mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 13:37:02 +01:00
b9e129d8fe
Shellcheck recommands to replace sed by shell expansions in 'simple' cases. However, the replacement here is likely to lead to erros, so we disable this rule. Moreover, it does'nt really add readability.
82 lines
2.6 KiB
Bash
Executable File
82 lines
2.6 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# run-shellcheck
|
|
#
|
|
# CIS Debian Hardening
|
|
#
|
|
|
|
#
|
|
# 6.1.11 Ensure no unowned files or directories exist
|
|
#
|
|
|
|
set -e # One error, it's over
|
|
set -u # One variable unset, it's over
|
|
|
|
# shellcheck disable=2034
|
|
HARDENING_LEVEL=2
|
|
# shellcheck disable=2034
|
|
DESCRIPTION="Ensure no unowned files or directories exist"
|
|
|
|
USER='root'
|
|
EXCLUDED=''
|
|
|
|
# This function will be called if the script status is on enabled / audit mode
|
|
audit() {
|
|
info "Checking if there are unowned files"
|
|
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
|
|
if [ -n "$EXCLUDED" ]; then
|
|
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
|
|
else
|
|
RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
|
|
fi
|
|
if [ -n "$RESULT" ]; then
|
|
crit "Some unowned files are present"
|
|
# shellcheck disable=SC2001
|
|
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<$RESULT | sort | uniq | tr '\n' ' ')
|
|
crit "$FORMATTED_RESULT"
|
|
else
|
|
ok "No unowned files found"
|
|
fi
|
|
}
|
|
|
|
# This function will be called if the script status is on enabled mode
|
|
apply() {
|
|
if [ -n "$EXCLUDED" ]; then
|
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
|
|
else
|
|
RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
|
|
fi
|
|
if [ -n "$RESULT" ]; then
|
|
warn "Applying chown on all unowned files in the system"
|
|
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
|
|
else
|
|
ok "No unowned files found, nothing to apply"
|
|
fi
|
|
}
|
|
|
|
# This function will check config parameters required
|
|
check_config() {
|
|
# No param for this function
|
|
:
|
|
}
|
|
|
|
# Source Root Dir Parameter
|
|
if [ -r /etc/default/cis-hardening ]; then
|
|
# shellcheck source=../../debian/default
|
|
. /etc/default/cis-hardening
|
|
fi
|
|
if [ -z "$CIS_ROOT_DIR" ]; then
|
|
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
|
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
|
exit 128
|
|
fi
|
|
|
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
|
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
|
|
# shellcheck source=../../lib/main.sh
|
|
. "$CIS_ROOT_DIR"/lib/main.sh
|
|
else
|
|
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
|
exit 128
|
|
fi
|