From 174b607c2bfaedeafa9de57ff204a1e0e45284bd Mon Sep 17 00:00:00 2001 From: Yoav Rotem Date: Sun, 22 Nov 2020 13:49:18 +0200 Subject: [PATCH 1/6] Add scripts to audit Bench-common is now supports scripts in audit https://github.com/aquasecurity/bench-common/pull/108 --- cfg/2.0.0/definitions.yaml | 238 ++++++++++++++++++++++++++++++++++--- 1 file changed, 222 insertions(+), 16 deletions(-)
diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml
index 2cff40b..4eb664a 100644
--- a/cfg/2.0.0/definitions.yaml
+++ b/cfg/2.0.0/definitions.yaml
@@ -2806,7 +2806,7 @@ groups:
 value: "(none)"
 set: true
 - flag: "Installed"
- set: false
+ set: false
 remediation: |
 Remove the X Windows System packages using the appropriate package manager or manual installation:
@@ -8136,7 +8136,15 @@ groups:
 scored: true
 - id: 5.4.1.5
 description: "Ensure all users last password change date is in the past"
- audit: "for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"; done"
+ audit: |
+ #!/bin/bash
+ for usr in $(cut -d: -f1 /etc/shadow | sort -u ); do
+ p=$(chage --list $usr | grep '^Last password change' | cut -d: -f2)
+ today=$(date +'%b %d %Y')
+ if [ $(date --date="$p" +%s) -gt $(date --date="$today" +%s) ]; then
+ echo "$usr : $p"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
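Review bot: In the new 5.4.1.5 loop the `if` comparison falls apart when `chage --list` prints a non-date in the Last password change line — shadow-utils prints `never` when the lastchange field is empty and `password must be changed` when it is 0 — because `date --date="$p"` then fails, the left operand of `-gt` is empty, bash writes an integer-expression error to stderr and that account is silently treated as compliant. Converting before comparing makes the skip explicit: `p=$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)` / `pts=$(date --date="$p" +%s 2>/dev/null) || continue  # never / must-change are not future dates` / `if [ "$pts" -gt "$(date --date="$today" +%s)" ]; then`. Quoting `"$usr"` also keeps a malformed /etc/shadow entry from being word-split into extra `chage` arguments.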
@@ -8772,7 +8780,40 @@ groups:
 - id: 6.2.6
 description: "Ensure root PATH Integrity"
- audit: "./cfg/2.0.0/6.2.6.sh"
+ audit: |
+ #!/bin/bash
+ if [ "$(echo "$PATH" | grep ::)" != "" ]; then
+ echo "Empty Directory in PATH (::)"
+ fi
+
+ if [ "$(echo "$PATH" | grep :$)" != "" ]; then
+ echo "Trailing : in PATH"
+ fi
+
+ p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+ set -- $p
+ while [ "$1" != "" ]; do
+ if [ "$1" = "." ]; then
+ shift
+ continue
+ fi
+ if [ -d "$1" ]; then
+ dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
+ echo "Group Write permission set on directory $1"
+ fi
+ if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
+ echo "Other Write permission set on directory $1"
+ fi
+ dirown=$(ls -ldH "$1" | awk '{print $3}')
+ if [ "$dirown" != "root" ] ; then
+ echo "$1 is not owned by root"
+ fi
+ else
+ echo "$1 is not a directory"
+ fi
+ shift
+ done
 tests:
 test_items:
 - flag: ""
@@ -8787,7 +8828,14 @@ groups:
 - id: 6.2.7
 description: "Ensure all users' home directories exist"
- audit: "./cfg/2.0.0/6.2.7.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
+ while read -r user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ fi
+ done
 tests:
 test_items:
 - flag: ""
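Review bot: The `.` branch of the `while` loop in the new 6.2.6 audit only does `shift; continue`, so a current-directory entry in root's PATH — the main condition this control exists to surface — produces no output and the check passes; cfg/1.1.0/6.2.6.sh, which patch 5 deletes, printed `PATH contains .` at that point, and the inline version should keep that `echo` before `shift`. Empty leading entries are also missed: `grep ::` and `grep :$` only cover a double or trailing colon, and `sed -e 's/::/:/'` without `g` collapses only the first `::`, so `:/usr/bin` or two empty entries go unreported; `case "$PATH" in :*|*::*|*:) echo "Empty Directory in PATH (::)";; esac` covers all three. The cfg/1.1.0 hunk for 6.2.6 in patch 5 has the identical body and the same two gaps.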
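Review bot: The `awk` filter on the `grep -E -v` line of 6.2.7 builds the awk program by splicing `$(which nologin)` into the single-quoted source, and it compares `$7` against exactly one path, so on a host where accounts carry the other spelling (`/sbin/nologin` versus `/usr/sbin/nologin`) those accounts may fall through the filter and be reported for a home directory that was never meant to exist. Passing the value with `-v` keeps data out of program text and lets both spellings be listed: `awk -F: -v nl="$(command -v nologin)" '($7 != nl && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }'`. The same line is repeated in 6.2.8 through 6.2.14 of this file and in the matching cfg/1.1.0 hunks of patch 5; those copies also drop the `-r` that 6.2.7 gives `read`, so a backslash in a home path would be mangled in every check but this one.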
@@ -8801,7 +8849,28 @@ groups:
 - id: 6.2.8
 description: "Ensure users' home directories permissions are 750 or more restrictive"
- audit: "./cfg/2.0.0/6.2.8.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
+ while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ dirperm=$(ls -ld $dir | cut -f1 -d" ")
+ if [ $(echo $dirperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c8) != "-" ]; then
+ echo "Other Read permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c10) != "-" ]; then
+ echo "Other Execute permission set on the home directory ($dir) of user $user"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8815,7 +8884,18 @@ groups:
 - id: 6.2.9
 description: "Ensure users own their home directories"
- audit: "./cfg/2.0.0/6.2.9.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ owner=$(stat -L -c "%U" "$dir")
+ if [ "$owner" != "$user" ]; then
+ echo "The home directory ($dir) of user $user is owned by $owner."
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
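Review bot: `dirperm=$(ls -ld $dir | cut -f1 -d" ")` in the new 6.2.8 audit does not dereference symlinks, so a home directory that is a symlink (which the preceding `[ -d "$dir" ]` accepts) is inspected as `lrwxrwxrwx` and all four permission checks fire for a directory that may well be 700; 6.2.6 in this same commit uses `ls -ldH` and 6.2.9 uses `stat -L`, so following the link is clearly the intent. `dirperm=$(stat -L -c '%A' "$dir")` fixes that and quotes the path, and the four tests should read `if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then` and so on, so that a home path containing whitespace does not break `[`. The 6.2.8 hunk for cfg/1.1.0 in patch 5 is identical.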
@@ -8830,7 +8910,25 @@ groups:
 - id: 6.2.10
 description: "Ensure users' dot files are not group or world writable"
- audit: "./cfg/2.0.0/6.2.10.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.[A-Za-z0-9]*; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on file $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on file $file"
+ fi
+ fi
+ done
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8844,7 +8942,17 @@ groups:
 - id: 6.2.11
 description: "Ensure no users have .forward files"
- audit: "./cfg/2.0.0/6.2.11.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8859,7 +8967,17 @@ groups:
 - id: 6.2.12
 description: "Ensure no users have .netrc files"
- audit: "./cfg/2.0.0/6.2.12.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
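Review bot: The glob `for file in $dir/.[A-Za-z0-9]*` in the new 6.2.10 audit only visits dot files whose second character is alphanumeric, so names such as `._foo` or `.-x` are never permission-checked, and the unquoted `$dir` is word-split before globbing. `for file in "$dir"/.*; do` together with the existing `-f "$file"` test (which already rejects `.` and `..`) covers every dot file, and `[ ! -h "$file" ] && [ -f "$file" ]` replaces the deprecated `-a`. The cfg/1.1.0 6.2.10 hunk of patch 5 uses the same glob.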
@@ -8873,7 +8991,37 @@ groups:
 - id: 6.2.13
 description: "Ensure users' .netrc Files are not group or world accessible"
- audit: "./cfg/2.0.0/6.2.13.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.netrc; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c5) != "-" ]; then
+ echo "Group Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c7) != "-" ]; then
+ echo "Group Execute set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c8) != "-" ]; then
+ echo "Other Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c10) != "-" ]; then
+ echo "Other Execute set on $file"
+ fi
+ fi
+ done
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8887,7 +9035,20 @@ groups:
 - id: 6.2.14
 description: "Ensure no users have .rhosts files"
- audit: "./cfg/2.0.0/6.2.14.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.rhosts; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ echo ".rhosts file in $dir"
+ fi
+ done
+ fi
+ done
+
 tests:
 test_items:
 - flag: ""
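Review bot: The added empty line after `done` in 6.2.14 sits inside the `audit: |` block scalar; YAML's default clip chomping drops it, so it is harmless, but 6.2.15 and 6.2.17 in this file carry the same stray line while the other entries end at `done`, so the three should be removed for uniformity. The `for file in $dir/.rhosts` loop iterates a single literal path and leaves `$dir` unquoted; `f="$dir/.rhosts"` followed by the same `-h`/`-f` test is simpler and safe for paths with whitespace.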
@@ -8901,7 +9062,15 @@ groups:
 - id: 6.2.15
 description: "Ensure all groups in /etc/passwd exist in /etc/group"
- audit: "./cfg/2.0.0/6.2.15.sh"
+ audit: |
+ #!/bin/bash
+ for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+ grep -q -P "^.*?:[^:]*:$i:" /etc/group
+ if [ $? -ne 0 ]; then
+ echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+ fi
+ done
+
 tests:
 test_items:
 - flag: ""
@@ -8915,7 +9084,16 @@ groups:
 - id: 6.2.16
 description: "Ensure no duplicate UIDs exist"
- audit: "./cfg/2.0.0/6.2.16.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate UID ($2): $users"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8929,7 +9107,17 @@ groups:
 - id: 6.2.17
 description: "Ensure no duplicate GIDs exist"
- audit: "./cfg/2.0.0/6.2.17.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
+ echo "Duplicate GID ($2): $groups"
+ fi
+ done
+
 tests:
 test_items:
 - flag: ""
@@ -8943,7 +9131,16 @@ groups:
 - id: 6.2.18
 description: "Ensure no duplicate user names exist"
- audit: "./cfg/2.0.0/6.2.18.sh"
+ audit: |
+ #!/bin/bash
+ cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate User Name ($2): $uids"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
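Review bot: `grep -q -P "^.*?:[^:]*:$i:" /etc/group` in the new 6.2.15 audit interpolates the GID into a PCRE pattern and depends on `-P`, which grep builds without libpcre (BusyBox, some Alpine/BSD images) reject; where that happens every call fails, the loop prints nothing, and the check passes without having looked at /etc/group. Because `$i` comes from a numeric passwd field and group names cannot contain colons, a basic pattern is equivalent and portable: `if ! grep -q "^[^:]*:[^:]*:$i:" /etc/group; then`, which also removes the separate `$?` test. The cfg/1.1.0 6.2.15 hunk of patch 5 uses the same pattern.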
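Review bot: `set - $x` in the new 6.2.16 loop relies on the legacy single-dash form of `set` to load the `uniq -c` fields into the positional parameters; `set -- $x` is the POSIX spelling and is what 6.2.6 in this same commit uses, so the duplicate checks should match it. 6.2.18 and 6.2.19 also pipe user and group names through `sort -n`, which orders text as if numeric and leaves the real ordering to sort's last-resort comparison; plain `sort` states the intent and still places duplicates adjacently for `uniq -c`. The same lines appear in 6.2.17–6.2.19 here and in the corresponding cfg/1.1.0 hunks of patch 5.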
@@ -8958,7 +9155,16 @@ groups:
 - id: 6.2.19
 description: "Ensure no duplicate group names exist"
- audit: "./cfg/2.0.0/6.2.19.sh"
+ audit: |
+ #!/bin/bash
+ cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)
+ echo "Duplicate Group Name ($2): $gids"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
From b801a976e7062ea6112c7fdf5b3a95c03bc03c7a Mon Sep 17 00:00:00 2001 From: Yoav Rotem Date: Sun, 22 Nov 2020 13:50:27 +0200 Subject: [PATCH 2/6] Delete 6.2.9.sh Now running it in definitions --- cfg/2.0.0/6.2.9.sh | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 cfg/2.0.0/6.2.9.sh
diff --git a/cfg/2.0.0/6.2.9.sh b/cfg/2.0.0/6.2.9.sh deleted file mode 100644
index 1d90e23..0000000
--- a/cfg/2.0.0/6.2.9.sh
+++ /dev/null
@@ -1,14 +0,0 @@ -#!/bin/bash - -grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which -nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user -dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - owner=$(stat -L -c "%U" "$dir") - if [ "$owner" != "$user" ]; then - echo "The home directory ($dir) of user $user is owned by $owner." - fi - fi -done \ No newline at end of file
From addb88dc4f16e7a3ef1238c9175c568acbab690d Mon Sep 17 00:00:00 2001 From: Yoav Rotem Date: Sun, 22 Nov 2020 13:50:37 +0200 Subject: [PATCH 3/6] Delete 6.2.8.sh Now running it in definitions --- cfg/2.0.0/6.2.8.sh | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 cfg/2.0.0/6.2.8.sh
diff --git a/cfg/2.0.0/6.2.8.sh b/cfg/2.0.0/6.2.8.sh deleted file mode 100644
index b58a266..0000000
--- a/cfg/2.0.0/6.2.8.sh
+++ /dev/null
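Review bot: 6.2.19 calls `gawk` where 6.2.16–6.2.18 call `awk`; on a host that ships only mawk or BusyBox awk (Debian and Alpine minimal images) the command is missing, the error goes to stderr, nothing is printed on stdout, and the duplicate-group-name check passes without having run. Use `gids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)` like its siblings. The cfg/1.1.0 6.2.19 hunk in patch 5 has the same `gawk`.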
@@ -1,24 +0,0 @@ -#!/bin/bash - -grep -E -v '^$(halt|sync|shutdown)' /etc/passwd | awk -F: '$($7 != "'"$$(which -nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user -dir; do - if [ ! -d "$dir" ]; then - echo "The home directory $($dir) of user $user does not exist." - else - dirperm=$$(ls -ld $dir | cut -f1 -d" ") - if [ $(echo $dirperm | cut -c6) != "-" ]; then - echo "Group Write permission set on the home directory $($dir) of user $user" - fi - if [ $(echo $dirperm | cut -c8) != "-" ]; then - echo "Other Read permission set on the home directory $($dir) of user $user" - fi - if [ $(echo $dirperm | cut -c9) != "-" ]; then - echo "Other Write permission set on the home directory $($dir) of user $user" - fi - if [ $(echo $dirperm | cut -c10) != "-" ]; then - echo "Other Execute permission set on the home directory $($dir) of user $user" - fi - fi -done - \ No newline at end of file From e79d7411c500e696f240eacb663e5f687e3e2efb Mon Sep 17 00:00:00 2001 From: Yoav Rotem Date: Sun, 22 Nov 2020 13:50:50 +0200 Subject: [PATCH 4/6] Delete 6.2.7.sh Now running it in definitions --- cfg/2.0.0/6.2.7.sh | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 cfg/2.0.0/6.2.7.sh diff --git a/cfg/2.0.0/6.2.7.sh b/cfg/2.0.0/6.2.7.sh deleted file mode 100644 index 51b85c4..0000000 --- a/cfg/2.0.0/6.2.7.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which -nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user -dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - fi -done \ No newline at end of file From 27e347f3bbf8b37939952035e253ab99090a5b9f Mon Sep 17 00:00:00 2001 
From: yoavrotems Date: Sun, 22 Nov 2020 14:01:20 +0200 Subject: [PATCH 5/6] Add support for scripts in definitions Now we can run scripts in audit field, so all of the old files are no longer needed. --- cfg/1.1.0/6.2.10.sh | 19 ---- cfg/1.1.0/6.2.11.sh | 11 -- cfg/1.1.0/6.2.12.sh | 11 -- cfg/1.1.0/6.2.13.sh | 31 ------ cfg/1.1.0/6.2.14.sh | 13 --- cfg/1.1.0/6.2.15.sh | 8 -- cfg/1.1.0/6.2.16.sh | 9 -- cfg/1.1.0/6.2.17.sh | 10 -- cfg/1.1.0/6.2.18.sh | 10 -- cfg/1.1.0/6.2.19.sh | 10 -- cfg/1.1.0/6.2.6.sh | 34 ------ cfg/1.1.0/6.2.7.sh | 7 -- cfg/1.1.0/6.2.8.sh | 24 ---- cfg/1.1.0/6.2.9.sh | 12 -- cfg/1.1.0/definitions.yaml | 223 ++++++++++++++++++++++++++++++++++--- cfg/2.0.0/6.2.10.sh | 21 ---- cfg/2.0.0/6.2.11.sh | 13 --- cfg/2.0.0/6.2.12.sh | 13 --- cfg/2.0.0/6.2.13.sh | 33 ------ cfg/2.0.0/6.2.14.sh | 15 --- cfg/2.0.0/6.2.15.sh | 8 -- cfg/2.0.0/6.2.16.sh | 10 -- cfg/2.0.0/6.2.17.sh | 10 -- cfg/2.0.0/6.2.18.sh | 10 -- cfg/2.0.0/6.2.19.sh | 10 -- cfg/2.0.0/6.2.6.sh | 32 ------ 26 files changed, 209 insertions(+), 398 deletions(-) delete mode 100644 cfg/1.1.0/6.2.10.sh delete mode 100644 cfg/1.1.0/6.2.11.sh delete mode 100644 cfg/1.1.0/6.2.12.sh delete mode 100644 cfg/1.1.0/6.2.13.sh delete mode 100644 cfg/1.1.0/6.2.14.sh delete mode 100644 cfg/1.1.0/6.2.15.sh delete mode 100644 cfg/1.1.0/6.2.16.sh delete mode 100644 cfg/1.1.0/6.2.17.sh delete mode 100644 cfg/1.1.0/6.2.18.sh delete mode 100644 cfg/1.1.0/6.2.19.sh delete mode 100644 cfg/1.1.0/6.2.6.sh delete mode 100644 cfg/1.1.0/6.2.7.sh delete mode 100644 cfg/1.1.0/6.2.8.sh delete mode 100644 cfg/1.1.0/6.2.9.sh delete mode 100644 cfg/2.0.0/6.2.10.sh delete mode 100644 cfg/2.0.0/6.2.11.sh delete mode 100644 cfg/2.0.0/6.2.12.sh delete mode 100644 cfg/2.0.0/6.2.13.sh delete mode 100644 cfg/2.0.0/6.2.14.sh delete mode 100644 cfg/2.0.0/6.2.15.sh delete mode 100644 cfg/2.0.0/6.2.16.sh delete mode 100644 cfg/2.0.0/6.2.17.sh delete mode 100644 cfg/2.0.0/6.2.18.sh delete mode 100644 cfg/2.0.0/6.2.19.sh delete mode 100644 
cfg/2.0.0/6.2.6.sh diff --git a/cfg/1.1.0/6.2.10.sh b/cfg/1.1.0/6.2.10.sh deleted file mode 100644 index 71cceea..0000000 --- a/cfg/1.1.0/6.2.10.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - for file in $dir/.[A-Za-z0-9]*; do - if [ ! -h "$file" -a -f "$file" ]; then - fileperm=`ls -ld $file | cut -f1 -d" "` - if [ `echo $fileperm | cut -c6` != "-" ]; then - echo "Group Write permission set on file $file" - fi - if [ `echo $fileperm | cut -c9` != "-" ]; then - echo "Other Write permission set on file $file" - fi - fi - done - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.11.sh b/cfg/1.1.0/6.2.11.sh deleted file mode 100644 index 883e790..0000000 --- a/cfg/1.1.0/6.2.11.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then - echo ".forward file $dir/.forward exists" - fi - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.12.sh b/cfg/1.1.0/6.2.12.sh deleted file mode 100644 index 61147d7..0000000 --- a/cfg/1.1.0/6.2.12.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then - echo ".netrc file $dir/.netrc exists" - fi - fi -done \ No newline at end of file 
diff --git a/cfg/1.1.0/6.2.13.sh b/cfg/1.1.0/6.2.13.sh deleted file mode 100644 index 44af2f4..0000000 --- a/cfg/1.1.0/6.2.13.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - for file in $dir/.netrc; do - if [ ! -h "$file" -a -f "$file" ]; then - fileperm=`ls -ld $file | cut -f1 -d" "` - if [ `echo $fileperm | cut -c5` != "-" ]; then - echo "Group Read set on $file" - fi - if [ `echo $fileperm | cut -c6` != "-" ]; then - echo "Group Write set on $file" - fi - if [ `echo $fileperm | cut -c7` != "-" ]; then - echo "Group Execute set on $file" - fi - if [ `echo $fileperm | cut -c8` != "-" ]; then - echo "Other Read set on $file" - fi - if [ `echo $fileperm | cut -c9` != "-" ]; then - echo "Other Write set on $file" - fi - if [ `echo $fileperm | cut -c10` != "-" ]; then - echo "Other Execute set on $file" - fi - fi - done - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.14.sh b/cfg/1.1.0/6.2.14.sh deleted file mode 100644 index 2ad7f97..0000000 --- a/cfg/1.1.0/6.2.14.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - for file in $dir/.rhosts; do - if [ ! -h "$file" -a -f "$file" ]; then - echo ".rhosts file in $dir" - fi - done - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.15.sh b/cfg/1.1.0/6.2.15.sh deleted file mode 100644 index c6790e8..0000000 --- a/cfg/1.1.0/6.2.15.sh +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/bash - -for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do - grep -q -P "^.*?:[^:]*:$i:" /etc/group - if [ $? -ne 0 ]; then - echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.16.sh b/cfg/1.1.0/6.2.16.sh deleted file mode 100644 index 9e4d47a..0000000 --- a/cfg/1.1.0/6.2.16.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do - [ -z "${x}" ] && break set - $x - if [ $1 -gt 1 ]; then - users=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs` - echo "Duplicate UID ($2): ${users}" - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.17.sh b/cfg/1.1.0/6.2.17.sh deleted file mode 100644 index 060d055..0000000 --- a/cfg/1.1.0/6.2.17.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do - [ -z "${x}" ] && break - set - $x - if [ $1 -gt 1 ]; then - groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` - echo "Duplicate GID ($2): ${groups}" - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.18.sh b/cfg/1.1.0/6.2.18.sh deleted file mode 100644 index 332dcf6..0000000 --- a/cfg/1.1.0/6.2.18.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do - [ -z "${x}" ] && break - set - $x - if [ $1 -gt 1 ]; then - uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs` - echo "Duplicate User Name ($2): ${uids}" - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.19.sh b/cfg/1.1.0/6.2.19.sh deleted file mode 100644 index 6a0260f..0000000 --- a/cfg/1.1.0/6.2.19.sh +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do - [ -z "${x}" ] && break - set - $x - if [ $1 -gt 1 ]; then - gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` - echo "Duplicate Group Name ($2): ${gids}" - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.6.sh b/cfg/1.1.0/6.2.6.sh deleted file mode 100644 index 68f5338..0000000 --- a/cfg/1.1.0/6.2.6.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/bash -if [ "`echo $PATH | grep ::`" != "" ]; then - echo "Empty Directory in PATH (::)" -fi - -if [ "`echo $PATH | grep :$`" != "" ]; then - echo "Trailing : in PATH" -fi - -p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` -set -- $p -while [ "$1" != "" ]; do - if [ "$1" = "." ]; then - echo "PATH contains ." - shift - continue - fi - if [ -d $1 ]; then - dirperm=`ls -ldH $1 | cut -f1 -d" "` - if [ `echo $dirperm | cut -c6` != "-" ]; then - echo "Group Write permission set on directory $1" - fi - if [ `echo $dirperm | cut -c9` != "-" ]; then - echo "Other Write permission set on directory $1" - fi - dirown=`ls -ldH $1 | awk '{print $3}'` - if [ "$dirown" != "root" ] ; then - echo $1 is not owned by root - fi - else - echo $1 is not a directory - fi - shift -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.7.sh b/cfg/1.1.0/6.2.7.sh deleted file mode 100644 index fcfc4f4..0000000 --- a/cfg/1.1.0/6.2.7.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/6.2.8.sh b/cfg/1.1.0/6.2.8.sh deleted file mode 100644 index 36f39d9..0000000 --- a/cfg/1.1.0/6.2.8.sh +++ /dev/null 
@@ -1,24 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != -"/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user -dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - dirperm=`ls -ld $dir | cut -f1 -d" "` - if [ `echo $dirperm | cut -c6` != "-" ]; then - echo "Group Write permission set on the home directory ($dir) of user $user" - fi - if [ `echo $dirperm | cut -c8` != "-" ]; then - echo "Other Read permission set on the home directory ($dir) of user $user" - fi - if [ `echo $dirperm | cut -c9` != "-" ]; then - echo "Other Write permission set on the home directory ($dir) of user $user" - fi - if [ `echo $dirperm | cut -c10` != "-" ]; then - echo "Other Execute permission set on the home directory ($dir) of user $user" - fi - fi -done - \ No newline at end of file diff --git a/cfg/1.1.0/6.2.9.sh b/cfg/1.1.0/6.2.9.sh deleted file mode 100644 index 221c44a..0000000 --- a/cfg/1.1.0/6.2.9.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - owner=$(stat -L -c "%U" "$dir") - if [ "$owner" != "$user" ]; then - echo "The home directory ($dir) of user $user is owned by $owner." - fi - fi -done \ No newline at end of file diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index fcecf2c..19c3892 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml 
@@ -8419,7 +8419,40 @@ groups:
 - id: 6.2.6
 description: "Ensure root PATH Integrity"
- audit: "./6.2.6.sh"
+ audit: |
+ #!/bin/bash
+ if [ "$(echo "$PATH" | grep ::)" != "" ]; then
+ echo "Empty Directory in PATH (::)"
+ fi
+
+ if [ "$(echo "$PATH" | grep :$)" != "" ]; then
+ echo "Trailing : in PATH"
+ fi
+
+ p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+ set -- $p
+ while [ "$1" != "" ]; do
+ if [ "$1" = "." ]; then
+ shift
+ continue
+ fi
+ if [ -d "$1" ]; then
+ dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
+ echo "Group Write permission set on directory $1"
+ fi
+ if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
+ echo "Other Write permission set on directory $1"
+ fi
+ dirown=$(ls -ldH "$1" | awk '{print $3}')
+ if [ "$dirown" != "root" ] ; then
+ echo "$1 is not owned by root"
+ fi
+ else
+ echo "$1 is not a directory"
+ fi
+ shift
+ done
 tests:
 test_items:
 - flag: ""
@@ -8434,7 +8467,14 @@ groups:
 - id: 6.2.7
 description: "Ensure all users' home directories exist"
- audit: "./6.2.7.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
+ while read -r user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ fi
+ done
 tests:
 test_items:
 - flag: ""
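Review bot: The inline 6.2.7 for cfg/1.1.0 no longer excludes `root` and replaces the literal `/sbin/nologin` with `$(which nologin)`, whereas cfg/1.1.0/6.2.7.sh, deleted by this same patch, filtered `^(root|halt|sync|shutdown)` and compared against `/sbin/nologin`; the same two changes reach 6.2.8, 6.2.9 and 6.2.10 of that file. That alters what the 1.1.0 benchmark reports rather than only relocating the scripts as the commit message says, so either the change is intended and deserves a line in the message, or the 1.1.0 bodies should keep `root|` in the `grep -E -v` pattern.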
@@ -8448,7 +8488,28 @@ groups:
 - id: 6.2.8
 description: "Ensure users' home directories permissions are 750 or more restrictive"
- audit: "./6.2.8.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
+ while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ dirperm=$(ls -ld $dir | cut -f1 -d" ")
+ if [ $(echo $dirperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c8) != "-" ]; then
+ echo "Other Read permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ $(echo $dirperm | cut -c10) != "-" ]; then
+ echo "Other Execute permission set on the home directory ($dir) of user $user"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8462,7 +8523,18 @@ groups:
 - id: 6.2.9
 description: "Ensure users own their home directories"
- audit: "./6.2.9.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ owner=$(stat -L -c "%U" "$dir")
+ if [ "$owner" != "$user" ]; then
+ echo "The home directory ($dir) of user $user is owned by $owner."
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8477,7 +8549,25 @@ groups:
 - id: 6.2.10
 description: "Ensure users' dot files are not group or world writable"
- audit: "./6.2.10.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.[A-Za-z0-9]*; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on file $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on file $file"
+ fi
+ fi
+ done
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8491,7 +8581,17 @@ groups:
 - id: 6.2.11
 description: "Ensure no users have .forward files"
- audit: "./6.2.11.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8506,7 +8606,17 @@ groups:
 - id: 6.2.12
 description: "Ensure no users have .netrc files"
- audit: "./6.2.12.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+ fi
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8520,7 +8630,37 @@ groups:
 - id: 6.2.13
 description: "Ensure users' .netrc Files are not group or world accessible"
- audit: "./6.2.13.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.netrc; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c5) != "-" ]; then
+ echo "Group Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c7) != "-" ]; then
+ echo "Group Execute set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c8) != "-" ]; then
+ echo "Other Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c10) != "-" ]; then
+ echo "Other Execute set on $file"
+ fi
+ fi
+ done
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8534,7 +8674,19 @@ groups:
 - id: 6.2.14
 description: "Ensure no users have .rhosts files"
- audit: "./6.2.14.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.rhosts; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ echo ".rhosts file in $dir"
+ fi
+ done
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8548,7 +8700,14 @@ groups:
 - id: 6.2.15
 description: "Ensure all groups in /etc/passwd exist in /etc/group"
- audit: "./6.2.15.sh"
+ audit: |
+ #!/bin/bash
+ for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+ grep -q -P "^.*?:[^:]*:$i:" /etc/group
+ if [ $? -ne 0 ]; then
+ echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8562,7 +8721,16 @@ groups:
 - id: 6.2.16
 description: "Ensure no duplicate UIDs exist"
- audit: "./6.2.16.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate UID ($2): $users"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8576,7 +8744,16 @@ groups:
 - id: 6.2.17
 description: "Ensure no duplicate GIDs exist"
- audit: "./6.2.17.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
+ echo "Duplicate GID ($2): $groups"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8590,7 +8767,16 @@ groups:
 - id: 6.2.18
 description: "Ensure no duplicate user names exist"
- audit: "./6.2.18.sh"
+ audit: |
+ #!/bin/bash
+ cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate User Name ($2): $uids"
+ fi
+ done
 tests:
 test_items:
 - flag: ""
@@ -8605,7 +8791,16 @@ groups: - id: 6.2.19 description: "Ensure no duplicate group names exist" - audit: "./6.2.19.sh" + audit: | + #!/bin/bash + cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do + [ -z "$x" ] && break + set - $x + if [ $1 -gt 1 ]; then + gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs) + echo "Duplicate Group Name ($2): $gids" + fi + done tests: test_items: - flag: "" diff --git a/cfg/2.0.0/6.2.10.sh b/cfg/2.0.0/6.2.10.sh deleted file mode 100644 index 25f0578..0000000 --- a/cfg/2.0.0/6.2.10.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which -nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user -dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - for file in $dir/.[A-Za-z0-9]*; do - if [ ! -h "$file" -a -f "$file" ]; then - fileperm=$(ls -ld $file | cut -f1 -d" ") - if [ $(echo $fileperm | cut -c6) != "-" ]; then - echo "Group Write permission set on file $file" - fi - if [ $(echo $fileperm | cut -c9) != "-" ]; then - echo "Other Write permission set on file $file" - fi - fi - done - fi -done \ No newline at end of file diff --git a/cfg/2.0.0/6.2.11.sh b/cfg/2.0.0/6.2.11.sh deleted file mode 100644 index cf173fe..0000000 --- a/cfg/2.0.0/6.2.11.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != -"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while -read user dir; do - if [ ! -d "$dir" ]; then - echo "The home directory ($dir) of user $user does not exist." - else - if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then - echo ".forward file $dir/.forward exists" - fi - fi -done \ No newline at end of file diff --git a/cfg/2.0.0/6.2.12.sh b/cfg/2.0.0/6.2.12.sh deleted file mode 100644 index bc442e1..0000000 --- a/cfg/2.0.0/6.2.12.sh +++ /dev/null 
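Review bot: The group-name lookup in 6.2.19 calls `gawk` where every sibling check uses `awk`; on hosts whose awk is mawk or busybox and where gawk is not installed, `gids` presumably comes back empty (with a "command not found" on stderr) and the finding is printed without the GIDs that identify the colliding entries — use `awk` as elsewhere: `gids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)`. As with the user-name check, `sort -n` on names relies on sort's tie-break byte comparison; a plain `sort` is the correct call. `read x` should be `read -r x` so backslashes in the input are preserved.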
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 !=
-"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while
-read user dir; do
- if [ ! -d "$dir" ]; then
- echo "The home directory ($dir) of user $user does not exist."
- else
- if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
- echo ".netrc file $dir/.netrc exists"
- fi
- fi
-done
\ No newline at end of file
diff --git a/cfg/2.0.0/6.2.13.sh b/cfg/2.0.0/6.2.13.sh
deleted file mode 100644
index a4deb90..0000000
--- a/cfg/2.0.0/6.2.13.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 !=
-"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while
-read user dir; do
- if [ ! -d "$dir" ]; then
- echo "The home directory ($dir) of user $user does not exist."
- else
- for file in $dir/.netrc; do
- if [ ! -h "$file" -a -f "$file" ]; then
- fileperm=$(ls -ld $file | cut -f1 -d" ")
- if [ $(echo $fileperm | cut -c5) != "-" ]; then
- echo "Group Read set on $file"
- fi
- if [ $(echo $fileperm | cut -c6) != "-" ]; then
- echo "Group Write set on $file"
- fi
- if [ $(echo $fileperm | cut -c7) != "-" ]; then
- echo "Group Execute set on $file"
- fi
- if [ $(echo $fileperm | cut -c8) != "-" ]; then
- echo "Other Read set on $file"
- fi
- if [ $(echo $fileperm | cut -c9) != "-" ]; then
- echo "Other Write set on $file"
- fi
- if [ $(echo $fileperm | cut -c10) != "-" ]; then
- echo "Other Execute set on $file"
- fi
- fi
- done
- fi
-done
\ No newline at end of file
diff --git a/cfg/2.0.0/6.2.14.sh b/cfg/2.0.0/6.2.14.sh
deleted file mode 100644
index e8cd2b7..0000000
--- a/cfg/2.0.0/6.2.14.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 !=
-"'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while
-read user dir; do
- if [ ! -d "$dir" ]; then
- echo "The home directory ($dir) of user $user does not exist."
- else
- for file in $dir/.rhosts; do
- if [ ! -h "$file" -a -f "$file" ]; then
- echo ".rhosts file in $dir"
- fi
- done
- fi
-done
\ No newline at end of file
diff --git a/cfg/2.0.0/6.2.15.sh b/cfg/2.0.0/6.2.15.sh
deleted file mode 100644
index fca4d49..0000000
--- a/cfg/2.0.0/6.2.15.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
- grep -q -P "^.*?:[^:]*:$i:" /etc/group
- if [ $? -ne 0 ]; then
- echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
- fi
-done
\ No newline at end of file
diff --git a/cfg/2.0.0/6.2.16.sh b/cfg/2.0.0/6.2.16.sh
deleted file mode 100644
index fec549a..0000000
--- a/cfg/2.0.0/6.2.16.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
- [ -z "$x" ] && break
- set - $x
- if [ $1 -gt 1 ]; then
- users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
- echo "Duplicate UID ($2): $users"
- fi
-done
\ No newline at end of file
diff --git a/cfg/2.0.0/6.2.17.sh b/cfg/2.0.0/6.2.17.sh
deleted file mode 100644
index 1fb4a37..0000000
--- a/cfg/2.0.0/6.2.17.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
- [ -z "$x" ] && break
- set - $x
- if [ $1 -gt 1 ]; then
- groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
- echo "Duplicate GID ($2): $groups"
- fi
-done
\ No newline at end of file
diff --git a/cfg/2.0.0/6.2.18.sh b/cfg/2.0.0/6.2.18.sh
deleted file mode 100644
index 8f7c09e..0000000
--- a/cfg/2.0.0/6.2.18.sh
+++ /dev/null
@@ -1,10 +0,0 @@ -#!/bin/bash - -cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do - [ -z "$x" ] && break - set - $x - if [ $1 -gt 1 ]; then - uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs) - echo "Duplicate User Name ($2): $uids" - fi -done \ No newline at end of file diff --git a/cfg/2.0.0/6.2.19.sh b/cfg/2.0.0/6.2.19.sh deleted file mode 100644 index f2b926f..0000000 --- a/cfg/2.0.0/6.2.19.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do - [ -z "$x" ] && break - set - $x - if [ $1 -gt 1 ]; then - gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs) - echo "Duplicate Group Name ($2): $gids" - fi -done \ No newline at end of file diff --git a/cfg/2.0.0/6.2.6.sh b/cfg/2.0.0/6.2.6.sh deleted file mode 100644 index e3fd2ba..0000000 --- a/cfg/2.0.0/6.2.6.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash -if [ "$(echo "$PATH" | grep ::)" != "" ]; then - echo "Empty Directory in PATH (::)" -fi - -if [ "$(echo "$PATH" | grep :$)" != "" ]; then - echo "Trailing : in PATH" -fi - -p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g') -set -- $p -while [ "$1" != "" ]; do - if [ "$1" = "." ]; then - shift - continue - fi - if [ -d "$1" ]; then - dirperm=$(ls -ldH "$1" | cut -f1 -d" ") - if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then - echo "Group Write permission set on directory $1" - fi - if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then - echo "Other Write permission set on directory $1" - fi dirown=$(ls -ldH "$1" | awk '{print $3}') - if [ "$dirown" != "root" ] ; then - echo "$1 is not owned by root" - fi - else - echo "$1 is not a directory" - fi - shift -done From 3b76409b45620b4248473ccfbdbf0cafbf15363a Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Mon, 30 Nov 2020 10:22:08 +0200 Subject: [PATCH 6/6] update go.mod Update bench-common version --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/go.mod b/go.mod index b8b116c..a838cf5 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/aquasecurity/linux-bench go 1.12 require ( - github.com/aquasecurity/bench-common v0.4.1 + github.com/aquasecurity/bench-common v0.4.4 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b github.com/spf13/cobra v0.0.5 github.com/spf13/viper v1.4.0 diff --git a/go.sum b/go.sum index 61694e3..dbc126e 100644 --- a/go.sum +++ b/go.sum @@ -6,6 +6,8 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/aquasecurity/bench-common v0.4.1 h1:pk23TPeRFnpAroiCnds7qd8C61qB7XCyhvhPkKi67+g= github.com/aquasecurity/bench-common v0.4.1/go.mod h1:glope+l06WRCkeiKLcs0exibg3w0ZdXDpZJOSSuw+wg= +github.com/aquasecurity/bench-common v0.4.4 h1:gBs1ddFIviR5ZiNd02HkH+qwh5t2HbvJTK07N2Z5gaE= +github.com/aquasecurity/bench-common v0.4.4/go.mod h1:glope+l06WRCkeiKLcs0exibg3w0ZdXDpZJOSSuw+wg= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=