From d6e58032528ff946f8ba3e1f708b6e2ab391e40d Mon Sep 17 00:00:00 2001 From: Thibault Ayanides Date: Mon, 5 Oct 2020 13:17:44 +0200 Subject: [PATCH] 4.2.4_logs_permissions --- bin/hardening/4.2.4_logs_permissions.sh | 62 +++++++++++++++++++++++ lib/utils.sh | 16 +++++- tests/hardening/4.2.4_logs_permissions.sh | 10 ++++ 3 files changed, 87 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/4.2.4_logs_permissions.sh create mode 100755 tests/hardening/4.2.4_logs_permissions.sh diff --git a/bin/hardening/4.2.4_logs_permissions.sh b/bin/hardening/4.2.4_logs_permissions.sh new file mode 100755 index 0000000..774fdfa --- /dev/null +++ b/bin/hardening/4.2.4_logs_permissions.sh @@ -0,0 +1,62 @@ +#!/bin/bash + +# +# CIS Debian Hardening +# + +# +# 4.2.4 Ensure permissions on all logfiles are configured (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +HARDENING_LEVEL=2 +DESCRIPTION="Check permissions on logs (other has no permissions on any files andgroup does not have write or execute permissions on any file)" + +DIR='/var/log' +PERMISSIONS='640' + +# This function will be called if the script status is on enabled / audit mode +audit () { + have_files_in_dir_correct_permissions $DIR $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "Logs in $DIR have correct permissions" + else + crit "Some logs in $DIR permissions were not set to $PERMISSIONS" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + have_files_in_dir_correct_permissions $DIR $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $DIR logs permissions to $PERMISSIONS" + find $DIR -type f -exec chmod 0$PERMISSIONS {} \; + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ -r /etc/default/cis-hardening ]; then + . /etc/default/cis-hardening +fi +if [ -z "$CIS_ROOT_DIR" ]; then + echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." + echo "Cannot source CIS_ROOT_DIR variable, aborting." + exit 128 +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then + . $CIS_ROOT_DIR/lib/main.sh +else + echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" + exit 128 +fi diff --git a/lib/utils.sh b/lib/utils.sh index 3e7db46..5eaf134 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -88,13 +88,27 @@ has_file_correct_permissions() { local FILE=$1 local PERMISSIONS=$2 - if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then + if [ $($SUDO_CMD stat -L -c "%a" $FILE) = "$PERMISSIONS" ]; then FNRET=0 else FNRET=1 fi } +have_files_in_dir_correct_permissions(){ + local DIR=$1 + local PERMISSIONS=$2 + + FNRET=0 + for perm in $($SUDO_CMD find "$DIR" -type f -exec stat -L -c "%a" {} \;); + do + if [ "$perm" != "$PERMISSIONS" ]; then + FNRET=1 + break + fi + done +} + does_pattern_exist_in_file_nocase() { _does_pattern_exist_in_file "-Ei" $* } diff --git a/tests/hardening/4.2.4_logs_permissions.sh b/tests/hardening/4.2.4_logs_permissions.sh new file mode 100755 index 0000000..b333419 --- /dev/null +++ b/tests/hardening/4.2.4_logs_permissions.sh @@ -0,0 +1,10 @@ +# run-shellcheck +test_audit() { + describe Running on blank host + register_test retvalshouldbe 0 + dismiss_count_for_test + # shellcheck disable=2154 + run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + # TODO fill comprehensive tests +}