debian-cis/bin/hardening/6.1.14_find_sgid_files.sh

#!/bin/bash

# run-shellcheck
#
# CIS Debian Hardening
#

#
# 6.1.14 Audit SGID executables (Not Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

# shellcheck disable=2034
HARDENING_LEVEL=2
# shellcheck disable=2034
DESCRIPTION="Find SGID system executables."
IGNORED_PATH=''

# This function will be called if the script status is on enabled / audit mode
audit() {
    info "Checking if there are sgid files"
    FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }')
    # shellcheck disable=2086
    if [ -n "$IGNORED_PATH" ]; then
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)
    else
        FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)
    fi
    BAD_BINARIES=""
    for BINARY in $FOUND_BINARIES; do
        if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then
            debug "$BINARY is confirmed as an exception"
        else
            BAD_BINARIES="$BAD_BINARIES $BINARY"
        fi
    done
    if [ -n "$BAD_BINARIES" ]; then
        crit "Some sgid files are present"
        # shellcheck disable=SC2001
        FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
        crit "$FORMATTED_RESULT"
    else
        ok "No unknown sgid files found"
    fi
}

# This function will be called if the script status is on enabled mode
apply() {
    info "Removing sgid on valid binary may seriously harm your system, report only here"
}

# This function will create the config file for this check with default values
create_config() {
    cat <<EOF
status=audit
# Put here valid binaries with sgid enabled separated by spaces
EXCEPTIONS="/sbin/unix_chkpwd /usr/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
EOF
}

# This function will check config parameters required
check_config() {
    if [ -z "$EXCEPTIONS" ]; then
        EXCEPTIONS="@"
    fi
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`#!/bin/bash`

IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00			`# run-shellcheck`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`#`

			`#`
Renum 12.x checks to 6.1.x Verify_System_File_Permissions modified: bin/hardening/12.4_etc_passwd_ownership.sh modified: bin/hardening/12.5_etc_shadow_ownership.sh modified: bin/hardening/12.6_etc_group_ownership.sh renamed: bin/hardening/12.7_find_world_writable_file.sh -> bin/hardening/6.1.10_find_world_writable_file.sh renamed: bin/hardening/12.8_find_unowned_files.sh -> bin/hardening/6.1.11_find_unowned_files.sh renamed: bin/hardening/12.9_find_ungrouped_files.sh -> bin/hardening/6.1.12_find_ungrouped_files.sh renamed: bin/hardening/12.10_find_suid_files.sh -> bin/hardening/6.1.13_find_suid_files.sh renamed: bin/hardening/12.11_find_sgid_files.sh -> bin/hardening/6.1.14_find_sgid_files.sh renamed: bin/hardening/12.1_etc_passwd_permissions.sh -> bin/hardening/6.1.2_etc_passwd_permissions.sh renamed: bin/hardening/12.2_etc_shadow_permissions.sh -> bin/hardening/6.1.3_etc_shadow_permissions.sh renamed: bin/hardening/12.3_etc_group_permissions.sh -> bin/hardening/6.1.4_etc_group_permissions.sh deleted: tests/hardening/12.1_etc_passwd_permissions.sh deleted: tests/hardening/12.2_etc_shadow_permissions.sh deleted: tests/hardening/12.3_etc_group_permissions.sh renamed: tests/hardening/12.7_find_world_writable_file.sh -> tests/hardening/6.1.10_find_world_writable_file.sh renamed: tests/hardening/12.8_find_unowned_files.sh -> tests/hardening/6.1.11_find_unowned_files.sh renamed: tests/hardening/12.9_find_ungrouped_files.sh -> tests/hardening/6.1.12_find_ungrouped_files.sh renamed: tests/hardening/12.10_find_suid_files.sh -> tests/hardening/6.1.13_find_suid_files.sh renamed: tests/hardening/12.11_find_sgid_files.sh -> tests/hardening/6.1.14_find_sgid_files.sh renamed: tests/hardening/12.6_etc_group_ownership.sh -> tests/hardening/6.1.2_etc_passwd_permissions.sh renamed: tests/hardening/12.5_etc_shadow_ownership.sh -> tests/hardening/6.1.3_etc_shadow_permissions.sh renamed: tests/hardening/12.4_etc_passwd_ownership.sh -> tests/hardening/6.1.4_etc_group_permissions.sh 2019-09-12 16:44:45 +02:00			`# 6.1.14 Audit SGID executables (Not Scored)`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

FIX: sed that was too greedy Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do" that lead to misinterpreting result Change algorithm to avoid partial sed in the result list Now the not compliant list is built out of the find results instead of items being removed from them. Allow better control of grep inside this list. Chore: apply shellcheck recommendations 2019-01-02 13:02:02 +01:00			`# shellcheck disable=2034`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=2`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`DESCRIPTION="Find SGID system executables."`
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths consider exclusions in apply() functions 2020-03-31 14:22:24 +02:00			`IGNORED_PATH=''`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`# This function will be called if the script status is on enabled / audit mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`audit() {`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`info "Checking if there are sgid files"`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`FS_NAMES=$(df --local -P \| awk '{ if (NR!=1) print $6 }')`
FIX: quotes in find command, misinterpreted shellcheck advice 2019-01-23 16:55:48 +01:00			`# shellcheck disable=2086`
IMP(shellcheck): replace ! -z by -n (SC2236) 2020-12-04 15:14:18 +01:00			`if [ -n "$IGNORED_PATH" ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -regextype 'egrep' ! -regex "$IGNORED_PATH" -print)`
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths consider exclusions in apply() functions 2020-03-31 14:22:24 +02:00			`else`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -type f -perm -2000 -print)`
IMP(12.8,12.9,12.10,12.11): be able to exclude some paths consider exclusions in apply() functions 2020-03-31 14:22:24 +02:00			`fi`
FIX: sed that was too greedy Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do" that lead to misinterpreting result Change algorithm to avoid partial sed in the result list Now the not compliant list is built out of the find results instead of items being removed from them. Allow better control of grep inside this list. Chore: apply shellcheck recommendations 2019-01-02 13:02:02 +01:00			`BAD_BINARIES=""`
			`for BINARY in $FOUND_BINARIES; do`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`debug "$BINARY is confirmed as an exception"`
FIX: sed that was too greedy Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do" that lead to misinterpreting result Change algorithm to avoid partial sed in the result list Now the not compliant list is built out of the find results instead of items being removed from them. Allow better control of grep inside this list. Chore: apply shellcheck recommendations 2019-01-02 13:02:02 +01:00			`else`
			`BAD_BINARIES="$BAD_BINARIES $BINARY"`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`fi`
			`done`
IMP(shellcheck): replace ! -z by -n (SC2236) 2020-12-04 15:14:18 +01:00			`if [ -n "$BAD_BINARIES" ]; then`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`crit "Some sgid files are present"`
IMP(shellcheck): disable sed replacement (SC2001) Shellcheck recommands to replace sed by shell expansions in 'simple' cases. However, the replacement here is likely to lead to erros, so we disable this rule. Moreover, it does'nt really add readability. 2020-12-10 08:34:57 +01:00			`# shellcheck disable=SC2001`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" \| sort \| uniq \| tr '\n' ' ')`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`crit "$FORMATTED_RESULT"`
			`else`
			`ok "No unknown sgid files found"`
			`fi`
			`}`

			`# This function will be called if the script status is on enabled mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`apply() {`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`info "Removing sgid on valid binary may seriously harm your system, report only here"`
			`}`

add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`# This function will create the config file for this check with default values`
			`create_config() {`
			`cat <<EOF`
Change default status to audit for file with custom `create_config` 2019-02-14 14:33:21 +01:00			`status=audit`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`# Put here valid binaries with sgid enabled separated by spaces`
FIX: add /usr/bin/* path for suid/guid allowed binaries Debian is still migrating /bin to /usr/bin so I added both path to the allowed ones * mount * umount * ping * ping6 * unix_chkpwd 2019-01-02 17:03:29 +01:00			`EXCEPTIONS="/sbin/unix_chkpwd /usr/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`EOF`
			`}`

12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00			`# This function will check config parameters required`
			`check_config() {`
			`if [ -z "$EXCEPTIONS" ]; then`
			`EXCEPTIONS="@"`
			`fi`
			`}`

			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`# shellcheck source=../../debian/default`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`exit 128`
			`fi`
12.11_find_sgid_files.sh 2016-04-16 12:57:24 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck source=../../lib/main.sh`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`. "$CIS_ROOT_DIR"/lib/main.sh`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`