arildjensen/cis-puppet

CIS 1.1.17

BenoitLefebvre opened this issue · 2 comments

Current script only changes /tmp

According to the CIS document (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.1.0.pdf), the changes need to be applied to ALL world-writable directories in the system.

Here is a quick Ruby implementation, I'm sure there are more elegant ways to do it.

# Build the list of world-writable directories without the sticky bit on every
# local filesystem (the condition CIS 1.1.17 checks); %x returns one String.
world_writables = %x[ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -a ! -perm -1000 2>/dev/null ]

# String has no #each, so walk the output one line at a time
world_writables.each_line do |filename|
  filename.chomp!
  # system returns after chmod finishes; exec would replace this process on the first directory
  system("chmod", "a+t", filename)
end

Puppifying the above Ruby from BenoitLefebvre would be something like this:

exec { 'cis1_1_17':
  # \$ stops Puppet interpolating awk's $6 and the shell's $(...); \\( reaches the shell as \(
  command  => "df --local -P | awk {'if (NR!=1) print \$6'} | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null | xargs -r chmod a+t",
  path     => ['/usr/bin', '/bin'],
  provider => shell,  # pipes and $(...) need a shell; the default posix provider runs the binary directly
  # test for the same condition the command fixes (missing sticky bit), so the exec is idempotent
  onlyif   => "/usr/bin/test \$(df --local -P | awk {'if (NR!=1) print \$6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -a ! -perm -1000 2>/dev/null | wc -l) -gt 0",
}
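The two snippets above both shell out to df, find and chmod. The following is an added example, not code from this issue or from cis-puppet, that implements the same CIS 1.1.17 check in plain Ruby: it walks one filesystem (comparing device ids, like find -xdev), reports directories that are world-writable but lack the sticky bit, and remediates them while preserving their other mode bits. The fixture directories (shared, tmp_like, private) are constructed for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'

# Return the directories under root that are world-writable (o+w) but lack
# the sticky bit, which is exactly the condition CIS 1.1.17 flags.
# Symlinks are not followed and mount points are not crossed.
def sticky_bit_missing(root)
  root_dev = File.lstat(root).dev
  results = []
  stack = [root]
  until stack.empty?
    dir = stack.pop
    st = File.lstat(dir)
    next unless st.directory?        # lstat of a symlink is not a directory, so links are skipped
    next unless st.dev == root_dev   # stay on the starting filesystem, like find -xdev
    mode = st.mode
    results << dir if (mode & 0o002) != 0 && (mode & 0o1000) == 0
    begin
      Dir.each_child(dir) { |child| stack.push(File.join(dir, child)) }
    rescue Errno::EACCES
      next                           # unreadable subtree: report what we can, do not abort the audit
    end
  end
  results.sort
end

# Remediation: set the sticky bit (01000) on each directory, keeping the
# existing permission bits intact. Returns the list it was given.
def add_sticky_bit(dirs)
  dirs.each do |dir|
    mode = File.lstat(dir).mode & 0o7777
    File.chmod(mode | 0o1000, dir)
  end
end

# Constructed fixture: one non-compliant directory, one compliant /tmp-style
# directory and one that is not world-writable at all.
def build_fixture(base)
  FileUtils.mkdir_p(File.join(base, 'shared'))
  File.chmod(0o777, File.join(base, 'shared'))      # world-writable, no sticky bit: finding expected
  FileUtils.mkdir_p(File.join(base, 'tmp_like'))
  File.chmod(0o1777, File.join(base, 'tmp_like'))   # world-writable with sticky bit: compliant
  FileUtils.mkdir_p(File.join(base, 'private'))
  File.chmod(0o755, File.join(base, 'private'))     # not world-writable: out of scope
  base
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |base|
    build_fixture(base)
    found = sticky_bit_missing(base)
    puts "missing sticky bit: #{found.inspect}"
    add_sticky_bit(found)
    puts "after remediation: #{sticky_bit_missing(base).inspect}"
  end
end
```

Running the audit function alone gives a dry-run report suitable for a compliance check; calling add_sticky_bit on its result is the enforcement step. Doing the mode test in-process rather than through find also avoids the quoting problems the Puppet string above has to work around.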