Section 6 Fixes - 1

Section 6 Fixes - 1

Author: rdiers

LICENSE

@@ -1,7 +1,19 @@
 MIT License
 
+Copyright for portions of CentOS7-CIS are held by
+
+Copyright (c) 2015 MindPoint Group http://www.mindpointgroup.com
+
+as part of RHEL7-CIS.
+
+All other copyright for project CentOS7-CIS are held by 
+
 Copyright (c) 2018 Radsec
 
+AND
+
+Copyright (c) 2018 Glownew Group
+
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights

scripts/6.2.10.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+  if [ ! -d "$dir" ]; then
+    echo "The home directory ($dir) of user $user does not exist."
+  else
+    for file in $dir/.[A-Za-z0-9]*; do
+      if [ ! -h "$file" -a -f "$file" ]; then
+        fileperm=`ls -ld $file | cut -f1 -d" "`
+
+        if [ `echo $fileperm | cut -c6`  != "-" ]; then
+          echo "Group Write permission set on file $file"
+        fi
+        if [ `echo $fileperm | cut -c9`  != "-" ]; then
+          echo "Other Write permission set on file $file"
+        fi
+      fi
+    done
+  fi
+done

scripts/6.2.11.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+for dir in `cat /etc/passwd | awk -F: '{ print $6 }'`; do
+if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+fi
+done

scripts/6.2.12.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+for dir in `cat /etc/passwd | awk -F: '{ print $6 }'`; do
+if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+fi
+done

scripts/6.2.13.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+  if [ ! -d "$dir" ]; then
+    echo "The home directory ($dir) of user $user does not exist."
+  else
+    for file in $dir/.netrc; do
+      if [ ! -h "$file" -a -f "$file" ]; then
+        fileperm=`ls -ld $file | cut -f1 -d" "`
+        if [ `echo $fileperm | cut -c5`  != "-" ]; then
+          echo "Group Read set on $file"
+        fi
+        if [ `echo $fileperm | cut -c6`  != "-" ]; then
+          echo "Group Write set on $file"
+        fi
+        if [ `echo $fileperm | cut -c7`  != "-" ]; then
+          echo "Group Execute set on $file"
+        fi
+        if [ `echo $fileperm | cut -c8`  != "-" ]; then
+          echo "Other Read set on $file"
+        fi
+        if [ `echo $fileperm | cut -c9`  != "-" ]; then
+          echo "Other Write set on $file"
+        fi
+        if [ `echo $fileperm | cut -c10`  != "-" ]; then
+          echo "Other Execute set on $file"
+        fi
+      fi
+    done
+  fi
+done

scripts/6.2.14.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+for dir in `cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin") { print $6 }'`; do
+  for file in $dir/.rhosts; do
+    if [ ! -h "$file" -a -f "$file" ]; then
+      echo ".rhosts file in $dir"
+    fi
+  done
+done

scripts/6.2.15.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+  grep -q -P "^.*?:[^:]*:$i:" /etc/group
+  if [ $? -ne 0 ]; then
+    echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+  fi
+done

scripts/6.2.17.sh

@@ -0,0 +1,10 @@
+#!/bin/bash 
+
+cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do
+  [ -z "${x}" ] && break
+  set - $x
+  if [ $1 -gt 1 ]; then
+    groups= `awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` 
+    echo "Duplicate GID ($2): ${groups}"
+  fi
+done

scripts/6.2.18.sh

@@ -0,0 +1,10 @@
+#!/bin/bash 
+
+cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do
+  [ -z "${x}" ] && break
+  set - $x
+  if [ $1 -gt 1 ]; then
+    uids= `awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs` 
+    echo "Duplicate User Name ($2): ${uids}"
+  fi
+done

scripts/6.2.19.sh

@@ -0,0 +1,10 @@
+#!/bin/bash 
+
+cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do
+  [ -z "${x}" ] && break
+  set - $x
+  if [ $1 -gt 1 ]; then
+    gids= `gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` 
+    echo "Duplicate Group Name ($2): ${gids}"
+  fi
+done

scripts/6.2.6.sh

@@ -0,0 +1,30 @@
+#!/bin/bash 
+
+if [ " `echo $PATH | grep ::` " != "" ]; then
+    echo "Empty Directory in PATH (::)"
+fi
+  if ["`echo$PATH|grep:$`" !=""]; then echo "Trailing : in PATH"
+fi
+p= `echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p
+while [ "$1" != "" ]; do
+  if [ "$1" = "." ]; then
+    echo "PATH contains ."
+    shift
+    continue
+  fi
+  if [ -d $1 ]; then
+    dirperm= `ls -ldH $1 | cut -f1 -d" "`
+    if [ `echo $dirperm | cut -c6`  != "-" ]; then
+echo "Group Write permission set on directory $1" fi
+if [ `echo $dirperm | cut -c9` != "-" ]; then
+echo "Other Write permission set on directory $1"
+    fi
+    dirown= `ls -ldH $1 | awk '{print $3}'`
+    if [ "$dirown" != "root" ] ; then
+      echo $1 is not owned by root
+    fi
+else
+ 318 | P a g e
+echo $1 is not a directory
+  fi
+shift done

scripts/6.2.7.sh

@@ -0,0 +1,7 @@
+#!/bin/bash 
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+  if [ ! -d "$dir" ]; then
+    echo "The home directory ($dir) of user $user does not exist."
+  fi
+done

scripts/6.2.8.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+  if [ ! -d "$dir" ]; then
+    echo "The home directory ($dir) of user $user does not exist."
+  else
+    dirperm=`ls -ld $dir | cut -f1 -d" "`
+    if [ `echo $dirperm | cut -c6` != "-" ]; then
+      echo "Group Write permission set on the home directory ($dir) of user $user"
+    fi
+    if [ `echo $dirperm | cut -c8` != "-" ]; then
+      echo "Other Read permission set on the home directory ($dir) of user $user"
+    fi
+    if [ `echo $dirperm | cut -c9` != "-" ]; then
+      echo "Other Write permission set on the home directory ($dir) of user $user"
+    fi
+    if [ `echo $dirperm | cut -c10` != "-" ]; then
+      echo "Other Execute permission set on the home directory ($dir) of user $user"
+    fi
+  fi
+done

scripts/6.2.9.sh

@@ -0,0 +1,12 @@
+#!/bin/bash 
+
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+  if [ ! -d "$dir" ]; then
+    echo "The home directory ($dir) of user $user does not exist."
+  else
+   owner=$(stat -L -c "%U" "$dir")
+   if [ "$owner" != "$user" ]; then
+     echo "The home directory ($dir) of user $user is owned by $owner."
+   fi
+ fi
+done

scripts/six_two_eight_rule.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+if [ ! -d "$dir" ]; then
+echo "The home directory ($dir) of user $user does not exist."
+  else
+    dirperm=`ls -ld $dir | cut -f1 -d" "`
+    if [ `echo $dirperm | cut -c6` != "-" ]; then
+echo "Group Write permission set on the home directory ($dir) of user $user"
+    fi
+    if [ `echo $dirperm | cut -c8` != "-" ]; then
+echo "Other Read permission set on the home directory ($dir) of user $user"
+    fi
+    if [ `echo $dirperm | cut -c9` != "-" ]; then
+echo "Other Write permission set on the home directory ($dir) of user $user"
+    fi
+    if [ `echo $dirperm | cut -c10` != "-" ]; then
+echo "Other Execute permission set on the home directory ($dir) of user $user"
+fi fi
+done

scripts/six_two_eighteen_rule.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break
+set - $x
+if [ $1 -gt 1 ]; then
+uids= `awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs`
+    echo "Duplicate User Name ($2): ${uids}"
+  fi
+done

scripts/six_two_eleven_rule.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+if [ ! -d "$dir" ]; then
+echo "The home directory ($dir) of user $user does not exist."
+else
+if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+echo ".forward file $dir/.forward exists" fi
+fi
+done

scripts/six_two_fifteen_rule.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do grep -q -P "^.*?:[^:]*:$i:" /etc/group
+if [ $? -ne 0 ]; then
+echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+fi done

scripts/six_two_fourteen_rule.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+if [ ! -d "$dir" ]; then
+echo "The home directory ($dir) of user $user does not exist."
+  else
+    for file in $dir/.rhosts; do
+      if [ ! -h "$file" -a -f "$file" ]; then
+        echo ".rhosts file in $dir"
+fi done
+fi done

scripts/six_two_nine_rule.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+if [ ! -d "$dir" ]; then
+echo "The home directory ($dir) of user $user does not exist."
+  else
+   owner=$(stat -L -c "%U" "$dir")
+   if [ "$owner" != "$user" ]; then
+echo "The home directory ($dir) of user $user is owned by $owner." fi
+fi done

scripts/six_two_nineteen_rule.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break
+set - $x
+if [ $1 -gt 1 ]; then
+gids= `gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs`
+    echo "Duplicate Group Name ($2): ${gids}"
+  fi
+done

scripts/six_two_seven_rule.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+if [ ! -d "$dir" ]; then
+echo "The home directory ($dir) of user $user does not exist."
+fi done

scripts/six_two_seventeen_rule.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break
+set - $x
+if [ $1 -gt 1 ]; then
+groups= `awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs`
+    echo "Duplicate GID ($2): ${groups}"
+  fi
+done

scripts/six_two_six_rule.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+if [ " `echo $PATH | grep ::` " != "" ]; then
+    echo "Empty Directory in PATH (::)"
+fi
+if["`echo$PATH|grep:$`" !=""];then echo "Trailing : in PATH"
+fi
+p= `echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p
+while [ "$1" != "" ]; do
+  if [ "$1" = "." ]; then
+    echo "PATH contains ."
+    shift
+    continue
+  fi
+  if [ -d $1 ]; then
+    dirperm= `ls -ldH $1 | cut -f1 -d" "`
+    if [ `echo $dirperm | cut -c6`  != "-" ]; then
+echo "Group Write permission set on directory $1" fi
+if [ `echo $dirperm | cut -c9` != "-" ]; then
+echo "Other Write permission set on directory $1"
+    fi
+    dirown= `ls -ldH $1 | awk '{print $3}'`
+    if [ "$dirown" != "root" ] ; then
+      echo $1 is not owned by root
+    fi
+else
+ 318 | P a g e
+echo $1 is not a directory
+  fi
+shift done

scripts/six_two_sixteen_rule.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break
+set - $x
+if [ $1 -gt 1 ]; then
+users= `awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs`
+    echo "Duplicate UID ($2): ${users}"
+  fi
+done

scripts/six_two_ten_rule.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+if [ ! -d "$dir" ]; then
+echo "The home directory ($dir) of user $user does not exist."
+  else
+    for file in $dir/.[A-Za-z0-9]*; do
+      if [ ! -h "$file" -a -f "$file" ]; then
+        fileperm=`ls -ld $file | cut -f1 -d" "`
+if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write permission set on file $file"
+        fi
+        if [ `echo $fileperm | cut -c9`  != "-" ]; then
+echo "Other Write permission set on file $file" fi
+fi done
+fi done

scripts/six_two_thirdteen_rule.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
+if [ ! -d "$dir" ]; then
+echo "The home directory ($dir) of user $user does not exist."
+  else
+    for file in $dir/.netrc; do
+      if [ ! -h "$file" -a -f "$file" ]; then
+        fileperm=`ls -ld $file | cut -f1 -d" "`
+        if [ `echo $fileperm | cut -c5`  != "-" ]; then
+echo "Group Read set on $file"
+    fi
+    if [ `echo $fileperm | cut -c6`  != "-" ]; then
+      echo "Group Write set on $file"
+    fi
+    if [ `echo $fileperm | cut -c7`  != "-" ]; then
+      echo "Group Execute set on $file"
+    fi
+    if [ `echo $fileperm | cut -c8`  != "-" ]; then
+      echo "Other Read set on $file"
+    fi
+    if [ `echo $fileperm | cut -c9`  != "-" ]; then
+      echo "Other Write set on $file"
+    fi
+    if [ `echo $fileperm | cut -c10`  != "-" ]; then
+      echo "Other Execute set on $file"
+fi fi
+done