test_section_06_level1.yml: update to Ubuntu 20.04

scripts/test_section_06_level1/6-1-13.sh

@@ -1,16 +1,22 @@
 #!/bin/bash
 #
-# 6.1.13 Audit SUID executables (Not Scored)
+# 6.1.13 Audit SUID executables (Manual)
 #
 # Description:
-# The owner of a file can set the file's permissions to run with the owner's or group's permissions,
-# even if the user running the program is not the owner or a member of the group.
-# The most common reason for a SUID program is to enable users to perform functions (such as changing their password) that require root privileges.
+# The owner of a file can set the file's permissions to run with the owner's or
+# group's permissions, even if the user running the program is not the owner or
+# a member of the group.
+# The most common reason for a SUID program is to enable users to perform
+# functions (such as changing their password) that require root privileges.
+#
+# Rationale:
+# There are valid reasons for SUID programs, but it is important to identify
+# and review such programs to ensure they are legitimate.
 
 set -o errexit
 set -o nounset
 
-declare gcp_binaries="37"
+declare gcp_binaries="29"
 declare azure_binaries="13"
 declare url_google="http://metadata/computeMetadata/v1/instance/hostname"
 status=0

scripts/test_section_06_level1/6-1-14.sh

@@ -1,16 +1,25 @@
 #!/bin/bash
 #
-# 6.1.14 Audit SGID executables (Not Scored)
+# 6.1.14 Audit SGID executables (Manual)
 #
 # Description:
-# The owner of a file can set the file's permissions to run with the owner's or group's permissions,
-# even if the user running the program is not the owner or a member of the group.
-# The most common reason for a SGID program is to enable users to perform functions (such as changing their password) that require root privileges.
+# The owner of a file can set the file's permissions to run with the owner's or
+# group's permissions, even if the user running the program is not the owner or
+# a member of the group. The most common reason for a SGID program is to enable
+# users to perform functions (such as changing their password) that require root
+# privileges.
+#
+# Rationale:
+# There are valid reasons for SGID programs, but it is important to identify and
+# review such programs to ensure they are legitimate. Review the files returned
+# by the action in the audit section and check to see if system binaries have a
+# different md5 checksum than what from the package. This is an indication that
+# the binary may have been replaced.
 
 set -o errexit
 set -o nounset
 
-declare gcp_binaries="24"
+declare gcp_binaries="14"
 declare azure_binaries="8"
 declare url_google="http://metadata/computeMetadata/v1/instance/hostname"
 status=0

scripts/test_section_06_level1/6-2-10.sh

@@ -1,10 +1,14 @@
 #!/bin/bash
 #
-# 6.2.10 Ensure users' dot files are not group or world writable
+# 6.2.10 Ensure users' .netrc Files are not group or world accessible (Automated)
 #
 # Description:
-# While the system administrator can establish secure permissions for users' "dot" files, the
-# users can easily override these.
+# While the system administrator can establish secure permissions for users'
+# .netrc files, the users can easily override these.
+#
+# Rationale:
+# .netrc files may contain unencrypted passwords that may be used to attack other
+# systems.
 
 set -o errexit
 set -o nounset
@@ -29,19 +33,35 @@ while read line; do
     if [ ${status} = "0" -a "${vars}x" != "x" ]; then
         set -- ${vars}
         user=${1-} && dir=${2-}
-        if [ ! -d "$dir" ]; then
+        if [ ! -d ${dir} ]; then
             echo "The home directory (${dir}) of user ${user} does not exist."
             stderr="1"
         else
-            for file in ${dir}/.[A-Za-z0-9]*; do
+            for file in ${dir}/.netrc; do
                 if [ ! -h "${file}" -a -f "${file}" ]; then
-                    fileperm=`ls -ld ${file} | cut -f1 -d" "`
-                    if [ $(echo ${fileperm} | cut -c6) != "-" ]; then
-                        echo "Group Write permission set on file ${file}"
+                    fileperm=$(ls -ld ${file} | cut -f1 -d" ")
+                    if [ $(echo ${fileperm} | cut -c5)  != "-" ]; then
+                        echo "Group Read set on ${file}"
+                        stderr="1"
+                    fi
+                    if [ $(echo ${fileperm} | cut -c6)  != "-" ]; then
+                        echo "Group Write set on ${file}"
+                        stderr="1"
+                    fi
+                    if [ $(echo ${fileperm} | cut -c7)  != "-" ]; then
+                        echo "Group Execute set on ${file}"
+                        stderr="1"
+                    fi
+                    if [ $(echo ${fileperm} | cut -c8)  != "-" ]; then
+                        echo "Other Read set on ${file}"
                         stderr="1"
                     fi
                     if [ $(echo ${fileperm} | cut -c9)  != "-" ]; then
-                        echo "Other Write permission set on file ${file}"
+                        echo "Other Write set on ${file}"
+                        stderr="1"
+                    fi
+                    if [ $(echo ${fileperm} | cut -c10)  != "-" ]; then
+                        echo "Other Execute set on ${file}"
                         stderr="1"
                     fi
                 fi
@@ -52,5 +72,5 @@ while read line; do
 done < /etc/passwd
 
 if [ ${stderr} != "0" ]; then
-   exit 1
+    exit 1
 fi

scripts/test_section_06_level1/6-2-11.sh

@@ -1,14 +1,21 @@
 #!/bin/bash
 #
-# 6.2.11 Ensure no users have .forward files
+# 6.2.11 Ensure no users have .rhosts files (Automated)
 #
 # Description:
-# The .forward file specifies an email address to forward the user's mail to.
+# While no .rhosts files are shipped by default, users can easily create them.
+#
+# Rationale:
+# This action is only meaningful if .rhosts support is permitted in the file
+# /etc/pam.conf. Even though the .rhosts files are ineffective if support is
+# disabled in /etc/pam.conf , they may have been brought over from other systems
+# and could contain information useful to an attacker for those other systems.
 
 set -o errexit
 set -o nounset
 
 declare dir=""
+declare file=""
 declare line=""
 declare status="0"
 declare stderr="0"
@@ -30,10 +37,12 @@ while read line; do
             echo "The home directory (${dir}) of user ${user} does not exist."
             stderr="1"
         else
-            if [ ! -h "${dir}/.forward" -a -f "${dir}/.forward" ]; then
-                echo ".forward file ${dir}/.forward exists"
-                stderr="1"
-            fi
+            for file in ${dir}/.rhosts; do
+                if [ ! -h "${file}" -a -f "${file}" ]; then
+                    echo ".rhosts file in ${dir}"
+                    stderr="1"
+                fi
+            done
         fi
     fi
 

scripts/test_section_06_level1/6-2-12.sh

@@ -1,44 +1,29 @@
 #!/bin/bash
 #
-# 6.2.12 Ensure no users have .netrc files
+# 6.2.12 Ensure all groups in /etc/passwd exist in /etc/group (Automated)
 #
 # Description:
-# The .netrc file contains data for logging into a remote host for
-# file transfers via FTP.
+# Over time, system administration errors and changes can lead to groups being
+# defined in /etc/passwd but not in /etc/group.
+#
+# Rationale:
+# Groups defined in the /etc/passwd file but not in the /etc/group file pose a
+# threat to system security since group permissions are not properly managed.
 
 set -o errexit
 set -o nounset
 
-declare dir=""
-declare line=""
+declare i=""
 declare status="0"
 declare stderr="0"
-declare user=""
-declare vars=""
-
-while read line; do
 
-    vars=$(
-            echo ${line} | \
-            egrep -v '^(root|halt|sync|shutdown)' | \
-            awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }'
-          ) || status=1
-
-    if [ ${status} = "0" -a "${vars}x" != "x" ]; then
-        set -- ${vars}
-        user=${1-} && dir=${2-}
-        if [ ! -d ${dir} ]; then
-            echo "The home directory (${dir}) of user ${user} does not exist."
-            stderr="1"
-        else
-            if [ ! -h "${dir}/.netrc" -a -f "${dir}/.netrc" ]; then
-                echo ".netrc file ${dir}/.netrc exists"
-                stderr="1"
-           fi
-        fi
+for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+    grep -q -P "^.*?:[^:]*:$i:" /etc/group || status=1
+    if [ ${status} -ne 0 ]; then
+        echo "Group ${i} is referenced by /etc/passwd but does not exist in /etc/group"
+        stderr="1"
     fi
-
-done < /etc/passwd
+done
 
 if [ ${stderr} != "0" ]; then
     exit 1

scripts/test_section_06_level1/6-2-13.sh

@@ -1,71 +1,43 @@
 #!/bin/bash
 #
-# 6.2.13 Ensure users' .netrc Files are not group or world accessible
+# 6.2.13 Ensure no duplicate UIDs exist (Automated)
 #
 # Description:
-# While the system administrator can establish secure permissions for users'
-# .netrc files, the users can easily override these.
+# Although the useradd program will not let you create a duplicate
+# User ID (UID), it is possible for an administrator to manually edit
+# the /etc/passwd file and change the UID field.
+#
+# Rationale:
+# Users must be assigned unique UIDs for accountability and to ensure appropriate
+# access protections.
 
 set -o errexit
 set -o nounset
 
-declare dir=""
-declare file=""
-declare fileperm=""
+declare id=""
+declare l=""
 declare line=""
+declare qtd=""
 declare status="0"
 declare stderr="0"
-declare user=""
-declare vars=""
+declare users=""
 
-while read line; do
+line=$(cut -f3 -d":" /etc/passwd | sort -n | uniq -c | awk '{printf $1" "$2"@"}' |sed 's#@$##g') || status=1
 
-    vars=$(
-            echo ${line} | \
-            egrep -v '^(root|halt|sync|shutdown)' | \
-            awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }'
-          ) || status=1
+if [ ${status} = "0" ]; then
 
-    if [ ${status} = "0" -a "${vars}x" != "x" ]; then
-        set -- ${vars}
-        user=${1-} && dir=${2-}
-        if [ ! -d ${dir} ]; then
-            echo "The home directory (${dir}) of user ${user} does not exist."
-            stderr="1"
-        else
-            for file in ${dir}/.netrc; do
-                if [ ! -h "${file}" -a -f "${file}" ]; then
-                    fileperm=$(ls -ld ${file} | cut -f1 -d" ")
-                    if [ $(echo ${fileperm} | cut -c5)  != "-" ]; then
-                        echo "Group Read set on ${file}"
-                        stderr="1"
-                    fi
-                    if [ $(echo ${fileperm} | cut -c6)  != "-" ]; then
-                        echo "Group Write set on ${file}"
-                        stderr="1"
-                    fi
-                    if [ $(echo ${fileperm} | cut -c7)  != "-" ]; then
-                        echo "Group Execute set on ${file}"
-                        stderr="1"
-                    fi
-                    if [ $(echo ${fileperm} | cut -c8)  != "-" ]; then
-                        echo "Other Read set on ${file}"
-                        stderr="1"
-                    fi
-                    if [ $(echo ${fileperm} | cut -c9)  != "-" ]; then
-                        echo "Other Write set on ${file}"
-                        stderr="1"
-                    fi
-                    if [ $(echo ${fileperm} | cut -c10)  != "-" ]; then
-                        echo "Other Execute set on ${file}"
-                        stderr="1"
-                    fi
-                fi
-            done
-        fi
-    fi
+    IFS="@"
+    for l in ${line}; do
+            IFS=" " && set - ${l}
+            qtd=${1-} && id=${2-}
+            if [ ${qtd} -gt 1 ]; then
+               users=$(awk -F: '($3 == n) { print $1 }' n=${id} /etc/passwd | xargs)
+               echo "Duplicate UID (${id}): ${users}"
+               stderr="1"
+            fi
+    done
 
-done < /etc/passwd
+fi
 
 if [ ${stderr} != "0" ]; then
     exit 1

scripts/test_section_06_level1/6-2-14.sh

@@ -1,46 +1,43 @@
 #!/bin/bash
 #
-# 6.2.14 Ensure no users have .rhosts files
+# 6.2.14 Ensure no duplicate GIDs exist (Automated)
 #
 # Description:
-# While no .rhosts files are shipped by default, users can easily create them.
+# Although the groupadd program will not let you create a duplicate
+# Group ID (GID), it is possible for an administrator to manually
+# edit the /etc/group file and change the GID field.
+#
+# Rationale:
+# User groups must be assigned unique GIDs for accountability and to ensure
+# appropriate access protections.
 
 set -o errexit
 set -o nounset
 
-declare dir=""
-declare file=""
+declare groups=""
+declare id=""
+declare l=""
 declare line=""
+declare qtd=""
 declare status="0"
 declare stderr="0"
-declare user=""
-declare vars=""
 
-while read line; do
+line=$(cut -f3 -d":" /etc/group | sort -n | uniq -c | awk '{printf $1" "$2"@"}' |sed 's#@$##g') || status=1
 
-    vars=$(
-            echo ${line} | \
-            egrep -v '^(root|halt|sync|shutdown)' | \
-            awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }'
-          ) || status=1
+if [ ${status} = "0" ]; then
 
-    if [ ${status} = "0" -a "${vars}x" != "x" ]; then
-        set -- ${vars}
-        user=${1-} && dir=${2-}
-        if [ ! -d ${dir} ]; then
-            echo "The home directory (${dir}) of user ${user} does not exist."
-            stderr="1"
-        else
-            for file in ${dir}/.rhosts; do
-                if [ ! -h "${file}" -a -f "${file}" ]; then
-                    echo ".rhosts file in ${dir}"
-                    stderr="1"
-                fi
-            done
-        fi
-    fi
+    IFS="@"
+    for l in ${line}; do
+            IFS=" " && set - ${l}
+            qtd=${1-} && id=${2-}
+            if [ ${qtd} -gt 1 ]; then
+               groups=$(awk -F: '($3 == n) { print $1 }' n=${id} /etc/group | xargs)
+               echo "Duplicate GID (${id}): ${groups}"
+               stderr="1"
+            fi
+    done
 
-done < /etc/passwd
+fi
 
 if [ ${stderr} != "0" ]; then
     exit 1