elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

FIX: sed that was too greedy

Browse Source 
Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do"
that lead to misinterpreting result

Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results
instead of items being removed from them.
Allow better control of grep inside this list.

Chore: apply shellcheck recommendations
This commit is contained in:
Charles Herlin 2019-01-02 13:02:02 +01:00
parent e72c7aae15
commit c51a8ee9b8
2 changed files with 24 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
bin/hardening/12.10_find_suid_files.sh
View File

@ -11,22 +11,25 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables." DESCRIPTION="Find SUID system executables."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are suid files" info "Checking if there are suid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -4000 -print) FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -4000 -print)
for BINARY in $RESULT; do BAD_BINARIES=""
if grep -q $BINARY <<< "$EXCEPTIONS"; then for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception" debug "$BINARY is confirmed as an exception"
RESULT=$(sed "s!$BINARY!!" <<< $RESULT) else
BAD_BINARIES="$BAD_BINARIES $BINARY"
fi fi
done done
if [ ! -z "$RESULT" ]; then if [ ! -z "$BAD_BINARIES" ]; then
crit "Some suid files are present" crit "Some suid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
ok "No unknown suid files found" ok "No unknown suid files found"
@ -64,8 +67,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=/opt/debian-cis/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128

20
bin/hardening/12.11_find_sgid_files.sh
View File

@ -11,22 +11,25 @@
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find SGID system executables." DESCRIPTION="Find SGID system executables."
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are sgid files" info "Checking if there are sgid files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -2000 -print) FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -2000 -print)
for BINARY in $RESULT; do BAD_BINARIES=""
if grep -q $BINARY <<< "$EXCEPTIONS"; then for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception" debug "$BINARY is confirmed as an exception"
RESULT=$(sed "s!$BINARY!!" <<< $RESULT) else
BAD_BINARIES="$BAD_BINARIES $BINARY"
fi fi
done done
if [ ! -z "$RESULT" ]; then if [ ! -z "$BAD_BINARIES" ]; then
crit "Some sgid files are present" crit "Some sgid files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT" crit "$FORMATTED_RESULT"
else else
ok "No unknown sgid files found" ok "No unknown sgid files found"
@ -65,8 +68,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
. $CIS_ROOT_DIR/lib/main.sh # shellcheck source=/opt/debian-cis/lib/main.sh
. "$CIS_ROOT_DIR"/lib/main.sh
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128