bump to 3.8-1

Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/luizm/action-sh-checker/releases)
- [Commits](https://github.com/luizm/action-sh-checker/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: luizm/action-sh-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>

.github/workflows/compile-manual.yml

@@ -10,7 +10,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Produce debian man
         run: 'docker run --rm --volume "`pwd`:/data" --user `id -u`:`id -g` pandoc/latex:2.6 MANUAL.md -s -t man > debian/cis-hardening.8'
-      - uses: EndBug/add-and-commit@v8.0.2
+      - uses: EndBug/add-and-commit@v9
         with:
           add: 'debian/cis-hardening.8'
           message: 'Regenerate man pages (Github action)'

.github/workflows/pre-release.yml

@@ -21,7 +21,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.2.0
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
         with:
           delete_release: true
           tag_name: latest
@@ -29,12 +29,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       # GET LATEST VERSION TAG
       - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1.5.0
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
         id: get-latest-tag
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog
         id: changelog
-        uses: metcalfc/changelog-generator@v3.0.0
+        uses: metcalfc/changelog-generator@v4.1.0
         with:
           myToken: ${{ secrets.GITHUB_TOKEN }}
           head-ref: ${{ github.sha }}

.github/workflows/shellcheck_and_shellfmt.yml

@@ -10,7 +10,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v3
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.3.0
+        uses: luizm/action-sh-checker@v0.5.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

.github/workflows/tagged-release.yml

@@ -33,7 +33,7 @@ jobs:
           find ../ -name "*.deb" -exec mv {} cis-hardening.deb \;
       # DELETE THE TAG NAMED LATEST AND THE CORRESPONDING RELEASE
       - name: Delete the tag latest and the release latest
-        uses: dev-drprasad/delete-tag-and-release@v0.2.0
+        uses: dev-drprasad/delete-tag-and-release@v0.2.1
         with:
           delete_release: true
           tag_name: latest

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -19,16 +19,28 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
 
 EXCEPTIONS=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCEPTIONS" ]; then
+        # maybe EXCEPTIONS allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     if [ -n "$RESULT" ]; then
@@ -45,7 +57,7 @@ audit() {
 apply() {
     if [ -n "$EXCEPTIONS" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
     fi

bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh

@@ -21,6 +21,7 @@ PACKAGE="iptables"
 FW_CHAINS="INPUT FORWARD"
 FW_POLICY="DROP"
 FW_CMD="iptables"
+FW_TIMEOUT="10"
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -28,7 +29,7 @@ audit() {
     if [ "$FNRET" != 0 ]; then
         crit "$PACKAGE is not installed!"
     else
-        ipt=$($SUDO_CMD "$FW_CMD" -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
         if [[ -z "$ipt" ]]; then
             crit "Empty return from $FW_CMD command. Aborting..."
             return

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -19,17 +19,28 @@ DESCRIPTION="Ensure no world writable files exist"
 
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are world writable files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
 
     if [ -n "$RESULT" ]; then
@@ -46,7 +57,7 @@ audit() {
 apply() {
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
     fi

bin/hardening/6.1.11_find_unowned_files.sh

@@ -20,17 +20,30 @@ DESCRIPTION="Ensure no unowned files or directories exist."
 USER='root'
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are unowned files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     if [ -n "$RESULT" ]; then
         crit "Some unowned files are present"
         # shellcheck disable=SC2001
@@ -45,7 +58,7 @@ audit() {
 apply() {
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
     fi

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -20,17 +20,31 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
 GROUP='root'
 EXCLUDED=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are ungrouped files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     if [ -n "$RESULT" ]; then
         crit "Some ungrouped files are present"
         # shellcheck disable=SC2001
@@ -45,7 +59,7 @@ audit() {
 apply() {
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
     fi

bin/hardening/6.1.13_find_suid_files.sh

@@ -18,16 +18,30 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
 IGNORED_PATH=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are suid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

bin/hardening/6.1.14_find_sgid_files.sh

@@ -18,16 +18,31 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
 IGNORED_PATH=''
 
+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are sgid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
     fi
+
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

bin/hardening/6.1.6_etc_passwd-_permissions.sh

@@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
 
 FILE='/etc/passwd-'
 PERMISSIONS='600'
+PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
 
@@ -28,7 +29,7 @@ audit() {
     if [ "$FNRET" != 0 ]; then
         ok "$FILE does not exist"
     else
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else

bin/hardening/6.1.7_etc_shadow-_permissions.sh

@@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
 
 FILE='/etc/shadow-'
 PERMISSIONS='600'
+PERMISSIONSOK='640 600'
 USER='root'
 GROUP='shadow'
 
@@ -28,7 +29,7 @@ audit() {
     if [ "$FNRET" != 0 ]; then
         ok "$FILE does not exist"
     else
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else

bin/hardening/6.1.8_etc_group-_permissions.sh

@@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
 
 FILE='/etc/group-'
 PERMISSIONS='600'
+PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
 
@@ -28,7 +29,7 @@ audit() {
     if [ "$FNRET" != 0 ]; then
         ok "$FILE does not exist"
     else
-        has_file_correct_permissions "$FILE" "$PERMISSIONS"
+        has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
         if [ "$FNRET" = 0 ]; then
             ok "$FILE has correct permissions"
         else

bin/hardening/6.2.9_users_homedir_ownership.sh

@@ -23,30 +23,13 @@ ERRORS=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    debug "Checking homedir exists"
-    RESULT=$(get_db passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
-    for LINE in $RESULT; do
-        debug "Working on $LINE"
-        USER=$(awk -F: '{print $1}' <<<"$LINE")
-        USERID=$(awk -F: '{print $2}' <<<"$LINE")
-        DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ "$USERID" -ge 1000 ] && [ ! -d "$DIR" ] && [ "$USER" != "nfsnobody" ] && [ "$USER" != "nobody" ] && [ "$DIR" != "/nonexistent" ]; then
-            crit "The home directory ($DIR) of user $USER does not exist."
-            ERRORS=$((ERRORS + 1))
-        fi
-    done
-
-    if [ "$ERRORS" = 0 ]; then
-        ok "All home directories exists"
-    fi
-    debug "Checking homedir ownership"
     RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd)
     for LINE in $RESULT; do
         debug "Working on $LINE"
         USER=$(awk -F: '{print $1}' <<<"$LINE")
         USERID=$(awk -F: '{print $2}' <<<"$LINE")
         DIR=$(awk -F: '{print $3}' <<<"$LINE")
-        if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
+        if [ "$USERID" -ge 1000 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then
             OWNER=$(stat -L -c "%U" "$DIR")
             if [ "$OWNER" != "$USER" ]; then
                 EXCEP_FOUND=0

bin/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
 
 FILE="/etc/sudoers"
 DIRECTORY="/etc/sudoers.d"
-# spaces will be expanded to [:space:]* when using the regex
+# spaces will be expanded to [[:space:]]* when using the regex
 # improves readability in audit report
 REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
 EXCEPT=""
+MAX_FILES_TO_LOG=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    # expand spaces to [[:space:]]*
+    # shellcheck disable=2001
+    REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
+
+    local skiplog
+    skiplog=0
+    if [ $MAX_FILES_TO_LOG != 0 ]; then
+        # if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
+        # logging in the loop, to avoid flooding the logs and getting timed out
+        local nbfiles
+        # shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
+        nbfiles=$(ls -f "$DIRECTORY" | wc -l)
+        if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
+            skiplog=1
+            info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
+        fi
+    fi
+
     FILES=""
     if $SUDO_CMD [ ! -r "$FILE" ]; then
         crit "$FILE is not readable"
@@ -43,12 +62,12 @@ audit() {
         if $SUDO_CMD [ ! -r "$file" ]; then
             crit "$file is not readable"
         else
-            # shellcheck disable=2001
+            if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
-            if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
+                if [ $skiplog = 0 ]; then
-                ok "There is no carte-blanche sudo permission in $file"
+                    ok "There is no carte-blanche sudo permission in $file"
+                fi
             else
-                # shellcheck disable=2001
+                RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
-                RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
                 for line in $RET; do
                     if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
                         # shellcheck disable=2001
@@ -73,8 +92,16 @@ apply() {
 create_config() {
     cat <<EOF
 status=audit
+
 # Put EXCEPTION account names here, space separated
 EXCEPT="root %root %sudo %wheel"
+
+# If we find more than this amount of files in sudoers.d/,
+# we'll reduce the logging in the loop to avoid getting
+# timed out because we spend too much time logging.
+# Using 0 disables this feature and will never reduce the
+# logging, regardless of the number of files.
+MAX_FILES_TO_LOG=0
 EOF
 }
 # This function will check config parameters required

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -109,7 +109,7 @@ audit() {
         crit "/etc/ssh/sshd_config is not readable."
     else
         ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
-        if [ "x$ret" = "x#KO" ]; then
+        if [ "$ret" = "#KO" ]; then
             debug "No AuthorizedKeysFile defined in sshd_config."
         else
             AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@@ -137,7 +137,7 @@ audit() {
             continue
         else
             info "User $user has a valid shell ($shell)."
-            if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
+            if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
                 check_dir /root
                 continue
             elif $SUDO_CMD [ ! -d /home/"$user" ]; then

debian/changelog

@@ -1,3 +1,33 @@
+cis-hardening (3.8-1) unstable; urgency=medium
+
+  * fix: timeout of 99.1.3 (#168)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Thu, 23 Mar 2023 10:00:06 +0000
+
+cis-hardening (3.7-1) unstable; urgency=medium
+
+  * feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
+
+ -- Yannick Martin <yannick.martin@ovhcloud.com>  Mon, 04 Jul 2022 14:34:03 +0200
+
+cis-hardening (3.6-1) unstable; urgency=medium
+
+  * feat: Filter the filesystem to check when the list is built. (#156)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Fri, 24 Jun 2022 15:49:00 +0000
+
+cis-hardening (3.5-1) unstable; urgency=medium
+
+  * fix: add 10s wait timeout on iptables command (#151)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 23 Mar 2022 17:28:08 +0100
+
+cis-hardening (3.4-1) unstable; urgency=medium
+
+  * fix: allow passwd-, group- and shadow- debian default permissions (#149)
+
+ -- Thibault Dewailly <thibault.dewailly@ovhcloud.com>  Fri, 18 Mar 2022 15:43:24 +0000
+
 cis-hardening (3.3-1) unstable; urgency=medium
 
   * fix: missing shadowtools backup files is ok (#132)

lib/utils.sh

@@ -349,10 +349,10 @@ is_kernel_option_enabled() {
         fi
 
         ANSWER=$(cut -d = -f 2 <<<"$RESULT")
-        if [ "x$ANSWER" = "xy" ]; then
+        if [ "$ANSWER" = "y" ]; then
             debug "Kernel option $KERNEL_OPTION enabled"
             FNRET=0
-        elif [ "x$ANSWER" = "xn" ]; then
+        elif [ "$ANSWER" = "n" ]; then
             debug "Kernel option $KERNEL_OPTION disabled"
             FNRET=1
         else

tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -23,6 +23,12 @@ test_audit() {
     register_test contain "Some world writable directories are not on sticky bit mode"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable directories are not on sticky bit mode"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

tests/hardening/6.1.10_find_world_writable_file.sh

@@ -5,7 +5,9 @@ test_audit() {
     # shellcheck disable=2154
     /opt/debian-cis/bin/hardening/"${script}".sh || true
     # shellcheck disable=2016
-    echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    touch /home/secaudit/thisfileisignored
+    chmod 777 /home/secaudit/thisfileisignored
 
     describe Running on blank host
     register_test retvalshouldbe 0
@@ -21,6 +23,12 @@ test_audit() {
     register_test contain "Some world writable files are present"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

tests/hardening/6.1.11_find_unowned_files.sh

@@ -24,6 +24,12 @@ test_audit() {
     register_test contain "Some unowned files are present"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some unowned files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh || true

tests/hardening/6.1.12_find_ungrouped_files.sh

@@ -24,6 +24,12 @@ test_audit() {
     register_test contain "Some ungrouped files are present"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some ungrouped files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
     /opt/debian-cis/bin/hardening/"${script}".sh --apply || true

tests/hardening/6.1.13_find_suid_files.sh

@@ -21,6 +21,12 @@ test_audit() {
     register_test contain "$targetfile"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some suid files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     chmod 700 $targetfile
 

tests/hardening/6.1.14_find_sgid_files.sh

@@ -22,6 +22,12 @@ test_audit() {
     register_test contain "$targetfile"
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some sgid files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe correcting situation
     chmod 700 $targetfile
 

tests/hardening/6.1.6_etc_passwd-_permissions.sh

@@ -10,6 +10,13 @@ test_audit() {
     local test_user="testetcpasswd-user"
     local test_file="/etc/passwd-"
 
+    describe Debian default right shall be accepted
+    chmod 644 "$test_file"
+    chown root:root "$test_file"
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe Tests purposely failing
     chmod 777 "$test_file"
     register_test retvalshouldbe 1

tests/hardening/6.1.7_etc_shadow-_permissions.sh

@@ -10,6 +10,13 @@ test_audit() {
     local test_user="testetcshadow-user"
     local test_file="/etc/shadow-"
 
+    describe Debian default right shall be accepted
+    chmod 640 "$test_file"
+    chown root:shadow "$test_file"
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe Tests purposely failing
     chmod 777 "$test_file"
     register_test retvalshouldbe 1

tests/hardening/6.1.8_etc_group-_permissions.sh

@@ -10,6 +10,13 @@ test_audit() {
     local test_user="testetcgroup--user"
     local test_file="/etc/group-"
 
+    describe Debian default right shall be accepted
+    chmod 644 "$test_file"
+    chown root:root "$test_file"
+    register_test retvalshouldbe 0
+    register_test contain "has correct permissions"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     describe Tests purposely failing
     chmod 777 "$test_file"
     register_test retvalshouldbe 1

tests/hardening/6.2.3_users_homedir_exist.sh

@@ -3,7 +3,6 @@
 test_audit() {
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 

tests/hardening/6.2.9_users_homedir_ownership.sh

@@ -1,14 +1,8 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running void to generate the conf file that will later be edited
-    # shellcheck disable=2154
-    /opt/debian-cis/bin/hardening/"${script}".sh || true
-    echo "EXCEPTIONS=\"/:systemd-coredump:root\"" >>/opt/debian-cis/etc/conf.d/"${script}".cfg
-
     describe Running on blank host
     register_test retvalshouldbe 0
-    dismiss_count_for_test
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
@@ -22,7 +16,7 @@ test_audit() {
     run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
     describe correcting situation
-    echo "EXCEPTIONS=\"/:systemd-coredump:root /home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo "EXCEPTIONS=\"/home/$test_user:$test_user:root\"" >/opt/debian-cis/etc/conf.d/"${script}".cfg
 
     describe Checking resolved state
     register_test retvalshouldbe 0

tests/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -28,6 +28,19 @@ test_audit() {
     register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
     run userexcept /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    # testing the MAX_FILES_TO_LOG config option
+    echo 'MAX_FILES_TO_LOG=1' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Testing with MAX_FILES_TO_LOG=1
+    register_test retvalshouldbe 0
+    register_test contain "won't log every file we check"
+    run maxlogfiles_1 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    echo 'MAX_FILES_TO_LOG=9999' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Testing with MAX_FILES_TO_LOG=9999
+    register_test retvalshouldbe 0
+    register_test contain "There is no carte-blanche sudo permission in"
+    run maxlogfiles_9999 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     rm -f /etc/sudoers.d/jeantestuser
     userdel jeantestuser
 }