From f829cdacf2be15e85bd1ccdcea9a6ad39dcd37a2 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sun, 17 Apr 2016 22:30:20 +0200 Subject: [PATCH] 13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh --- bin/hardening/13.10_find_user_rhosts_files.sh | 5 +- bin/hardening/13.15_check_duplicate_gid.sh | 4 +- .../13.16_check_duplicate_username.sh | 58 ++++++++++++++++ .../13.17_check_duplicate_groupname.sh | 58 ++++++++++++++++ bin/hardening/13.18_find_user_netrc_files.sh | 57 ++++++++++++++++ .../13.19_find_user_forward_files.sh | 57 ++++++++++++++++ bin/hardening/13.20_shadow_group_empty.sh | 67 +++++++++++++++++++ etc/conf.d/13.16_check_duplicate_username.cfg | 2 + .../13.17_check_duplicate_groupname.cfg | 2 + etc/conf.d/13.18_find_user_netrc_files.cfg | 2 + etc/conf.d/13.19_find_user_forward_files.cfg | 2 + etc/conf.d/13.20_shadow_group_empty.cfg | 2 + 12 files changed, 312 insertions(+), 4 deletions(-) create mode 100755 bin/hardening/13.16_check_duplicate_username.sh create mode 100755 bin/hardening/13.17_check_duplicate_groupname.sh create mode 100755 bin/hardening/13.18_find_user_netrc_files.sh create mode 100755 bin/hardening/13.19_find_user_forward_files.sh create mode 100755 bin/hardening/13.20_shadow_group_empty.sh create mode 100644 etc/conf.d/13.16_check_duplicate_username.cfg create mode 100644 etc/conf.d/13.17_check_duplicate_groupname.cfg create mode 100644 etc/conf.d/13.18_find_user_netrc_files.cfg create mode 100644 etc/conf.d/13.19_find_user_forward_files.cfg create mode 100644 etc/conf.d/13.20_shadow_group_empty.cfg diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh index 9e01752..8fa7ea9 100755 --- a/bin/hardening/13.10_find_user_rhosts_files.sh +++ b/bin/hardening/13.10_find_user_rhosts_files.sh 
@@ -13,12 +13,13 @@ set -e # One error, it's over set -u # One variable unset, it's over ERRORS=0 +FILENAME=".rhosts" # This function will be called if the script status is on enabled / audit mode audit () { for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do debug "Working on $DIR" - for FILE in $DIR/.rhosts; do + for FILE in $DIR/$FILENAME; do if [ ! -h "$FILE" -a -f "$FILE" ]; then crit "$FILE present" ERRORS=$((ERRORS+1)) @@ -27,7 +28,7 @@ audit () { done if [ $ERRORS = 0 ]; then - ok "No .rhosts present in users files" + ok "No $FILENAME present in users files" fi } diff --git a/bin/hardening/13.15_check_duplicate_gid.sh b/bin/hardening/13.15_check_duplicate_gid.sh index e74ec56..b07b5b7 100755 --- a/bin/hardening/13.15_check_duplicate_gid.sh +++ b/bin/hardening/13.15_check_duplicate_gid.sh @@ -24,12 +24,12 @@ audit () { if [ $OCC_NUMBER -gt 1 ]; then USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs) ERRORS=$((ERRORS+1)) - crit "Duplicate UID ($GROUPID): ${USERS}" + crit "Duplicate GID ($GROUPID): ${USERS}" fi done if [ $ERRORS = 0 ]; then - ok "No duplicate GIDss" + ok "No duplicate GIDs" fi } diff --git a/bin/hardening/13.16_check_duplicate_username.sh b/bin/hardening/13.16_check_duplicate_username.sh new file mode 100755 index 0000000..172198b --- /dev/null +++ b/bin/hardening/13.16_check_duplicate_username.sh 
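Review bot: In the 13.15 hunk the message now correctly says `Duplicate GID`, but the `${USERS}` it prints still comes from the unchanged line just above it, `USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)`, which matches field 3 of /etc/passwd (UIDs) against a GID, so the report lists accounts whose UID happens to equal the duplicated GID rather than the groups that share it. Reading the group database instead, `USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/group | xargs)`, makes the finding name the colliding groups; renaming the variable (to something other than `GROUPS`, which is a bash special variable) would keep the next reader from repeating the mix-up. audit() in that hunk begins before the hunk header. The two 13.10 hunks on this line only extract the `.rhosts` constant and need no change.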
@@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.16 Check for Duplicate User Names (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} ) + for LINE in $RESULT; do + debug "Working on line $LINE" + OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE) + USERNAME=$(awk -F: {'print $2'} <<< $LINE) + if [ $OCC_NUMBER -gt 1 ]; then + USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs) + ERRORS=$((ERRORS+1)) + crit "Duplicate username $USERNAME" + fi + done + + if [ $ERRORS = 0 ]; then + ok "No duplicate usernames" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Editing automatically username may seriously harm your system, report only here" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.17_check_duplicate_groupname.sh b/bin/hardening/13.17_check_duplicate_groupname.sh new file mode 100755 index 0000000..ab1e36b --- /dev/null +++ b/bin/hardening/13.17_check_duplicate_groupname.sh 
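Review bot: The root-dir guard at the end of 13.16 prints `No CIS_ROOT_DIR variable, aborting` but never exits, so with CIS_ROOT_DIR set to an empty string the script falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh` and sources `/lib/main.sh` if such a file happens to be readable; add `exit 128` after the echo and write the test as `[ -z "$CIS_ROOT_DIR" ]` so an empty value is not reduced to a one-argument `[ -z ]` (with `set -u`, a completely unset variable already aborts on that line before the message is reached). The same tail is pasted into 13.17, 13.18, 13.19 and 13.20 and needs the same fix. Separately, `USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)` in audit() is left over from the GID check: it compares UIDs with a username, is always empty and is never used, here or in 13.17, so it should be deleted rather than kept as a misleading lookup.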
@@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.17 Check for Duplicate Group Names (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} ) + for LINE in $RESULT; do + debug "Working on line $LINE" + OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE) + GROUPNAME=$(awk -F: {'print $2'} <<< $LINE) + if [ $OCC_NUMBER -gt 1 ]; then + USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs) + ERRORS=$((ERRORS+1)) + crit "Duplicate groupname $GROUPNAME" + fi + done + + if [ $ERRORS = 0 ]; then + ok "No duplicate groupnames" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Editing automatically groupname may seriously harm your system, report only here" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.18_find_user_netrc_files.sh b/bin/hardening/13.18_find_user_netrc_files.sh new file mode 100755 index 0000000..64986ce --- /dev/null +++ b/bin/hardening/13.18_find_user_netrc_files.sh 
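Review bot: `RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )` in 13.17's audit() sorts group names numerically; duplicates only end up adjacent because sort falls back to a byte comparison when the keys are non-numeric, so plain `sort` states the intent, and `cut -d: -f1 /etc/group | sort | uniq -d` would yield the duplicated names directly without the useless `cat`. 13.16 builds its username list the same way. The `awk {'print $1":"$2'}` form, with the braces outside the quotes, works only because bash leaves a lone `{...}` without a comma alone; `awk '{print $1":"$2}'` is the conventional spelling and is what a reader expects.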
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.18 Check for Presence of User .netrc Files (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 +FILENAME='.netrc' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/$FILENAME; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + crit "$FILE present" + ERRORS=$((ERRORS+1)) + fi + done + done + + if [ $ERRORS = 0 ]; then + ok "No $FILENAME present in users files" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "If the audit returns something, please check with the user why he has this file" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.19_find_user_forward_files.sh b/bin/hardening/13.19_find_user_forward_files.sh new file mode 100755 index 0000000..920ad49 --- /dev/null +++ b/bin/hardening/13.19_find_user_forward_files.sh 
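Review bot: The home-directory list in 13.18's audit(), `for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | ...)`, filters on the whole passwd line with an unanchored pattern, so any account whose name, GECOS or home path merely contains one of those words (an `rsync` service user, a `/srv/sync` home, ...) is silently excluded and a `.netrc` in that home is never reported; match the login field instead, e.g. `awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/nonexistent" { print $6 }' /etc/passwd`. The unquoted `$(...)` also word-splits home directories that contain spaces. 13.19 repeats the same loop verbatim, and the existing 13.10 has the same shape. The `! -h "$FILE"` exclusion was carried over from the .rhosts check; since ftp and curl read `.netrc` like any other file, a symlinked `.netrc` still exposes plaintext credentials, so it is probably worth reporting (or a comment should say why it is skipped).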
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.18 Check for Presence of User .netrc Files (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 +FILENAME='.forward' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/$FILENAME; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + crit "$FILE present" + ERRORS=$((ERRORS+1)) + fi + done + done + + if [ $ERRORS = 0 ]; then + ok "No $FILENAME present in users files" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "If the audit returns something, please check with the user why he has this file" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.20_shadow_group_empty.sh b/bin/hardening/13.20_shadow_group_empty.sh new file mode 100755 index 0000000..bc07033 --- /dev/null +++ b/bin/hardening/13.20_shadow_group_empty.sh 
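Review bot: The header comment in 13.19 still reads `# 13.18 Check for Presence of User .netrc Files (Scored)` while the script sets `FILENAME='.forward'`; it should read `# 13.19 Check for Presence of User .forward Files (Scored)`. 13.20_shadow_group_empty.sh carries the same stale 13.18 header and should name the shadow-group check instead. A short comment above `FILENAME` noting that a `.forward` file can redirect a user's mail off-host or hand it to a program would tell whoever triages a finding why this is a scored item and not just a stray dotfile.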
@@ -0,0 +1,67 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.18 Check for Presence of User .netrc Files (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 +FILEGROUP='/etc/group' +PATTERN='^shadow:x:[[:digit:]]+:' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $FILEGROUP $PATTERN + if [ $FNRET = 0 ]; then + info "shadow group exists" + RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4) + GROUPID=$(getent group shadow | cut -d: -f3) + debug "$RESULT $GROUPID" + if [ ! -z "$RESULT" ]; then + crit "Some user belong to shadow group : $RESULT" + else + ok "No one belongs to shadow group" + fi + + info "Checking if a user has $GROUPID as primary group" + RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd) + if [ ! -z "$RESULT" ]; then + crit "Some user have shadow id to their primary group : $RESULT" + else + ok "No one have shadow id to their primary group" + fi + else + crit "shadow group doesn't exist" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "If the audit returns something, please check with the user why he has this file" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
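Review bot: apply() in 13.20 reports `If the audit returns something, please check with the user why he has this file`, pasted from the .netrc script, although this check concerns shadow group membership and no file is involved; a message such as `info "If the audit returns something, review the listed accounts' membership in the shadow group and their primary group, report only here"` matches what audit() actually found. The call `does_pattern_exists_in_file $FILEGROUP $PATTERN` passes the ERE unquoted, and `$PATTERN` contains `[[:digit:]]+`, which the shell treats as a glob before the helper ever sees it; quote both arguments, `does_pattern_exists_in_file "$FILEGROUP" "$PATTERN"`. I cannot see lib/main.sh in this patch, so whether the helper uses `grep -E` (needed for the `+`) is worth confirming, since `grep -E "$PATTERN"` is what the rest of audit() relies on. The two crit messages would also read better as `Some users belong to the shadow group: $RESULT` and `Some users have the shadow GID as their primary group: $RESULT`.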
diff --git a/etc/conf.d/13.16_check_duplicate_username.cfg b/etc/conf.d/13.16_check_duplicate_username.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.16_check_duplicate_username.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.17_check_duplicate_groupname.cfg b/etc/conf.d/13.17_check_duplicate_groupname.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.17_check_duplicate_groupname.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.18_find_user_netrc_files.cfg b/etc/conf.d/13.18_find_user_netrc_files.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.18_find_user_netrc_files.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.19_find_user_forward_files.cfg b/etc/conf.d/13.19_find_user_forward_files.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.19_find_user_forward_files.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.20_shadow_group_empty.cfg b/etc/conf.d/13.20_shadow_group_empty.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.20_shadow_group_empty.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled