From 838cdc49105835987bc17c239597d2974b26aaf3 Mon Sep 17 00:00:00 2001
From: Delerrr <95750785+Delerrr@users.noreply.github.com>
Date: Wed, 19 Apr 2023 23:45:43 +0800
Subject: [PATCH] Added benchmark,remediation-kits,scanners for rule 4.70-ensure-users-home-directories-permissions-are-750-or-more.md
---
 ...directories-permissions-are-750-or-more.md | 55 +++++++++++++++++++
 docs/summary-of-rules.md | 1 +
 ...directories-permissions-are-750-or-more.sh | 14 +++++
 ...directories-permissions-are-750-or-more.sh | 22 ++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 benchmarks/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.md
 create mode 100644 remediation-kits/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh
 create mode 100644 scanners/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh
diff --git a/benchmarks/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.md b/benchmarks/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.md
new file mode 100644
index 0000000..1a4c5ef
--- /dev/null
+++ b/benchmarks/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.md
@@ -0,0 +1,55 @@
+# 4.70 确保用户的主目录权限为750或更严格
+
+## 安全等级
+
+- Level 1
+
+## 描述:
+
+虽然系统管理员可以为用户主目录建立安全权限,但是用户很容易覆盖这些权限。如果同一用户组的其他成员或者其他组用户对于用户主目录拥有可写的权限,可能会使恶意用户窃取或者修改其他用户的数据,或者获得其系统权限。
+
+## 修复建议
+
+以下脚本检查所有用户的主目录权限是否超过750,并把超过750权限的用户主目录的权限改为750:
+
+```bash
+#!/bin/bash
+
+awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ &&
+$7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/)
+{print $6}' /etc/passwd | while read -r dir; do
+ if [ -d "$dir" ]; then
+ dirperm=$(stat -L -c "%A" "$dir")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ] || [ "$(echo "$dirperm" |
+ cut -c8)" != "-" ] || [ "$(echo "$dirperm" | cut -c9)" != "-" ] ||
+ [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
+ chmod g-w,o-rwx "$dir"
+ fi
+ fi
+done
+```
+
+## 扫描检测
+
+运行以下脚本,并确保返回结果为空:
+
+```bash
+#!/bin/bash
+
+awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ &&
+$7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/)
+{print $1 " " $6}' /etc/passwd | while read -r user dir; do
+ if [ -d "$dir" ]; then
+ dirperm=$(stat -L -c "%A" "$dir")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ] || [ "$(echo "$dirperm" |
+ cut -c8)" != "-" ] || [ "$(echo "$dirperm" | cut -c9)" != "-" ] ||
+ [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
+ echo "User: \"$user\" home directory: \"$dir\" has permissions: \"$(stat -L -c "%a" "$dir")\""
+ fi
+ fi
+done
+```
+
+## 参考:
+
+- cis:
\ No newline at end of file
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index b41fd91..b2c907c 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -168,6 +168,7 @@
 | 4.67 | 4.67-ensure-system-histfilesize-100.md | 4.67 限制历史命令存储文件的保存数量 | benchmarks/system-configurations | 1 |
 | 4.68 | 4.68-ensure-permissions-TMP-is-correct.md | 4.68 为公共目录/tmp添加粘贴位 | benchmarks/system-configurations | 1 |
 | 4.69 | 4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.md | 4.69 严格要求SSH公私钥文件权限配置正确 | benchmarks/system-configurations | 3 |
+| 4.70 | 4.70-ensure-users-home-directories-permissions-are-750-or-more.md | 4.70 确保用户的主目录权限为750或更严格 | benchmarks/system-configurations | 1 |
 | 5.1 | 5.1-ensure-selinux-is-installed.md | 5.1 确保SElinux工具已安装 | benchmarks/mandatory-access-control | 1 |
 | 5.2 | 5.2-ensure-selinux-policy-is-configured.md | 5.2 确保SELinux调用mls策略 | benchmarks/mandatory-access-control | 3 |
 | 5.3 | 5.3-ensure-the-selinux-mode-is-enabled.md | 5.3 确保SELinux不是禁用模式 | benchmarks/mandatory-access-control | 3 |
diff --git a/remediation-kits/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh b/remediation-kits/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh
new file mode 100644
index 0000000..d7052c9
--- /dev/null
+++ b/remediation-kits/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ &&
+$7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/)
+{print $6}' /etc/passwd | while read -r dir; do
+ if [ -d "$dir" ]; then
+ dirperm=$(stat -L -c "%A" "$dir")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ] || [ "$(echo "$dirperm" |
+ cut -c8)" != "-" ] || [ "$(echo "$dirperm" | cut -c9)" != "-" ] ||
+ [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
+ chmod g-w,o-rwx "$dir"
+ fi
+ fi
+done
\ No newline at end of file
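Review bot: `chmod g-w,o-rwx "$dir"` on line 11 of the remediation hunk is applied to whatever field 6 of /etc/passwd holds for every account that survives the name/shell filter, with no guard for shared or system directories; an interactive account whose home is `/` (or another shared system path) would have group-write and all world access stripped from that directory, which can lock other users and services out rather than harden anything. I would at least skip the root directory explicitly before the stat, `[[ "$dir" == / ]] && continue`, and consider restricting remediation to the home prefixes this site actually uses. The four `echo "$dirperm" | cut -cN` tests are also hard to read and spawn eight processes per directory; reading the numeric mode and masking the bits this rule targets (group-write, other-rwx) is equivalent for those bits and self-documenting: `perm=$(stat -L -c '%a' "$dir")` followed by `if (( 8#$perm & 8#027 )); then`. The scanner added in scanners/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh uses the same `cut` chain and would benefit from the same rewrite.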
diff --git a/scanners/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh b/scanners/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh
new file mode 100644
index 0000000..8ac008f
--- /dev/null
+++ b/scanners/system-configurations/4.70-ensure-users-home-directories-permissions-are-750-or-more.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+result=true
+
+while read -r user dir; do
+ if [ -d "$dir" ]; then
+ dirperm=$(stat -L -c "%A" "$dir")
+ if [ "$(echo "$dirperm" | cut -c6)" != "-" ] || [ "$(echo "$dirperm" |
+ cut -c8)" != "-" ] || [ "$(echo "$dirperm" | cut -c9)" != "-" ] ||
+ [ "$(echo "$dirperm" | cut -c10)" != "-" ]; then
+ result=false
+ fi
+ fi
+done < <(awk -F: '($1!~/(halt|sync|shutdown|nfsnobody)/ &&
+$7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/)
+{print $1 " " $6}' /etc/passwd)
+
+if [ "$result" = true ] ; then
+ echo "pass"
+else
+ echo "fail"
+fi
\ No newline at end of file
-- Gitee
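Review bot: When a home directory fails the check the scanner only sets `result=false` (line 11) and finally prints `fail`, so the operator gets no indication of which account or directory triggered it, whereas the benchmark document's version of the same loop prints user, directory and mode; the `user` variable is read from the awk output but never used. I would emit the finding on stderr before flipping the flag, `printf 'User: %s home directory: %s has permissions: %s\n' "$user" "$dir" "$(stat -L -c '%a' "$dir")" >&2`, keeping the single pass/fail token on stdout for whatever parses it. `stat -L` on line 7 follows a symlinked home and reports the target's mode; that is presumably the intent and deserves a comment such as `# -L: check the directory a symlinked home resolves to, not the link itself`.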