elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2024-11-22 13:37:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

IMP(shellcheck): replace ls parsing by stat

Browse Source
This commit is contained in:
Thibault Ayanides 2020-12-14 16:14:37 +01:00
parent cdaee7786a
commit f4ba90352b
6 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bin/hardening/4.1.12_record_privileged_commands.sh
View File

@ -19,8 +19,8 @@ DESCRIPTION="Collect use of privileged commands."
# Find all files with setuid or setgid set # Find all files with setuid or setgid set
SUDO_CMD='sudo -n' SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | \ AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f |
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }') awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
FILE='/etc/audit/audit.rules' FILE='/etc/audit/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode

2
bin/hardening/5.4.2_disable_system_accounts.sh
View File

@ -27,6 +27,7 @@ ACCEPTED_SHELLS_GREP=''
audit() { audit() {
shells_to_grep_helper shells_to_grep_helper
info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS" info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
# shellcheck disable=SC2086
RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true) RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
IFS_BAK=$IFS IFS_BAK=$IFS
IFS=$'\n' IFS=$'\n'
@ -55,6 +56,7 @@ audit() {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
# shellcheck disable=SC2086
RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true) RESULT=$(grep -Ev "^\+" "$FILE" | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true)
IFS_BAK=$IFS IFS_BAK=$IFS
IFS=$'\n' IFS=$'\n'

4
bin/hardening/5.4.4_default_umask.sh
View File

@ -30,7 +30,7 @@ audit() {
if test -d "$FILE_SEARCHED"; then if test -d "$FILE_SEARCHED"; then
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
for file_in_dir in "$FILE_SEARCHED"/*; do for file_in_dir in "$FILE_SEARCHED"/*; do
[[ -e "$file_in_dir" ]] || break # handle the case of no file in dir [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $file_in_dir" debug "$PATTERN is not present in $file_in_dir"
@ -63,7 +63,7 @@ apply() {
if test -d "$FILE_SEARCHED"; then if test -d "$FILE_SEARCHED"; then
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
for file_in_dir in "$FILE_SEARCHED"/*; do for file_in_dir in "$FILE_SEARCHED"/*; do
[[ -e "$file_in_dir" ]] || break # handle the case of no file in dir [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $file_in_dir" debug "$PATTERN is not present in $file_in_dir"

4
bin/hardening/6.2.10_check_user_dot_file_perm.sh
View File

@ -25,7 +25,7 @@ audit() {
debug "Working on $DIR" debug "Working on $DIR"
for FILE in "$DIR"/.[A-Za-z0-9]*; do for FILE in "$DIR"/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ") FILEPERM=$(stat -c "%A" "$FILE")
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
crit "Group Write permission set on FILE $FILE" crit "Group Write permission set on FILE $FILE"
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
@ -48,7 +48,7 @@ apply() {
for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do for DIR in $(get_db passwd | grep -Ev '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
for FILE in "$DIR"/.[A-Za-z0-9]*; do for FILE in "$DIR"/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then if [ ! -h "$FILE" ] && [ -f "$FILE" ]; then
FILEPERM=$(ls -ld "$FILE" | cut -f1 -d" ") FILEPERM=$(stat -c "%A" "$FILE")
if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then if [ "$(echo "$FILEPERM" | cut -c6)" != "-" ]; then
warn "Group Write permission set on FILE $FILE" warn "Group Write permission set on FILE $FILE"
chmod g-w "$FILE" chmod g-w "$FILE"

5
bin/hardening/6.2.6_sanitize_root_path.sh
View File

@ -34,6 +34,7 @@ audit() {
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
fi fi
FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g') FORMATTED_PATH=$(echo "$path" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
# shellcheck disable=SC2086
set -- $FORMATTED_PATH set -- $FORMATTED_PATH
while [ "${1:-}" != "" ]; do while [ "${1:-}" != "" ]; do
if [ "$1" = "." ]; then if [ "$1" = "." ]; then
@ -41,7 +42,8 @@ audit() {
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
else else
if [ -d "$1" ]; then if [ -d "$1" ]; then
dirperm=$(ls -ldH "$1" | cut -f1 -d" ") dirperm=$(stat -L -c "%A" "$1")
dirown=$(stat -c "%U" "$1")
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
crit "Group Write permission set on directory $1" crit "Group Write permission set on directory $1"
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
@ -50,7 +52,6 @@ audit() {
crit "Other Write permission set on directory $1" crit "Other Write permission set on directory $1"
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))
fi fi
dirown=$(ls -ldH "$1" | awk '{print $3}')
if [ "$dirown" != "root" ]; then if [ "$dirown" != "root" ]; then
crit "$1 is not owned by root" crit "$1 is not owned by root"
ERRORS=$((ERRORS + 1)) ERRORS=$((ERRORS + 1))

2
bin/hardening/99.2_disable_usb_devices.sh
View File

@ -61,7 +61,7 @@ apply() {
debug "$FILE_SEARCHED is a directory" debug "$FILE_SEARCHED is a directory"
for file_in_dir in "$FILE_SEARCHED"/*; do for file_in_dir in "$FILE_SEARCHED"/*; do
[[ -e "$file_in_dir" ]] || break # handle the case of no file in dir [[ -e "$file_in_dir" ]] || break # handle the case of no file in dir
does_pattern_exist_in_file "$file_in_dir" "^$PATTERN" does_pattern_exist_in_file "$file_in_dir" "^$PATTERN"
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$PATTERN is not present in $file_in_dir" debug "$PATTERN is not present in $file_in_dir"