#!/usr/bin/env bash
{
echo -e "\n- Start check - logfiles have appropriate permissions and ownership"
output=""
find /var/log -type f | (
while read -r fname; do
bname="$(basename "$fname")"
case "$bname" in lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
secure | auth.log)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
SSSD | sssd)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h+(SSSD|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
gdm | gdm3)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(gdm3?|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
*.journal)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(systemd-journal|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
*)
if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then
output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n"
fi
if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then
output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n"
fi
;;
esac
done
# If all files passed, then we pass
if [ -z "$output" ]; then
echo -e "\n- PASS\n- All files in \"/var/log/\" have appropriate permissions and ownership\n"
else
# print the reason why we are failing
echo -e "\n- FAIL:\n$output"
fi
echo -e "- End check - logfiles have appropriate permissions and ownership\n"
)
}