From f82a4382469ad130b92a08b156ff5937b23158a9 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sat, 16 Apr 2016 18:11:53 +0200 Subject: [PATCH] 13.7_check_user_dir_perm.sh --- bin/{hardenning.sh => hardening.sh} | 0 bin/hardening/13.7_check_user_dir_perm.sh | 101 ++++++++++++++++++++++ etc/conf.d/13.7_check_user_dir_perm.cfg | 4 + 3 files changed, 105 insertions(+) rename bin/{hardenning.sh => hardening.sh} (100%) create mode 100755 bin/hardening/13.7_check_user_dir_perm.sh create mode 100644 etc/conf.d/13.7_check_user_dir_perm.cfg diff --git a/bin/hardenning.sh b/bin/hardening.sh similarity index 100% rename from bin/hardenning.sh rename to bin/hardening.sh diff --git a/bin/hardening/13.7_check_user_dir_perm.sh b/bin/hardening/13.7_check_user_dir_perm.sh new file mode 100755 index 0000000..bad4299 --- /dev/null +++ b/bin/hardening/13.7_check_user_dir_perm.sh @@ -0,0 +1,101 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.7 Check Permissions on User Home Directories (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 +PERMISSION="750" + +# This function will be called if the script status is on enabled / audit mode +audit () { + for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $dir" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $dir" + if echo "$EXCEPTIONS" | grep -q $dir; then + debug "$dir is confirmed as an exception" + RESULT=$(sed "s!$dir!!" <<< "$RESULT") + else + debug "$dir not found in exceptions" + fi + if [ -d $dir ]; then + dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") + if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + crit "Group Write permission set on directory $dir" + fi + if [ $(echo $dirperm | cut -c8 ) != "-" ]; then + crit "Other Read permission set on directory $dir" + fi + if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + crit "Other Write permission set on directory $dir" + fi + if [ $(echo $dirperm | cut -c10 ) != "-" ]; then + crit "Other Execute permission set on directory $dir" + fi + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $dir" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $dir" + if echo "$EXCEPTIONS" | grep -q $dir; then + debug "$dir is confirmed as an exception" + RESULT=$(sed "s!$dir!!" <<< "$RESULT") + else + debug "$dir not found in exceptions" + fi + if [ -d $dir ]; then + dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") + if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + warn "Group Write permission set on directory $dir" + chmod g-w $dir + fi + if [ $(echo $dirperm | cut -c8 ) != "-" ]; then + warn "Other Read permission set on directory $dir" + chmod o-r $dir + fi + if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + warn "Other Write permission set on directory $dir" + chmod o-w $dir + fi + if [ $(echo $dirperm | cut -c10 ) != "-" ]; then + warn "Other Execute permission set on directory $dir" + chmod o-x $dir + fi + fi + done +} + +# This function will check config parameters required +check_config() { + if [ -z "$EXCEPTIONS" ]; then + EXCEPTIONS="@" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/13.7_check_user_dir_perm.cfg b/etc/conf.d/13.7_check_user_dir_perm.cfg new file mode 100644 index 0000000..cfad1b4 --- /dev/null +++ b/etc/conf.d/13.7_check_user_dir_perm.cfg @@ -0,0 +1,4 @@ +# Configuration for script of same name +status=enabled +# Put here user home directories exceptions, separated by spaces +EXCEPTIONS=""