Renum 12.x checks to 6.1.x Verify_System_File_Permissions

modified:   bin/hardening/12.4_etc_passwd_ownership.sh
	modified:   bin/hardening/12.5_etc_shadow_ownership.sh
	modified:   bin/hardening/12.6_etc_group_ownership.sh
	renamed:    bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh
	renamed:    bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh
	renamed:    bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh
	renamed:    bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh
	renamed:    bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh
	renamed:    bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh
	renamed:    bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh
	renamed:    bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh
	deleted:    tests/hardening/12.1_etc_passwd_permissions.sh
	deleted:    tests/hardening/12.2_etc_shadow_permissions.sh
	deleted:    tests/hardening/12.3_etc_group_permissions.sh
	renamed:    tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh
	renamed:    tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh
	renamed:    tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh
	renamed:    tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh
	renamed:    tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh
	renamed:    tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh
	renamed:    tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh
	renamed:    tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh
Charles Herlin 2019-09-12 16:44:45 +02:00 committed by Thibault Ayanides
parent a085785321
commit 440aeaf45f
22 changed files with 65 additions and 50 deletions


@ -5,14 +5,14 @@
# #
# #
# 12.7 Find World Writable Files (Not Scored) # 6.1.10 Ensure no world writable files exist (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=3 HARDENING_LEVEL=3
DESCRIPTION="Find world writable files." DESCRIPTION="Ensure no world writable files exist"
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {


@ -5,14 +5,14 @@
# #
# #
# 12.8 Find Un-owned Files and Directories (Scored) # 6.1.11 Ensure no unowned files or directories exist
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find un-owned files and directories." DESCRIPTION="Ensure no unowned files or directories exist"
USER='root' USER='root'
EXCLUDED='' EXCLUDED=''
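Review bot: The new header comment `# 6.1.11 Ensure no unowned files or directories exist` is the only one in this commit without the `(Scored)` / `(Not Scored)` suffix that the sibling 6.1.10 and 6.1.12 headers carry, so the scoring status of this check is no longer recorded in the script. Add whichever suffix the benchmark gives this item, e.g. `# 6.1.11 Ensure no unowned files or directories exist (Scored)`, so the three find-files checks read consistently.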


@ -5,14 +5,14 @@
# #
# #
# 12.9 Find Un-grouped Files and Directories (Scored) # 6.1.12 Ensure no ungrouped files or directories exist (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=2 HARDENING_LEVEL=2
DESCRIPTION="Find un-grouped files and directories." DESCRIPTION="Ensure no ungrouped files or directories exist"
GROUP='root' GROUP='root'
EXCLUDED='' EXCLUDED=''


@ -5,7 +5,7 @@
# #
# #
# 12.10 Find SUID System Executables (Not Scored) # 6.1.13 Audit SUID executables (Not Scored)
# #
set -e # One error, it's over set -e # One error, it's over


@ -5,7 +5,7 @@
# #
# #
# 12.11 Find SGID System Executables (Not Scored) # 6.1.14 Audit SGID executables (Not Scored)
# #
set -e # One error, it's over set -e # One error, it's over


@ -5,17 +5,19 @@
# #
# #
# 12.1 Verify Permissions on /etc/passwd (Scored) # 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=1 HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/passwd to 644." DESCRIPTION="Check 644 permissions and root:root ownership on /etc/passwd"
FILE='/etc/passwd' FILE='/etc/passwd'
PERMISSIONS='644' PERMISSIONS='644'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,6 +27,12 @@ audit () {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -36,6 +44,13 @@ apply () {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0$PERMISSIONS $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
} }
# This function will check config parameters required # This function will check config parameters required
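Review bot: The owner variable added after `PERMISSIONS='644'` is named `USER`, which is the login-name variable that interactive shells export; assigning it at script top level is harmless under `set -u`, but any sourced helper that logs or compares the invoking user would now see `root` instead of the caller — I cannot see the library from this hunk, so treat that as a check rather than a confirmed defect. A dedicated name avoids the ambiguity: `OWNER='root'`, `has_file_correct_ownership $FILE $OWNER $GROUP` and `chown $OWNER:$GROUP $FILE`. The same variable and the same audit/apply additions appear in the /etc/shadow (6.1.3) and /etc/group (6.1.4) sections below, so the rename would apply there too. Both `audit()` and `apply()` start outside this hunk.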


@ -5,17 +5,19 @@
# #
# #
# 12.2 Verify Permissions on /etc/shadow (Scored) # 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=1 HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/shadow to 640." DESCRIPTION="Check 644 permissions and root:root ownership on /etc/shadow"
FILE='/etc/shadow' FILE='/etc/shadow'
PERMISSIONS='640' PERMISSIONS='640'
USER='root'
GROUP='shadow'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,6 +27,12 @@ audit () {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -36,6 +44,13 @@ apply () {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0$PERMISSIONS $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
} }
# This function will check config parameters required # This function will check config parameters required
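Review bot: The new DESCRIPTION line contradicts the variables beside it: it says `644 permissions and root:root ownership`, while the hunk sets `PERMISSIONS='640'` and `GROUP='shadow'` just below, so the text shown to the operator names a mode and a group that the check does not enforce. Change it to `DESCRIPTION="Check 640 permissions and root:shadow ownership on /etc/shadow"` so the description matches what audit and apply actually verify. The audit/apply ownership additions further down are the same as in the /etc/passwd section.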


@ -5,17 +5,19 @@
# #
# #
# 12.3 Verify Permissions on /etc/group (Scored) # 6.1.4 Ensure permissions on /etc/group are configured (Scored)
# #
set -e # One error, it's over set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=1 HARDENING_LEVEL=1
DESCRIPTION="Check permissions on /etc/group to 644." DESCRIPTION="Check 644 permissions and root:root ownership on /etc/group"
FILE='/etc/group' FILE='/etc/group'
PERMISSIONS='644' PERMISSIONS='644'
USER='root'
GROUP='root'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -25,6 +27,12 @@ audit () {
else else
crit "$FILE permissions were not set to $PERMISSIONS" crit "$FILE permissions were not set to $PERMISSIONS"
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
crit "$FILE ownership was not set to $USER:$GROUP"
fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -36,6 +44,13 @@ apply () {
info "fixing $FILE permissions to $PERMISSIONS" info "fixing $FILE permissions to $PERMISSIONS"
chmod 0$PERMISSIONS $FILE chmod 0$PERMISSIONS $FILE
fi fi
has_file_correct_ownership $FILE $USER $GROUP
if [ $FNRET = 0 ]; then
ok "$FILE has correct ownership"
else
info "fixing $FILE ownership to $USER:$GROUP"
chown $USER:$GROUP $FILE
fi
} }
# This function will check config parameters required # This function will check config parameters required


@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}


@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}


@ -1,10 +0,0 @@
# run-shellcheck
test_audit() {
describe Running on blank host
register_test retvalshouldbe 0
dismiss_count_for_test
# shellcheck disable=2154
run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
# TODO fill comprehensive tests
}