diff --git a/README.md b/README.md index 875220c..cee5ffb 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # SeBAz ## Tool to check compliance with CIS Benchmarks -Current version SeBAz v0.2.4 +Current version [SeBAz v0.3.3](https://github.com/Deepak710/SeBAz/releases "SeBAz releases") Made by [Deepak](https://t.me/AzorAhoy "Telegram") @@ -24,6 +24,11 @@ And if you are the **system administrator** in your organization, then this tool * Generate report(s) from the modified spreadsheets * Logs of all the commands performed by the tool +## Download + +* [SeBAz](https://github.com/Deepak710/SeBAz/releases/download/v0.3.3/SeBAz-amd64 "SeBAz-amd64") - For 64-bit systems +* [SeBAz](https://github.com/Deepak710/SeBAz/releases/download/v0.3.3/SeBAz-i386 "SeBAz-i386") - For 32-bit systems + ## How to use Check out the [wiki](https://github.com/Deepak710/SeBAz/wiki#how-to-use-sebaz "How to use") page for comprehensive instructions diff --git a/linux/SeBAz.py b/linux/SeBAz.py index a4aa75a..751adef 100644 --- a/linux/SeBAz.py +++ b/linux/SeBAz.py @@ -76,9 +76,9 @@ bold(yellow('chek')) + u':{count_2:{len_total}d} ' + \ u'[{elapsed}<{eta}, {rate:.1f}{unit_pad}{unit}/s]' passd = manager.counter(total=length, unit='tests', - color='bright_white', bar_format=bar_format) -faild = passd.add_subcounter('bright_white') -check = passd.add_subcounter('bright_white') + color='white', bar_format=bar_format) +faild = passd.add_subcounter('white') +check = passd.add_subcounter('white') # SeBAz.log file log_file = path.dirname(path.abspath(__file__)) + '/' + \ diff --git a/linux/modules/benchmarks.py b/linux/modules/benchmarks.py index e8a2328..fba421a 100644 --- a/linux/modules/benchmarks.py +++ b/linux/modules/benchmarks.py 
@@ -500,6 +500,40 @@ ['5.4.5', 1, 2, 2, 'Ensure default user shell timeout is 900 seconds or less'], ['5.5', 0, 1, 1, 'Ensure root login is restricted to system console'], ['5.6', 1, 1, 1, 'Ensure access to the su command is restricted'], + ['6.1.1', 0, 2, 2, 'Audit system file permissions'], + ['6.1.2', 1, 1, 1, 'Ensure permissions on /etc/gshadow are configured'], + ['6.1.3', 1, 1, 1, 'Ensure permissions on /etc/shadow- are configured'], + ['6.1.4', 1, 1, 1, 'Ensure permissions on /etc/gshadow- are configured'], + ['6.1.5', 1, 1, 1, 'Ensure permissions on /etc/passwd are configured'], + ['6.1.6', 1, 1, 1, 'Ensure permissions on /etc/shadow are configured'], + ['6.1.7', 1, 1, 1, 'Ensure permissions on /etc/group are configured'], + ['6.1.8', 1, 1, 1, 'Ensure permissions on /etc/passwd- are configured'], + ['6.1.9', 1, 1, 1, 'Ensure permissions on /etc/group- are configured'], + ['6.1.10', 1, 1, 1, 'Ensure no world writable files exist'], + ['6.1.11', 1, 1, 1, 'Ensure no unowned files or directories exist'], + ['6.1.12', 1, 1, 1, 'Ensure no ungrouped files or directories exist'], + ['6.1.13', 0, 1, 1, 'Audit SUID executables'], + ['6.1.14', 0, 1, 1, 'Audit SGID executables'], + ['6.2.1', 1, 1, 1, 'Ensure password fields are not empty'], + ['6.2.2', 1, 1, 1, 'Ensure no legacy "+" entries exist in /etc/passwd'], + ['6.2.3', 1, 1, 1, 'Ensure no legacy "+" entries exist in /etc/shadow'], + ['6.2.4', 1, 1, 1, 'Ensure no legacy "+" entries exist in /etc/group'], + ['6.2.5', 1, 1, 1, 'Ensure root is the only UID 0 account'], + ['6.2.6', 1, 1, 1, 'Ensure root PATH Integrity'], + ['6.2.7', 1, 1, 1, "Ensure all users' home directories exist"], + ['6.2.8', 1, 1, 1, "Ensure users' home directories permissions are 750 or more restrictive"], + ['6.2.9', 1, 1, 1, 'Ensure users own their home directories'], + ['6.2.10', 1, 1, 1, "Ensure users' dot files are not group or world writable"], + ['6.2.11', 1, 1, 1, 'Ensure no users have .forward files'], + ['6.2.12', 1, 1, 1, 'Ensure no 
users have .netrc files'], + ['6.2.13', 1, 1, 1, "Ensure users' .netrc Files are not group or world accessible"], + ['6.2.14', 1, 1, 1, 'Ensure no users have .rhosts files'], + ['6.2.15', 1, 1, 1, 'Ensure all groups in /etc/passwd exist in /etc/group'], + ['6.2.16', 1, 1, 1, 'Ensure no duplicate UIDs exist'], + ['6.2.17', 1, 1, 1, 'Ensure no duplicate GIDs exist'], + ['6.2.18', 1, 1, 1, 'Ensure no duplicate user names exist'], + ['6.2.19', 1, 1, 1, 'Ensure no duplicate group names exist'], + ['6.2.20', 1, 1, 1, 'Ensure shadow group is empty'], ] benchmark_fed = [ ['1.1.1.1', 1, 1, 1, 'Ensure mounting of cramfs filesystems is disabled'], @@ -6414,7 +6448,7 @@ def _6_1_1_ind(): return return_value global log_file write_log = log_file.split( - '_SeBAz_logs/')[0] + 'system_file_permissions.SeBAz.log' + '_SeBAz_logs/')[0] + '.system_file_permissions.SeBAz.log' success, error = check('dpkg --verify > ' + write_log) return_value.append('Audit system file permissions') return_value.append('CHEK') @@ -6940,7 +6974,7 @@ def _6_2_6_ind(): return_value = list() from sys import _MEIPASS from os.path import join - script = join(_MEIPASS, 'scripts/root_path_integrity.sh') + script = join(_MEIPASS, 'scripts/ind/6_2_6.sh') check('sudo cat ' + script + ' > ./root_path_integrity.sh') check('chmod +x ./root_path_integrity.sh') success, error = check('./root_path_integrity.sh') @@ -6948,7 +6982,7 @@ def _6_2_6_ind(): return_value.append('root PATH Integrity maintained') return_value.append('PASS') return_value.append( - 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/root_path_integrity.sh returned the following\n' + error) + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_6.sh returned the following\n' + error) else: return_value.append('writable dir in root\'s executable path') return_value.append('FAIL') 
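Review bot: `write_log` is still concatenated unquoted into the shell string `'dpkg --verify > ' + write_log`; this hunk changes only the file name. The prefix comes from `log_file`, which the SeBAz.py context shows is built from the tool's own directory, so a directory name containing a space or a shell metacharacter would send the output elsewhere or be interpreted by the shell (assuming `check` runs its argument through a shell, as the `>` suggests). Quote it, `check('dpkg --verify > ' + shlex.quote(write_log))`, and add a comment that `success` is presumably empty here because stdout is redirected into the file. The body of `_6_1_1_ind` starts and ends outside the hunk.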
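Review bot: The bundled script is still copied to a fixed name in the current working directory, marked executable and run from there (`check('sudo cat ' + script + ' > ./root_path_integrity.sh')`, then `chmod +x`, then `./root_path_integrity.sh`), and the new `scripts/ind/6_2_6.sh` path feeds the same flow. When the tool is started with elevated rights from a directory that other users can write to, nothing guarantees that the file executed is the one just written, and `script` itself goes into the shell string unquoted. Running the bundled copy in place removes the intermediate file: pass `shlex.quote(script)` to the interpreter directly inside `check(...)`, or, if a copy is really needed, create it inside a `tempfile.mkdtemp()` directory. The same pattern is in the `_6_2_7_ind` through `_6_2_19_ind` hunks below, each with its own `./<name>.sh`. The rest of `_6_2_6_ind` lies outside this hunk.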
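Review bot: The evidence string says the tool is "executing" a `blob/master` URL, but what actually runs is the copy bundled under `_MEIPASS`, and `master` can move after a release binary is built. For an audit report the reference should identify the script that ran: pin the URL to the release tag, or record the bundled path together with a hash of the file. The same wording is used in the `_6_2_7_ind` through `_6_2_19_ind` hunks below. The enclosing `if`/`else` of `_6_2_6_ind` starts and ends outside the hunk.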
@@ -6962,7 +6996,7 @@ def _6_2_7_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/home_directories.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_7.sh')
 check('sudo cat ' + script + ' > ./home_directories.sh')
 check('chmod +x ./home_directories.sh')
 success, error = check('./home_directories.sh')
@@ -6970,7 +7004,7 @@ def _6_2_7_ind():
 return_value.append('all users\' home directories exist')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/home_directories.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_7.sh returned the following\n' + error)
 else:
 return_value.append('users without home directory')
 return_value.append('FAIL')
@@ -6984,7 +7018,7 @@ def _6_2_8_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/home_directory_permissions.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_8.sh')
 check('sudo cat ' + script + ' > ./home_directory_permissions.sh')
 check('chmod +x ./home_directory_permissions.sh')
 success, error = check('./home_directory_permissions.sh')
@@ -6992,7 +7026,7 @@ def _6_2_8_ind():
 return_value.append('home directories permissions are gt 750')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/home_directory_permissions.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_8.sh returned the following\n' + error)
 else:
 return_value.append('Group or world-writable home directories')
 return_value.append('FAIL')
@@ -7006,7 +7040,7 @@ def _6_2_9_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/own_home_directory.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_9.sh')
 check('sudo cat ' + script + ' > ./own_home_directory.sh')
 check('chmod +x ./own_home_directory.sh')
 success, error = check('./own_home_directory.sh')
@@ -7014,7 +7048,7 @@ def _6_2_9_ind():
 return_value.append('users own their home directories')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/own_home_directory.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_9.sh returned the following\n' + error)
 else:
 return_value.append('user not owner of home directory')
 return_value.append('FAIL')
@@ -7028,7 +7062,7 @@ def _6_2_10_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/user_dot_file.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_10.sh')
 check('sudo cat ' + script + ' > ./user_dot_file.sh')
 check('chmod +x ./user_dot_file.sh')
 success, error = check('./user_dot_file.sh')
@@ -7036,7 +7070,7 @@ def _6_2_10_ind():
 return_value.append('users\' . files not group or world-writable')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/user_dot_file.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_10.sh returned the following\n' + error)
 else:
 return_value.append('users\' . files group or world-writable')
 return_value.append('FAIL')
@@ -7050,7 +7084,7 @@ def _6_2_11_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/user_forward_file.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_11.sh')
 check('sudo cat ' + script + ' > ./user_forward_file.sh')
 check('chmod +x ./user_forward_file.sh')
 success, error = check('./user_forward_file.sh')
@@ -7058,7 +7092,7 @@ def _6_2_11_ind():
 return_value.append('no users have .forward files')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/user_forward_file.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_11.sh returned the following\n' + error)
 else:
 return_value.append('users have .forward files')
 return_value.append('FAIL')
@@ -7072,7 +7106,7 @@ def _6_2_12_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/user_netrc_file.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_12.sh')
 check('sudo cat ' + script + ' > ./user_netrc_file.sh')
 check('chmod +x ./user_netrc_file.sh')
 success, error = check('./user_netrc_file.sh')
@@ -7080,7 +7114,7 @@ def _6_2_12_ind():
 return_value.append('no users have .netrc files')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/user_netrc_file.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_12.sh returned the following\n' + error)
 else:
 return_value.append('users have .netrc files')
 return_value.append('FAIL')
@@ -7094,7 +7128,7 @@ def _6_2_13_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/user_netrc_writable.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_13.sh')
 check('sudo cat ' + script + ' > ./user_netrc_writable.sh')
 check('chmod +x ./user_netrc_writable.sh')
 success, error = check('./user_netrc_writable.sh')
@@ -7102,7 +7136,7 @@ def _6_2_13_ind():
 return_value.append('users\' .netrc not group or world accessible')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/user_netrc_writable.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_13.sh returned the following\n' + error)
 else:
 return_value.append('users\' .netrc group or world accessible')
 return_value.append('FAIL')
@@ -7116,7 +7150,7 @@ def _6_2_14_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/user_rhosts_file.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_14.sh')
 check('sudo cat ' + script + ' > ./user_rhosts_file.sh')
 check('chmod +x ./user_rhosts_file.sh')
 success, error = check('./user_rhosts_file.sh')
@@ -7124,7 +7158,7 @@ def _6_2_14_ind():
 return_value.append('no users have .rhosts files')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/user_rhosts_file.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_14.sh returned the following\n' + error)
 else:
 return_value.append('users have .rhosts files')
 return_value.append('FAIL')
@@ -7138,7 +7172,7 @@ def _6_2_15_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/group_passwd.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_15.sh')
 check('sudo cat ' + script + ' > ./group_passwd.sh')
 check('chmod +x ./group_passwd.sh')
 success, error = check('./group_passwd.sh')
@@ -7146,7 +7180,7 @@ def _6_2_15_ind():
 return_value.append('all groups in passwd exist in group')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/group_passwd.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_15.sh returned the following\n' + error)
 else:
 return_value.append('groups in passwd don\'t exist in group')
 return_value.append('FAIL')
@@ -7160,7 +7194,7 @@ def _6_2_16_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/duplicate_uid.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_16.sh')
 check('sudo cat ' + script + ' > ./duplicate_uid.sh')
 check('chmod +x ./duplicate_uid.sh')
 success, error = check('./duplicate_uid.sh')
@@ -7168,7 +7202,7 @@ def _6_2_16_ind():
 return_value.append('no duplicate UIDs exist')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/duplicate_uid.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_16.sh returned the following\n' + error)
 else:
 return_value.append('duplicate UIDs exist')
 return_value.append('FAIL')
@@ -7181,7 +7215,7 @@ def _6_2_17_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/duplicate_gid.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_17.sh')
 check('sudo cat ' + script + ' > ./duplicate_gid.sh')
 check('chmod +x ./duplicate_gid.sh')
 success, error = check('./duplicate_gid.sh')
@@ -7189,7 +7223,7 @@ def _6_2_17_ind():
 return_value.append('no duplicate GIDs exist')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/duplicate_gid.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_17.sh returned the following\n' + error)
 else:
 return_value.append('duplicate GIDs exist')
 return_value.append('FAIL')
@@ -7202,7 +7236,7 @@ def _6_2_18_ind():
 return_value = list()
 from sys import _MEIPASS
 from os.path import join
- script = join(_MEIPASS, 'scripts/duplicate_user_name.sh')
+ script = join(_MEIPASS, 'scripts/ind/6_2_18.sh')
 check('sudo cat ' + script + ' > ./duplicate_user_name.sh')
 check('chmod +x ./duplicate_user_name.sh')
 success, error = check('./duplicate_user_name.sh')
@@ -7210,7 +7244,7 @@ def _6_2_18_ind():
 return_value.append('no duplicate user names exist')
 return_value.append('PASS')
 return_value.append(
- 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/duplicate_user_name.sh returned the following\n' + error)
+ 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_18.sh returned the following\n' + error)
 else:
 return_value.append('duplicate user names exist')
 return_value.append('FAIL')
@@ -7224,7 +7258,7 @@ def _6_2_19_ind(): return_value = list() from sys import _MEIPASS from os.path import join - script = join(_MEIPASS, 'scripts/duplicate_group_name.sh') + script = join(_MEIPASS, 'scripts/ind/6_2_19.sh') check('sudo cat ' + script + ' > ./duplicate_group_name.sh') check('chmod +x ./duplicate_group_name.sh') success, error = check('./duplicate_group_name.sh') @@ -7232,7 +7266,7 @@ def _6_2_19_ind(): return_value.append('no duplicate group names exist') return_value.append('PASS') return_value.append( - 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/duplicate_group_name.sh returned the following\n' + error) + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/ind/6_2_19.sh returned the following\n' + error) else: return_value.append('duplicate group names exist') return_value.append('FAIL') @@ -9483,7 +9517,6 @@ def _2_2_17_deb(): def _2_3_1_deb(): return_value = list() - return_value.append('NIS Client not checked (ind distro)') success, error = check('dpkg -s nis') if 'Status: install ok installed' in success: return_value.append('NIS Client installed') 
@@ -12753,6 +12786,870 @@ def _5_6_deb(): return return_value +def _6_1_1_deb(): + return_value = list() + global log_file + write_log = log_file.split( + '_SeBAz_logs/')[0] + '.system_file_permissions.SeBAz.log' + success, error = check('dpkg --verify > ' + write_log) + return_value.append('Audit system file permissions') + return_value.append('CHEK') + return_value.append('Verify the contents of ' + + write_log.split('/')[-1] + '\n' + success + '\n' + error) + return return_value + + +def _6_1_2_deb(): + return_value = list() + success, error = check('stat /etc/gshadow | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: (' in success: + if success.splitlines()[0].endswith('shadow)'): + allowed_access = [ + '(0640/-rw-r-----)', '(0600/-rw-------)', '(0440/-r--r-----)', '(0400/-r--------)'] + if any(a in success for a in allowed_access): + return_value.append('/etc/gshadow permissions configured') + return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/gshadow permits group and others') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/gshadow invalid gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/gshadow invalid uid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/gshadow not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/gshadow | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_3_deb(): + return_value = list() + success, error = check('stat /etc/shadow- | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: (' in success: + if success.splitlines()[0].endswith('shadow)'): + allowed_access = [ + '(0640/-rw-r-----)', '(0600/-rw-------)', '(0440/-r--r-----)', '(0400/-r--------)'] + if any(a in success for a in allowed_access): + return_value.append('/etc/shadow- permissions configured') + 
return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/shadow- permits group and others') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/shadow- invalid gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/shadow- invalid uid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/shadow- not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/shadow- | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_4_deb(): + return_value = list() + success, error = check('stat /etc/gshadow- | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: (' in success: + if success.splitlines()[0].endswith('shadow)'): + allowed_access = [ + '(0640/-rw-r-----)', '(0600/-rw-------)', '(0440/-r--r-----)', '(0400/-r--------)'] + if any(a in success for a in allowed_access): + return_value.append('/etc/gshadow- permissions configured') + return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/gshadow- permits group and others') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/gshadow- invalid gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/gshadow- invalid uid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/gshadow- not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/gshadow- | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_5_deb(): + return_value = list() + success, error = check('stat /etc/passwd | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: ( 0/ root)' in success: + if '(0644/-rw-r--r--)' in success: + return_value.append('/etc/passwd permissions configured') + 
return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/passwd permits group and others') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/passwd invalid uid and gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/passwd not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/passwd | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_6_deb(): + return_value = list() + success, error = check('stat /etc/shadow | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: (' in success: + if success.splitlines()[0].endswith('shadow)'): + allowed_access = ['(0640/-rw-r-----)', '(0600/-rw-------)', + '(0440/-r--r-----)', '(0400/-r--------)'] + if any(a in success for a in allowed_access): + return_value.append('/etc/shadow permissions configured') + return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/shadow permits group and others') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/shadow invalid gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/shadow invalid uid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/shadow not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/shadow | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_7_deb(): + return_value = list() + success, error = check('stat /etc/group | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: ( 0/ root)' in success: + if '(0644/-rw-r--r--)' in success: + return_value.append('/etc/group permissions configured') + return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/group permits group and others') + 
return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/group invalid uid and gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/group not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/group | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_8_deb(): + return_value = list() + success, error = check('stat /etc/passwd- | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: ( 0/ root)' in success: + allowed_access = ['(0644/-rw-r--r--)', '(0640/-rw-r-----)', '(0600/-rw-------)', + '(0444/-r--r--r--)', '(0440/-r--r-----)', '(0400/-r--------)'] + if any(a in success for a in allowed_access): + return_value.append('/etc/passwd- permissions configured') + return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/passwd- permits group and others') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/passwd- invalid uid and gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/passwd- not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/passwd- | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_9_deb(): + return_value = list() + success, error = check('stat /etc/group- | grep Access') + if success: + if 'Uid: ( 0/ root) Gid: ( 0/ root)' in success: + allowed_access = ['(0644/-rw-r--r--)', '(0640/-rw-r-----)', '(0600/-rw-------)', + '(0444/-r--r--r--)', '(0440/-r--r-----)', '(0400/-r--------)'] + if any(a in success for a in allowed_access): + return_value.append('/etc/group- permissions configured') + return_value.append('PASS') + return_value.append(success) + else: + return_value.append( + '/etc/group- permits group and others') + return_value.append('FAIL') + return_value.append(success) + else: + 
return_value.append('/etc/group- invalid uid and gid') + return_value.append('FAIL') + return_value.append(success) + else: + return_value.append('/etc/group- not found') + return_value.append('CHEK') + return_value.append( + 'stat /etc/group- | grep Access did not return anything\n' + error) + return return_value + + +def _6_1_10_deb(): + return_value = list() + success, error = check( + "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002") + if not success: + result_error = error + success, error = check('mount | grep -e "/dev/sd"') + partitions = [s.split()[0] for s in success.splitlines()] + if len(partitions): + result_success = '' + for p in partitions: + success, error = check( + 'find ' + p + ' -xdev -type f -perm -0002') + result_success += success if success else '' + result_error += error + if not result_success: + return_value.append('world writable files does not exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 confirms that all world writable directories have the sticky variable set\n" + result_error) + else: + return_value.append('world writable files exist in partitions') + return_value.append('FAIL') + return_value.append( + 'The following world writable files exist\n' + result_success + '\n' + result_error) + else: + return_value.append('world writable files does not exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 confirms that all world writable directories have the sticky variable set\n" + result_error + '\n' + error) + else: + return_value.append('world writable files exist') + return_value.append('FAIL') + return_value.append( + 'The following world writable files exist\n' + success) + return return_value + + +def _6_1_11_deb(): + return_value = list() + success, 
error = check( + "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser") + if not success: + result_error = error + success, error = check('mount | grep -e "/dev/sd"') + partitions = [s.split()[0] for s in success.splitlines()] + if len(partitions): + result_success = '' + for p in partitions: + success, error = check('find ' + p + ' -xdev -nouser') + result_success += success if success else '' + result_error += error + if not result_success: + return_value.append('no unowned files or directories exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser confirms that no unowned files or directories exist\n" + result_error) + else: + return_value.append('unowned files or directories exist') + return_value.append('FAIL') + return_value.append( + 'The following unowned files or directories exist\n' + result_success + '\n' + result_error) + else: + return_value.append('no unowned files or directories exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser confirms that no unowned files or directories exist\n" + result_error + '\n' + error) + else: + return_value.append('unowned files or directories exist') + return_value.append('FAIL') + return_value.append( + 'The following unowned files or directories exist\n' + success) + return return_value + + +def _6_1_12_deb(): + return_value = list() + success, error = check( + "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup") + if not success: + result_error = error + success, error = check('mount | grep -e "/dev/sd"') + partitions = [s.split()[0] for s in success.splitlines()] + if len(partitions): + result_success = '' + for p in partitions: + success, error = check('find ' + p + ' -xdev -nogroup') + result_success += success if success else '' + result_error += 
error + if not result_success: + return_value.append('no ungrouped files or directories exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup confirms that no ungrouped files or directories exist\n" + result_error) + else: + return_value.append('ungrouped files or directories exist') + return_value.append('FAIL') + return_value.append( + 'The following ungrouped files or directories exist\n' + result_success + '\n' + result_error) + else: + return_value.append('no ungrouped files or directories exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup confirms that no ungrouped files or directories exist\n" + result_error + '\n' + error) + else: + return_value.append('ungrouped files or directories exist') + return_value.append('FAIL') + return_value.append( + 'The following ungrouped files or directories exist\n' + success) + return return_value + + +def _6_1_13_deb(): + return_value = list() + success, error = check( + "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000") + if not success: + result_error = error + success, error = check('mount | grep -e "/dev/sd"') + partitions = [s.split()[0] for s in success.splitlines()] + if len(partitions): + result_success = '' + for p in partitions: + success, error = check( + 'find ' + p + ' -xdev -type f -perm -4000') + result_success += success if success else '' + result_error += error + if not result_success: + return_value.append('SUID executables does not exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 confirms that SUID executables does not exist\n" + result_error) + else: + return_value.append('SUID executables found') + return_value.append('FAIL') + 
return_value.append( + 'The following SUID executables exist\n' + result_success + '\n' + result_error) + else: + return_value.append('SUID executables does not exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 confirms that SUID executables does not exist\n" + result_error + '\n' + error) + else: + return_value.append('SUID executables found') + return_value.append('FAIL') + return_value.append( + 'The following SUID executables exist\n' + success) + return return_value + + +def _6_1_14_deb(): + return_value = list() + success, error = check( + "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000") + if not success: + result_error = error + success, error = check('mount | grep -e "/dev/sd"') + partitions = [s.split()[0] for s in success.splitlines()] + if len(partitions): + result_success = '' + for p in partitions: + success, error = check( + 'find ' + p + ' -xdev -type f -perm -2000') + result_success += success if success else '' + result_error += error + if not result_success: + return_value.append('SGID executables does not exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 confirms that SGID executables does not exist\n" + result_error) + else: + return_value.append('SGID executables found') + return_value.append('FAIL') + return_value.append( + 'The following SGID executables exist\n' + result_success + '\n' + result_error) + else: + return_value.append('SGID executables does not exist') + return_value.append('PASS') + return_value.append( + "running df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 confirms that SGID executables does not exist\n" + result_error + '\n' + error) + else: + return_value.append('SGID executables found') + 
return_value.append('FAIL') + return_value.append( + 'The following SGID executables exist\n' + success) + return return_value + + +def _6_2_1_deb(): + return_value = list() + success, error = check( + 'cat /etc/shadow | awk -F: \'($2 == "" ) { print $1 " does not have a password "}\'') + if not success: + return_value.append('password fields are not empty') + return_value.append('PASS') + return_value.append( + 'cat /etc/shadow | awk -F: \'($2 == "" ) { print $1 " does not have a password "}\' returned the following\n' + error) + else: + return_value.append('password fields are empty') + return_value.append('FAIL') + return_value.append( + 'The following accounts have empty password fields\n' + success) + return return_value + + +def _6_2_2_deb(): + return_value = list() + success, error = check("grep '^\+:' /etc/passwd") + if not success: + return_value.append('no legacy "+" entries exist in /etc/passwd') + return_value.append('PASS') + return_value.append( + "grep '^\+:' /etc/passwd returned the following\n" + error) + else: + return_value.append('legacy "+" entries exist in /etc/passwd') + return_value.append('FAIL') + return_value.append( + 'The following accounts have legacy "+" entries in /etc/passwd\n' + success) + return return_value + + +def _6_2_3_deb(): + return_value = list() + success, error = check("grep '^\+:' /etc/shadow") + if not success: + return_value.append('no legacy "+" entries exist in /etc/shadow') + return_value.append('PASS') + return_value.append( + "grep '^\+:' /etc/shadow returned the following\n" + error) + else: + return_value.append('legacy "+" entries exist in /etc/shadow') + return_value.append('FAIL') + return_value.append( + 'The following accounts have legacy "+" entries in /etc/shadow\n' + success) + return return_value + + +def _6_2_4_deb(): + return_value = list() + success, error = check("grep '^\+:' /etc/group") + if not success: + return_value.append('no legacy "+" entries exist in /etc/group') + 
return_value.append('PASS') + return_value.append( + "grep '^\+:' /etc/group returned the following\n" + error) + else: + return_value.append('legacy "+" entries exist in /etc/group') + return_value.append('FAIL') + return_value.append( + 'The following accounts have legacy "+" entries in /etc/group\n' + success) + return return_value + + +def _6_2_5_deb(): + return_value = list() + success, error = check( + "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'") + if success: + if 'root\n' == success: + return_value.append('root is the only UID 0 account') + return_value.append('PASS') + return_value.append( + "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }' returned the following\n" + success) + else: + return_value.append('root is not the only UID 0 account') + return_value.append('FAIL') + return_value.append( + "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }' returned the following UID 0 accounts\n" + success) + else: + return_value.append('no UID 0 account found') + return_value.append('CHEK') + return_value.append(error) + return return_value + + +def _6_2_6_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_6.sh') + check('sudo cat ' + script + ' > ./root_path_integrity.sh') + check('chmod +x ./root_path_integrity.sh') + success, error = check('./root_path_integrity.sh') + if not success: + return_value.append('root PATH Integrity maintained') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_6.sh returned the following\n' + error) + else: + return_value.append('writable dir in root\'s executable path') + return_value.append('FAIL') + return_value.append( + 'The following writable directories were found in root\'s executable path\n' + success) + check('rm ./root_path_integrity.sh') + return return_value + + +def _6_2_7_deb(): + return_value = list() + from sys import _MEIPASS + from os.path 
import join + script = join(_MEIPASS, 'scripts/deb/6_2_7.sh') + check('sudo cat ' + script + ' > ./home_directories.sh') + check('chmod +x ./home_directories.sh') + success, error = check('./home_directories.sh') + if not success: + return_value.append('all users\' home directories exist') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_7.sh returned the following\n' + error) + else: + return_value.append('users without home directory') + return_value.append('FAIL') + return_value.append( + 'The following users are without home directory\n' + success) + check('rm ./home_directories.sh') + return return_value + + +def _6_2_8_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_8.sh') + check('sudo cat ' + script + ' > ./home_directory_permissions.sh') + check('chmod +x ./home_directory_permissions.sh') + success, error = check('./home_directory_permissions.sh') + if not success: + return_value.append('home directories permissions are gt 750') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_8.sh returned the following\n' + error) + else: + return_value.append('Group or world-writable home directories') + return_value.append('FAIL') + return_value.append( + 'The following users have Group or world-writable home directories\n' + success) + check('rm ./home_directory_permissions.sh') + return return_value + + +def _6_2_9_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_9.sh') + check('sudo cat ' + script + ' > ./own_home_directory.sh') + check('chmod +x ./own_home_directory.sh') + success, error = check('./own_home_directory.sh') + if not success: + return_value.append('users own their home directories') + return_value.append('PASS') + 
return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_9.sh returned the following\n' + error) + else: + return_value.append('user not owner of home directory') + return_value.append('FAIL') + return_value.append( + 'The following users are not the not owner of their home directories\n' + success) + check('rm ./own_home_directory.sh') + return return_value + + +def _6_2_10_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_10.sh') + check('sudo cat ' + script + ' > ./user_dot_file.sh') + check('chmod +x ./user_dot_file.sh') + success, error = check('./user_dot_file.sh') + if not success: + return_value.append('users\' . files not group or world-writable') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_10.sh returned the following\n' + error) + else: + return_value.append('users\' . 
files group or world-writable') + return_value.append('FAIL') + return_value.append( + 'The following users\' dot files are group or world writable\n' + success) + check('rm ./user_dot_file.sh') + return return_value + + +def _6_2_11_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_11.sh') + check('sudo cat ' + script + ' > ./user_forward_file.sh') + check('chmod +x ./user_forward_file.sh') + success, error = check('./user_forward_file.sh') + if not success: + return_value.append('no users have .forward files') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_11.sh returned the following\n' + error) + else: + return_value.append('users have .forward files') + return_value.append('FAIL') + return_value.append( + 'The following users have .forward files\n' + success) + check('rm ./user_forward_file.sh') + return return_value + + +def _6_2_12_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_12.sh') + check('sudo cat ' + script + ' > ./user_netrc_file.sh') + check('chmod +x ./user_netrc_file.sh') + success, error = check('./user_netrc_file.sh') + if not success: + return_value.append('no users have .netrc files') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_12.sh returned the following\n' + error) + else: + return_value.append('users have .netrc files') + return_value.append('FAIL') + return_value.append( + 'The following users have .netrc files\n' + success) + check('rm ./user_netrc_file.sh') + return return_value + + +def _6_2_13_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_13.sh') + check('sudo cat ' + script + ' > ./user_netrc_writable.sh') + check('chmod 
+x ./user_netrc_writable.sh') + success, error = check('./user_netrc_writable.sh') + if not success: + return_value.append('users\' .netrc not group or world accessible') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_13.sh returned the following\n' + error) + else: + return_value.append('users\' .netrc group or world accessible') + return_value.append('FAIL') + return_value.append( + 'The following users\' .netrc Files are not group or world accessible\n' + success) + check('rm ./user_netrc_writable.sh') + return return_value + + +def _6_2_14_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_14.sh') + check('sudo cat ' + script + ' > ./user_rhosts_file.sh') + check('chmod +x ./user_rhosts_file.sh') + success, error = check('./user_rhosts_file.sh') + if not success: + return_value.append('no users have .rhosts files') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_14.sh returned the following\n' + error) + else: + return_value.append('users have .rhosts files') + return_value.append('FAIL') + return_value.append( + 'The following users have .rhosts files\n' + success) + check('rm ./user_rhosts_file.sh') + return return_value + + +def _6_2_15_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_15.sh') + check('sudo cat ' + script + ' > ./group_passwd.sh') + check('chmod +x ./group_passwd.sh') + success, error = check('./group_passwd.sh') + if not success: + return_value.append('all groups in passwd exist in group') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_15.sh returned the following\n' + error) + else: + return_value.append('groups in passwd don\'t 
exist in group') + return_value.append('FAIL') + return_value.append( + 'The following groups in /etc/passwd don\'t exist in /etc/group\n' + success) + check('rm ./group_passwd.sh') + return return_value + + +def _6_2_16_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_16.sh') + check('sudo cat ' + script + ' > ./duplicate_uid.sh') + check('chmod +x ./duplicate_uid.sh') + success, error = check('./duplicate_uid.sh') + if not success: + return_value.append('no duplicate UIDs exist') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_16.sh returned the following\n' + error) + else: + return_value.append('duplicate UIDs exist') + return_value.append('FAIL') + return_value.append('The following duplicate UIDs exist\n' + success) + check('rm ./duplicate_uid.sh') + return return_value + + +def _6_2_17_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_17.sh') + check('sudo cat ' + script + ' > ./duplicate_gid.sh') + check('chmod +x ./duplicate_gid.sh') + success, error = check('./duplicate_gid.sh') + if not success: + return_value.append('no duplicate GIDs exist') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_17.sh returned the following\n' + error) + else: + return_value.append('duplicate GIDs exist') + return_value.append('FAIL') + return_value.append('The following duplicate GIDs exist\n' + success) + check('rm ./duplicate_gid.sh') + return return_value + + +def _6_2_18_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_18.sh') + check('sudo cat ' + script + ' > ./duplicate_user_name.sh') + check('chmod +x ./duplicate_user_name.sh') + success, error = 
check('./duplicate_user_name.sh') + if not success: + return_value.append('no duplicate user names exist') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_18.sh returned the following\n' + error) + else: + return_value.append('duplicate user names exist') + return_value.append('FAIL') + return_value.append( + 'The following duplicate user names exist\n' + success) + check('rm ./duplicate_user_name.sh') + return return_value + + +def _6_2_19_deb(): + return_value = list() + from sys import _MEIPASS + from os.path import join + script = join(_MEIPASS, 'scripts/deb/6_2_19.sh') + check('sudo cat ' + script + ' > ./duplicate_group_name.sh') + check('chmod +x ./duplicate_group_name.sh') + success, error = check('./duplicate_group_name.sh') + if not success: + return_value.append('no duplicate group names exist') + return_value.append('PASS') + return_value.append( + 'executing https://github.com/Deepak710/SeBAz/blob/master/linux/scripts/deb/6_2_19.sh returned the following\n' + error) + else: + return_value.append('duplicate group names exist') + return_value.append('FAIL') + return_value.append( + 'The following duplicate group names exist\n' + success) + check('rm ./duplicate_group_name.sh') + return return_value + + +def _6_2_20_deb(): + return_value = list() + success, error = check('grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group') + if not success: + return_value.append('users not assigned to shadow group') + return_value.append('PASS') + return_value.append( + 'grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group returned the following\n' + error) + else: + result_success = '' + result_error = '' + for shadow_gid in success.splitlines(): + result = check("awk -F: '($4 == \"" + shadow_gid + + "\") { print }' /etc/passwd") + result_success += result[0] + result_error += result[1] + if len(result_success): + return_value.append('users not assigned to shadow group') + return_value.append('PASS') + 
return_value.append( + 'Following GIDs don\'t have entries in passwd\n' + success + '\n' + result_error) + else: + return_value.append( + 'users assigned to shadow group in /etc/passwd') + return_value.append('FAIL') + return_value.append('The following users are assigned to the shadow group in /etc/passwd\n' + + success + '\n' + result_success + '\n' + result_error + '\n' + error) + return return_value + + """ Definitions of Functions that perform Fedora checks against benchmarks return_value[0] = result diff --git a/linux/modules/reportGenerator.py b/linux/modules/reportGenerator.py index f35588e..502f11e 100644 --- a/linux/modules/reportGenerator.py +++ b/linux/modules/reportGenerator.py @@ -263,7 +263,7 @@ def makeIndex(pdf, SeBAz_contents): # result pdf.drawCentredString(A4[0]*17/20, line, SeBAz_contents[row][2]) line += 20 - if line > 770: + if line > 770 and ((row + 1) != (len(SeBAz_contents)-24)): line = 100 pdf.restoreState() pdf.showPage() diff --git a/linux/scripts/deb/6_2_10.sh b/linux/scripts/deb/6_2_10.sh new file mode 100755 index 0000000..4aa578f --- /dev/null +++ b/linux/scripts/deb/6_2_10.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + for file in $dir/.[A-Za-z0-9]*; do + if [ ! -h "$file" -a -f "$file" ]; then + fileperm=`ls -ld $file | cut -f1 -d" "` + if [ `echo $fileperm | cut -c6` != "-" ]; then + echo "Group Write permission set on file $file" + fi + if [ `echo $fileperm | cut -c9` != "-" ]; then + echo "Other Write permission set on file $file" + fi + fi + done + fi +done diff --git a/linux/scripts/deb/6_2_11.sh b/linux/scripts/deb/6_2_11.sh new file mode 100755 index 0000000..09e781b --- /dev/null +++ b/linux/scripts/deb/6_2_11.sh 
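Review bot: The new test `(row + 1) != (len(SeBAz_contents)-24)` in makeIndex hard-codes 24 with no explanation, so a reader cannot tell which row is exempted from the page break or why. If 24 is the size of a trailing group of entries, it will go stale as soon as that group changes; a named constant with a one-line comment above the condition (for example `# no page break when the next row starts the <SECTION> block`, with the real section name filled in) would make the intent checkable. makeIndex begins and ends outside the hunk, so what the 24 rows are cannot be confirmed from here.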
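Review bot: The awk filter in linux/scripts/deb/6_2_10.sh excludes accounts whose shell is `/sbin/nologin`, while deb/6_2_7.sh, deb/6_2_8.sh and deb/6_2_9.sh in this same commit test for `/usr/sbin/nologin`. Where service accounts carry `/usr/sbin/nologin`, this filter no longer excludes them and the result lists findings for non-interactive accounts, which buries the ones that matter. deb/6_2_11.sh through deb/6_2_14.sh carry the same filter. Testing both paths, `($7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false")`, would make all eight scripts agree.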
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+ fi
+ fi
+done
diff --git a/linux/scripts/deb/6_2_12.sh b/linux/scripts/deb/6_2_12.sh
new file mode 100755
index 0000000..1c6ee78
--- /dev/null
+++ b/linux/scripts/deb/6_2_12.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+ fi
+ fi
+done
diff --git a/linux/scripts/deb/6_2_13.sh b/linux/scripts/deb/6_2_13.sh
new file mode 100755
index 0000000..101afc2
--- /dev/null
+++ b/linux/scripts/deb/6_2_13.sh
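Review bot: `egrep -v '^(root|halt|sync|shutdown)'` in linux/scripts/deb/6_2_11.sh has no delimiter after the name, so it drops every account whose name merely begins with one of those words (constructed examples: `rootbackup`, `syncuser`), and such an account is never audited. Anchoring on the field separator, `grep -Ev '^(root|halt|sync|shutdown):'`, limits the exclusion to the four intended accounts. The same pipeline opens deb/6_2_7.sh through deb/6_2_10.sh and deb/6_2_12.sh through deb/6_2_14.sh.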
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.netrc; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=`ls -ld $file | cut -f1 -d" "`
+ if [ `echo $fileperm | cut -c5` != "-" ]; then
+ echo "Group Read set on $file"
+ fi
+ if [ `echo $fileperm | cut -c6` != "-" ]; then
+ echo "Group Write set on $file"
+ fi
+ if [ `echo $fileperm | cut -c7` != "-" ]; then
+ echo "Group Execute set on $file"
+ fi
+ if [ `echo $fileperm | cut -c8` != "-" ]; then
+ echo "Other Read set on $file"
+ fi
+ if [ `echo $fileperm | cut -c9` != "-" ]; then
+ echo "Other Write set on $file"
+ fi
+ if [ `echo $fileperm | cut -c10` != "-" ]; then
+ echo "Other Execute set on $file"
+ fi
+ fi
+ done
+ fi
+done
diff --git a/linux/scripts/deb/6_2_14.sh b/linux/scripts/deb/6_2_14.sh
new file mode 100755
index 0000000..5be3eef
--- /dev/null
+++ b/linux/scripts/deb/6_2_14.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.rhosts; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ echo ".rhosts file in $dir"
+ fi
+ done
+ fi
+done
diff --git a/linux/scripts/group_passwd.sh b/linux/scripts/deb/6_2_15.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/group_passwd.sh
rename to linux/scripts/deb/6_2_15.sh
diff --git a/linux/scripts/deb/6_2_16.sh b/linux/scripts/deb/6_2_16.sh
new file mode 100755
index 0000000..ee527e2
--- /dev/null
+++ b/linux/scripts/deb/6_2_16.sh
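Review bot: `for file in $dir/.netrc` and `ls -ld $file` in linux/scripts/deb/6_2_13.sh expand unquoted, so a home-directory field containing spaces or glob characters is word-split and the permission test runs against paths other than the user's .netrc; the mode is then recovered by cutting columns out of `ls` output. deb/6_2_9.sh in this commit already quotes its variables and calls `stat`; the equivalent here is `fileperm=$(stat -c '%A' "$file")` with `"$dir/.netrc"` tested directly rather than looped over. deb/6_2_8.sh and deb/6_2_10.sh use the same unquoted `ls | cut` pattern. `read -r user dir` would also keep backslashes in the passwd fields intact.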
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ users=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs`
+ echo "Duplicate UID ($2): ${users}"
+ fi
+done
diff --git a/linux/scripts/deb/6_2_17.sh b/linux/scripts/deb/6_2_17.sh
new file mode 100755
index 0000000..5babe71
--- /dev/null
+++ b/linux/scripts/deb/6_2_17.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs`
+ echo "Duplicate GID ($2): ${groups}"
+ fi
+done
diff --git a/linux/scripts/deb/6_2_18.sh b/linux/scripts/deb/6_2_18.sh
new file mode 100755
index 0000000..0ae6642
--- /dev/null
+++ b/linux/scripts/deb/6_2_18.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs`
+ echo "Duplicate User Name ($2): ${uids}"
+ fi
+done
diff --git a/linux/scripts/deb/6_2_19.sh b/linux/scripts/deb/6_2_19.sh
new file mode 100755
index 0000000..1bca250
--- /dev/null
+++ b/linux/scripts/deb/6_2_19.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs`
+ echo "Duplicate Group Name ($2): ${gids}"
+ fi
+done
diff --git a/linux/scripts/deb/6_2_6.sh b/linux/scripts/deb/6_2_6.sh
new file mode 100755
index 0000000..ace6f31
--- /dev/null
+++ b/linux/scripts/deb/6_2_6.sh
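Review bot: linux/scripts/deb/6_2_19.sh calls `gawk` for the lookup that deb/6_2_16.sh, deb/6_2_17.sh and deb/6_2_18.sh do with `awk`. On a host without gawk installed the substitution comes back empty, so a real duplicate is reported with no GIDs after the colon and the cause is visible only on stderr. Nothing in the expression needs gawk, so `gids=$(awk -F: '($1 == n) { print $3 }' n="$2" /etc/group | xargs)` keeps the four scripts alike. Separately, deb/6_2_18.sh and this file sort names with `sort -n`; plain `sort` states the intent for non-numeric fields.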
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if [ "`echo $PATH | grep :: `" != "" ]; then
+ echo "Empty Directory in PATH (::)"
+fi
+
+if [ "`echo $PATH | grep :$`" != "" ]; then
+ echo "Trailing : in PATH"
+fi
+
+p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'`
+set -- $p
+while [ "$1" != "" ]; do
+ if [ "$1" = "." ]; then
+ echo "PATH contains ."
+ shift
+ continue
+ fi
+ if [ -d $1 ]; then
+ dirperm=`ls -ldH $1 | cut -f1 -d" "`
+ if [ `echo $dirperm | cut -c6 ` != "-" ]; then
+ echo "Group Write permission set on directory $1"
+ fi
+ if [ `echo $dirperm | cut -c9 ` != "-" ]; then
+ echo "Other Write permission set on directory $1"
+ fi
+ dirown=`ls -ldH $1 | awk '{print $3}'`
+ if [ "$dirown" != "root" ] ; then
+ echo $1 is not owned by root
+ fi
+ else
+ echo $1 is not a directory
+ fi
+ shift
+done
\ No newline at end of file
diff --git a/linux/scripts/deb/6_2_7.sh b/linux/scripts/deb/6_2_7.sh
new file mode 100755
index 0000000..1de98f6
--- /dev/null
+++ b/linux/scripts/deb/6_2_7.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ fi
+done
\ No newline at end of file
diff --git a/linux/scripts/deb/6_2_8.sh b/linux/scripts/deb/6_2_8.sh
new file mode 100755
index 0000000..3b5dea2
--- /dev/null
+++ b/linux/scripts/deb/6_2_8.sh
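Review bot: linux/scripts/deb/6_2_6.sh audits whatever `$PATH` the invoking process inherits, so it reports on root's PATH only when it runs inside root's own environment. The `_6_2_6_deb` wrapper added in this commit starts it as `./root_path_integrity.sh`, and in the visible lines `sudo` is applied only to the `cat` that copies the script. A header comment should state the requirement, for example `# Checks the inherited $PATH; run from root's login environment (e.g. sudo -i)`. In the body, `[ -d $1 ]` and `ls -ldH $1` should quote `"$1"`, and `sed -e 's/::/:/'` rewrites only the first `::` in the string.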
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ dirperm=`ls -ld $dir | cut -f1 -d" "`
+ if [ `echo $dirperm | cut -c6` != "-" ]; then
+ echo "Group Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ `echo $dirperm | cut -c8` != "-" ]; then
+ echo "Other Read permission set on the home directory ($dir) of user $user"
+ fi
+ if [ `echo $dirperm | cut -c9` != "-" ]; then
+ echo "Other Write permission set on the home directory ($dir) of user $user"
+ fi
+ if [ `echo $dirperm | cut -c10` != "-" ]; then
+ echo "Other Execute permission set on the home directory ($dir) of user $user"
+ fi
+ fi
+done
\ No newline at end of file
diff --git a/linux/scripts/deb/6_2_9.sh b/linux/scripts/deb/6_2_9.sh
new file mode 100755
index 0000000..d3acd0c
--- /dev/null
+++ b/linux/scripts/deb/6_2_9.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ owner=$(stat -L -c "%U" "$dir")
+ if [ "$owner" != "$user" ]; then
+ echo "The home directory ($dir) of user $user is owned by $owner."
+ fi
+ fi
+done
diff --git a/linux/scripts/user_dot_file.sh b/linux/scripts/ind/6_2_10.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/user_dot_file.sh
rename to linux/scripts/ind/6_2_10.sh
diff --git a/linux/scripts/user_forward_file.sh b/linux/scripts/ind/6_2_11.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/user_forward_file.sh
rename to linux/scripts/ind/6_2_11.sh
diff --git a/linux/scripts/user_netrc_file.sh b/linux/scripts/ind/6_2_12.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/user_netrc_file.sh
rename to linux/scripts/ind/6_2_12.sh
diff --git a/linux/scripts/user_netrc_writable.sh b/linux/scripts/ind/6_2_13.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/user_netrc_writable.sh
rename to linux/scripts/ind/6_2_13.sh
diff --git a/linux/scripts/user_rhosts_file.sh b/linux/scripts/ind/6_2_14.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/user_rhosts_file.sh
rename to linux/scripts/ind/6_2_14.sh
diff --git a/linux/scripts/ind/6_2_15.sh b/linux/scripts/ind/6_2_15.sh
new file mode 100755
index 0000000..ba379b4
--- /dev/null
+++ b/linux/scripts/ind/6_2_15.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+ grep -q -P "^.*?:[^:]*:$i:" /etc/group
+ if [ $? -ne 0 ]; then
+ echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+ fi
+done
diff --git a/linux/scripts/duplicate_uid.sh b/linux/scripts/ind/6_2_16.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/duplicate_uid.sh
rename to linux/scripts/ind/6_2_16.sh
diff --git a/linux/scripts/duplicate_gid.sh b/linux/scripts/ind/6_2_17.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/duplicate_gid.sh
rename to linux/scripts/ind/6_2_17.sh
diff --git a/linux/scripts/duplicate_user_name.sh b/linux/scripts/ind/6_2_18.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/duplicate_user_name.sh
rename to linux/scripts/ind/6_2_18.sh
diff --git a/linux/scripts/duplicate_group_name.sh b/linux/scripts/ind/6_2_19.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/duplicate_group_name.sh
rename to linux/scripts/ind/6_2_19.sh
diff --git a/linux/scripts/root_path_integrity.sh b/linux/scripts/ind/6_2_6.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/root_path_integrity.sh
rename to linux/scripts/ind/6_2_6.sh
diff --git a/linux/scripts/home_directories.sh b/linux/scripts/ind/6_2_7.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/home_directories.sh
rename to linux/scripts/ind/6_2_7.sh
diff --git a/linux/scripts/home_directory_permissions.sh b/linux/scripts/ind/6_2_8.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/home_directory_permissions.sh
rename to linux/scripts/ind/6_2_8.sh
diff --git a/linux/scripts/own_home_directory.sh b/linux/scripts/ind/6_2_9.sh
old mode 100644
new mode 100755
similarity index 100%
rename from linux/scripts/own_home_directory.sh
rename to linux/scripts/ind/6_2_9.sh