From cadc25c28c8da91ffa8ddec489078ee6600329c0 Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Mon, 26 Apr 2021 17:05:22 +0200 Subject: [PATCH] Dir exceptions (#96) * IMP(1.1.21): add EXCEPTIONS * IMP(6.1.10): add EXCEPTIONS --- ...1.1.21_sticky_bit_world_writable_folder.sh | 41 ++++++++++++++++++- .../6.1.10_find_world_writable_file.sh | 40 +++++++++++++++++- 2 files changed, 77 insertions(+), 4 deletions(-)
diff --git a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
index f5396f6..6e1c64d 100755
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@@ -23,6 +23,19 @@ audit() {
 FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
 # shellcheck disable=SC2086
 RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+ IFS_BAK=$IFS
+ IFS=$'\n'
+ for LINE in $RESULT; do
+ debug "line : $LINE"
+ if echo "$EXCEPTIONS" | grep -q "$LINE"; then
+ debug "$LINE is confirmed as an exception"
+ # shellcheck disable=SC2001
+ RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+ else
+ debug "$LINE not found in exceptions"
+ fi
+ done
+ IFS=$IFS_BAK
 if [ -n "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
 # shellcheck disable=SC2001
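Review bot: The exception test in the added `if` of audit() is a substring/regex match in the wrong direction — `grep -q "$LINE"` asks whether the found directory occurs anywhere inside `$EXCEPTIONS`, so an exception `/var/tmp/cache` silently whitelists `/var/tmp`, and a `.`, `[` or `!` in a path is interpreted by grep and by the `sed "s!$LINE!!"` delimiter. The sed removal also rewrites other lines of `$RESULT` that merely contain the path, e.g. an excepted `/tmp` turns `/tmp/foo` into `/foo` in the crit output. Match the whole line as a fixed string and drop exactly that line: `if tr -s '[:space:]' '\n' <<<"$EXCEPTIONS" | grep -qxF -- "$LINE"; then` and `RESULT=$(grep -vxF -- "$LINE" <<<"$RESULT" || true)`. This assumes EXCEPTIONS is a whitespace-separated list, as the create_config default added later in the patch presumably defines; audit() starts before and ends after this hunk.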
@@ -36,17 +49,41 @@ audit() { # This function will be called if the script status is on enabled mode apply() { RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) + IFS_BAK=$IFS + IFS=$'\n' + for LINE in $RESULT; do + debug "line : $LINE" + if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then + debug "$ACCOUNT is confirmed as an exception" + # shellcheck disable=SC2001 + RESULT=$(sed "s!$LINE!!" <<<"$RESULT") + else + debug "$ACCOUNT not found in exceptions" + fi + done + IFS=$IFS_BAK if [ -n "$RESULT" ]; then + warn "Setting sticky bit on world writable directories" df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t else ok "All world writable directories have a sticky bit, nothing to apply" fi } +# This function will create the config file for this check with default values +create_config() { + cat </dev/null) + IFS_BAK=$IFS + IFS=$'\n' + for LINE in $RESULT; do + debug "line : $LINE" + if echo "$EXCEPTIONS" | grep -q "$LINE"; then + debug "$LINE is confirmed as an exception" + # shellcheck disable=SC2001 + RESULT=$(sed "s!$LINE!!" <<<"$RESULT") + else + debug "$LINE not found in exceptions" + fi + done + IFS=$IFS_BAK if [ -n "$RESULT" ]; then crit "Some world writable files are present" # shellcheck disable=SC2001 
@@ -36,6 +49,19 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
 RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+ IFS_BAK=$IFS
+ IFS=$'\n'
+ for LINE in $RESULT; do
+ debug "line : $LINE"
+ if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
+ debug "$ACCOUNT is confirmed as an exception"
+ # shellcheck disable=SC2001
+ RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
+ else
+ debug "$ACCOUNT not found in exceptions"
+ fi
+ done
+ IFS=$IFS_BAK
 if [ -n "$RESULT" ]; then
 warn "chmoding o-w all files in the system"
 df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
@@ -44,10 +70,20 @@ apply() {
 fi
 }
+# This function will create the config file for this check with default values
+create_config() {
+ cat <
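Review bot: `$ACCOUNT` in the added `if` and `debug` lines of apply() is never assigned in this function (the audit hunk of the same file uses `$LINE`), so with ACCOUNT unset `grep -q ""` succeeds whenever `$EXCEPTIONS` is non-empty and every found file is logged as an exception and stripped from `$RESULT`; the 1.1.21 apply() hunk earlier in the patch has the same `$ACCOUNT` lines. Even with the variable fixed, an exception still does not protect anything, because the `df … | find … | xargs chmod o-w` line re-scans the filesystem instead of using the filtered `$RESULT`, so excepted world-writable files are chmod'ed anyway. The match should also be an exact fixed-string comparison rather than a substring/regex test, and the sed delimiter breaks on `!` in a path. apply() ends outside the hunk; the rewrite below keeps its else branch and the `IFS=$IFS_BAK` restore in place.
```shell
    # … unchanged: RESULT=$(df … find … -type f -perm -0002 -print …) …
    IFS_BAK=$IFS
    IFS=$'\n'
    for LINE in $RESULT; do
        debug "line : $LINE"
        # exact, fixed-string match: no regex or substring semantics on paths
        if tr -s '[:space:]' '\n' <<<"$EXCEPTIONS" | grep -qxF -- "$LINE"; then
            debug "$LINE is confirmed as an exception"
            RESULT=$(grep -vxF -- "$LINE" <<<"$RESULT" || true)
        else
            debug "$LINE not found in exceptions"
        fi
    done
    IFS=$IFS_BAK
    if [ -n "$RESULT" ]; then
        warn "chmoding o-w all files in the system"
        # only touch the filtered list so excepted files keep their mode
        while IFS= read -r FILE; do
            [ -n "$FILE" ] && chmod o-w -- "$FILE"
        done <<<"$RESULT"
```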