bump to 3.7-1 (#160 )

feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159 )
This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)
2025-07-15 21:32:17 +02:00 · 2022-07-04 15:37:08 +02:00 · 2022-07-04 14:29:25 +02:00 · 2022-06-27 12:13:01 +02:00 · 2022-06-26 16:58:46 +02:00 · 2022-06-24 17:55:26 +02:00
18 changed files with 157 additions and 21 deletions
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -29,7 +29,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # GET LATEST VERSION TAG
      - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1.5.0
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
        id: get-latest-tag
      # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
      - name: Generate changelog
--- a/.github/workflows/shellcheck_and_shellfmt.yml
+++ b/.github/workflows/shellcheck_and_shellfmt.yml
@ -10,7 +10,7 @@ jobs:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.3.0
+        uses: luizm/action-sh-checker@v0.4.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
          SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.
--- a/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -19,16 +19,28 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from

 EXCEPTIONS=''

+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCEPTIONS" ]; then
+        # maybe EXCEPTIONS allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi

    if [ -n "$RESULT" ]; then
@ -45,7 +57,7 @@ audit() {
 apply() {
    if [ -n "$EXCEPTIONS" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
    fi
--- a/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
+++ b/bin/hardening/3.5.4.1.1_net_fw_default_policy_drop.sh
@ -21,6 +21,7 @@ PACKAGE="iptables"
 FW_CHAINS="INPUT FORWARD"
 FW_POLICY="DROP"
 FW_CMD="iptables"
+FW_TIMEOUT="10"

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -28,7 +29,7 @@ audit() {
    if [ "$FNRET" != 0 ]; then
        crit "$PACKAGE is not installed!"
    else
-        ipt=$($SUDO_CMD "$FW_CMD" -nL 2>/dev/null || true)
+        ipt=$($SUDO_CMD "$FW_CMD" -w "$FW_TIMEOUT" -nL 2>/dev/null || true)
        if [[ -z "$ipt" ]]; then
            crit "Empty return from $FW_CMD command. Aborting..."
            return
--- a/bin/hardening/6.1.10_find_world_writable_file.sh
+++ b/bin/hardening/6.1.10_find_world_writable_file.sh
@ -19,17 +19,28 @@ DESCRIPTION="Ensure no world writable files exist"

 EXCLUDED=''

+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are world writable files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-
    if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi

    if [ -n "$RESULT" ]; then
@ -46,7 +57,7 @@ audit() {
 apply() {
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
    fi
--- a/bin/hardening/6.1.11_find_unowned_files.sh
+++ b/bin/hardening/6.1.11_find_unowned_files.sh
@ -20,17 +20,30 @@ DESCRIPTION="Ensure no unowned files or directories exist."
 USER='root'
 EXCLUDED=''

+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are unowned files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
+
    if [ -n "$RESULT" ]; then
        crit "Some unowned files are present"
        # shellcheck disable=SC2001
@ -45,7 +58,7 @@ audit() {
 apply() {
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
    fi
--- a/bin/hardening/6.1.12_find_ungrouped_files.sh
+++ b/bin/hardening/6.1.12_find_ungrouped_files.sh
@ -20,17 +20,31 @@ DESCRIPTION="Ensure no ungrouped files or directories exist"
 GROUP='root'
 EXCLUDED=''

+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are ungrouped files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
    if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
        # shellcheck disable=SC2086
        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
+
    if [ -n "$RESULT" ]; then
        crit "Some ungrouped files are present"
        # shellcheck disable=SC2001
@ -45,7 +59,7 @@ audit() {
 apply() {
    if [ -n "$EXCLUDED" ]; then
        # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
    else
        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
    fi
--- a/bin/hardening/6.1.13_find_suid_files.sh
+++ b/bin/hardening/6.1.13_find_suid_files.sh
@ -18,16 +18,30 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
 IGNORED_PATH=''

+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are suid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
+
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
--- a/bin/hardening/6.1.14_find_sgid_files.sh
+++ b/bin/hardening/6.1.14_find_sgid_files.sh
@ -18,16 +18,31 @@ HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
 IGNORED_PATH=''

+# find emits following error if directory or file disappear during
+# tree traversal: find: ‘/tmp/xxx’: No such file or directory
+FIND_IGNORE_NOSUCHFILE_ERR=false
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    info "Checking if there are sgid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
+
    else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
+        # shellcheck disable=2086
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
+        [ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
    fi
+
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
--- a/bin/hardening/99.5.2.4_ssh_keys_from.sh
+++ b/bin/hardening/99.5.2.4_ssh_keys_from.sh
@ -109,7 +109,7 @@ audit() {
        crit "/etc/ssh/sshd_config is not readable."
    else
        ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
-        if [ "x$ret" = "x#KO" ]; then
+        if [ "$ret" = "#KO" ]; then
            debug "No AuthorizedKeysFile defined in sshd_config."
        else
            AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@ -137,7 +137,7 @@ audit() {
            continue
        else
            info "User $user has a valid shell ($shell)."
-            if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
+            if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
                check_dir /root
                continue
            elif $SUDO_CMD [ ! -d /home/"$user" ]; then
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,21 @@
+cis-hardening (3.7-1) unstable; urgency=medium
+
+  * feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159)
+
+ -- Yannick Martin <yannick.martin@ovhcloud.com>  Mon, 04 Jul 2022 14:34:03 +0200
+
+cis-hardening (3.6-1) unstable; urgency=medium
+
+  * feat: Filter the filesystem to check when the list is built. (#156)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Fri, 24 Jun 2022 15:49:00 +0000
+
+cis-hardening (3.5-1) unstable; urgency=medium
+
+  * fix: add 10s wait timeout on iptables command (#151)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Wed, 23 Mar 2022 17:28:08 +0100
+
 cis-hardening (3.4-1) unstable; urgency=medium

  * fix: allow passwd-, group- and shadow- debian default permissions (#149)
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -349,10 +349,10 @@ is_kernel_option_enabled() {
        fi

        ANSWER=$(cut -d = -f 2 <<<"$RESULT")
-        if [ "x$ANSWER" = "xy" ]; then
+        if [ "$ANSWER" = "y" ]; then
            debug "Kernel option $KERNEL_OPTION enabled"
            FNRET=0
-        elif [ "x$ANSWER" = "xn" ]; then
+        elif [ "$ANSWER" = "n" ]; then
            debug "Kernel option $KERNEL_OPTION disabled"
            FNRET=1
        else
--- a/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
+++ b/tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh
@ -23,6 +23,12 @@ test_audit() {
    register_test contain "Some world writable directories are not on sticky bit mode"
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable directories are not on sticky bit mode"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
--- a/tests/hardening/6.1.10_find_world_writable_file.sh
+++ b/tests/hardening/6.1.10_find_world_writable_file.sh
@ -5,7 +5,9 @@ test_audit() {
    # shellcheck disable=2154
    /opt/debian-cis/bin/hardening/"${script}".sh || true
    # shellcheck disable=2016
-    echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    touch /home/secaudit/thisfileisignored
+    chmod 777 /home/secaudit/thisfileisignored

    describe Running on blank host
    register_test retvalshouldbe 0
@ -21,6 +23,12 @@ test_audit() {
    register_test contain "Some world writable files are present"
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
--- a/tests/hardening/6.1.11_find_unowned_files.sh
+++ b/tests/hardening/6.1.11_find_unowned_files.sh
@ -24,6 +24,12 @@ test_audit() {
    register_test contain "Some unowned files are present"
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some unowned files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh || true
--- a/tests/hardening/6.1.12_find_ungrouped_files.sh
+++ b/tests/hardening/6.1.12_find_ungrouped_files.sh
@ -24,6 +24,12 @@ test_audit() {
    register_test contain "Some ungrouped files are present"
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some ungrouped files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe correcting situation
    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
--- a/tests/hardening/6.1.13_find_suid_files.sh
+++ b/tests/hardening/6.1.13_find_suid_files.sh
@ -21,6 +21,12 @@ test_audit() {
    register_test contain "$targetfile"
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some suid files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe correcting situation
    chmod 700 $targetfile

--- a/tests/hardening/6.1.14_find_sgid_files.sh
+++ b/tests/hardening/6.1.14_find_sgid_files.sh
@ -22,6 +22,12 @@ test_audit() {
    register_test contain "$targetfile"
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all

+    describe Tests failing with find ignore flag
+    echo 'FIND_IGNORE_NOSUCHFILE_ERR=true' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    register_test retvalshouldbe 1
+    register_test contain "Some sgid files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
    describe correcting situation
    chmod 700 $targetfile
Author	SHA1	Message	Date
ymartin-ovh	e478a89bad	bump to 3.7-1 (#160 )	2022-07-04 15:37:08 +02:00
ymartin-ovh	371c23cd52	feat: add FIND_IGNORE_NOSUCHFILE_ERR flag (#159 ) This flag can be used to prevent find-related checks to fail because one part of filesystem disappear (ie. ephemeral directories or files)	2022-07-04 14:29:25 +02:00
Tarik Megzari	ea8334d516	bump to 3.6-1 (#157 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-06-27 12:13:01 +02:00
dependabot[bot]	987bb9c975	Bump luizm/action-sh-checker from 0.3.0 to 0.4.0 (#154 ) Bumps [luizm/action-sh-checker](https://github.com/luizm/action-sh-checker) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/luizm/action-sh-checker/releases) - [Commits](https://github.com/luizm/action-sh-checker/compare/v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: luizm/action-sh-checker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-26 16:58:46 +02:00
dependabot[bot]	3031bb55d1	Bump actions-ecosystem/action-get-latest-tag from 1.5.0 to 1.6.0 (#153 ) Bumps [actions-ecosystem/action-get-latest-tag](https://github.com/actions-ecosystem/action-get-latest-tag) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/actions-ecosystem/action-get-latest-tag/releases) - [Commits](https://github.com/actions-ecosystem/action-get-latest-tag/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: actions-ecosystem/action-get-latest-tag dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-06-24 17:55:26 +02:00
ymartin-ovh	66ccc6316a	feat: Filter the filesystem to check when the list is built. (#156 ) * feat: Attempt to filter-out filesystem that match exclusion regex.	2022-06-24 17:45:47 +02:00
Tarik Megzari	7a3145d7f1	bump to 3.5-1 (#152 ) Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>	2022-03-23 18:40:25 +01:00
GoldenKiwi	5c072668d5	fix: add 10s wait timeout on iptables command (#151 ) When the tested server has its iptables heavily manipulated (e.g Kubernetes) The lock aquirement can sometimes fail, hence generating false positives The command will retry 10 times with a 1 second interval	2022-03-23 16:56:38 +01:00