From f1dcd7431a68b710cbdfb5dca1781c7212b99f6a Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 7 Apr 2016 08:43:37 +0200 Subject: [PATCH] 3.1_bootloader_ownership.sh --- bin/hardening/3.1_bootloader_ownership.sh | 72 +++++++++++++++++++++++ etc/conf.d/3.1_bootloader_ownership.cfg | 2 + lib/utils.sh | 49 +++++++++++++++ 3 files changed, 123 insertions(+) create mode 100755 bin/hardening/3.1_bootloader_ownership.sh create mode 100644 etc/conf.d/3.1_bootloader_ownership.cfg diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh new file mode 100755 index 0000000..b31250d --- /dev/null +++ b/bin/hardening/3.1_bootloader_ownership.sh @@ -0,0 +1,72 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.1 Set User/Group Owner on bootloader config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assertion : Grub Based. + +FILE='/boot/grub/grub.cfg' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + info "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/3.1_bootloader_ownership.cfg b/etc/conf.d/3.1_bootloader_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/3.1_bootloader_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 5d534b3..b04f2bc 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -1,5 +1,54 @@ # CIS Debian 7 Hardening Utility functions +# +# File manipulation +# + +does_file_exist() { + local FILE=$1 + if [ -e $FILE ]; then + FNRET=0 + else + FNRET=1 + fi +} + +has_file_correct_ownership() { + local FILE=$1 + local USER=$2 + local GROUP=$3 + local USERID=$(id -u $USER) + local GROUPID=$(id -u $GROUP) + + if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then + FNRET=0 + else + FNRET=1 + fi +} + +# +# User manipulation +# + +does_user_exist() { + local USER=$1 + if $(getent passwd $USER >/dev/null 2>&1); then + FNRET=0 + else + FNRET=1 + fi +} + +does_group_exist() { + local GROUP=$1 + if $(getent group $GROUP >/dev/null 2>&1); then + FNRET=0 + else + FNRET=1 + fi +} + # # Service Boot Checks #