bump to 3.6-1 (#157)

Signed-off-by: Tarik Megzari <tarik.megzari@corp.ovh.com>

.github/workflows/pre-release.yml

@@ -29,7 +29,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       # GET LATEST VERSION TAG
       - name: Get latest version tag
-        uses: actions-ecosystem/action-get-latest-tag@v1.5.0
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0
         id: get-latest-tag
       # GENERATE CHANGELOG CORRESPONDING TO COMMIT BETWEEN HEAD AND COMPUTED LAST TAG
       - name: Generate changelog

.github/workflows/shellcheck_and_shellfmt.yml

@@ -10,7 +10,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v3
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@v0.3.0
+        uses: luizm/action-sh-checker@v0.4.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Optional if sh_checker_comment is false.
           SHFMT_OPTS: -l -i 4 -w # Optional: pass arguments to shfmt.

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -22,11 +22,15 @@ EXCEPTIONS=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if setuid is set on world writable Directories"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCEPTIONS" ]; then
+        # maybe EXCEPTIONS allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS")
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
     fi
@@ -45,7 +49,7 @@ audit() {
 apply() {
     if [ -n "$EXCEPTIONS" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCEPTIONS" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex "$EXCEPTIONS" -print 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
     fi

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -22,12 +22,15 @@ EXCLUDED=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are world writable files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
     fi
@@ -46,7 +49,7 @@ audit() {
 apply() {
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -type f -perm -0002 -print 2>/dev/null)
     fi

bin/hardening/6.1.11_find_unowned_files.sh

@@ -23,14 +23,19 @@ EXCLUDED=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are unowned files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nouser -print 2>/dev/null)
     fi
+
     if [ -n "$RESULT" ]; then
         crit "Some unowned files are present"
         # shellcheck disable=SC2001
@@ -45,7 +50,7 @@ audit() {
 apply() {
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nouser -ls 2>/dev/null)
     fi

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -23,14 +23,19 @@ EXCLUDED=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are ungrouped files"
-    FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
+        # maybe EXCLUDED allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED")
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -nogroup -print 2>/dev/null)
     fi
+
     if [ -n "$RESULT" ]; then
         crit "Some ungrouped files are present"
         # shellcheck disable=SC2001
@@ -45,7 +50,7 @@ audit() {
 apply() {
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$EXCLUDED" | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -ignore_readdir_race -nogroup -ls 2>/dev/null)
     fi

bin/hardening/6.1.13_find_suid_files.sh

@@ -21,13 +21,19 @@ IGNORED_PATH=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are suid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -4000 -print)
     fi
+
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

bin/hardening/6.1.14_find_sgid_files.sh

@@ -21,13 +21,19 @@ IGNORED_PATH=''
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are sgid files"
-    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
-    # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
+        # maybe IGNORED_PATH allow us to filter out some FS
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
+
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
+        FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
+
+        # shellcheck disable=2086
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
     fi
+
     BAD_BINARIES=""
     for BINARY in $FOUND_BINARIES; do
         if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then

bin/hardening/99.5.2.4_ssh_keys_from.sh

@@ -109,7 +109,7 @@ audit() {
         crit "/etc/ssh/sshd_config is not readable."
     else
         ret=$($SUDO_CMD grep -iP "^AuthorizedKeysFile" /etc/ssh/sshd_config || echo '#KO')
-        if [ "x$ret" = "x#KO" ]; then
+        if [ "$ret" = "#KO" ]; then
             debug "No AuthorizedKeysFile defined in sshd_config."
         else
             AUTHKEYFILE_PATTERN=$(echo "$ret" | sed 's/AuthorizedKeysFile//i' | sed 's#%h/##' | tr -s "[:space:]")
@@ -137,7 +137,7 @@ audit() {
             continue
         else
             info "User $user has a valid shell ($shell)."
-            if [ "x$user" = "xroot" ] && [ "$user" != "$EXCEPTION_USER" ]; then
+            if [ "$user" = "root" ] && [ "$user" != "$EXCEPTION_USER" ]; then
                 check_dir /root
                 continue
             elif $SUDO_CMD [ ! -d /home/"$user" ]; then

debian/changelog

@@ -1,3 +1,9 @@
+cis-hardening (3.6-1) unstable; urgency=medium
+
+  * feat: Filter the filesystem to check when the list is built. (#156)
+
+ -- Tarik Megzari <tarik.megzari@corp.ovh.com>  Fri, 24 Jun 2022 15:49:00 +0000
+
 cis-hardening (3.5-1) unstable; urgency=medium
 
   * fix: add 10s wait timeout on iptables command (#151)

lib/utils.sh

@@ -349,10 +349,10 @@ is_kernel_option_enabled() {
         fi
 
         ANSWER=$(cut -d = -f 2 <<<"$RESULT")
-        if [ "x$ANSWER" = "xy" ]; then
+        if [ "$ANSWER" = "y" ]; then
             debug "Kernel option $KERNEL_OPTION enabled"
             FNRET=0
-        elif [ "x$ANSWER" = "xn" ]; then
+        elif [ "$ANSWER" = "n" ]; then
             debug "Kernel option $KERNEL_OPTION disabled"
             FNRET=1
         else

tests/hardening/6.1.10_find_world_writable_file.sh

@@ -5,7 +5,9 @@ test_audit() {
     # shellcheck disable=2154
     /opt/debian-cis/bin/hardening/"${script}".sh || true
     # shellcheck disable=2016
-    echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/thisfileisignored.*|^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    touch /home/secaudit/thisfileisignored
+    chmod 777 /home/secaudit/thisfileisignored
 
     describe Running on blank host
     register_test retvalshouldbe 0