Add scripts to audit

Bench-common is now supports scripts in audit aquasecurity/bench-common#108
aquasecurity · Nov 22, 2020 · 174b607 · 174b607
1 parent cc3954e
commit 174b607
Showing 1 changed file with 222 additions and 16 deletions.
diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml
@@ -2806,7 +2806,7 @@ groups:
  value: "(none)" 
  set: true 
  - flag: "Installed" 
- set: false  
+ set: false 
  remediation: |
  Remove the X Windows System packages using the appropriate package manager or manual installation:
  
@@ -8136,7 +8136,15 @@ groups:
  scored: true
  - id: 5.4.1.5
  description: "Ensure all users last password change date is in the past"
- audit: "for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"; done"
+ audit: |
+ #!/bin/bash 
+ for usr in $(cut -d: -f1 /etc/shadow | sort -u ); do
+ p=$(chage --list $usr | grep '^Last password change' | cut -d: -f2)
+ today=$(date +'%b %d %Y')
+ if [ $(date --date="$p" +%s) -gt $(date --date="$today" +%s) ]; then
+ echo "$usr : $p"
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8772,7 +8780,40 @@ groups:
 
  - id: 6.2.6
  description: "Ensure root PATH Integrity"
- audit: "./cfg/2.0.0/6.2.6.sh"
+ audit: |
+ #!/bin/bash
+ if [ "$(echo "$PATH" | grep ::)" != "" ]; then
+ echo "Empty Directory in PATH (::)"
+ fi
+
+ if [ "$(echo "$PATH" | grep :$)" != "" ]; then
+ echo "Trailing : in PATH"
+ fi
+
+ p=$(echo "$PATH" | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
+ set -- $p
+ while [ "$1" != "" ]; do
+ if [ "$1" = "." ]; then
+ shift
+ continue
+ fi
+ if [ -d "$1" ]; then
+ dirperm=$(ls -ldH "$1" | cut -f1 -d" ")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ]; then
+ echo "Group Write permission set on directory $1"
+ fi
+ if [ "$(echo "$dirperm" | cut -c9)" != "-" ]; then
+ echo "Other Write permission set on directory $1"
+ fi
+ dirown=$(ls -ldH "$1" | awk '{print $3}')
+ if [ "$dirown" != "root" ] ; then
+ echo "$1 is not owned by root"
+ fi
+ else
+ echo "$1 is not a directory"
+ fi
+ shift
+ done
  tests:
  test_items:
  - flag: ""
@@ -8787,7 +8828,14 @@ groups:
 
  - id: 6.2.7
  description: "Ensure all users' home directories exist"
- audit: "./cfg/2.0.0/6.2.7.sh" 
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' |
+ while read -r user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8801,7 +8849,28 @@ groups:
 
  - id: 6.2.8
  description: "Ensure users' home directories permissions are 750 or more restrictive"
- audit: "./cfg/2.0.0/6.2.8.sh"
+ audit: |
+ #!/bin/bash 
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | 
+ while read user dir; do 
+ if [ ! -d "$dir" ]; then 
+ echo "The home directory ($dir) of user $user does not exist." 
+ else 
+ dirperm=$(ls -ld $dir | cut -f1 -d" ") 
+ if [ $(echo $dirperm | cut -c6) != "-" ]; then 
+ echo "Group Write permission set on the home directory ($dir) of user $user" 
+ fi 
+ if [ $(echo $dirperm | cut -c8) != "-" ]; then 
+ echo "Other Read permission set on the home directory ($dir) of user $user" 
+ fi 
+ if [ $(echo $dirperm | cut -c9) != "-" ]; then 
+ echo "Other Write permission set on the home directory ($dir) of user $user" 
+ fi 
+ if [ $(echo $dirperm | cut -c10) != "-" ]; then 
+ echo "Other Execute permission set on the home directory ($dir) of user $user" 
+ fi 
+ fi 
+ done
  tests:
  test_items:
  - flag: ""
@@ -8815,7 +8884,18 @@ groups:
 
  - id: 6.2.9
  description: "Ensure users own their home directories"
- audit: "./cfg/2.0.0/6.2.9.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ owner=$(stat -L -c "%U" "$dir")
+ if [ "$owner" != "$user" ]; then
+ echo "The home directory ($dir) of user $user is owned by $owner."
+ fi
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8830,7 +8910,25 @@ groups:
 
  - id: 6.2.10
  description: "Ensure users' dot files are not group or world writable"
- audit: "./cfg/2.0.0/6.2.10.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.[A-Za-z0-9]*; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write permission set on file $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write permission set on file $file"
+ fi
+ fi
+ done
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8844,7 +8942,17 @@ groups:
 
  - id: 6.2.11
  description: "Ensure no users have .forward files"
- audit: "./cfg/2.0.0/6.2.11.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+ fi
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8859,7 +8967,17 @@ groups:
 
  - id: 6.2.12
  description: "Ensure no users have .netrc files"
- audit: "./cfg/2.0.0/6.2.12.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+ fi
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8873,7 +8991,37 @@ groups:
 
  - id: 6.2.13
  description: "Ensure users' .netrc Files are not group or world accessible"
- audit: "./cfg/2.0.0/6.2.13.sh" 
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.netrc; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=$(ls -ld $file | cut -f1 -d" ")
+ if [ $(echo $fileperm | cut -c5) != "-" ]; then
+ echo "Group Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c6) != "-" ]; then
+ echo "Group Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c7) != "-" ]; then
+ echo "Group Execute set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c8) != "-" ]; then
+ echo "Other Read set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c9) != "-" ]; then
+ echo "Other Write set on $file"
+ fi
+ if [ $(echo $fileperm | cut -c10) != "-" ]; then
+ echo "Other Execute set on $file"
+ fi
+ fi
+ done
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8887,7 +9035,20 @@ groups:
 
  - id: 6.2.14
  description: "Ensure no users have .rhosts files"
- audit: "./cfg/2.0.0/6.2.14.sh"
+ audit: |
+ #!/bin/bash
+ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+ if [ ! -d "$dir" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ else
+ for file in $dir/.rhosts; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ echo ".rhosts file in $dir"
+ fi
+ done
+ fi
+ done
+
  tests:
  test_items:
  - flag: ""
@@ -8901,7 +9062,15 @@ groups:
 
  - id: 6.2.15
  description: "Ensure all groups in /etc/passwd exist in /etc/group"
- audit: "./cfg/2.0.0/6.2.15.sh"
+ audit: |
+ #!/bin/bash
+ for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+ grep -q -P "^.*?:[^:]*:$i:" /etc/group
+ if [ $? -ne 0 ]; then
+ echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+ fi
+ done
+
  tests:
  test_items:
  - flag: ""
@@ -8915,7 +9084,16 @@ groups:
 
  - id: 6.2.16
  description: "Ensure no duplicate UIDs exist" 
- audit: "./cfg/2.0.0/6.2.16.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate UID ($2): $users"
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8929,7 +9107,17 @@ groups:
 
  - id: 6.2.17
  description: "Ensure no duplicate GIDs exist" 
- audit: "./cfg/2.0.0/6.2.17.sh"
+ audit: |
+ #!/bin/bash
+ cut -f3 -d":" /etc/group | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ groups=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs)
+ echo "Duplicate GID ($2): $groups"
+ fi
+ done
+
  tests:
  test_items:
  - flag: ""
@@ -8943,7 +9131,16 @@ groups:
 
  - id: 6.2.18
  description: "Ensure no duplicate user names exist" 
- audit: "./cfg/2.0.0/6.2.18.sh"
+ audit: |
+ #!/bin/bash
+ cut -f1 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ uids=$(awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs)
+ echo "Duplicate User Name ($2): $uids"
+ fi
+ done
  tests:
  test_items:
  - flag: ""
@@ -8958,7 +9155,16 @@ groups:
 
  - id: 6.2.19
  description: "Ensure no duplicate group names exist" 
- audit: "./cfg/2.0.0/6.2.19.sh"
+ audit: |
+ #!/bin/bash
+ cut -f1 -d":" /etc/group | sort -n | uniq -c | while read x ; do
+ [ -z "$x" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ gids=$(gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs)
+ echo "Duplicate Group Name ($2): $gids"
+ fi
+ done
  tests:
  test_items:
  - flag: ""