From fa9d9079856c60b69e18a2c63fa8522458c43851 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Sat, 28 Dec 2019 04:28:09 +0800
Subject: [PATCH] Fix some bugs for CentOS8.
---
 bin/hardening/10.2_disable_system_accounts.sh | 2 +-
 .../11.2_remove_os_info_warning_banners.sh | 2 +-
 bin/hardening/12.10_find_suid_files.sh | 8 +++++++-
 bin/hardening/12.11_find_sgid_files.sh | 8 +++++++-
 .../12.13_etc_gshadow_backup_permissions.sh | 14 ++++++++++++++
 bin/hardening/12.2_etc_shadow_permissions.sh | 14 ++++++++++++++
 bin/hardening/12.4_etc_gshadow_permissions.sh | 14 ++++++++++++++
 .../12.6_etc_shadow_backup_permissions.sh | 14 ++++++++++++++
 bin/hardening/13.6_sanitize_root_path.sh | 6 +++++-
 9 files changed, 77 insertions(+), 5 deletions(-)
diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh
index e396d22..258b7c6 100755
--- a/bin/hardening/10.2_disable_system_accounts.sh
+++ b/bin/hardening/10.2_disable_system_accounts.sh
@@ -20,7 +20,7 @@ RESULT=''
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if admin accounts have a login shell different than $SHELL"
- RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}')
+ RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false" && $7!="/sbin/nologin") {print}')
 IFS=$'\n'
 for LINE in $RESULT; do
 debug "line : $LINE"
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh
index 153eee1..71126aa 100755
--- a/bin/hardening/11.2_remove_os_info_warning_banners.sh
+++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh
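Review bot: The awk filter in the new `RESULT=` line still relies on a hard-coded list of non-login shells, so an account whose shell is recorded as `/usr/bin/false` (the canonical path on merged-/usr systems such as CentOS 7/8, where `/bin` is a symlink) is still reported as a login-capable system account, and every future nologin path will need yet another literal. Matching on the basename covers all of them with one test: replace the three `$7!=` comparisons with `$7 !~ /\/(nologin|false)$/`. While touching the line, `$FILE` in the `egrep` call is unquoted; `"$FILE"` is safer and free. audit() continues past the end of this hunk, so the loop body that consumes `$RESULT` was not reviewed.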
@@ -14,7 +14,7 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3
 FILES='/etc/motd /etc/issue /etc/issue.net'
-PATTERN='(\\v|\\r|\\m|\\s|Debian)'
+PATTERN='(\\v|\\r|\\m|\\s|Debian|CentOS)'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh
index 9acc183..a86acda 100755
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@@ -28,14 +28,20 @@ audit () {
 crit "Some suid files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
+ FNRET=1
 else
 ok "No unknown suid files found"
+ FNRET=0
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
- warn "Removing suid on valid binary may seriously harm your system, report only here, need a manual fix."
+ if [ $FNRET = 1 ]; then
+ warn "Removing suid on valid binary may seriously harm your system, report only here, need a manual fix."
+ else
+ ok "No unknown suid files found"
+ fi
 }
 # This function will create the config file for this check with default values
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh
index 132e3db..f4736e5 100755
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
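Review bot: The new `PATTERN` still misses the escape CentOS 8 ships by default in `/etc/issue`, `\S`, which agetty expands to the PRETTY_NAME from os-release; it is not the lowercase `\s` (kernel name) already listed, so a banner reduced to just `\S` passes this check unless the grep in audit() runs case-insensitively, which is outside this hunk. Adding it is a one-token change: `PATTERN='(\\v|\\r|\\m|\\s|\\S|Debian|CentOS)'`. A literal `CentOS` also only covers one name in the Red Hat family that the `OS_RELEASE -eq 2` switches later in this patch treat as one platform; deriving the name from `/etc/os-release` would avoid a new literal per derivative.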
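Review bot: apply() now branches on `$FNRET`, but within this hunk that variable is only assigned inside audit(); if the framework invokes apply() without having run audit() first (not visible here), `[ $FNRET = 1 ]` expands to `[ = 1 ]`, a test syntax error, or aborts outright under the same `set -u` the 11.2 hunk above shows these scripts use. Making apply() re-run the check keeps it self-contained and also quotes the test: `apply () { audit` as its first statement, then `if [ "$FNRET" = 1 ]; then`. Note that FNRET is the shared status variable the `has_file_correct_*` helpers elsewhere in this patch also write, so any helper call made between audit() and apply() would silently overwrite it.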
@@ -29,14 +29,20 @@ audit () {
 crit "Some sgid files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
 crit "$FORMATTED_RESULT"
+ FNRET=1
 else
 ok "No unknown sgid files found"
+ FNRET=0
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply () {
- info "Removing sgid on valid binary may seriously harm your system, report only here"
+ if [ $FNRET = 1 ]; then
+ warn "Removing sgid on valid binary may seriously harm your system, report only here"
+ else
+ ok "No unknown sgid files found"
+ fi
 }
 # This function will create the config file for this check with default values
diff --git a/bin/hardening/12.13_etc_gshadow_backup_permissions.sh b/bin/hardening/12.13_etc_gshadow_backup_permissions.sh
index ce598cf..7f49e85 100755
--- a/bin/hardening/12.13_etc_gshadow_backup_permissions.sh
+++ b/bin/hardening/12.13_etc_gshadow_backup_permissions.sh
@@ -16,11 +16,19 @@ HARDENING_LEVEL=1
 FILE='/etc/gshadow-'
 PERMISSIONS='600'
+PERMISSIONS_REDHAT='0000'
 USER='root'
 GROUP='shadow'
+GROUP_REDHAT='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
@@ -37,6 +45,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
diff --git a/bin/hardening/12.2_etc_shadow_permissions.sh b/bin/hardening/12.2_etc_shadow_permissions.sh
index 90234dd..7e6b2ff 100755
--- a/bin/hardening/12.2_etc_shadow_permissions.sh
+++ b/bin/hardening/12.2_etc_shadow_permissions.sh
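Review bot: Same ordering dependency as in 12.10: apply() reads `$FNRET`, which in this hunk only audit() assigns, so a standalone apply() call ends up with an empty `[ = 1 ]` test or an unbound-variable abort under `set -u`. Have apply() run `audit` as its first statement and quote the comparison, `if [ "$FNRET" = 1 ]; then`. The severity bump from `info` to `warn` for the unresolved case is appropriate for a check that cannot be auto-fixed.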
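Review bot: The Red Hat branch added to audit() and again to apply() is the same five lines keyed on the bare number `2`, with no comment saying which platform that is or why `root:root` mode `0000` is wanted there, and it carries a dead `else :` arm; a reader of this file cannot tell what `OS_RELEASE -eq 2` means without reading the framework. Factor it into one helper called from both functions, document the constant, quote the expansion and drop the no-op branch, as sketched below. The same block is pasted into 12.2, 12.4 and 12.6 in this patch, so a helper in the shared lib would keep the four copies from drifting. The remainder of audit() and apply() lies outside these hunks.
```shell
# OS_RELEASE comes from the framework; 2 is the Red Hat family, which has no
# 'shadow' group and whose CIS benchmark expects this file to be root:root 0000.
select_platform_defaults () {
    if [ "$OS_RELEASE" -eq 2 ]; then
        PERMISSIONS=$PERMISSIONS_REDHAT
        GROUP=$GROUP_REDHAT
    fi
}

audit () {
    select_platform_defaults
    # … unchanged: ownership and permission checks …
}

apply () {
    select_platform_defaults
    # … unchanged: ownership and permission fixes …
}
```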
@@ -16,11 +16,19 @@ HARDENING_LEVEL=1
 FILE='/etc/shadow'
 PERMISSIONS='640'
+PERMISSIONS_REDHAT='0000'
 USER='root'
 GROUP='shadow'
+GROUP_REDHAT='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
@@ -37,6 +45,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
diff --git a/bin/hardening/12.4_etc_gshadow_permissions.sh b/bin/hardening/12.4_etc_gshadow_permissions.sh
index 3612685..7832dd2 100755
--- a/bin/hardening/12.4_etc_gshadow_permissions.sh
+++ b/bin/hardening/12.4_etc_gshadow_permissions.sh
@@ -16,11 +16,19 @@ HARDENING_LEVEL=1
 FILE='/etc/gshadow'
 PERMISSIONS='640'
+PERMISSIONS_REDHAT='0000'
 USER='root'
 GROUP='shadow'
+GROUP_REDHAT='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
@@ -37,6 +45,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
diff --git a/bin/hardening/12.6_etc_shadow_backup_permissions.sh b/bin/hardening/12.6_etc_shadow_backup_permissions.sh
index 6db3c56..307a24f 100755
--- a/bin/hardening/12.6_etc_shadow_backup_permissions.sh
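Review bot: `PERMISSIONS_REDHAT='0000'` is written in four-digit form while the existing value in this file, `'640'`, is three digits, and the helper that compares them, `has_file_correct_permissions`, is outside this hunk. If that helper compares the string against `stat -c %a` output, as the Debian helpers do, mode 0000 prints as `0`, so `0000` never matches: audit() would report wrong permissions on every run and apply() would chmod on every run without ever turning green. Either store `PERMISSIONS_REDHAT='0'` or normalise both sides before comparing; it is worth confirming with `stat -c %a /etc/shadow` on a CentOS 8 host after `chmod 0000`. The same literal is used in 12.4, 12.6 and 12.13, so whichever form is right should be applied to all four.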
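Review bot: In both new blocks `[ $OS_RELEASE -eq 2 ]` expands the variable unquoted and the `else :` arm does nothing; `if [ "$OS_RELEASE" -eq 2 ]; then … fi` with the else dropped reads the same and gives a clear error rather than a confusing `[ -eq 2 ]` should the value ever be empty. This is the fourth verbatim copy of the block in the patch (12.13, 12.2, here, 12.6), each pasted into both audit() and apply(); a single helper in the shared lib, called once per function, would keep them in step. The ownership and permission checks that follow are outside these hunks.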
+++ b/bin/hardening/12.6_etc_shadow_backup_permissions.sh
@@ -16,11 +16,19 @@ HARDENING_LEVEL=1
 FILE='/etc/shadow-'
 PERMISSIONS='600'
+PERMISSIONS_REDHAT='0000'
 USER='root'
 GROUP='shadow'
+GROUP_REDHAT='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
@@ -37,6 +45,12 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ if [ $OS_RELEASE -eq 2 ]; then
+ PERMISSIONS=$PERMISSIONS_REDHAT
+ GROUP=$GROUP_REDHAT
+ else
+ :
+ fi
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
 ok "$FILE has correct ownership"
diff --git a/bin/hardening/13.6_sanitize_root_path.sh b/bin/hardening/13.6_sanitize_root_path.sh
index 1edeb64..1a3dd5f 100755
--- a/bin/hardening/13.6_sanitize_root_path.sh
+++ b/bin/hardening/13.6_sanitize_root_path.sh
@@ -62,7 +62,11 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- warn "Editing items from PATH may seriously harm your system, report only here, need a manual fix."
+ if [ $ERRORS = 0 ]; then
+ ok "root PATH is secure"
+ else
+ warn "Editing items from PATH may seriously harm your system, report only here, need a manual fix."
+ fi
 }
 # This function will check config parameters required
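Review bot: apply() now reads `$ERRORS`, which by the hunk's context (`audit () {`) is computed in audit() outside this hunk; nothing in apply() sets or resets it, so a direct apply() call sees whatever the variable held beforehand, an empty `[ = 0 ]` test or an unbound-variable abort under `set -u`. Re-running the check at the top of apply and quoting the variable removes the dependency on call order: `apply () { audit; if [ "$ERRORS" = 0 ]; then`. The "root PATH is secure" line is presumably what audit() already prints in the clean case, so consider letting audit() own that message rather than duplicating it here.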