IMP(12.8,12.9,12.10,12.11): be able to exclude some paths

consider exclusions in apply() functions

bin/hardening/10.2_disable_system_accounts.sh

@@ -14,14 +14,18 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 DESCRIPTION="Disable system accounts, preventing them from interactive login."
 
-SHELL='/bin/false'
+ACCEPTED_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin'
+SHELL_TO_APPLY='/bin/false'
 FILE='/etc/passwd'
 RESULT=''
 
+ACCEPTED_SHELLS_GREP=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    info "Checking if admin accounts have a login shell different than $SHELL"
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    shells_to_grep_helper
+    info "Checking if admin accounts have a login shell different than $ACCEPTED_SHELLS"
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -36,8 +40,9 @@ audit () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        crit "Some admin accounts don't have $SHELL as their login shell"
+        crit "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell"
         crit "$RESULT"
     else
         ok "All admin accounts deactivated"
@@ -46,7 +51,8 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+    RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 ) {print}' | grep -v $ACCEPTED_SHELLS_GREP || true )
+    IFS_BAK=$IFS
     IFS=$'\n'
     for LINE in $RESULT; do
         debug "line : $LINE"
@@ -61,18 +67,25 @@ apply () {
             debug "$ACCOUNT not found in exceptions"
         fi
     done
+    IFS=$IFS_BAK
     if [ ! -z "$RESULT" ]; then
-        warn "Some admin accounts don't have $SHELL as their login shell -- Fixing"
+        warn "Some admin accounts don't have any of $ACCEPTED_SHELLS as their login shell -- Fixing"
         warn "$RESULT"
         for USER in $( echo "$RESULT" | cut -d: -f 1 ); do
-            info "Setting $SHELL as $USER login shell"
-            usermod -s $SHELL $USER
+            info "Setting $SHELL_TO_APPLY as $USER login shell"
+            usermod -s "$SHELL_TO_APPLY" "$USER"
         done
     else
         ok "All admin accounts deactivated, nothing to apply"
     fi
 }
 
+shells_to_grep_helper(){
+    for shell in $ACCEPTED_SHELLS; do
+        ACCEPTED_SHELLS_GREP+=" -e $shell"
+    done
+}
+
 # This function will create the config file for this check with default values
 create_config() {
     cat <<EOF

bin/hardening/12.10_find_suid_files.sh

@@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
+IGNORED_PATH=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are suid files"
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
     # shellcheck disable=2086
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
         FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    fi
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then

bin/hardening/12.11_find_sgid_files.sh

@@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
+IGNORED_PATH=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are sgid files"
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
     # shellcheck disable=2086
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
         FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    fi
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then

bin/hardening/12.8_find_unowned_files.sh

@@ -15,12 +15,17 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find un-owned files and directories."
 
 USER='root'
+EXCLUDED=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are unowned files"
     FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+    else
         RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         crit "Some unowned files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@@ -32,7 +37,11 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
         RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         warn "Applying chown on all unowned files in the system"
         df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER

bin/hardening/12.9_find_ungrouped_files.sh

@@ -15,12 +15,17 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find un-grouped files and directories."
 
 GROUP='root'
+EXCLUDED=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are ungrouped files"
     FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+    else
         RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         crit "Some ungrouped files are present"
         FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@@ -32,7 +37,11 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
         RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+    fi
     if [ ! -z "$RESULT" ]; then
         warn "Applying chgrp on all ungrouped files in the system"
         df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP

bin/hardening/13.12_users_valid_homedir.sh

@@ -24,7 +24,7 @@ audit () {
         USER=$(awk -F: {'print $1'} <<< $LINE)
         USERID=$(awk -F: {'print $2'} <<< $LINE)
         DIR=$(awk -F: {'print $3'} <<< $LINE)
-        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
+        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
             crit "The home directory ($DIR) of user $USER does not exist."
             ERRORS=$((ERRORS+1))    
         fi

bin/hardening/99.3.1_acc_shadow_sha512.sh

@@ -31,6 +31,9 @@ audit () {
         passwd=$(echo "$line" | cut -d ":" -f 2)
         if [[ $passwd = '!' || $passwd = '*' ]]; then
             continue
+        elif [[ $passwd =~ ^!.*$ ]]; then
+            pw_found+="$user "
+            ok "User $user has a disabled password."
         # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
         elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
             pw_found+="$user "

debian/changelog

@@ -1,3 +1,30 @@
+cis-hardening (1.3-3) unstable; urgency=medium
+
+  * changelog: update changelog
+  * IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
+
+ -- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com>  Mon, 30 Mar 2020 19:12:03 +0200
+
+cis-hardening (1.3-2) unstable; urgency=medium
+
+  * IMP(test/13.12): ignore the phony '/nonexistent' home folder
+
+ -- Stéphane Lesimple <stephane.lesimple@corp.ovh.com>  Tue, 22 Oct 2019 15:15:34 +0200
+
+cis-hardening (1.3-1) unstable; urgency=medium
+
+  * Change of version numbering
+
+ -- Charles Herlin <charles.herlin@corp.ovh.com>  Wed, 28 Aug 2019 14:57:33 +0200
+
+cis-hardening (1.2-6) unstable; urgency=medium
+
+  * FIX(test/10.2): backup and restore /etc/passwd after test
+  * IMP(99.3.1): improve check with disabled passwords
+  * FIX(10.2): improve test to check multiple login shells
+
+ -- Charles Herlin <charles.herlin@corp.ovh.com>  Wed, 28 Aug 2019 12:34:52 +0200
+
 cis-hardening (1.2-5) unstable; urgency=medium
 
   * fix(99.4): do not stderr iptables warning on buster

tests/hardening/10.2_disable_system_accounts.sh

@@ -1,10 +1,19 @@
 # run-shellcheck
 test_audit() {
+    cp -a /etc/passwd /tmp/passwd.bak
+
     describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe correcting situation
+    sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    mv /tmp/passwd.bak /etc/passwd
 }

tests/hardening/99.3.1_acc_shadow_sha512.sh

@@ -13,6 +13,12 @@ test_audit() {
     register_test contain "User secaudit has a password that is not SHA512 hashed"
     run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
+    describe Fail: Found disabled password
+    register_test retvalshouldbe 0
+    register_test contain "User secaudit has a disabled password"
+    run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     mv /tmp/shadow.bak /etc/shadow
     chpasswd << EOF
 secaudit:mypassword