#!/bin/bash # run-shellcheck # # CIS Debian Hardening # # # 13.13 Check User Home Directory Ownership (Scored) # set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Check user home directory ownership." EXCEPTIONS="" ERRORS=0 # This function will be called if the script status is on enabled / audit mode audit () { RESULT=$(awk -F: '{ print $1 ":" $3 ":" $6 }' /etc/passwd ) for LINE in $RESULT; do debug "Working on $LINE" USER=$(awk -F: '{print $1}' <<< "$LINE") USERID=$(awk -F: '{print $2}' <<< "$LINE") DIR=$(awk -F: '{print $3}' <<< "$LINE") if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then OWNER=$(stat -L -c "%U" "$DIR") if [ "$OWNER" != "$USER" ]; then if grep -qw "$DIR:$USER:$OWNER" <<< "$EXCEPTIONS"; then ok "The home directory ($DIR) of user $USER is owned by $OWNER but is part of exceptions ($DIR:$USER:$OWNER)." else crit "The home directory ($DIR) of user $USER is owned by $OWNER." ERRORS=$((ERRORS+1)) fi fi fi done if [ $ERRORS = 0 ]; then ok "All home directories have correct ownership" fi } # This function will be called if the script status is on enabled mode apply () { awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read -r USER USERID DIR; do if [ "$USERID" -ge 500 ] && [ -d "$DIR" ] && [ "$USER" != "nfsnobody" ]; then OWNER=$(stat -L -c "%U" "$DIR") if [ "$OWNER" != "$USER" ]; then warn "The home directory ($DIR) of user $USER is owned by $OWNER." chown "$USER" "$DIR" fi fi done } # This function will create the config file for this check with default values create_config() { cat <