Update changelog

bin/hardening/3.1.1_disable_ip_forwarding.sh

@@ -22,7 +22,7 @@ SYSCTL_EXP_RESULT=0
 audit () {
     for SYSCTL_PARAM in $SYSCTL_PARAMS; do
         does_sysctl_param_exists "net.ipv6"
-    if [ $FNRET = 0 ] || [[ ! $SYSCTL_VALUES =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
+        if [ $FNRET = 0 ] || [[ ! $SYSCTL_PARAM =~ .*ipv6.* ]]; then # IPv6 is enabled or SYSCTL_VALUES doesn't contain ipv6
             has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
             if [ $FNRET != 0 ]; then
                 crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
@@ -37,6 +37,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
+    for SYSCTL_PARAM in $SYSCTL_PARAMS; do
         has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
         if [ $FNRET != 0 ]; then
             warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT -- Fixing"
@@ -47,6 +48,7 @@ apply () {
         else
             ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
         fi
+    done
 }
 
 # This function will check config parameters required

bin/hardening/4.2.2.3_syslog_ng_logfiles_perm.sh

@@ -5,50 +5,113 @@
 #
 
 #
-# 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored)
+# 4.2.2.3 Create and Set Permissions on syslog-ng Log Files (Scored)
 #
 
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
-HARDENING_LEVEL=3
+# Note: this is not exacly the same check as the one described in CIS PDF
-DESCRIPTION="Ensure logfile are created with root:640"
 
-PATTERN='options[[:space:]]*{[[:alnum:] ()_;"\t]*perm\(0640\);'
+# shellcheck disable=2034
+HARDENING_LEVEL=3
+# shellcheck disable=2034
+DESCRIPTION="Create and set permissions on syslog-ng logfiles."
+
+PERMISSIONS=''
+USER=''
+GROUP=''
+EXCEPTIONS=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    FOUND=0
+    FILES=$(grep "file(" "$SYSLOG_BASEDIR"/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $($SUDO_CMD find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
     for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+        does_file_exist "$FILE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" != 0 ]; then
-            FOUND=1
+            warn "$FILE does not exist"
+        else
+            FOUND_EXC=0
+            if grep -q "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+                debug "$FILE is found in exceptions"
+                debug "Setting special user:group:perm"
+                FOUND_EXC=1
+                local user_bak="$USER"
+                local group_bak="$GROUP"
+                local perm_bak="$PERMISSIONS"
+                USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+                GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+                PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+            fi
+            has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct ownership ($USER:$GROUP)"
+            else
+                crit "$FILE ownership was not set to $USER:$GROUP"
+            fi
+            has_file_correct_permissions "$FILE" "$PERMISSIONS"
+            if [ "$FNRET" = 0 ]; then
+                ok "$FILE has correct permissions ($PERMISSIONS)"
+            else
+                crit "$FILE permissions were not set to $PERMISSIONS"
+            fi
+            if [ "$FOUND_EXC" = 1 ]; then
+                debug "Resetting user:group:perm"
+                USER="$user_bak"
+                GROUP="$group_bak"
+                PERMISSIONS="$perm_bak"
+            fi
         fi
     done
-
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES"
-    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    FOUND=0
-    FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find -L $SYSLOG_BASEDIR/conf.d/ -type f)"
     for FILE in $FILES; do
-       does_pattern_exist_in_file_multiline "$FILE" "$PATTERN"
+        does_file_exist "$FILE"
-        if [ $FNRET = 0 ]; then
+        if [ "$FNRET" != 0 ]; then
-            FOUND=1
+            info "$FILE does not exist"
+            filedir=$(dirname "${FILE#/var/log/}")
+            if [ ! "$filedir" = "." ] && [ ! -d /var/log/"$filedir" ]; then
+                debug "Creating /var/log/$filedir for $FILE"
+                debug "mkdir -p /var/log/$filedir"
+                mkdir -p /var/log/"$filedir"
+            fi
+            touch "$FILE"
+        fi
+        FOUND_EXC=0
+        if grep "$FILE" <(tr ' ' '\n' <<< "$EXCEPTIONS" | cut -d ":" -f 1); then
+            debug "$FILE is found in exceptions"
+            debug "Setting special user:group:perm"
+            FOUND_EXC=1
+            local user_bak="$USER"
+            local group_bak="$GROUP"
+            local perm_bak="$PERMISSIONS"
+            USER="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 2)"
+            GROUP="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 3)"
+            PERMISSIONS="$(tr ' ' '\n' <<< "$EXCEPTIONS" | grep "$FILE" | cut -d':' -f 4)"
+        fi
+        has_file_correct_ownership "$FILE" "$USER" "$GROUP"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct ownership"
+        else
+            warn "fixing $FILE ownership to $USER:$GROUP"
+            chown "$USER":"$GROUP" "$FILE"
+        fi
+        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        if [ "$FNRET" = 0 ]; then
+            ok "$FILE has correct permissions"
+        else
+            info "fixing $FILE permissions to $PERMISSIONS"
+            chmod 0"$PERMISSIONS" "$FILE"
+        fi
+        if [ "$FOUND_EXC" = 1 ]; then
+            debug "Resetting user:group:perm"
+            USER="$user_bak"
+            GROUP="$group_bak"
+            PERMISSIONS="$perm_bak"
         fi
     done
-    if [ $FOUND = 1 ]; then
-        ok "$PATTERN is present in $FILES"
-    else
-        crit "$PATTERN is not present in $FILES, please set a remote host to send your logs"
-    fi
 }
 
 # This function will create the config file for this check with default values
@@ -56,12 +119,27 @@ create_config() {
     cat <<EOF
 status=audit
 SYSLOG_BASEDIR='/etc/syslog-ng'
+PERMISSIONS='640'
+USER='root'
+GROUP='adm'
+# Put exceptions here with file:user:group:permissions
+# example: /dev/null:root:root:666
+EXCEPTIONS=''
 EOF
 }
 
 # This function will check config parameters required
 check_config() {
-    :
+    does_user_exist "$USER"
+    if [ "$FNRET" != 0 ]; then
+        crit "$USER does not exist"
+        exit 128
+    fi
+    does_group_exist $GROUP
+    if [ "$FNRET" != 0 ]; then
+        crit "$GROUP does not exist"
+        exit 128
+    fi
 }
 
 # Source Root Dir Parameter
@@ -75,8 +153,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128

bin/hardening/5.2.3_ssh_host_public_keys_perm_ownership.sh

@@ -25,12 +25,17 @@ audit () {
     for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
     do
         has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE permissions were set to $PERMISSIONS"
+        else
+            has_file_correct_permissions $FILE 640
             if [ $FNRET = 0 ]; then
                 ok "$FILE permissions were set to $PERMISSIONS"
             else
                 ERRORS=$((ERRORS+1))
                 crit "$FILE permissions were not set to $PERMISSIONS"
             fi
+        fi
 
     done
 
@@ -61,12 +66,17 @@ apply () {
     for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');
     do
         has_file_correct_permissions $FILE $PERMISSIONS
+        if [ $FNRET = 0 ]; then
+            ok "$FILE permissions were set to $PERMISSIONS"
+        else
+            has_file_correct_permissions $FILE 640
             if [ $FNRET = 0 ]; then
                 ok "$FILE permissions were set to $PERMISSIONS"
             else
                 warn "fixing $DIR SSH public keys permissions to $USER:$GROUP"
                 chmod 0$PERMISSIONS $FILE
             fi
+        fi
     done
 
     for FILE in $($SUDO_CMD find $DIR -xdev -type f -name 'ssh_host_*_key.pub');

bin/hardening/6.2.10_check_user_dot_file_perm.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/.[A-Za-z0-9]*; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then
@@ -42,7 +42,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         for FILE in $DIR/.[A-Za-z0-9]*; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then
                 FILEPERM=$(ls -ld $FILE | cut -f1 -d" ")

bin/hardening/6.2.11_find_user_forward_files.sh

@@ -19,7 +19,7 @@ FILENAME='.forward'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/$FILENAME; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.12_find_user_netrc_files.sh

@@ -19,7 +19,7 @@ FILENAME='.netrc'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/$FILENAME; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.13_set_perm_on_user_netrc.sh

@@ -19,7 +19,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/.netrc; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.14_find_user_rhosts_files.sh

@@ -19,7 +19,7 @@ FILENAME=".rhosts"
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for DIR in $(get_db passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
     debug "Working on $DIR"
         for FILE in $DIR/$FILENAME; do
             if [ ! -h "$FILE" -a -f "$FILE" ]; then

bin/hardening/6.2.16_check_duplicate_uid.sh

@@ -21,7 +21,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" < /etc/passwd | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db passwd | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
     FOUND_EXCEPTIONS=""
     for LINE in $RESULT; do
         debug "Working on line $LINE"

bin/hardening/6.2.17_check_duplicate_gid.sh

@@ -20,7 +20,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cut -f3 -d":" /etc/group | sort -n | uniq -c | awk '{print $1":"$2}' )
+    RESULT=$(get_db group | cut -f3 -d":" | sort -n | uniq -c | awk '{print $1":"$2}' )
     for LINE in $RESULT; do
         debug "Working on line $LINE"
         OCC_NUMBER=$(awk -F: '{print $1}' <<< "$LINE")

bin/hardening/6.2.18_check_duplicate_username.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
     for LINE in $RESULT; do 
         debug "Working on line $LINE"
         OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)

bin/hardening/6.2.19_check_duplicate_groupname.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+    RESULT=$(get_db group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
     for LINE in $RESULT; do 
         debug "Working on line $LINE"
         OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)

bin/hardening/6.2.1_remove_empty_password_field.sh

@@ -14,12 +14,11 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=1
 DESCRIPTION="Ensure password fields are not empty in /etc/shadow."
 
-FILE='/etc/shadow'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if accounts have an empty password"
-    RESULT=$($SUDO_CMD cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
     if [ ! -z "$RESULT" ]; then
         crit "Some accounts have an empty password"
         crit $RESULT
@@ -30,7 +29,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
+    RESULT=$(get_db shadow | awk -F: '($2 == "" ) { print $1 }')
     if [ ! -z "$RESULT" ]; then
         warn "Some accounts have an empty password"
         for ACCOUNT in $RESULT; do

bin/hardening/6.2.7_users_valid_homedir.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
     for LINE in $RESULT; do 
         debug "Working on $LINE"
         USER=$(awk -F: {'print $1'} <<< $LINE)

bin/hardening/6.2.8_check_user_dir_perm.sh

@@ -18,7 +18,7 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"
@@ -57,7 +57,7 @@ audit () {
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(get_db passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
         debug "Working on $dir"
         debug "Exceptions : $EXCEPTIONS"
         debug "echo \"$EXCEPTIONS\" | grep -q $dir"

bin/hardening/6.2.9_users_valid_homedir.sh

@@ -21,7 +21,7 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     debug "Checking homedir exists"
-    RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
     for LINE in $RESULT; do
         debug "Working on $LINE"
         USER=$(awk -F: {'print $1'} <<< $LINE)

debian/changelog

@@ -1,3 +1,17 @@
+cis-hardening (2.0-6) unstable; urgency=medium
+
+  * Fix race condition issue with cat /etc/passwd, /etc/shadow, /etc/group
+  * Fix permissions in 5.2.3
+  * Revert 4.2.2.3 to old check (8.2.4)
+
+ -- Thibault Ayanides <tayanide@owhcloud.com>  Mon, 16 Nov 2020 14:19:35 +0100
+
+cis-hardening (2.0-5) unstable; urgency=medium
+
+  * Hotfix for 3.1.1 wich resulted to a fail check if ipv6 is disabled 
+
+ -- Thibault Ayanides <tayanide@ovhcloud.com>  Thu, 12 Nov 2020 10:15:46 +0100
+
 cis-hardening (2.0-4) unstable; urgency=medium
   * Add deleted checks during renaming which should be here (3.2.6, 3.2.7, 6.2.7)
   * Delete 4.2.2, duplicate with 4.2.3

lib/utils.sh

@@ -126,6 +126,11 @@ _does_pattern_exist_in_file() {
     fi
 }
 
+get_db() {
+    local DB="$1"
+    $SUDO_CMD getent --service files "$DB"
+}
+
 # Look for pattern in file that can spread over multiple lines
 # The func will remove commented lines (that begin with '#')
 # and consider the file as one long line.

tests/hardening/3.1.1_disable_ip_forwarding.sh

@@ -6,5 +6,23 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    if [ -f "/.dockerenv" ]; then
+        skip "SKIPPED on docker"
+    else
+        describe Tests purposely failing
+        sysctl -w net.ipv4.ip_forward=1 2>/dev/null
+        register_test retvalshouldbe 1
+        register_test contain "net.ipv4.ip_forward was not set to 0"
+        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+        describe correcting situation
+        sed  -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "correctly set to 0"
+        register_test contain "net.ipv4.ip_forward correctly set to 0"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }