mirrors/linux-bench
1
0
Fork 1
mirror of https://github.com/aquasecurity/linux-bench.git synced 2025-02-22 14:15:32 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add scripts to audit

Browse source 
Bench-common is now supports scripts in audit 
https://github.com/aquasecurity/bench-common/pull/108
This commit is contained in:
Yoav Rotem 2020-11-22 13:49:18 +02:00 committed by GitHub
parent cc3954ef3f
commit 174b607c2b
Failed to generate hash of commit
1 changed files with 222 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

238
cfg/2.0.0/definitions.yaml
View file

@ -2806,7 +2806,7 @@ groups:
value: "(none)"
set: true
- flag: "Installed"
set: false
set: false
remediation: |
Remove the X Windows System packages using the appropriate package manager or manual installation:
@ -8136,7 +8136,15 @@ groups:
scored: true
- id: 5.4.1.5
description: "Ensure all users last password change date is in the past"
audit: "for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"; done"
audit: |
#!/bin/bash
for usr in $(cut -d: -f1 /etc/shadow | sort -u ); do
p=$(chage --list $usr | grep '^Last password change' | cut -d: -f2)
today=$(date +'%b %d %Y')
if [ $(date --date="$p" +%s) -gt $(date --date="$today" +%s) ]; then
echo "$usr : $p"
fi
done
tests:
test_items:
- flag: ""
@ -8772,7 +8780,40 @@ groups:
- id: 6.2.6
description: "Ensure root PATH Integrity"
audit: "./cfg/2.0.0/6.2.6.sh"
audit: |
#!/bin/bash
if [ "$(echo "$PATH" | grep ::)" != "" ]; then
echo "Empty Directory in PATH (::)"
fi
if [ "$(echo "$PATH" | grep :$)" != "" ]; then
echo "Trailing : in PATH"
fi
p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
set -- $p
while [ "$1" != "" ]; do
if [ "$1" = "." ]; then
shift
continue
fi
if [ -d "$1" ]; then
dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
echo "Group Write permission set on directory $1"
fi
if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
echo "Other Write permission set on directory $1"
fi
dirown=$(ls -ldH "$1" | awk '{print $3}')
if [ "$dirown" != "root" ] ; then
echo "$1 is not owned by root"
fi
else
echo "$1 is not a directory"
fi
shift
done
tests:
test_items:
- flag: ""
@ -8787,7 +8828,14 @@ groups:
- id: 6.2.7
description: "Ensure all users' home directories exist"
audit: "./cfg/2.0.0/6.2.7.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
while read -r user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
fi
done
tests:
test_items:
- flag: ""
@ -8801,7 +8849,28 @@ groups:
- id: 6.2.8
description: "Ensure users' home directories permissions are 750 or more restrictive"
audit: "./cfg/2.0.0/6.2.8.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
dirperm=$(ls -ld $dir | cut -f1 -d" ")
if [ $(echo $dirperm | cut -c6) != "-" ]; then
echo "Group Write permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c8) != "-" ]; then
echo "Other Read permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c9) != "-" ]; then
echo "Other Write permission set on the home directory ($dir) of user $user"
fi
if [ $(echo $dirperm | cut -c10) != "-" ]; then
echo "Other Execute permission set on the home directory ($dir) of user $user"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8815,7 +8884,18 @@ groups:
- id: 6.2.9
description: "Ensure users own their home directories"
audit: "./cfg/2.0.0/6.2.9.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
owner=$(stat -L -c "%U" "$dir")
if [ "$owner" != "$user" ]; then
echo "The home directory ($dir) of user $user is owned by $owner."
fi
fi
done
tests:
test_items:
- flag: ""
@ -8830,7 +8910,25 @@ groups:
- id: 6.2.10
description: "Ensure users' dot files are not group or world writable"
audit: "./cfg/2.0.0/6.2.10.sh"
audit: |
#!/bin/bash
grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.[A-Za-z0-9]*; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write permission set on file $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write permission set on file $file"
fi
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8844,7 +8942,17 @@ groups:
- id: 6.2.11
description: "Ensure no users have .forward files"
audit: "./cfg/2.0.0/6.2.11.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
echo ".forward file $dir/.forward exists"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8859,7 +8967,17 @@ groups:
- id: 6.2.12
description: "Ensure no users have .netrc files"
audit: "./cfg/2.0.0/6.2.12.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
echo ".netrc file $dir/.netrc exists"
fi
fi
done
tests:
test_items:
- flag: ""
@ -8873,7 +8991,37 @@ groups:
- id: 6.2.13
description: "Ensure users' .netrc Files are not group or world accessible"
audit: "./cfg/2.0.0/6.2.13.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.netrc; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=$(ls -ld $file | cut -f1 -d" ")
if [ $(echo $fileperm | cut -c5) != "-" ]; then
echo "Group Read set on $file"
fi
if [ $(echo $fileperm | cut -c6) != "-" ]; then
echo "Group Write set on $file"
fi
if [ $(echo $fileperm | cut -c7) != "-" ]; then
echo "Group Execute set on $file"
fi
if [ $(echo $fileperm | cut -c8) != "-" ]; then
echo "Other Read set on $file"
fi
if [ $(echo $fileperm | cut -c9) != "-" ]; then
echo "Other Write set on $file"
fi
if [ $(echo $fileperm | cut -c10) != "-" ]; then
echo "Other Execute set on $file"
fi
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8887,7 +9035,20 @@ groups:
- id: 6.2.14
description: "Ensure no users have .rhosts files"
audit: "./cfg/2.0.0/6.2.14.sh"
audit: |
#!/bin/bash
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."
else
for file in $dir/.rhosts; do
if [ ! -h "$file" -a -f "$file" ]; then
echo ".rhosts file in $dir"
fi
done
fi
done
tests:
test_items:
- flag: ""
@ -8901,7 +9062,15 @@ groups:
- id: 6.2.15
description: "Ensure all groups in /etc/passwd exist in /etc/group"
audit: "./cfg/2.0.0/6.2.15.sh"
audit: |
#!/bin/bash
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
grep -q -P "^.*?:[^:]*:$i:" /etc/group
if [ $? -ne 0 ]; then
echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
fi
done
tests:
test_items:
- flag: ""
@ -8915,7 +9084,16 @@ groups:
- id: 6.2.16
description: "Ensure no duplicate UIDs exist"
audit: "./cfg/2.0.0/6.2.16.sh"
audit: |
#!/bin/bash
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
echo "Duplicate UID ($2): $users"
fi
done
tests:
test_items:
- flag: ""
@ -8929,7 +9107,17 @@ groups:
- id: 6.2.17
description: "Ensure no duplicate GIDs exist"
audit: "./cfg/2.0.0/6.2.17.sh"
audit: |
#!/bin/bash
cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
echo "Duplicate GID ($2): $groups"
fi
done
tests:
test_items:
- flag: ""
@ -8943,7 +9131,16 @@ groups:
- id: 6.2.18
description: "Ensure no duplicate user names exist"
audit: "./cfg/2.0.0/6.2.18.sh"
audit: |
#!/bin/bash
cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
echo "Duplicate User Name ($2): $uids"
fi
done
tests:
test_items:
- flag: ""
@ -8958,7 +9155,16 @@ groups:
- id: 6.2.19
description: "Ensure no duplicate group names exist"
audit: "./cfg/2.0.0/6.2.19.sh"
audit: |
#!/bin/bash
cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if [ $1 -gt 1 ]; then
gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)
echo "Duplicate Group Name ($2): $gids"
fi
done
tests:
test_items:
- flag: ""