Grimmauld/linux-bench
1
0
Fork 0
forked from mirrors/linux-bench
Code Pull requests Activity

Merge pull request #65 from aquasecurity/Support-audit-shell-script

Browse source 
Add scripts to audit
This commit is contained in:
Liz Rice 2020-12-01 14:23:42 +00:00 committed by GitHub
commit 5048909587
Failed to generate hash of commit
32 changed files with 434 additions and 463 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
cfg/1.1.0/6.2.10.sh
View file

@ -1,19 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.[A-Za-z0-9]*; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=`ls -ld $file | cut -f1 -d" "`
if [ `echo $fileperm | cut -c6` != "-" ]; then
echo "Group Write permission set on file $file"
fi
if [ `echo $fileperm | cut -c9` != "-" ]; then
echo "Other Write permission set on file $file"
fi
fi
done
fi
done

11
cfg/1.1.0/6.2.11.sh
View file

@ -1,11 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
echo ".forward file $dir/.forward exists"
fi
fi
done

11
cfg/1.1.0/6.2.12.sh
View file

@ -1,11 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
echo ".netrc file $dir/.netrc exists"
fi
fi
done

31
cfg/1.1.0/6.2.13.sh
View file

@ -1,31 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.netrc; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=`ls -ld $file | cut -f1 -d" "`
if [ `echo $fileperm | cut -c5` != "-" ]; then
echo "Group Read set on $file"
fi
if [ `echo $fileperm | cut -c6` != "-" ]; then
echo "Group Write set on $file"
fi
if [ `echo $fileperm | cut -c7` != "-" ]; then
echo "Group Execute set on $file"
fi
if [ `echo $fileperm | cut -c8` != "-" ]; then
echo "Other Read set on $file"
fi
if [ `echo $fileperm | cut -c9` != "-" ]; then
echo "Other Write set on $file"
fi
if [ `echo $fileperm | cut -c10` != "-" ]; then
echo "Other Execute set on $file"
fi
fi
done
fi
done

13
cfg/1.1.0/6.2.14.sh
View file

@ -1,13 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.rhosts; do
if [ ! -h "$file" -a -f "$file" ]; then
echo ".rhosts file in $dir"
fi
done
fi
done

8
cfg/1.1.0/6.2.15.sh
View file

@ -1,8 +0,0 @@
#!/bin/bash
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
grep -q -P "^.*?:[^:]*:$i:" /etc/group
if [ $? -ne 0 ]; then
echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
fi
done

9
cfg/1.1.0/6.2.16.sh
View file

@ -1,9 +0,0 @@
#!/bin/bash
cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do
[ -z "${x}" ] && break set - $x
if [ $1 -gt 1 ]; then
users=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs`
echo "Duplicate UID ($2): ${users}"
fi
done

10
cfg/1.1.0/6.2.17.sh
View file

@ -1,10 +0,0 @@
#!/bin/bash
cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do
[ -z "${x}" ] && break
set - $x
if [ $1 -gt 1 ]; then
groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs`
echo "Duplicate GID ($2): ${groups}"
fi
done

10
cfg/1.1.0/6.2.18.sh
View file

@ -1,10 +0,0 @@
#!/bin/bash
cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do
[ -z "${x}" ] && break
set - $x
if [ $1 -gt 1 ]; then
uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs`
echo "Duplicate User Name ($2): ${uids}"
fi
done

10
cfg/1.1.0/6.2.19.sh
View file

@ -1,10 +0,0 @@
#!/bin/bash
cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do
[ -z "${x}" ] && break
set - $x
if [ $1 -gt 1 ]; then
gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs`
echo "Duplicate Group Name ($2): ${gids}"
fi
done

34
cfg/1.1.0/6.2.6.sh
View file

@ -1,34 +0,0 @@
#!/bin/bash
if [ "`echo $PATH | grep ::`" != "" ]; then
echo "Empty Directory in PATH (::)"
fi
if [ "`echo $PATH | grep :$`" != "" ]; then
echo "Trailing : in PATH"
fi
p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'`
set -- $p
while [ "$1" != "" ]; do
if [ "$1" = "." ]; then
echo "PATH contains ."
shift
continue
fi
if [ -d $1 ]; then
dirperm=`ls -ldH $1 | cut -f1 -d" "`
if [ `echo $dirperm | cut -c6` != "-" ]; then
echo "Group Write permission set on directory $1"
fi
if [ `echo $dirperm | cut -c9` != "-" ]; then
echo "Other Write permission set on directory $1"
fi
dirown=`ls -ldH $1 | awk '{print $3}'`
if [ "$dirown" != "root" ] ; then
echo $1 is not owned by root
fi
else
echo $1 is not a directory
fi
shift
done

7
cfg/1.1.0/6.2.7.sh
View file

@ -1,7 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
fi
done

24
cfg/1.1.0/6.2.8.sh
View file

@ -1,24 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 !=
"/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user
dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
dirperm=`ls -ld $dir | cut -f1 -d" "`
if [ `echo $dirperm | cut -c6` != "-" ]; then
echo "Group Write permission set on the home directory ($dir) of user $user"
fi
if [ `echo $dirperm | cut -c8` != "-" ]; then
echo "Other Read permission set on the home directory ($dir) of user $user"
fi
if [ `echo $dirperm | cut -c9` != "-" ]; then
echo "Other Write permission set on the home directory ($dir) of user $user"
fi
if [ `echo $dirperm | cut -c10` != "-" ]; then
echo "Other Execute permission set on the home directory ($dir) of user $user"
fi
fi
done

12
cfg/1.1.0/6.2.9.sh
View file

@ -1,12 +0,0 @@
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
owner=$(stat -L -c "%U" "$dir")
if [ "$owner" != "$user" ]; then
echo "The home directory ($dir) of user $user is owned by $owner."
fi
fi
done

223
cfg/1.1.0/definitions.yaml
View file

@ -8419,7 +8419,40 @@ groups:
- id: 6.2.6
description: "Ensure root PATH Integrity"
audit: "./6.2.6.sh"
audit: |
#!/bin/bash
if [ "$(echo "$PATH" | grep ::)" != "" ]; then
echo "Empty Directory in PATH (::)"
fi
if [ "$(echo "$PATH" | grep :$)" != "" ]; then
echo "Trailing : in PATH"
fi
p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- $p
while [ "$1" != "" ]; do
if [ "$1" = "." ]; then
shift
continue
fi
if [ -d "$1" ]; then
dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
echo "Group Write permission set on directory $1"
fi
if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
echo "Other Write permission set on directory $1"
fi
dirown=$(ls -ldH "$1" | awk '{print $3}')
if [ "$dirown" != "root" ] ; then
echo "$1 is not owned by root"
fi
else
echo "$1 is not a directory"
fi
shift
done
tests:
test_items:
- flag: ""
@ -8434,7 +8467,14 @@ groups:
- id: 6.2.7
description: "Ensure all users' home directories exist"
audit: "./6.2.7.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
while read -r user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
fi
done
tests:
test_items:
- flag: ""
@ -8448,7 +8488,28 @@ groups:
- id: 6.2.8
description: "Ensure users' home directories permissions are 750 or more restrictive"
audit: "./6.2.8.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
dirperm=$(ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6) != "-" ]; then
echo "Group Write permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c8) != "-" ]; then
echo "Other Read permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c9) != "-" ]; then
echo "Other Write permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c10) != "-" ]; then
echo "Other Execute permission set on the home directory ($dir) of user $user"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8462,7 +8523,18 @@ groups:
- id: 6.2.9
description: "Ensure users own their home directories"
audit: "./6.2.9.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
owner=$(stat -L -c "%U" "$dir")
if [ "$owner" != "$user" ]; then
echo "The home directory ($dir) of user $user is owned by $owner."
fi
fi
done
tests:
test_items:
- flag: ""
@ -8477,7 +8549,25 @@ groups:
- id: 6.2.10
description: "Ensure users' dot files are not group or world writable"
audit: "./6.2.10.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.[A-Za-z0-9]*; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write permission set on file $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write permission set on file $file"
fi
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8491,7 +8581,17 @@ groups:
- id: 6.2.11
description: "Ensure no users have .forward files"
audit: "./6.2.11.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
echo ".forward file $dir/.forward exists"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8506,7 +8606,17 @@ groups:
- id: 6.2.12
description: "Ensure no users have .netrc files"
audit: "./6.2.12.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
echo ".netrc file $dir/.netrc exists"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8520,7 +8630,37 @@ groups:
- id: 6.2.13
description: "Ensure users' .netrc Files are not group or world accessible"
audit: "./6.2.13.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.netrc; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c5) != "-" ]; then
echo "Group Read set on $file"
fi
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write set on $file"
fi
if [ $(echo $fileperm | cut -c7) != "-" ]; then
echo "Group Execute set on $file"
fi
if [ $(echo $fileperm | cut -c8) != "-" ]; then
echo "Other Read set on $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write set on $file"
fi
if [ $(echo $fileperm | cut -c10) != "-" ]; then
echo "Other Execute set on $file"
fi
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8534,7 +8674,19 @@ groups:
- id: 6.2.14
description: "Ensure no users have .rhosts files"
audit: "./6.2.14.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.rhosts; do
if [ ! -h "$file" -a -f "$file" ]; then
echo ".rhosts file in $dir"
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8548,7 +8700,14 @@ groups:
- id: 6.2.15
description: "Ensure all groups in /etc/passwd exist in /etc/group"
audit: "./6.2.15.sh"
audit: |
#!/bin/bash
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
grep -q -P "^.*?:[^:]*:$i:" /etc/group
if [ $? -ne 0 ]; then
echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
fi
done
tests:
test_items:
- flag: ""
@ -8562,7 +8721,16 @@ groups:
- id: 6.2.16
description: "Ensure no duplicate UIDs exist"
audit: "./6.2.16.sh"
audit: |
#!/bin/bash
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
echo "Duplicate UID ($2): $users"
fi
done
tests:
test_items:
- flag: ""
@ -8576,7 +8744,16 @@ groups:
- id: 6.2.17
description: "Ensure no duplicate GIDs exist"
audit: "./6.2.17.sh"
audit: |
#!/bin/bash
cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
echo "Duplicate GID ($2): $groups"
fi
done
tests:
test_items:
- flag: ""
@ -8590,7 +8767,16 @@ groups:
- id: 6.2.18
description: "Ensure no duplicate user names exist"
audit: "./6.2.18.sh"
audit: |
#!/bin/bash
cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
echo "Duplicate User Name ($2): $uids"
fi
done
tests:
test_items:
- flag: ""
@ -8605,7 +8791,16 @@ groups:
- id: 6.2.19
description: "Ensure no duplicate group names exist"
audit: "./6.2.19.sh"
audit: |
#!/bin/bash
cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)
echo "Duplicate Group Name ($2): $gids"
fi
done
tests:
test_items:
- flag: ""

21
cfg/2.0.0/6.2.10.sh
View file

@ -1,21 +0,0 @@
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which
nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user
dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.[A-Za-z0-9]*; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write permission set on file $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write permission set on file $file"
fi
fi
done
fi
done

13
cfg/2.0.0/6.2.11.sh
View file

@ -1,13 +0,0 @@
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 !=
"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while
read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
echo ".forward file $dir/.forward exists"
fi
fi
done

13
cfg/2.0.0/6.2.12.sh
View file

@ -1,13 +0,0 @@
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 !=
"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while
read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
echo ".netrc file $dir/.netrc exists"
fi
fi
done

33
cfg/2.0.0/6.2.13.sh
View file

@ -1,33 +0,0 @@
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 !=
"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while
read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.netrc; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c5) != "-" ]; then
echo "Group Read set on $file"
fi
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write set on $file"
fi
if [ $(echo $fileperm | cut -c7) != "-" ]; then
echo "Group Execute set on $file"
fi
if [ $(echo $fileperm | cut -c8) != "-" ]; then
echo "Other Read set on $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write set on $file"
fi
if [ $(echo $fileperm | cut -c10) != "-" ]; then
echo "Other Execute set on $file"
fi
fi
done
fi
done

15
cfg/2.0.0/6.2.14.sh
View file

@ -1,15 +0,0 @@
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 !=
"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while
read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.rhosts; do
if [ ! -h "$file" -a -f "$file" ]; then
echo ".rhosts file in $dir"
fi
done
fi
done

8
cfg/2.0.0/6.2.15.sh
View file

@ -1,8 +0,0 @@
#!/bin/bash
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
grep -q -P "^.*?:[^:]*:$i:" /etc/group
if [ $? -ne 0 ]; then
echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
fi
done

10
cfg/2.0.0/6.2.16.sh
View file

@ -1,10 +0,0 @@
#!/bin/bash
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
echo "Duplicate UID ($2): $users"
fi
done

10
cfg/2.0.0/6.2.17.sh
View file

@ -1,10 +0,0 @@
#!/bin/bash
cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
echo "Duplicate GID ($2): $groups"
fi
done

10
cfg/2.0.0/6.2.18.sh
View file

@ -1,10 +0,0 @@
#!/bin/bash
cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
echo "Duplicate User Name ($2): $uids"
fi
done

10
cfg/2.0.0/6.2.19.sh
View file

@ -1,10 +0,0 @@
#!/bin/bash
cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)
echo "Duplicate Group Name ($2): $gids"
fi
done

32
cfg/2.0.0/6.2.6.sh
View file

@ -1,32 +0,0 @@
#!/bin/bash
if [ "$(echo "$PATH" | grep ::)" != "" ]; then
echo "Empty Directory in PATH (::)"
fi
if [ "$(echo "$PATH" | grep :$)" != "" ]; then
echo "Trailing : in PATH"
fi
p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- $p
while [ "$1" != "" ]; do
if [ "$1" = "." ]; then
shift
continue
fi
if [ -d "$1" ]; then
dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
echo "Group Write permission set on directory $1"
fi
if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
echo "Other Write permission set on directory $1"
fi dirown=$(ls -ldH "$1" | awk '{print $3}')
if [ "$dirown" != "root" ] ; then
echo "$1 is not owned by root"
fi
else
echo "$1 is not a directory"
fi
shift
done

8
cfg/2.0.0/6.2.7.sh
View file

@ -1,8 +0,0 @@
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which
nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user
dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
fi
done

24
cfg/2.0.0/6.2.8.sh
View file

@ -1,24 +0,0 @@
#!/bin/bash
grep -E -v '^$(halt|sync|shutdown)' /etc/passwd | awk -F: '$($7 != "'"$$(which
nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user
dir; do
if [ ! -d "$dir" ]; then
echo "The home directory $($dir) of user $user does not exist."
else
dirperm=$$(ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6) != "-" ]; then
echo "Group Write permission set on the home directory $($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c8) != "-" ]; then
echo "Other Read permission set on the home directory $($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c9) != "-" ]; then
echo "Other Write permission set on the home directory $($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c10) != "-" ]; then
echo "Other Execute permission set on the home directory $($dir) of user $user"
fi
fi
done

14
cfg/2.0.0/6.2.9.sh
View file

@ -1,14 +0,0 @@
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which
nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user
dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
owner=$(stat -L -c "%U" "$dir")
if [ "$owner" != "$user" ]; then
echo "The home directory ($dir) of user $user is owned by $owner."
fi
fi
done

238
cfg/2.0.0/definitions.yaml
View file

@ -2806,7 +2806,7 @@ groups:
value: "(none)"
set: true
- flag: "Installed"
set: false
set: false
remediation: |
Remove the X Windows System packages using the appropriate package manager or manual installation:
@ -8136,7 +8136,15 @@ groups:
scored: true
- id: 5.4.1.5
description: "Ensure all users last password change date is in the past"
audit: "for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"; done"
audit: |
#!/bin/bash
for usr in $(cut -d: -f1 /etc/shadow | sort -u ); do
p=$(chage --list $usr | grep '^Last password change' | cut -d: -f2)
today=$(date +'%b %d %Y')
if [ $(date --date="$p" +%s) -gt $(date --date="$today" +%s) ]; then
echo "$usr : $p"
fi
done
tests:
test_items:
- flag: ""
@ -8772,7 +8780,40 @@ groups:
- id: 6.2.6
description: "Ensure root PATH Integrity"
audit: "./cfg/2.0.0/6.2.6.sh"
audit: |
#!/bin/bash
if [ "$(echo "$PATH" | grep ::)" != "" ]; then
echo "Empty Directory in PATH (::)"
fi
if [ "$(echo "$PATH" | grep :$)" != "" ]; then
echo "Trailing : in PATH"
fi
p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- $p
while [ "$1" != "" ]; do
if [ "$1" = "." ]; then
shift
continue
fi
if [ -d "$1" ]; then
dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
echo "Group Write permission set on directory $1"
fi
if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
echo "Other Write permission set on directory $1"
fi
dirown=$(ls -ldH "$1" | awk '{print $3}')
if [ "$dirown" != "root" ] ; then
echo "$1 is not owned by root"
fi
else
echo "$1 is not a directory"
fi
shift
done
tests:
test_items:
- flag: ""
@ -8787,7 +8828,14 @@ groups:
- id: 6.2.7
description: "Ensure all users' home directories exist"
audit: "./cfg/2.0.0/6.2.7.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
while read -r user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
fi
done
tests:
test_items:
- flag: ""
@ -8801,7 +8849,28 @@ groups:
- id: 6.2.8
description: "Ensure users' home directories permissions are 750 or more restrictive"
audit: "./cfg/2.0.0/6.2.8.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
dirperm=$(ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6) != "-" ]; then
echo "Group Write permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c8) != "-" ]; then
echo "Other Read permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c9) != "-" ]; then
echo "Other Write permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c10) != "-" ]; then
echo "Other Execute permission set on the home directory ($dir) of user $user"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8815,7 +8884,18 @@ groups:
- id: 6.2.9
description: "Ensure users own their home directories"
audit: "./cfg/2.0.0/6.2.9.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
owner=$(stat -L -c "%U" "$dir")
if [ "$owner" != "$user" ]; then
echo "The home directory ($dir) of user $user is owned by $owner."
fi
fi
done
tests:
test_items:
- flag: ""
@ -8830,7 +8910,25 @@ groups:
- id: 6.2.10
description: "Ensure users' dot files are not group or world writable"
audit: "./cfg/2.0.0/6.2.10.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.[A-Za-z0-9]*; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write permission set on file $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write permission set on file $file"
fi
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8844,7 +8942,17 @@ groups:
- id: 6.2.11
description: "Ensure no users have .forward files"
audit: "./cfg/2.0.0/6.2.11.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
echo ".forward file $dir/.forward exists"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8859,7 +8967,17 @@ groups:
- id: 6.2.12
description: "Ensure no users have .netrc files"
audit: "./cfg/2.0.0/6.2.12.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
echo ".netrc file $dir/.netrc exists"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8873,7 +8991,37 @@ groups:
- id: 6.2.13
description: "Ensure users' .netrc Files are not group or world accessible"
audit: "./cfg/2.0.0/6.2.13.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.netrc; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c5) != "-" ]; then
echo "Group Read set on $file"
fi
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write set on $file"
fi
if [ $(echo $fileperm | cut -c7) != "-" ]; then
echo "Group Execute set on $file"
fi
if [ $(echo $fileperm | cut -c8) != "-" ]; then
echo "Other Read set on $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write set on $file"
fi
if [ $(echo $fileperm | cut -c10) != "-" ]; then
echo "Other Execute set on $file"
fi
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8887,7 +9035,20 @@ groups:
- id: 6.2.14
description: "Ensure no users have .rhosts files"
audit: "./cfg/2.0.0/6.2.14.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.rhosts; do
if [ ! -h "$file" -a -f "$file" ]; then
echo ".rhosts file in $dir"
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8901,7 +9062,15 @@ groups:
- id: 6.2.15
description: "Ensure all groups in /etc/passwd exist in /etc/group"
audit: "./cfg/2.0.0/6.2.15.sh"
audit: |
#!/bin/bash
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
grep -q -P "^.*?:[^:]*:$i:" /etc/group
if [ $? -ne 0 ]; then
echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
fi
done
tests:
test_items:
- flag: ""
@ -8915,7 +9084,16 @@ groups:
- id: 6.2.16
description: "Ensure no duplicate UIDs exist"
audit: "./cfg/2.0.0/6.2.16.sh"
audit: |
#!/bin/bash
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
echo "Duplicate UID ($2): $users"
fi
done
tests:
test_items:
- flag: ""
@ -8929,7 +9107,17 @@ groups:
- id: 6.2.17
description: "Ensure no duplicate GIDs exist"
audit: "./cfg/2.0.0/6.2.17.sh"
audit: |
#!/bin/bash
cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
echo "Duplicate GID ($2): $groups"
fi
done
tests:
test_items:
- flag: ""
@ -8943,7 +9131,16 @@ groups:
- id: 6.2.18
description: "Ensure no duplicate user names exist"
audit: "./cfg/2.0.0/6.2.18.sh"
audit: |
#!/bin/bash
cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
echo "Duplicate User Name ($2): $uids"
fi
done
tests:
test_items:
- flag: ""
@ -8958,7 +9155,16 @@ groups:
- id: 6.2.19
description: "Ensure no duplicate group names exist"
audit: "./cfg/2.0.0/6.2.19.sh"
audit: |
#!/bin/bash
cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)
echo "Duplicate Group Name ($2): $gids"
fi
done
tests:
test_items:
- flag: ""

2
go.mod
View file

@ -3,7 +3,7 @@ module github.com/aquasecurity/linux-bench
go 1.13
require (
github.com/aquasecurity/bench-common v0.4.3
github.com/aquasecurity/bench-common v0.4.4
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/spf13/cobra v1.1.1
github.com/spf13/viper v1.7.1

4
go.sum
View file

@ -17,8 +17,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/aquasecurity/bench-common v0.4.3 h1:Cym3+jHYIyLPDzkjWojca5+RyjW2/3LAfq/BI6MsZU4=
github.com/aquasecurity/bench-common v0.4.3/go.mod h1:glope+l06WRCkeiKLcs0exibg3w0ZdXDpZJOSSuw+wg=
github.com/aquasecurity/bench-common v0.4.4 h1:gBs1ddFIviR5ZiNd02HkH+qwh5t2HbvJTK07N2Z5gaE=
github.com/aquasecurity/bench-common v0.4.4/go.mod h1:glope+l06WRCkeiKLcs0exibg3w0ZdXDpZJOSSuw+wg=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=