Merge pull request #35 from aptx4869/fix_log_permission

fix(log directory permissions): Apply chmod only to log files
Samson.W 2021-11-15 03:14:31 +08:00 committed by GitHub
commit 666f071399
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -17,13 +17,12 @@ HARDENING_LEVEL=3
LOGDIR='/var/log' LOGDIR='/var/log'
ERRPERFILELIST='/dev/shm/8.5-filelist' ERRPERFILELIST='/dev/shm/8.5-filelist'
PERMISS_MODE='/7137' PERMISS_MODE='/7137'
PERMISS_SET='0640'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
find $LOGDIR -type f -perm $PERMISS_MODE -ls > $ERRPERFILELIST find $LOGDIR -type f -perm $PERMISS_MODE -ls > $ERRPERFILELIST
countnum=$(cat $ERRPERFILELIST | wc -l) countnum=$(wc -l < $ERRPERFILELIST)
if [ $countnum -gt 0 ]; then if [ "$countnum" -gt 0 ]; then
crit "Permissions of all log files are not correctly configured!" crit "Permissions of all log files are not correctly configured!"
cat $ERRPERFILELIST cat $ERRPERFILELIST
FNRET=1 FNRET=1
@ -36,11 +35,11 @@ audit () {
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply () { apply () {
if [ FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "Permissions of all log files have correctly configured!" ok "Permissions of all log files have correctly configured!"
else else
warn "Permissions of all log files are not correctly configured! Set it" warn "Permissions of all log files are not correctly configured! Set it"
chmod -R $PERMISS_SET $LOGDIR/* find $LOGDIR -type f -perm $PERMISS_MODE -exec chmod a-x,go-w,o-r {} \;
if [ -r $ERRPERFILELIST ]; then if [ -r $ERRPERFILELIST ]; then
rm $ERRPERFILELIST rm $ERRPERFILELIST
fi fi
@ -63,8 +62,8 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi fi
# Main function, will call the proper functions given the configuration (audit, enabled, disabled) # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then if [ -r "$CIS_ROOT_DIR/lib/main.sh" ]; then
. $CIS_ROOT_DIR/lib/main.sh . "$CIS_ROOT_DIR/lib/main.sh"
else else
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
exit 128 exit 128
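Review bot: The chmod spec on the rewritten line of the second hunk, `find $LOGDIR -type f -perm $PERMISS_MODE -exec chmod a-x,go-w,o-r {} \;`, clears fewer bits than the `-perm /7137` mask that selects the files: the leading 7 in that mask also matches setuid, setgid and sticky, so a log file carrying one of those bits is flagged by audit() but left untouched by apply(), and the script keeps reporting it on every run. Covering the special bits as well, `find $LOGDIR -type f -perm $PERMISS_MODE -exec chmod a-xst,go-w,o-r {} \;` (GNU chmod symbolic syntax), makes the fix match the check, and `{} +` in place of `\;` would avoid spawning one chmod per file. The corrected test `if [ $FNRET = 0 ]` still leaves `$FNRET` unquoted, so an empty value turns it into `[ = 0 ]` and a shell error rather than the warn branch; `if [ "$FNRET" = 0 ]` is safer. The rest of apply() — the closing fi and brace — lies outside the hunk, and the trailing fi of the final hunk's if-block is past the end of the shown section.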