From 1604707e56a57f463d234b077d39b9b8895c224a Mon Sep 17 00:00:00 2001
From: Samson-W <sccxboy@gmail.com>
Date: Thu, 9 May 2019 14:06:04 +0800
Subject: [PATCH] Modify audit and apply methods for 9.3.24

---
 ....3.24_ssh_check_priv_hostkey_permission.sh | 28 +++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/bin/hardening/9.3.24_ssh_check_priv_hostkey_permission.sh b/bin/hardening/9.3.24_ssh_check_priv_hostkey_permission.sh
index daccd3c..ea2639e 100755
--- a/bin/hardening/9.3.24_ssh_check_priv_hostkey_permission.sh
+++ b/bin/hardening/9.3.24_ssh_check_priv_hostkey_permission.sh
@@ -14,25 +14,37 @@ set -u # One variable unset, it's over
 
 HARDENING_LEVEL=2
 
+USER='root'
+GROUP='root'
+PERMISSIONS='0600'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+	if [ $(find /etc/ssh/ -name "*ssh_host*key" ! -uid 0 -o ! -gid 0 | wc -l) -gt 0 ]; then
+		crit "There are file ownership was not set to $USER:$GROUP"
+	else
+		ok "There are file has correct ownership"
+	fi
     if [ $(find /etc/ssh/ -name "*ssh_host*key" -perm /177 | wc -l) -gt 0 ]; then
-        crit "There are file file has a mode more permissive than "0600""
-        FNRET=1
+        crit "There are file file has a mode more permissive than $PERMISSIONS"
     else
-        ok "Not any file has a mode more permissive than "0600""
-        FNRET=0
+        ok "Not any file has a mode more permissive than $PERMISSIONS"
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    if [ $FNRET = 0 ]; then
-        ok "any file has a mode more permissive than "0600""
-    else
+	if [ $(find /etc/ssh/ -name "*ssh_host*key" ! -uid 0 -o ! -gid 0 | wc -l) -gt 0 ]; then
+		warn "There are file ownership was not set to $USER:$GROUP"
+		find /etc/ssh/ -name "*ssh_host*key" ! -uid 0 -o ! -gid 0 -exec chown $USER:$GROUP {} \;
+	else
+		ok "There are file has correct ownership"
+	fi
+    if [ $(find /etc/ssh/ -name "*ssh_host*key" -perm /177 | wc -l) -gt 0 ]; then
         warn "Set ssh private host key permission to 0600"
-        find /etc/ssh/ -name "*ssh_host*key" -perm /177 -exec chmod 0600 {} \;
+        find /etc/ssh/ -name "*ssh_host*key" -perm /177 -exec chmod $PERMISSIONS {} \;
+    else
+        ok "any file has a mode more permissive than "0600""
     fi
 }