IMP(12.8,12.9,12.10,12.11): be able to exclude some paths

consider exclusions in apply() functions
IMP(12.8,12.9): be able to exclude some paths
2025-07-15 21:32:17 +02:00 · 2020-03-31 14:22:24 +02:00 · 2020-03-30 19:11:07 +02:00 · 2019-10-22 15:08:56 +02:00 · 2019-10-22 14:14:32 +02:00
6 changed files with 48 additions and 7 deletions
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
+IGNORED_PATH=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are suid files"
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
    # shellcheck disable=2086
-    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
+    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
@ -14,13 +14,18 @@ set -u # One variable unset, it's over
 # shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
+IGNORED_PATH=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are sgid files"
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
    # shellcheck disable=2086
-    FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    if [ ! -z $IGNORED_PATH ]; then
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+    else
+        FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
+    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@ -15,12 +15,17 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find un-owned files and directories."

 USER='root'
+EXCLUDED=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are unowned files"
    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
-    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+    else
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
+    fi
    if [ ! -z "$RESULT" ]; then
        crit "Some unowned files are present"
        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@ -32,7 +37,11 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+    fi
    if [ ! -z "$RESULT" ]; then
        warn "Applying chown on all unowned files in the system"
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@ -15,12 +15,17 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find un-grouped files and directories."

 GROUP='root'
+EXCLUDED=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if there are ungrouped files"
    FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
-    RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+    else
+        RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
+    fi
    if [ ! -z "$RESULT" ]; then
        crit "Some ungrouped files are present"
        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@ -32,7 +37,11 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+    if [ ! -z $EXCLUDED ]; then
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+    fi
    if [ ! -z "$RESULT" ]; then
        warn "Applying chgrp on all ungrouped files in the system"
        df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
--- a/bin/hardening/13.12_users_valid_homedir.sh
+++ b/bin/hardening/13.12_users_valid_homedir.sh
@ -24,7 +24,7 @@ audit () {
        USER=$(awk -F: {'print $1'} <<< $LINE)
        USERID=$(awk -F: {'print $2'} <<< $LINE)
        DIR=$(awk -F: {'print $3'} <<< $LINE)
-        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
+        if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
            crit "The home directory ($DIR) of user $USER does not exist."
            ERRORS=$((ERRORS+1))    
        fi
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,16 @@
+cis-hardening (1.3-3) unstable; urgency=medium
+
+  * changelog: update changelog
+  * IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
+
+ -- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com>  Mon, 30 Mar 2020 19:12:03 +0200
+
+cis-hardening (1.3-2) unstable; urgency=medium
+
+  * IMP(test/13.12): ignore the phony '/nonexistent' home folder
+
+ -- Stéphane Lesimple <stephane.lesimple@corp.ovh.com>  Tue, 22 Oct 2019 15:15:34 +0200
+
 cis-hardening (1.3-1) unstable; urgency=medium

  * Change of version numbering
Author	SHA1	Message	Date
Benjamin MONTHOUEL	70be679567	IMP(12.8,12.9,12.10,12.11): be able to exclude some paths consider exclusions in apply() functions	2020-03-31 14:22:24 +02:00
Benjamin MONTHOUEL	413277d7eb	IMP(12.8,12.9): be able to exclude some paths	2020-03-30 19:11:07 +02:00
Stéphane Lesimple	e62648d6a4	release 1.3.1-1	2019-10-22 15:08:56 +02:00
Stéphane Lesimple	ef5c00fef5	enh: 13.12_users_valid_homedir.sh: ignore /nonexistent special home folder	2019-10-22 14:14:32 +02:00