Update changelog

Fix race condition on /etc/passwd, /etc/shadow and /etc/group
IMP(5.2.3): 640 permission is now ok for the check
2025-07-15 21:32:17 +02:00 · 2020-11-16 14:21:47 +01:00 · 2020-11-16 14:09:12 +01:00 · 2020-11-16 14:08:42 +01:00 · 2020-11-16 14:06:39 +01:00 · 2020-11-12 10:17:32 +01:00
19 changed files with 190 additions and 63 deletions
--- a/bin/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/3.1.1_disable_ip_forwarding.sh
@ -21,9 +21,9 @@ SYSCTL_EXP_RESULT=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
-    does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
-        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        does_sysctl_param_exists "net.ipv6"
+        if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+            has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
            if [ $FNRET != 0 ]; then
                crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
            elif [ $FNRET = 255 ]; then
@ -37,16 +37,18 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-    if [ $FNRET != 0 ]; then
-        warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
-        set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
-        sysctl -w net.ipv4.route.flush=1 > /dev/null
-    elif [ $FNRET = 255 ]; then
-        warn "$SYSCTL_PARAM does not exist -- Typo?"
-    else
-        ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
-    fi
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
+        has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+        if [ $FNRET != 0 ]; then
+            warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
+            set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+            sysctl -w net.ipv4.route.flush=1 > /dev/null
+        elif [ $FNRET = 255 ]; then
+            warn "$SYSCTL_PARAM does not exist -- Typo?"
+        else
+            ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+        fi
+    done
 }

 # This function will check config parameters required
--- a/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
+++ b/bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh
@ -5,50 +5,113 @@
 #

 #
-# 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
 #

 set -e # One error, it's over
 set -u # One variable unset, it's over

-HARDENING_LEVEL=3
-DESCRIPTION="Ensure logfile are created with root:640"
+# Note: this is not exacly the same check as the one described in CIS PDF

-PATTERN='options[[:space:]]*{[[:alnum:] ()_;"\t]*perm\(0640\);'
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Create and set permissions on syslog-ng logfiles."
+
+PERMISSIONS=''
+USER=''
+GROUP=''
+EXCEPTIONS=''

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
+    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
    for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            FOUND=1
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            warn "$FILE does not exist"
+        else
+            FOUND_EXC=0
+            if grep -q "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+                debug "$FILE is found in exceptions"
+                debug "Setting special user:group:perm"
+                FOUND_EXC=1
+                local user_bak="$USER"
+                local group_bak="$GROUP"
+                local perm_bak="$PERMISSIONS"
+                USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+                GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+                PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+            fi
+            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct ownership ($USER:$GROUP)"
+            else
+                crit "$FILE ownership was not set to $USER:$GROUP"
+            fi
+            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct permissions ($PERMISSIONS)"
+            else
+                crit "$FILE permissions were not set to $PERMISSIONS"
+            fi
+            if [ "$FOUND_EXC" = 1 ]; then
+                debug "Resetting user:group:perm"
+                USER="$user_bak"
+                GROUP="$group_bak"
+                PERMISSIONS="$perm_bak"
+            fi
        fi
    done
-
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES"
-    fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
    for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
-        if [ $FNRET = 0 ]; then
-            FOUND=1
+        does_file_exist "$FILE"
+        if [ "$FNRET" != 0 ]; then
+            info "$FILE does not exist"
+            filedir=$(dirname "${FILE#/var/log/}")
+            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
+                debug "Creating /var/log/$filedir for $FILE"
+                debug "mkdir -p /var/log/$filedir"
+                mkdir -p /var/log/"$filedir"
+            fi
+            touch "$FILE"
+        fi
+        FOUND_EXC=0
+        if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+            debug "$FILE is found in exceptions"
+            debug "Setting special user:group:perm"
+            FOUND_EXC=1
+            local user_bak="$USER"
+            local group_bak="$GROUP"
+            local perm_bak="$PERMISSIONS"
+            USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+            GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+            PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        if [ "$FOUND_EXC" = 1 ]; then
+            debug "Resetting user:group:perm"
+            USER="$user_bak"
+            GROUP="$group_bak"
+            PERMISSIONS="$perm_bak"
        fi
    done
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
-    fi
 }

 # This function will create the config file for this check with default values
@ -56,12 +119,27 @@ create_config() {
    cat <<EOF
 status=audit
 SYSLOG_BASEDIR='/etc/syslog-ng'
+PERMISSIONS='640'
+USER='root'
+GROUP='adm'
+# Put exceptions here with file:user:group:permissions
+# example: /dev/null:root:root:666
+EXCEPTIONS=''
 EOF
 }

 # This function will check config parameters required
 check_config() {
-    :
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
 }

 # Source Root Dir Parameter
@ -75,8 +153,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi

 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
--- a/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
+++ b/bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh
@ -28,8 +28,13 @@ audit () {
        if [ $FNRET = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
        else
-            ERRORS=$((ERRORS+1))
-            crit "$FILE permissions were not set to $PERMISSIONS"
+            has_file_correct_permissions $FILE 640
+            if [ $FNRET = 0 ]; then
+                ok "$FILE permissions were set to $PERMISSIONS"
+            else
+                ERRORS=$((ERRORS+1))
+                crit "$FILE permissions were not set to $PERMISSIONS"
+            fi
        fi

    done
@ -64,8 +69,13 @@ apply () {
        if [ $FNRET = 0 ]; then
            ok "$FILE permissions were set to $PERMISSIONS"
        else
-            warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
-            chmod 0$PERMISSIONS $FILE
+            has_file_correct_permissions $FILE 640
+            if [ $FNRET = 0 ]; then
+                ok "$FILE permissions were set to $PERMISSIONS"
+            else
+                warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
+                chmod 0$PERMISSIONS $FILE
+            fi
        fi
    done

--- a/bin/hardening/6.2.10_check_user_dot_file_perm.sh
+++ b/bin/hardening/6.2.10_check_user_dot_file_perm.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/.[A-Za-z0-9]*; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
@ -42,7 +42,7 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        for FILE in $DIR/.[A-Za-z0-9]*; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
                FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")
--- a/bin/hardening/6.2.11_find_user_forward_files.sh
+++ b/bin/hardening/6.2.11_find_user_forward_files.sh
@ -19,7 +19,7 @@ FILENAME='.forward'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/$FILENAME; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.12_find_user_netrc_files.sh
+++ b/bin/hardening/6.2.12_find_user_netrc_files.sh
@ -19,7 +19,7 @@ FILENAME='.netrc'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/$FILENAME; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.13_set_perm_on_user_netrc.sh
+++ b/bin/hardening/6.2.13_set_perm_on_user_netrc.sh
@ -19,7 +19,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/.netrc; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.14_find_user_rhosts_files.sh
+++ b/bin/hardening/6.2.14_find_user_rhosts_files.sh
@ -19,7 +19,7 @@ FILENAME=".rhosts"

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
    debug "Working on $DIR"
        for FILE in $DIR/$FILENAME; do
            if [ ! -h "$FILE" -a -f "$FILE" ]; then
--- a/bin/hardening/6.2.16_check_duplicate_uid.sh
+++ b/bin/hardening/6.2.16_check_duplicate_uid.sh
@ -21,7 +21,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db passwd | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
    FOUND_EXCEPTIONS=""
    for LINE in $RESULT; do
        debug "Working on line $LINE"
--- a/bin/hardening/6.2.17_check_duplicate_gid.sh
+++ b/bin/hardening/6.2.17_check_duplicate_gid.sh
@ -20,7 +20,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" /etc/group | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db group | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
    for LINE in $RESULT; do
        debug "Working on line $LINE"
        OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")
--- a/bin/hardening/6.2.18_check_duplicate_username.sh
+++ b/bin/hardening/6.2.18_check_duplicate_username.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
    for LINE in $RESULT; do 
        debug "Working on line $LINE"
        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
--- a/bin/hardening/6.2.19_check_duplicate_groupname.sh
+++ b/bin/hardening/6.2.19_check_duplicate_groupname.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
    for LINE in $RESULT; do 
        debug "Working on line $LINE"
        OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
--- a/bin/hardening/6.2.1_remove_empty_password_field.sh
+++ b/bin/hardening/6.2.1_remove_empty_password_field.sh
@ -14,12 +14,11 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=1
 DESCRIPTION="Ensure password fields are not empty in /etc/shadow."

-FILE='/etc/shadow'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
    info "Checking if accounts have an empty password"
-    RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
    if [ ! -z "$RESULT" ]; then
        crit "Some accounts have an empty password"
        crit $RESULT
@ -30,7 +29,7 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
    if [ ! -z "$RESULT" ]; then
        warn "Some accounts have an empty password"
        for ACCOUNT in $RESULT; do
--- a/bin/hardening/6.2.7_users_valid_homedir.sh
+++ b/bin/hardening/6.2.7_users_valid_homedir.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
    for LINE in $RESULT; do 
        debug "Working on $LINE"
        USER=$(awk -F: {'print $1'} <<< $LINE)
--- a/bin/hardening/6.2.8_check_user_dir_perm.sh
+++ b/bin/hardening/6.2.8_check_user_dir_perm.sh
@ -18,7 +18,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"
@ -57,7 +57,7 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"
--- a/bin/hardening/6.2.9_users_valid_homedir.sh
+++ b/bin/hardening/6.2.9_users_valid_homedir.sh
@ -21,7 +21,7 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    debug "Checking homedir exists"
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
    for LINE in $RESULT; do
        debug "Working on $LINE"
        USER=$(awk -F: {'print $1'} <<< $LINE)
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,17 @@
+cis-hardening (2.0-6) unstable; urgency=medium
+
+  * Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group
+  * Fix permissions in 5.2.3
+  * Revert 4.2.2.3 to old check (8.2.4)
+
+ -- Thibault Ayanides <tayanide@owhcloud.com>  Mon, 16 Nov 2020 14:19:35 +0100
+
+cis-hardening (2.0-5) unstable; urgency=medium
+
+  * Hotfix for 3.1.1 wich resulted to a fail check if ipv6 is disabled 
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Thu, 12 Nov 2020 10:15:46 +0100
+
 cis-hardening (2.0-4) unstable; urgency=medium
  * Add deleted checks during renaming which should be here (3.2.6, 3.2.7, 6.2.7)
  * Delete 4.2.2, duplicate with 4.2.3
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -126,6 +126,11 @@ _does_pattern_exist_in_file() {
    fi
 }

+get_db() {
+    local DB="$1"
+    $SUDO_CMD getent --service files "$DB"
+}
+
 # Look for pattern in file that can spread over multiple lines
 # The func will remove commented lines (that begin with '#')
 # and consider the file as one long line.
--- a/tests/hardening/3.1.1_disable_ip_forwarding.sh
+++ b/tests/hardening/3.1.1_disable_ip_forwarding.sh
@ -6,5 +6,23 @@ test_audit() {
    # shellcheck disable=2154
    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

-    # TODO fill comprehensive tests
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Tests purposely failing
+        sysctl -w net.ipv4.ip_forward=1 2>/dev/null
+        register_test retvalshouldbe 1
+        register_test contain "net.ipv4.ip_forward was not set to 0"
+        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "correctly set to 0"
+        register_test contain "net.ipv4.ip_forward correctly set to 0"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }
Author	SHA1	Message	Date
Thibault Ayanides	e288835381	Update changelog	2020-11-16 14:21:47 +01:00
Thibault Ayanides	fbd26ceefa	Fix race condition on /etc/passwd, /etc/shadow and /etc/group	2020-11-16 14:09:12 +01:00
Thibault Ayanides	501ce8c651	IMP(5.2.3): 640 permission is now ok for the check	2020-11-16 14:08:42 +01:00
Thibault Ayanides	829ee8631f	Revert to previous check (8.2.4 in old num)	2020-11-16 14:06:39 +01:00
Thibault Ayanides	6620a82f34	Update changelog	2020-11-12 10:17:32 +01:00
Thibault	3c7a03445c	FIX(3.1.1): fix unbound variable issue	2020-11-12 10:15:41 +01:00