#!/usr/bin/env bash
# ----------------------------------------------------------- #
# Copyright (C) 2008 Red Hat, Inc. #
# Written by Michel Samia <msamia@redhat.com> #
# home_files.sh #
# more info in home_files.dsc #
# ----------------------------------------------------------- #
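RET=$XCCDF_RESULT_PASS   # start from PASS; the checks below only ever raise it to INFORMATIONAL or FAIL
# test of permissions and owner of some interesting files and dirs in ~
# (.ssh, private keys, .bashrc, .bash_profile...)
#constants
readonly passwd=/etc/passwd
readonly useradd=/etc/default/useradd
readonly default_homedir=/home
# files that should not be owned by someone other than the home directory owner, or readable
# even read permission can be dangerous for these files
# (space separated on purpose: the loop below word-splits the list)
readonly NO_READ_NO_WRITE_FILES="\
.netrc \
.rhosts \
.shosts \
.Xauthority \
.gnupg/secring.gpg \
.pgp/secring.pgp \
.ssh/identity \
.ssh/id_dsa \
.ssh/id_rsa \
.ssh/id_ecdsa \
.ssh/id_ed25519 \
.ssh/random_seed \
.pgp/randseed.bin"
# files that should not be owned by someone other than the home directory owner, or writeable
# write permission to these files is dangerous
# (.ssh itself is a directory; a writable ~/.ssh lets another user plant keys or config)
readonly NO_WRITE_FILES="\
.bashrc \
.bash_profile \
.bash_login \
.bash_logout \
.cshrc \
.emacs \
.exrc \
.forward \
.gdbrc \
.klogin \
.login \
.logout \
.profile \
.tcshrc \
.fvwmrc \
.inputrc \
.kshrc \
.nexrc \
.screenrc \
.ssh \
.ssh/config \
.ssh/authorized_keys \
.ssh/environment \
.ssh/known_hosts \
.ssh/rc \
.twmrc \
.vimrc \
.viminfo \
.xsession \
.xinitrc \
.Xdefaults \
.zshenv \
.zprofile \
.zshrc \
.zlogin \
.zlogout"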
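# the checks below stat files in every user's home, so the test needs root
if [[ $UID -ne 0 ]]; then
  printf '%s\n' "You have to be logged as root to run this test!"
  # outside the XCCDF harness XCCDF_RESULT_ERROR is unset; an unquoted "exit $var"
  # would then become a bare "exit" returning the status of the message (0)
  exit "${XCCDF_RESULT_ERROR:-1}"
fi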
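#### tries to find default home directory ####

#######################################
# Reads the base directory for new home directories (HOME=...) from the
# useradd defaults file.
# Arguments:
#   $1 - path of the useradd defaults file (normally /etc/default/useradd)
#   $2 - fallback directory, used when the file is unreadable or does not
#        contain exactly one HOME= line
# Globals:   homedir (written)
# Outputs:   a notice on stdout when the fallback is used
#######################################
detect_homedir() {
  local defaults_file="$1" fallback="$2"
  local value
  # anchored at line start so a commented-out "#HOME=..." line is not counted
  if [[ -r $defaults_file ]] \
     && [[ $(grep -E -c -e '^HOME=.+' -- "$defaults_file") -eq 1 ]]; then
    value=$(grep -E -e '^HOME=.+' -- "$defaults_file")
    # strip the key only, so a value containing '=' survives intact
    homedir=${value#HOME=}
    #DEBUGMSG "Detected $homedir as users' home directory"
  else
    echo "Could not detect users' home directory in $defaults_file, the default will be used"
    homedir=$fallback # not found, uses standard /home
  fi
}

detect_homedir "$useradd" "$default_homedir"
# NOTE(review): homedir is not referenced by the checks below; every passwd
# entry is checked against its own home field instead.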
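#### test permissions of sensitive files ####

#######################################
# Checks mode and ownership of one sensitive file (or directory) inside a
# user's home directory and prints one line per finding.
# Arguments:
#   $1 - user name (only used in messages)
#   $2 - numeric uid that should own the file
#   $3 - "noreadnowrite": group/other read access is also a finding;
#        anything else ("nowrite"): only write access is a finding
#   $4 - file name relative to the home directory (only used in messages)
#   $5 - full path to inspect
# Globals:   RET (raised to INFORMATIONAL or FAIL), XCCDF_RESULT_FAIL,
#            XCCDF_RESULT_INFORMATIONAL
# Outputs:   findings on stdout
# Returns:   1 if the path cannot be stat'ed, else 0
#######################################
check_home_file() {
  local username="$1" uid="$2" strictness="$3" relpath="$4" fullpath="$5"
  local perm owner_id owner_name

  # One stat call yields the mode string, owner uid and owner name.  -L makes a
  # symlinked dotfile be judged by its target; without it the mode of the link
  # itself (lrwxrwxrwx) would always be reported as group/world writable.
  if ! read -r perm owner_id owner_name < <(stat -L -c '%A %u %U' -- "$fullpath" 2>/dev/null); then
    printf 'Could not stat %s\n' "$fullpath"
    return 1
  fi

  # ownership: reported only, does not change RET (same as the original check)
  if (( owner_id != uid )); then
    printf '%s\n' "\"$username\"'s file $relpath is owned by user \"$owner_name\"!"
  fi

  # owner read bit (position 1 of e.g. -rw-r--r--)
  if [[ ${perm:1:1} != 'r' ]]; then
    printf '%s\n' "User \"$username\" can't read his $relpath!"
    [[ $RET == "$XCCDF_RESULT_FAIL" ]] || RET=$XCCDF_RESULT_INFORMATIONAL
  fi

  # group read (position 4) and write (position 5) bits
  if [[ ${perm:4:1} != '-' && $strictness == noreadnowrite ]]; then
    printf '%s\n' "User \"$username\" allows users from his group to read his $relpath!"
    [[ $RET == "$XCCDF_RESULT_FAIL" ]] || RET=$XCCDF_RESULT_INFORMATIONAL
  fi
  if [[ ${perm:5:1} != '-' ]]; then
    printf '%s\n' "User \"$username\" allows users from his group to write to his $relpath!"
    RET=$XCCDF_RESULT_FAIL
  fi

  # other read (position 7) and write (position 8) bits
  if [[ ${perm:7:1} != '-' && $strictness == noreadnowrite ]]; then
    printf '%s\n' "User \"$username\" allows other users to read his $relpath!"
    RET=$XCCDF_RESULT_FAIL
  fi
  if [[ ${perm:8:1} != '-' ]]; then
    printf '%s\n' "User \"$username\" allows other users to write to his $relpath!"
    RET=$XCCDF_RESULT_FAIL
  fi
  return 0
}

# go thru users, splitting each passwd record into its fields
# (name:password:uid:gid:gecos:home:shell).  The trailing [[ -n ]] keeps a
# final record without a newline, which the old `cat` here-document also kept.
while IFS=: read -r line_username _ line_userID _ _ line_home line_shell \
      || [[ -n $line_username ]]; do
  # only /sbin/nologin marks an account as non-interactive here (unchanged);
  # accounts with other locked shells such as /bin/false are still checked
  [[ $line_shell == /sbin/nologin ]] && continue
  [[ -d $line_home ]] || continue
  for files in noreadnowrite nowrite; do
    if [[ $files == noreadnowrite ]]; then
      pole=$NO_READ_NO_WRITE_FILES
    else
      pole=$NO_WRITE_FILES
    fi
    # shellcheck disable=SC2086 -- the lists are deliberately space separated
    for tested_file in $pole; do
      fullpath=$line_home/$tested_file
      # -e instead of -f: .ssh in NO_WRITE_FILES is a directory and must be
      # checked too; a group/world-writable ~/.ssh is exactly what sshd's
      # StrictModes refuses to trust
      [[ -e $fullpath ]] || continue
      check_home_file "$line_username" "$line_userID" "$files" "$tested_file" "$fullpath"
    done
  done
done < "$passwd"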
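# final XCCDF verdict: PASS unless a check above raised it to INFORMATIONAL or FAIL;
# quoted so an unset RET is reported instead of silently becoming a bare "exit"
exit "$RET"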