v1.3 ... v1.3-3

6 changed files with 48 additions and 7 deletions


@ -14,13 +14,18 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find SUID system executables." DESCRIPTION="Find SUID system executables."
IGNORED_PATH=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are suid files" info "Checking if there are suid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
# shellcheck disable=2086 # shellcheck disable=2086
if [ ! -z $IGNORED_PATH ]; then
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
else
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print) FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
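Review bot: The new guard `if [ ! -z $IGNORED_PATH ]; then` leaves the regex unquoted, so a value containing whitespace or glob characters (an exclusion such as `.*` is glob-expanded against the current directory) turns into a `[` argument error and the `if` silently falls through to the unfiltered `else` branch; the `shellcheck disable=2086` above it was written for `$FS_NAMES`, not for this variable. Write it as `if [ -n "$IGNORED_PATH" ]; then`. The same unquoted test appears in the SGID hunk (`IGNORED_PATH`) and, as `EXCLUDED`, in the audit and apply hunks of the unowned and ungrouped checks. Since a matching regex suppresses a SUID finding, the new `IGNORED_PATH=''` line deserves a comment on its contract, e.g. `# IGNORED_PATH: egrep regex tested by GNU find -regex against the whole path; matching files are dropped from the audit`. audit's body continues outside the hunk.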


@ -14,13 +14,18 @@ set -u # One variable unset, it's over
# shellcheck disable=2034 # shellcheck disable=2034
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find SGID system executables." DESCRIPTION="Find SGID system executables."
IGNORED_PATH=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are sgid files" info "Checking if there are sgid files"
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
# shellcheck disable=2086 # shellcheck disable=2086
if [ ! -z $IGNORED_PATH ]; then
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
else
FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
fi
BAD_BINARIES="" BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then


@ -15,12 +15,17 @@ HARDENING_LEVEL=2
DESCRIPTION="Find un-owned files and directories." DESCRIPTION="Find un-owned files and directories."
USER='root' USER='root'
EXCLUDED=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are unowned files" info "Checking if there are unowned files"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
if [ ! -z $EXCLUDED ]; then
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
else
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some unowned files are present" crit "Some unowned files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@ -32,7 +37,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ ! -z $EXCLUDED ]; then
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Applying chown on all unowned files in the system" warn "Applying chown on all unowned files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
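Review bot: In apply(), the exclusion is only applied to the `RESULT` listing; the remediation on the last context line, `... find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER`, still has no `! -regex "$EXCLUDED"`, so paths the operator excluded are reported as untouched but chown'd anyway. The ungrouped check's apply hunk has the same gap with `chgrp $GROUP`. Both the detection and the chown should run the same predicate, which is easiest by factoring the branch into a helper that takes the trailing find action; apply's body continues outside the hunk.
```shell
# Lists every unowned path on the local filesystems, honoring EXCLUDED
# (egrep regex on the whole path); trailing args are the find action.
find_unowned () {
  if [ -n "$EXCLUDED" ]; then
    df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" "$@" 2>/dev/null
  else
    df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser "$@" 2>/dev/null
  fi
}

apply () {
  RESULT=$(find_unowned -ls)
  if [ ! -z "$RESULT" ]; then
    warn "Applying chown on all unowned files in the system"
    find_unowned -print | xargs chown $USER
    # … unchanged: rest of apply …
```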


@ -15,12 +15,17 @@ HARDENING_LEVEL=2
DESCRIPTION="Find un-grouped files and directories." DESCRIPTION="Find un-grouped files and directories."
GROUP='root' GROUP='root'
EXCLUDED=''
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
info "Checking if there are ungrouped files" info "Checking if there are ungrouped files"
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
if [ ! -z $EXCLUDED ]; then
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
else
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
crit "Some ungrouped files are present" crit "Some ungrouped files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
@ -32,7 +37,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ ! -z $EXCLUDED ]; then
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
else
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null) RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
fi
if [ ! -z "$RESULT" ]; then if [ ! -z "$RESULT" ]; then
warn "Applying chgrp on all ungrouped files in the system" warn "Applying chgrp on all ungrouped files in the system"
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP


@ -24,7 +24,7 @@ audit () {
USER=$(awk -F: {'print $1'} <<< $LINE) USER=$(awk -F: {'print $1'} <<< $LINE)
USERID=$(awk -F: {'print $2'} <<< $LINE) USERID=$(awk -F: {'print $2'} <<< $LINE)
DIR=$(awk -F: {'print $3'} <<< $LINE) DIR=$(awk -F: {'print $3'} <<< $LINE)
if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" -a "$DIR" != "/nonexistent" ]; then
crit "The home directory ($DIR) of user $USER does not exist." crit "The home directory ($DIR) of user $USER does not exist."
ERRORS=$((ERRORS+1)) ERRORS=$((ERRORS+1))
fi fi
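Review bot: The new clause `-a "$DIR" != "/nonexistent"` is quoted, but it is chained with `-a` onto the unquoted `$USERID -ge 1000` and `$USER != "nfsnobody"` tests on the same line, so a passwd entry with an empty name or uid field makes `[` fail with a syntax error instead of evaluating the new condition. Quote those expansions too and split the deprecated `-a` chain, e.g. `if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then`. A short comment on why `/nonexistent` is skipped would help, e.g. `# /nonexistent is the conventional placeholder home for system accounts, not a missing directory`. The enclosing loop and audit() start and end outside the hunk.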

debian/changelog vendored

@ -1,3 +1,16 @@
cis-hardening (1.3-3) unstable; urgency=medium
* changelog: update changelog
* IMP(12.8,12.9,12.10,12.11): be able to exclude some paths
-- Benjamin MONTHOUËL <benjamin.monthouel@ovhcloud.com> Mon, 30 Mar 2020 19:12:03 +0200
cis-hardening (1.3-2) unstable; urgency=medium
* IMP(test/13.12): ignore the phony '/nonexistent' home folder
-- Stéphane Lesimple <stephane.lesimple@corp.ovh.com> Tue, 22 Oct 2019 15:15:34 +0200
cis-hardening (1.3-1) unstable; urgency=medium cis-hardening (1.3-1) unstable; urgency=medium
* Change of version numbering * Change of version numbering