Fix some bugs for CentOS8.

2019-12-28 16:38:34 +08:00 · 2019-12-28 16:38:34 +08:00 · 60daf8a4f6
parent fa9d907985
commit 60daf8a4f6
3 changed files with 42 additions and 26 deletions
--- a/bin/hardening/13.13_check_user_homedir_ownership.sh
+++ b/bin/hardening/13.13_check_user_homedir_ownership.sh
@ -23,7 +23,7 @@ audit () {
        USER=$(awk -F: {'print $1'} <<< $LINE)
        USERID=$(awk -F: {'print $2'} <<< $LINE)
        DIR=$(awk -F: {'print $3'} <<< $LINE)    
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" -a "$DIR" != '/' ]; then
            OWNER=$(stat -L -c "%U" "$DIR")
            if [ "$OWNER" != "$USER" ]; then
                crit "The home directory ($DIR) of user $USER is owned by $OWNER."
@ -40,7 +40,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
    cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
-        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
+        if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" -a "$DIR" != '/' ]; then
            OWNER=$(stat -L -c "%U" "$DIR")
            if [ "$OWNER" != "$USER" ]; then
                warn "The home directory ($DIR) of user $USER is owned by $OWNER."
--- a/bin/hardening/13.20_shadow_group_empty.sh
+++ b/bin/hardening/13.20_shadow_group_empty.sh
@ -19,33 +19,49 @@ PATTERN='^shadow:x:[[:digit:]]+:'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    does_pattern_exist_in_file $FILEGROUP $PATTERN
-    if [ $FNRET = 0 ]; then
-        info "shadow group exists"
-        RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
-        GROUPID=$(getent group shadow | cut -d: -f3)
-        debug "$RESULT $GROUPID"
-        if [ ! -z "$RESULT" ]; then
-            crit "Some users belong to shadow group: $RESULT"
-        else
-            ok "No user belongs to shadow group"
-        fi
+	if [ $OS_RELEASE -eq 1 ]; then
+    	does_pattern_exist_in_file $FILEGROUP $PATTERN
+    	if [ $FNRET = 0 ]; then
+        	info "shadow group exists"
+        	RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
+        	GROUPID=$(getent group shadow | cut -d: -f3)
+        	debug "$RESULT $GROUPID"
+        	if [ ! -z "$RESULT" ]; then
+            	crit "Some users belong to shadow group: $RESULT"
+				FNRET=1
+        	else
+            	ok "No user belongs to shadow group"
+				FNRET=0
+        	fi

-        info "Checking if a user has $GROUPID as primary group"
-        RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
-        if [ ! -z "$RESULT" ]; then
-            crit "Some users have shadow id as their primary group: $RESULT"
-        else
-            ok "No user has shadow id as their primary group"
-        fi
-    else
-        crit "shadow group doesn't exist"
-    fi
+        	info "Checking if a user has $GROUPID as primary group"
+        	RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
+        	if [ ! -z "$RESULT" ]; then
+            	crit "Some users have shadow id as their primary group: $RESULT"
+				FNRET=2
+        	else
+            	ok "No user has shadow id as their primary group"
+				FNRET=0
+        	fi
+    	else
+        	crit "shadow group doesn't exist"
+			FNRET=3
+    	fi
+	elif [ $OS_RELEASE -eq 2 ]; then
+		ok "shadow group doesn't exist in CentOS8"
+		FNRET=0
+	else
+		:
+	fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-    info "Editing automatically users/groups may seriously harm your system, report only here"
+	if [ $FNRET = 0 ]; then
+		ok "Pass."
+	else 
+    	warn "Editing automatically users/groups may seriously harm your system, report only here"
+	fi
 }

 # This function will check config parameters required
--- a/bin/hardening/13.7_check_user_dir_perm.sh
+++ b/bin/hardening/13.7_check_user_dir_perm.sh
@ -17,7 +17,7 @@ ERRORS=0

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"
@ -56,7 +56,7 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
-    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+    for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
        debug "Working on $dir"
        debug "Exceptions : $EXCEPTIONS"
        debug "echo \"$EXCEPTIONS\" | grep -q $dir"