elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-21 21:17:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

Dir exceptions (#96)

Browse Source 
* IMP(1.1.21): add EXCEPTIONS
* IMP(6.1.10): add EXCEPTIONS
This commit is contained in:
Thibault Ayanides 2021-04-26 17:05:22 +02:00 committed by GitHub
parent 8c6c9a7571
commit cadc25c28c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 77 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
View File

@ -23,6 +23,19 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
debug "$LINE is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$LINE not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!" crit "Some world writable directories are not on sticky bit mode!"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -36,17 +49,41 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "Setting sticky bit on world writable directories"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
else else
ok "All world writable directories have a sticky bit, nothing to apply" ok "All world writable directories have a sticky bit, nothing to apply"
fi fi
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
# No param for this function if [ -z "$EXCEPTIONS" ]; then
: EXCEPTIONS="@"
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

40
bin/hardening/6.1.10_find_world_writable_file.sh
View File

@ -23,6 +23,19 @@ audit() {
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
# shellcheck disable=SC2086 # shellcheck disable=SC2086
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$LINE"; then
debug "$LINE is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$LINE not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
crit "Some world writable files are present" crit "Some world writable files are present"
# shellcheck disable=SC2001 # shellcheck disable=SC2001
@ -36,6 +49,19 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
IFS_BAK=$IFS
IFS=$'\n'
for LINE in $RESULT; do
debug "line : $LINE"
if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
debug "$ACCOUNT is confirmed as an exception"
# shellcheck disable=SC2001
RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
else
debug "$ACCOUNT not found in exceptions"
fi
done
IFS=$IFS_BAK
if [ -n "$RESULT" ]; then if [ -n "$RESULT" ]; then
warn "chmoding o-w all files in the system" warn "chmoding o-w all files in the system"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
@ -44,10 +70,20 @@ apply() {
fi fi
} }
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here your exceptions separated by spaces
EXCEPTIONS=""
EOF
}
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
# No param for this function if [ -z "$EXCEPTIONS" ]; then
: EXCEPTIONS="@"
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter