elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-04 00:09:48 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
be33848d81c5244b2d0be4dba62a7d9809ff6ddd
debian-cis/bin/hardening/find_sgid_files.sh
damcav35 be33848d81 Damcava35/set version (#257) 
* feat: add "--set-version" option

This feature will allow to chose a specific cis version to run, like debian 11 or debian 12

* chore: configure current repository as a version

And use it as default version.

To this end, the scripts in bin/hardening have been made generic by removing the associated recommendation number.
Only impact is if you are used to execute scripts directly from bin/hardening.
In this case, please use the "bin/hardening.sh" wrapper as intended.

I had to rename 2.3.1_disable_nis.sh to uninstall_nis.sh, as it was conflicting with 2.3.1_disable_nis.sh

Also, there was a doublon between 1.1.1.8_disable_cramfs.sh and 99.1.1.1_disable_cramfs.sh ; the former was kept

* chore: remove CIS recommendation numbers from bin/hardening scripts

* fix: some tests are failing

find_ungrouped_files.sh and find_unowned_files.sh tests can not be executed multiple times:
- test repository is not cleaned
- configuration is updated multiple times

Those tests are also failing, because:
- the sed to change the status in the configuration was also changing the test folder path.
- missing /proc in EXCLUDED paths
- the EXCLUDED configuration doesn't have the correct format for egrep

---------

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-07-01 08:41:55 +02:00

104 lines
3.5 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
# run-shellcheck
#
# CIS Debian Hardening
#
#
# Audit SGID executables (Not Scored)
#
set -e # One error, it's over
set -u # One variable unset, it's over
# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Find SGID system executables."
IGNORED_PATH=''
# find emits following error if directory or file disappear during
# tree traversal: find: /tmp/xxx: No such file or directory
FIND_IGNORE_NOSUCHFILE_ERR=false
# This function will be called if the script status is on enabled / audit mode
audit() {
info "Checking if there are sgid files"
if [ -n "$IGNORED_PATH" ]; then
# maybe IGNORED_PATH allow us to filter out some FS
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH")
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
else
FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set +e
# shellcheck disable=2086
FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print)
[ "${FIND_IGNORE_NOSUCHFILE_ERR}" = true ] && set -e
fi
BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
debug "$BINARY is confirmed as an exception"
else
BAD_BINARIES="$BAD_BINARIES $BINARY"
fi
done
if [ -n "$BAD_BINARIES" ]; then
crit "Some sgid files are present"
# shellcheck disable=SC2001
FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
crit "$FORMATTED_RESULT"
else
ok "No unknown sgid files found"
fi
}
# This function will be called if the script status is on enabled mode
apply() {
info "Removing sgid on valid binary may seriously harm your system, report only here"
}
# This function will create the config file for this check with default values
create_config() {
cat <<EOF
status=audit
# Put here valid binaries with sgid enabled separated by spaces
EXCEPTIONS="/sbin/unix_chkpwd /usr/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
EOF
}
# This function will check config parameters required
check_config() {
if [ -z "$EXCEPTIONS" ]; then
EXCEPTIONS="@"
fi
}
# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
# shellcheck source=../../debian/default
. /etc/default/cis-hardening
fi
if [ -z "$CIS_LIB_DIR" ]; then
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
echo "Cannot source CIS_LIB_DIR variable, aborting."
exit 128
fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
# shellcheck source=../../lib/main.sh
. "${CIS_LIB_DIR}"/main.sh
else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
exit 128
fi
Reference in New Issue View Git Blame Copy Permalink