CIS RHEL hardening script – fixing non-working Sed expressions (unknown option to `s')

I do not know what they were thinking about (and testing!), but the sed regular expressions below did not work on either of my instances of RHEL (CIS remediation script version 1.4.0):

# Set nodev option for /tmp Partition
echo
echo \*\*\*\* Set\ nodev\ option\ for\ /tmp\ Partition
egrep -q "^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$" /etc/fstab && sed -ri "s/^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$/\1/tmp\2nodev\3\4/" /etc/fstab

# Set nosuid option for /tmp Partition
echo
echo \*\*\*\* Set\ nosuid\ option\ for\ /tmp\ Partition
egrep -q "^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$" /etc/fstab && sed -ri "s/^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$/\1/tmp\2nosuid\3\4/" /etc/fstab

# Set noexec option for /tmp Partition
echo
echo \*\*\*\* Set\ noexec\ option\ for\ /tmp\ Partition
egrep -q "^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$" /etc/fstab && sed -ri "s/^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$/\1/tmp\2noexec\3\4/" /etc/fstab

All of them were throwing a very annoying:

sed: -e expression #1, char 61: unknown option to `s'

The cause is the unescaped slash in `/tmp`: sed takes it as the end of the pattern, so the tail of the command is parsed as flags to `s` and rejected as an unknown option. So the solution was to swap the delimiter for the substitute command and add a comma before the mount option (without it the option is glued onto the existing ones, as in `defaultsnodev`; I wonder where this one went in the original script?). Here is the modified and working version for your cut/paste pleasure:

# Set nodev option for /tmp Partition
echo
echo \*\*\*\* Set\ nodev\ option\ for\ /tmp\ Partition
egrep -q "^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$" /etc/fstab && sed -ri 's:^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$:\1/tmp\2,nodev\3\4:' /etc/fstab

# Set nosuid option for /tmp Partition
echo
echo \*\*\*\* Set\ nosuid\ option\ for\ /tmp\ Partition
egrep -q "^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$" /etc/fstab && sed -ri "s:^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$:\1/tmp\2,nosuid\3\4:" /etc/fstab

# Set noexec option for /tmp Partition
echo
echo \*\*\*\* Set\ noexec\ option\ for\ /tmp\ Partition
egrep -q "^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$" /etc/fstab && sed -ri "s:^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$:\1/tmp\2,noexec\3\4:" /etc/fstab
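As an added example (my code, not the CIS script's), the corrected substitution wrapped in a function that reads an fstab on stdin rather than editing /etc/fstab in place. It keeps the `:` delimiter and the leading comma from the fix above, and adds one thing the CIS snippet lacks: a /tmp line that already carries the option is skipped, so running the remediation twice does not yield `defaults,nodev,nodev`. It assumes GNU sed (for `-r`, `\s` and `\S`), as on RHEL; the sample fstab is constructed.

```shell
#!/bin/sh
# Added example (not from the CIS script): append a mount option to the /tmp
# entry of an fstab read on stdin, using the ':' delimiter and the leading
# comma from the fix above. Assumes GNU sed (-r, \s, \S), as on RHEL.

# Constructed sample fstab; not taken from any real host.
SAMPLE_FSTAB='UUID=constructed-root-uuid / ext4 defaults 1 1
/dev/mapper/vg-tmp /tmp ext4 defaults 1 2
/dev/mapper/vg-var /var ext4 defaults 1 2'

# add_tmp_option OPTION: copy stdin to stdout with OPTION added to the
# options field of the /tmp line. A /tmp line that already lists OPTION is
# left alone (the first -e branches to the end of the script), so re-running
# the remediation does not produce "defaults,nodev,nodev".
add_tmp_option() {
    opt="$1"
    sed -r \
        -e "/^\s*\S+\s+\/tmp\s+\S+\s+(\S+,)?$opt(,\S+)?\s/b" \
        -e 's:^(\s*\S+\s+)/tmp(\s+\S+\s+\S+)(\s+\S+\s+\S+)(\s*#.*)?\s*$:\1/tmp\2,'"$opt"'\3\4:'
}

# tmp_options: print the options field of the /tmp line of the fstab on
# stdin (the check step; the CIS script uses egrep -q for the same purpose).
tmp_options() {
    awk '$2 == "/tmp" { print $4 }'
}

# Demo: apply all three CIS options, then apply one of them a second time.
printf '%s\n' "$SAMPLE_FSTAB" \
    | add_tmp_option nodev | add_tmp_option nosuid | add_tmp_option noexec \
    | add_tmp_option nodev
```

The substitute command is written in single quotes with only the option spliced in, so none of the `\1`, `\s` or `$` sequences depend on the shell's double-quote rules; the first `-e` uses `/` as its address delimiter, which is why `/tmp` is escaped there and not in the `:`-delimited `s` command.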

Update 19/11/15:

Another one!

The regexp

$\s*/tmp\s+/var/tmp\s+none\s+bind\s+0\s+0\s*$

in CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.4.0-oval.xml

was meant to check /etc/fstab for the presence of a line like:

/tmp /var/tmp none bind 0 0

(obviously bind can be accompanied by rw, nosuid etc.)

Of course the expression had no chance of ever working in real life, given the "$" sign at the very beginning and the dumb standalone "bind".

So I ended up rewriting it as follows:

^\s*/tmp\s+/var/tmp\s+none\s+((rw|nosuid|noexec|nodev|(bind)+)+[,]*)+\s+0\s+0\s*$
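As an added example (my code, not from the benchmark's OVAL content), the bind-mount check run as a shell function over constructed fstab lines with three expressions side by side: the original, the rewrite above, and a stricter variant of my own that requires `bind` to be present as a whole option while allowing any others. It assumes GNU grep (for `\s`).

```shell
#!/bin/sh
# Added example (not from the CIS OVAL content): run the /var/tmp bind mount
# check over constructed fstab lines with three regexes. Assumes GNU grep (\s).

# Original OVAL expression: the leading '$' is an end-of-line anchor, so
# nothing can follow it and the expression matches no line at all.
ORIG_RE='$\s*/tmp\s+/var/tmp\s+none\s+bind\s+0\s+0\s*$'

# The rewrite from the post: bind mixed with rw/nosuid/noexec/nodev in any order.
FIXED_RE='^\s*/tmp\s+/var/tmp\s+none\s+((rw|nosuid|noexec|nodev|(bind)+)+[,]*)+\s+0\s+0\s*$'

# Editor's stricter variant (an assumption, not from the benchmark): 'bind'
# must appear as one complete option in the list; any other options may
# surround it.
STRICT_RE='^\s*/tmp\s+/var/tmp\s+none\s+(\S+,)?bind(,\S+)?\s+0\s+0\s*$'

# fstab_check REGEX LINE: print "pass" if LINE satisfies REGEX, else "fail".
fstab_check() {
    if printf '%s\n' "$2" | grep -Eq "$1"; then echo pass; else echo fail; fi
}

# Constructed lines, not from a real host.
BIND_PLAIN='/tmp /var/tmp none bind 0 0'
BIND_OPTS='/tmp /var/tmp none rw,nosuid,nodev,noexec,bind 0 0'
NO_BIND_WORD='/tmp /var/tmp none rw,nosuid 0 0'
UNRELATED='/dev/mapper/vg-var /var ext4 defaults 1 2'

# Demo: one row per line, one column per expression.
for line in "$BIND_PLAIN" "$BIND_OPTS" "$NO_BIND_WORD" "$UNRELATED"; do
    printf 'orig=%s fixed=%s strict=%s  %s\n' \
        "$(fstab_check "$ORIG_RE" "$line")" \
        "$(fstab_check "$FIXED_RE" "$line")" \
        "$(fstab_check "$STRICT_RE" "$line")" \
        "$line"
done
```

One caveat the table makes visible: the rewrite accepts `/tmp /var/tmp none rw,nosuid 0 0`, a line with no `bind` at all, because every alternative in its group is optional in practice; the stricter variant rejects that line while still passing the plain and the option-laden bind entries.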
