fix EXCEPTIONS management (#104)

* FIX(1.1.21, 6.1.10) fix EXCEPTIONS management
* Update changelog
* Refactor test for 6.1.10-14

Author: thibaultserti

bin/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -23,21 +23,14 @@ EXCEPTIONS=''
 audit() {
     info "Checking if setuid is set on world writable Directories"
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    IFS_BAK=$IFS
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        if echo "$EXCEPTIONS" | grep -q "$LINE"; then
-            debug "$LINE is confirmed as an exception"
-            # shellcheck disable=SC2001
-            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
-        else
-            debug "$LINE not found in exceptions"
-        fi
-    done
-    IFS=$IFS_BAK
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable directories are not on sticky bit mode!"
         # shellcheck disable=SC2001
@@ -50,20 +43,13 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
-    IFS_BAK=$IFS
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
-            debug "$ACCOUNT is confirmed as an exception"
-            # shellcheck disable=SC2001
-            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
-        else
-            debug "$ACCOUNT not found in exceptions"
-        fi
-    done
-    IFS=$IFS_BAK
+    if [ -n "$EXCEPTIONS" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -regextype 'egrep' ! -regex $EXCEPTIONS -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         warn "Setting sticky bit on world writable directories"
         df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@@ -72,20 +58,10 @@ apply() {
     fi
 }
 
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=audit
-# Put here your exceptions separated by spaces
-EXCEPTIONS=""
-EOF
-}
-
 # This function will check config parameters required
 check_config() {
-    if [ -z "$EXCEPTIONS" ]; then
-        EXCEPTIONS="@"
-    fi
+    # No param for this function
+    :
 }
 
 # Source Root Dir Parameter

bin/hardening/6.1.10_find_world_writable_file.sh

@@ -17,27 +17,21 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Ensure no world writable files exist"
 
-EXCEPTIONS=''
+EXCLUDED=''
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     info "Checking if there are world writable files"
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
-    # shellcheck disable=SC2086
-    RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
-    IFS_BAK=$IFS
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        if echo "$EXCEPTIONS" | grep -q "$LINE"; then
-            debug "$LINE is confirmed as an exception"
-            # shellcheck disable=SC2001
-            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
-        else
-            debug "$LINE not found in exceptions"
-        fi
-    done
-    IFS=$IFS_BAK
+
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        # shellcheck disable=SC2086
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         crit "Some world writable files are present"
         # shellcheck disable=SC2001
@@ -50,20 +44,13 @@ audit() {
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
-    IFS_BAK=$IFS
-    IFS=$'\n'
-    for LINE in $RESULT; do
-        debug "line : $LINE"
-        if echo "$EXCEPTIONS" | grep -q "$ACCOUNT"; then
-            debug "$ACCOUNT is confirmed as an exception"
-            # shellcheck disable=SC2001
-            RESULT=$(sed "s!$LINE!!" <<<"$RESULT")
-        else
-            debug "$ACCOUNT not found in exceptions"
-        fi
-    done
-    IFS=$IFS_BAK
+    if [ -n "$EXCLUDED" ]; then
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
+    else
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+    fi
+
     if [ -n "$RESULT" ]; then
         warn "chmoding o-w all files in the system"
         df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null | xargs chmod o-w
@@ -72,20 +59,10 @@ apply() {
     fi
 }
 
-# This function will create the config file for this check with default values
-create_config() {
-    cat <<EOF
-status=audit
-# Put here your exceptions separated by spaces
-EXCEPTIONS=""
-EOF
-}
-
 # This function will check config parameters required
 check_config() {
-    if [ -z "$EXCEPTIONS" ]; then
-        EXCEPTIONS="@"
-    fi
+    # No param for this function
+    :
 }
 
 # Source Root Dir Parameter

bin/hardening/6.1.11_find_unowned_files.sh

@@ -26,7 +26,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
@@ -44,7 +44,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
     fi

bin/hardening/6.1.12_find_ungrouped_files.sh

@@ -26,7 +26,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}')
     if [ -n "$EXCLUDED" ]; then
         # shellcheck disable=SC2086
-        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -print 2>/dev/null)
+        RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -print 2>/dev/null)
     else
         # shellcheck disable=SC2086
         RESULT=$($SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
@@ -44,7 +44,8 @@ audit() {
 # This function will be called if the script status is on enabled mode
 apply() {
     if [ -n "$EXCLUDED" ]; then
-        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex "$EXCLUDED" -ls 2>/dev/null)
+        # shellcheck disable=SC2086
+        RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -regextype 'egrep' ! -regex $EXCLUDED -ls 2>/dev/null)
     else
         RESULT=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
     fi

bin/hardening/6.1.13_find_suid_files.sh

@@ -24,7 +24,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
     # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -4000 -print)
     fi

bin/hardening/6.1.14_find_sgid_files.sh

@@ -24,7 +24,7 @@ audit() {
     FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
     # shellcheck disable=2086
     if [ -n "$IGNORED_PATH" ]; then
-        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
+        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print)
     else
         FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
     fi

debian/changelog

@@ -1,3 +1,10 @@
+cis-hardening (3.1-6) unstable; urgency=medium
+
+  * Improve EXCEPTIONS management (1.1.21,6.1.10)
+  * Fix bug linked with regex quoting (6.1.10-11-12-13-14)
+
+ -- Thibault Ayanides <[email protected]>  Wed, 02 Jun 2021 09:45:40 +0200
+
 cis-hardening (3.1-5) unstable; urgency=medium
 
   * Fix unbound EXCEPTIONS variable in some cases

tests/hardening/1.1.21_sticky_bit_world_writable_folder.sh

@@ -1,29 +1,35 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCEPTIONS="$EXCEPTIONS /home/secaudit/exception"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/exception
+    chmod 777 /home/secaudit/exception
+
     describe Running on blank host
     register_test retvalshouldbe 0
     register_test contain "All world writable directories have a sticky bit"
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    if [ -f "/.dockerenv" ]; then
-        skip "SKIPPED on docker"
-    else
-        describe Tests purposely failing
-        local targetdir="/home/secaudit/world_writable_folder"
-        mkdir $targetdir || true
-        chmod 777 "$targetdir"
-        register_test retvalshouldbe 1
-        register_test contain "Some world writable directories are not on sticky bit mode"
-        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe correcting situation
-        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
-        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+    describe Tests purposely failing
+    local targetdir="/home/secaudit/world_writable_folder"
+    mkdir $targetdir || true
+    chmod 777 "$targetdir"
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable directories are not on sticky bit mode"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "All world writable directories have a sticky bit"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe Checking resolved state
-        register_test retvalshouldbe 0
-        register_test contain "All world writable directories have a sticky bit"
-        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    fi
 }

tests/hardening/6.1.10_find_world_writable_file.sh

@@ -1,32 +1,33 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/dev/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
 
-    #run this test only if we're not in docker
-    if [ -f "/.dockerenv" ]; then
-        skip "SKIPPED on docker"
-    else
-        describe Running on blank host
-        register_test retvalshouldbe 0
-        register_test contain "No world writable files found"
-        # shellcheck disable=2154
-        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    register_test contain "No world writable files found"
+    # shellcheck disable=2154
+    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe Tests purposely failing
-        local targetfile="/home/secaudit/worldwritable"
-        touch "$targetfile"
-        chmod 777 "$targetfile"
-        register_test retvalshouldbe 1
-        register_test contain "Some world writable files are present"
-        run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    describe Tests purposely failing
+    local targetfile="/home/secaudit/worldwritable"
+    touch "$targetfile"
+    chmod 777 "$targetfile"
+    register_test retvalshouldbe 1
+    register_test contain "Some world writable files are present"
+    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe correcting situation
-        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
-        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+    describe correcting situation
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "No world writable files found"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-        describe Checking resolved state
-        register_test retvalshouldbe 0
-        register_test contain "No world writable files found"
-        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-    fi
 }

tests/hardening/6.1.11_find_unowned_files.sh

@@ -1,6 +1,15 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
+    describe Running void to generate the conf file that will later be edited
+    # shellcheck disable=2154
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+    # shellcheck disable=2016
+    echo 'EXCLUDED="$EXCLUDED ^/home/secaudit/6.1.11/.*"' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    mkdir /home/secaudit/6.1.11/
+    touch /home/secaudit/6.1.11/test
+    chown 1200 /home/secaudit/6.1.11/test
+
     describe Running on blank host
     register_test retvalshouldbe 0
     register_test contain "No unowned files found"