#!/bin/bash # run-shellcheck # # CIS Debian Hardening # # # 6.2.5 Ensure root is the only UID 0 account (Scored) # set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 # shellcheck disable=2034 HARDENING_LEVEL=2 # shellcheck disable=2034 # shellcheck disable=2034 DESCRIPTION="Verify root is the only UID 0 account." EXCEPTIONS="" FILE='/etc/passwd' RESULT='' # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if accounts have uid 0" RESULT=$(awk -F: '($3 == 0 && $1!="root" ) { print $1 }' "$FILE" ) FOUND_EXCEPTIONS="" for ACCOUNT in $RESULT; do debug "Account : $ACCOUNT" debug "Exceptions : $EXCEPTIONS" debug "echo \"$EXCEPTIONS\" | grep -qw $ACCOUNT" if echo "$EXCEPTIONS" | grep -qw "$ACCOUNT"; then debug "$ACCOUNT is confirmed as an exception" RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT") FOUND_EXCEPTIONS="$FOUND_EXCEPTIONS $ACCOUNT" else debug "$ACCOUNT not found in exceptions" fi done if [ ! -z "$RESULT" ]; then crit "Some accounts have uid 0: $(tr '\n' ' ' <<< "$RESULT")" else ok "No account with uid 0 appart from root ${FOUND_EXCEPTIONS:+and configured exceptions:}$FOUND_EXCEPTIONS" fi } # This function will be called if the script status is on enabled mode apply () { info "Removing accounts with uid 0 may seriously harm your system, report only here" } # This function will create the config file for this check with default values create_config() { cat <