harden.py sends (on an average small webserver) a ~20MB email, consisting of all /var/www/ files not owned by root, each listed on its own row with the full description repeated thousands of times.
Insecure configuration detected on filesystem: Issue identified: /var/www/* permissions are not set to root. If an attacker compromises the system and is running under the Apache user account, could view these files. Recommendation: Change the permission of /var/www/* to root:root. Command: chown root:root /var/www/*
Would suggest some sort of limiting and grouping.
Just looked at the source for harden.py. The setting you refer to is for checking SSH config. It is is_config_enabled("ROOT_CHECK"): on lines 19 through 21. Not sure why it says www in the config file. Will look into it for you. Also, can I ask what you are running this on? I know it's Linux, but what flavor/kernel etc.?
Python version? So as to replicate your env as closely as possible. Will see if I can work in a new option in cfg to address your issue concerning limiting/grouping and switching alerting on/off for this part of harden.py.
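
One way to do the limiting and grouping suggested in the issue, as an added example (not harden.py's own code): collect every finding first, emit the description once, and list per-directory counts capped at a fixed number of rows. The function names, the `max_dirs` parameter and the abridged description string are assumptions made for this sketch.

```python
import os
from collections import Counter

# Abridged from the alert text quoted in the issue; emitted once per report.
DESCRIPTION = (
    "Issue identified: /var/www/* permissions are not set to root. "
    "Recommendation: Change the permission of /var/www/* to root:root."
)

def find_not_owned_by(root, uid=0, gid=0):
    """Return paths under root whose owner or group differs from uid/gid."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report a symlink itself, do not follow it
            except OSError:
                continue  # entry vanished or is unreadable; skip instead of aborting
            if st.st_uid != uid or st.st_gid != gid:
                hits.append(path)
    return hits

def build_report(paths, max_dirs=10):
    """Group findings by parent directory and cap the listing at max_dirs rows."""
    per_dir = Counter(os.path.dirname(p) for p in paths)
    # Sort by count (descending), then by name, so the output is deterministic.
    ranked = sorted(per_dir.items(), key=lambda kv: (-kv[1], kv[0]))
    lines = [DESCRIPTION,
             f"{len(paths)} paths in {len(per_dir)} directories affected:"]
    lines += [f"  {count:6d}  {directory}" for directory, count in ranked[:max_dirs]]
    hidden = len(ranked) - max_dirs
    if hidden > 0:
        lines.append(f"  ... {hidden} more directories not shown")
    return "\n".join(lines)

if __name__ == "__main__":
    # One bounded message for the whole tree instead of one alert per file.
    print(build_report(find_not_owned_by("/var/www")))
```

With this shape the message size depends on `max_dirs`, not on how many files sit under the web root.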