From 174b607c2bfaedeafa9de57ff204a1e0e45284bd Mon Sep 17 00:00:00 2001
From: Yoav Rotem
Date: Sun, 22 Nov 2020 13:49:18 +0200
Subject: [PATCH] Add scripts to audit
Bench-common is now supports scripts in audit https://github.com/aquasecurity/bench-common/pull/108
---
 cfg/2.0.0/definitions.yaml | 238 ++++++++++++++++++++++++++++++++++---
 1 file changed, 222 insertions(+), 16 deletions(-)
diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml
index 2cff40b..4eb664a 100644
--- a/cfg/2.0.0/definitions.yaml
+++ b/cfg/2.0.0/definitions.yaml
@@ -2806,7 +2806,7 @@ groups:
 value: "(none)"
 set: true
 - flag: "Installed"
- set: false
+ set: false
 remediation: |
 Remove the X Windows System packages using the appropriate package manager or manual installation:
@@ -8136,7 +8136,15 @@ groups:
 scored: true
 - id: 5.4.1.5
 description: "Ensure all users last password change date is in the past"
- audit: "for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"; done"
+ audit: |
+ #!/bin/bash
+ for usr in $(cut -d: -f1 /etc/shadow | sort -u ); do
+ p=$(chage --list $usr | grep '^Last password change' | cut -d: -f2)
+ today=$(date +'%b %d %Y')
+ if [ $(date --date="$p" +%s) -gt $(date --date="$today" +%s) ]; then
+ echo "$usr : $p"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
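Review bot: `p` is passed straight to `date --date` inside the `if` test, but `chage --list` prints `never` or `password must be changed` instead of a date for accounts whose last-change field is empty or zero, so `date` fails, the unquoted substitution expands to nothing and `[` reports a missing operand for that user. Parse once and skip values that do not parse: `changed=$(date --date="$p" +%s 2>/dev/null) || continue` followed by `if [ "$changed" -gt "$(date --date="$today" +%s)" ]; then`. The date text chage emits is locale formatted, so the parse presumably also depends on an English locale — pinning `LC_ALL=C` on the `chage --list "$usr"` call would make that explicit. When the audit runs unprivileged, `cut` on /etc/shadow prints nothing and the loop body never executes, so the check emits no findings rather than an error.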
@@ -8772,7 +8780,40 @@ groups:
 - id: 6.2.6
 description: "Ensure root PATH Integrity"
- audit: "./cfg/2.0.0/6.2.6.sh"
+ audit: |
+ #!/bin/bash
+ if [ "$(echo "$PATH" | grep ::)" != "" ]; then
+ echo "Empty Directory in PATH (::)"
+ fi
+
+ if [ "$(echo "$PATH" | grep :$)" != "" ]; then
+ echo "Trailing : in PATH"
+ fi
+
+ p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+ set -- $p
+ while [ "$1" != "" ]; do
+ if [ "$1" = "." ]; then
+ shift
+ continue
+ fi
+ if [ -d "$1" ]; then
+ dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
+ echo "Group Write permission set on directory $1"
+ fi
+ if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
+ echo "Other Write permission set on directory $1"
+ fi
+ dirown=$(ls -ldH "$1" | awk '{print $3}')
+ if [ "$dirown" != "root" ] ; then
+ echo "$1 is not owned by root"
+ fi
+ else
+ echo "$1 is not a directory"
+ fi
+ shift
+ done
 tests:
 test_items:
 - flag: ""
@@ -8787,7 +8828,14 @@ groups:
 - id: 6.2.7
 description: "Ensure all users' home directories exist"
- audit: "./cfg/2.0.0/6.2.7.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
+ while read -r user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ fi
+ done
 tests:
 test_items:
 - flag: ""
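Review bot: The `if [ "$1" = "." ]` branch in the 6.2.6 script silently skips a `.` entry, so a PATH that contains the current directory — the classic integrity failure this check exists to catch — produces no finding; add `echo "PATH contains ."` before that `shift`. Separately, the script inspects the `PATH` of the process running the benchmark, which only reflects root's PATH when the tool is launched from root's own environment (a sudo `secure_path`, for instance, replaces it) — worth a comment above the first `if`. `dirperm` and `dirown` each re-run `ls -ldH "$1"`; `stat -L -c '%A %U' "$1"` yields both in one call and matches the `stat` used in 6.2.9.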
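Review bot: The awk filter in 6.2.7 compares `$7` against the output of `$(which nologin)`, so if `nologin` is not on the auditor's PATH the substitution is empty and the comparison degrades to `$7 != ""`, which excludes only accounts with an empty shell field and turns every nologin system user into a finding; it also matches a single spelling of the path, while hosts commonly carry both `/sbin/nologin` and `/usr/sbin/nologin`. A pattern that does not depend on the audit environment, such as `awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 " " $6 }'`, avoids both problems. The same pipeline is repeated verbatim in 6.2.8 through 6.2.14.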
@@ -8801,7 +8849,28 @@ groups:
 - id: 6.2.8
 description: "Ensure users' home directories permissions are 750 or more restrictive"
- audit: "./cfg/2.0.0/6.2.8.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
+ while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ dirperm=$(ls -ld $dir | cut -f1 -d" ")
+ if [ $(echo $dirperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c8) != "-" ]; then
+ echo "Other Read permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c10) != "-" ]; then
+ echo "Other Execute permission set on the home directory ($dir) of user $user"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8815,7 +8884,18 @@ groups:
 - id: 6.2.9
 description: "Ensure users own their home directories"
- audit: "./cfg/2.0.0/6.2.9.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ owner=$(stat -L -c "%U" "$dir")
+ if [ "$owner" != "$user" ]; then
+ echo "The home directory ($dir) of user $user is owned by $owner."
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
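Review bot: In 6.2.8, `ls -ld $dir` and the `[ $(echo $dirperm | cut -c6) != "-" ]` tests leave `$dir` and `$dirperm` unquoted, so a home path containing whitespace is split into several `ls` operands and the permission checks then read the wrong line. Quote them: `dirperm=$(ls -ldH "$dir" | cut -f1 -d" ")` and `if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then` (likewise for `-c8`, `-c9`, `-c10`). Because `[ ! -d "$dir" ]` follows symlinks but `ls -ld` does not, a home entry that is itself a symlink is judged by the link's own mode bits; `-H` (as 6.2.6 uses) or `stat -L -c %A "$dir"` (as 6.2.9 uses) reads the target instead. The `while read user dir` loops here and in 6.2.9 through 6.2.14 also drop the `-r` that 6.2.7 uses, so backslashes in a home path are mangled, and 6.2.10 and 6.2.13 repeat the unquoted `ls -ld $file`.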
@@ -8830,7 +8910,25 @@ groups:
 - id: 6.2.10
 description: "Ensure users' dot files are not group or world writable"
- audit: "./cfg/2.0.0/6.2.10.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.[A-Za-z0-9]*; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on file $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on file $file"
+ fi
+ fi
+ done
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8844,7 +8942,17 @@ groups:
 - id: 6.2.11
 description: "Ensure no users have .forward files"
- audit: "./cfg/2.0.0/6.2.11.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8859,7 +8967,17 @@ groups:
 - id: 6.2.12
 description: "Ensure no users have .netrc files"
- audit: "./cfg/2.0.0/6.2.12.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
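Review bot: `[ ! -h "$file" -a -f "$file" ]` in 6.2.10 uses the `-a` conjunction, which POSIX marks obsolescent and which becomes ambiguous once an operand starts with `-`; under the `#!/bin/bash` shebang the unambiguous form is `[[ ! -h "$file" && -f "$file" ]]`, or `[ ! -h "$file" ] && [ -f "$file" ]` if POSIX `[` is preferred. The same test is repeated in 6.2.11, 6.2.12, 6.2.13 and 6.2.14. The `$dir/.[A-Za-z0-9]*` glob also leaves `$dir` unquoted; `"$dir"/.[A-Za-z0-9]*` keeps a path with spaces intact while still globbing the suffix.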
@@ -8873,7 +8991,37 @@ groups:
 - id: 6.2.13
 description: "Ensure users' .netrc Files are not group or world accessible"
- audit: "./cfg/2.0.0/6.2.13.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.netrc; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c5) != "-" ]; then
+ echo "Group Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c7) != "-" ]; then
+ echo "Group Execute set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c8) != "-" ]; then
+ echo "Other Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c10) != "-" ]; then
+ echo "Other Execute set on $file"
+ fi
+ fi
+ done
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8887,7 +9035,20 @@ groups:
 - id: 6.2.14
 description: "Ensure no users have .rhosts files"
- audit: "./cfg/2.0.0/6.2.14.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.rhosts; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ echo ".rhosts file in $dir"
+ fi
+ done
+ fi
+ done
+
 tests:
 test_items:
 - flag: ""
@@ -8901,7 +9062,15 @@ groups:
 - id: 6.2.15
 description: "Ensure all groups in /etc/passwd exist in /etc/group"
- audit: "./cfg/2.0.0/6.2.15.sh"
+ audit: |
+ #!/bin/bash
+ for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+ grep -q -P "^.*?:[^:]*:$i:" /etc/group
+ if [ $? -ne 0 ]; then
+ echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+ fi
+ done
+
 tests:
 test_items:
 - flag: ""
@@ -8915,7 +9084,16 @@ groups:
 - id: 6.2.16
 description: "Ensure no duplicate UIDs exist"
- audit: "./cfg/2.0.0/6.2.16.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate UID ($2): $users"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8929,7 +9107,17 @@ groups:
 - id: 6.2.17
 description: "Ensure no duplicate GIDs exist"
- audit: "./cfg/2.0.0/6.2.17.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
+ echo "Duplicate GID ($2): $groups"
+ fi
+ done
+
 tests:
 test_items:
 - flag: ""
@@ -8943,7 +9131,16 @@ groups:
 - id: 6.2.18
 description: "Ensure no duplicate user names exist"
- audit: "./cfg/2.0.0/6.2.18.sh"
+ audit: |
+ #!/bin/bash
+ cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate User Name ($2): $uids"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
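Review bot: `grep -q -P` in 6.2.15 needs a grep built with PCRE support, which busybox and some minimal images lack; on such hosts the command fails for every GID and each group is reported as missing, since `$? -ne 0` cannot tell "no match" from "unsupported option". The non-greedy `^.*?:` is equivalent to `^[^:]*:`, so the check can use ERE and fold the status test into the condition: `if ! grep -q -E "^[^:]*:[^:]*:$i:" /etc/group; then`. `$i` is interpolated into the pattern; it comes from the numeric GID field, so this is harmless for a well-formed /etc/passwd, but a non-numeric value would be read as regex syntax rather than as a literal — `grep -F` cannot express the anchoring, so the well-formedness assumption is worth a comment.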
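Review bot: `set - $x` in 6.2.16 relies on a lone `-` to end option processing and on word-splitting of the unquoted `$x`, and `[ -z "$x" ] && break` is redundant because `read` already returns non-zero at end of input; the `uniq -c` output can be read straight into fields instead: `while read -r count uid; do` and `if [ "$count" -gt 1 ]; then`, with `n="$uid"` passed to awk and `$uid` in the message. The same pattern is repeated in 6.2.17, 6.2.18 and 6.2.19. `read` without `-r` also differs from the `read -r` used in 6.2.7.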
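Review bot: `sort -n` in 6.2.18 is applied to user names (and to group names in 6.2.19); numerically every name compares equal, and duplicates only land adjacent for `uniq -c` because sort's last-resort whole-line comparison orders tied keys, a guarantee `sort -s` would remove. Plain `sort` states the intent: `cut -f1 -d":" /etc/passwd | sort | uniq -c | while read x ; do`.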
@@ -8958,7 +9155,16 @@ groups:
 - id: 6.2.19
 description: "Ensure no duplicate group names exist"
- audit: "./cfg/2.0.0/6.2.19.sh"
+ audit: |
+ #!/bin/bash
+ cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)
+ echo "Duplicate Group Name ($2): $gids"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
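Review bot: `gids=$(gawk -F: ...)` calls `gawk` where 6.2.16, 6.2.17 and 6.2.18 call `awk`; on hosts that ship mawk or busybox awk without a `gawk` binary the substitution fails, `gids` is empty and the finding is printed without its GID list (the duplicate itself is still reported, since the `$1 -gt 1` test runs first). Nothing in the program needs gawk extensions, so `gids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)` keeps it consistent with the sibling checks.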