mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
IMP(shellcheck): replace ls parsing by stat
This commit is contained in:
parent
cdaee7786a
commit
f4ba90352b
@ -19,7 +19,7 @@ DESCRIPTION="Collect use of privileged commands."
|
|||||||
|
|
||||||
# Find all files with setuid or setgid set
|
# Find all files with setuid or setgid set
|
||||||
SUDO_CMD='sudo -n'
|
SUDO_CMD='sudo -n'
|
||||||
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | \
|
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
|
||||||
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
|
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
|
||||||
FILE='/etc/audit/audit.rules'
|
FILE='/etc/audit/audit.rules'
|
||||||
|
|
||||||
|
@ -27,6 +27,7 @@ ACCEPTED_SHELLS_GREP=''
|
|||||||
audit() {
|
audit() {
|
||||||
shells_to_grep_helper
|
shells_to_grep_helper
|
||||||
info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
|
info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
|
||||||
|
# shellcheck disable=SC2086
|
||||||
RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
|
RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
|
||||||
IFS_BAK=$IFS
|
IFS_BAK=$IFS
|
||||||
IFS=$'\n'
|
IFS=$'\n'
|
||||||
@ -55,6 +56,7 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
|
# shellcheck disable=SC2086
|
||||||
RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
|
RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
|
||||||
IFS_BAK=$IFS
|
IFS_BAK=$IFS
|
||||||
IFS=$'\n'
|
IFS=$'\n'
|
||||||
|
@ -25,7 +25,7 @@ audit() {
|
|||||||
debug "Working on $DIR"
|
debug "Working on $DIR"
|
||||||
for FILE in "$DIR"/.[A-Za-z0-9]*; do
|
for FILE in "$DIR"/.[A-Za-z0-9]*; do
|
||||||
if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
|
if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
|
||||||
FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
|
FILEPERM=$(stat -c "%A" "$FILE")
|
||||||
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
|
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
|
||||||
crit "Group Write permission set on FILE $FILE"
|
crit "Group Write permission set on FILE $FILE"
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
@ -48,7 +48,7 @@ apply() {
|
|||||||
for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
|
||||||
for FILE in "$DIR"/.[A-Za-z0-9]*; do
|
for FILE in "$DIR"/.[A-Za-z0-9]*; do
|
||||||
if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
|
if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
|
||||||
FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ")
|
FILEPERM=$(stat -c "%A" "$FILE")
|
||||||
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
|
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
|
||||||
warn "Group Write permission set on FILE $FILE"
|
warn "Group Write permission set on FILE $FILE"
|
||||||
chmod g-w "$FILE"
|
chmod g-w "$FILE"
|
||||||
|
@ -34,6 +34,7 @@ audit() {
|
|||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
fi
|
fi
|
||||||
FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
|
FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
|
||||||
|
# shellcheck disable=SC2086
|
||||||
set -- $FORMATTED_PATH
|
set -- $FORMATTED_PATH
|
||||||
while [ "${1:-}" != "" ]; do
|
while [ "${1:-}" != "" ]; do
|
||||||
if [ "$1" = "." ]; then
|
if [ "$1" = "." ]; then
|
||||||
@ -41,7 +42,8 @@ audit() {
|
|||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
else
|
else
|
||||||
if [ -d "$1" ]; then
|
if [ -d "$1" ]; then
|
||||||
dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
|
dirperm=$(stat -L -c "%A" "$1")
|
||||||
|
dirown=$(stat -c "%U" "$1")
|
||||||
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
|
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
|
||||||
crit "Group Write permission set on directory $1"
|
crit "Group Write permission set on directory $1"
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
@ -50,7 +52,6 @@ audit() {
|
|||||||
crit "Other Write permission set on directory $1"
|
crit "Other Write permission set on directory $1"
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
fi
|
fi
|
||||||
dirown=$(ls -ldH "$1" | awk '{print $3}')
|
|
||||||
if [ "$dirown" != "root" ]; then
|
if [ "$dirown" != "root" ]; then
|
||||||
crit "$1 is not owned by root"
|
crit "$1 is not owned by root"
|
||||||
ERRORS=$((ERRORS + 1))
|
ERRORS=$((ERRORS + 1))
|
||||||
|
Loading…
Reference in New Issue
Block a user