#!/bin/bash # # CIS Debian Hardening # # # 12.11 Find SGID System Executables (Not Scored) # set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 HARDENING_LEVEL=2 DESCRIPTION="Find SGID system executables." # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are sgid files" FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) # shellcheck disable=2086 FOUND_BINARIES=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print) BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then debug "$BINARY is confirmed as an exception" else BAD_BINARIES="$BAD_BINARIES $BINARY" fi done if [ ! -z "$BAD_BINARIES" ]; then crit "Some sgid files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No unknown sgid files found" fi } # This function will be called if the script status is on enabled mode apply () { info "Removing sgid on valid binary may seriously harm your system, report only here" } # This function will create the config file for this check with default values create_config() { cat <