Merge branch 'stretch' of https://github.com/bashrc/freedombone

src/freedombone-addcert

@@ -239,6 +239,7 @@ function add_cert_letsencrypt {
         chgrp -R ssl-cert /etc/letsencrypt
         chmod -R 600 /etc/letsencrypt
         chmod -R g=rX /etc/letsencrypt
+        chown -R root:ssl-cert /etc/letsencrypt
         systemctl start nginx
         exit 63216
     fi
@@ -288,6 +289,7 @@ function add_cert_letsencrypt {
     chgrp -R ssl-cert /etc/letsencrypt
     chmod -R 600 /etc/letsencrypt
     chmod -R g=rX /etc/letsencrypt
+    chown -R root:ssl-cert /etc/letsencrypt
 
     nginx_ensite ${LETSENCRYPT_HOSTNAME}
     systemctl start nginx

src/freedombone-app-xmpp

@@ -689,6 +689,7 @@ function xmpp_onion_addresses {
     echo '  ["wtfismyip.com"] = "ofkztxcohimx34la.onion";' >> $filename
     echo '  ["prosody.xmpp.is"] = "y2qmqomqpszzryei.onion";' >> $filename
     echo '  ["xndr.de"] = "trcubpttd6zkc3tf.onion";' >> $filename
+    echo '  ["jabber.cat"] = "sybzodlxacch7st7.onion";' >> $filename
     echo '  ["trashserver.net"] = "m4c722bvc2r7brnn.onion";' >> $filename
     echo '};' >> $filename
 }

src/freedombone-utils-setup

@@ -645,6 +645,7 @@ function lockdown_permissions {
     if [ -d /etc/letsencrypt ]; then
         chmod -R 600 /etc/letsencrypt
         chmod -R g=rX /etc/letsencrypt
+        chown -R root:ssl-cert /etc/letsencrypt
     fi
     chown -f root:root /etc/motd /etc/issue*
     chmod -f 0444 /etc/motd /etc/issue*

tests/check-libs-owner.sh

@@ -2,41 +2,41 @@
 
 if [ -d "/lib" ];then
 
-        COUNT=$(find -L /lib  \! -user root  -exec ls -l {} \; | grep -v '> /dev/null' | wc -l)
+    COUNT=$(find -L /lib  \! -user root  -exec ls -l {} \; | grep -v '> /dev/null' | wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/lib64" ];then
 
-        COUNT=$(find -L /lib64  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /lib64  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/usr/lib" ];then
 
-        COUNT=$(find -L /usr/lib  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /usr/lib  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/usr/lib64" ];then
 
-        COUNT=$(find -L /usr/lib64  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /usr/lib64  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi

tests/output.sh

@@ -485,6 +485,12 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/
               if [ $2 -ne 0 ];then
                   printf '\n######################\n\nSTIG-ID:RHEL-06-000046\n\nVulnerability Discussion:  Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.\n\nFix text: System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be owned by a user other than root, correct its ownership with the following command:\n\n#chown root [FILE]\n\n######################\n\n' >> $LOG
               fi
+              find -L /lib  \! -user root  -exec ls -l {} \; | grep -v '> /dev/null'
+              find -L /lib64  \! -user root  -exec ls -l {} \;
+              find -L /usr/lib  \! -user root  -exec ls -l {} \;
+              if [ -d /usr/lib64 ]; then
+                  find -L /usr/lib64  \! -user root  -exec ls -l {} \;
+              fi
               ;;
     V-38469)  if [ "$3" = "en" ]; then
                   log_msg $2 'All system command files must have mode 755 or less permissive.'