid_files.cfg

@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=enabled
+# Put here valid binaries with sgid enabled separated by spaces
+EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue"