From 001323f4481e5e996bb6d823c8b5c6760f47e4fe Mon Sep 17 00:00:00 2001
From: Charles Herlin
Date: Wed, 2 Jan 2019 13:02:02 +0100
Subject: [PATCH] FIX: sed that was too greedy

Used to sed 's!/usr/bin/su!!' /usr/bin/sudo leaving only "do" that lead to misinterpreting result
Change algorithm to avoid partial sed in the result list
Now the not compliant list is built out of the find results instead of items being removed from them. Allow better control of grep inside this list.
Chore: apply shellcheck recommendations
---
 bin/hardening/12.10_find_suid_files.sh | 20 ++++++++++++--------
 bin/hardening/12.11_find_sgid_files.sh | 20 ++++++++++++--------
 2 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh
index 08ce6e7..a817939 100755
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@@ -11,22 +11,25 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SUID system executables."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are suid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -4000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
+    FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -4000 -print)
+    BAD_BINARIES=""
+    for BINARY in $FOUND_BINARIES; do
+        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
             debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
+        else
+            BAD_BINARIES="$BAD_BINARIES $BINARY"
         fi
     done
-    if [ ! -z "$RESULT" ]; then
+    if [ ! -z "$BAD_BINARIES" ]; then
         crit "Some suid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
         ok "No unknown suid files found"
@@ -64,8 +67,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh
index 46f073d..4400a3b 100755
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
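Review bot: Quoting `"$SUDO_CMD"` in the FOUND_BINARIES pipeline turns the whole variable into a single argv word for xargs, which breaks the two likely shapes of that variable: an empty value (presumably when the script already runs as root) becomes an empty command name, and a value carrying options such as `sudo -n` is looked up as one command literally named `sudo -n`. The previous unquoted form depended on word splitting for exactly that, so this shellcheck fix is a behaviour change rather than a cleanup, and under `set -e` a failing xargs aborts audit before any crit/ok line is printed. Unless SUDO_CMD is guaranteed to be a single bare word, keep the expansion unquoted and document the intent on the line before it: `# shellcheck disable=SC2086 # SUDO_CMD is intentionally empty or multi-word`. The corresponding hunk in 12.11_find_sgid_files.sh has the same issue. The audit function continues past the end of the hunk.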
@@ -11,22 +11,25 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
 
+# shellcheck disable=2034
 HARDENING_LEVEL=2
 DESCRIPTION="Find SGID system executables."
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     info "Checking if there are sgid files"
-    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -2000 -print)
-    for BINARY in $RESULT; do
-        if grep -q $BINARY <<< "$EXCEPTIONS"; then
+    FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -2000 -print)
+    BAD_BINARIES=""
+    for BINARY in $FOUND_BINARIES; do
+        if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
             debug "$BINARY is confirmed as an exception"
-            RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
+        else
+            BAD_BINARIES="$BAD_BINARIES $BINARY"
         fi
     done
-    if [ ! -z "$RESULT" ]; then
+    if [ ! -z "$BAD_BINARIES" ]; then
         crit "Some sgid files are present"
-        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+        FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ')
         crit "$FORMATTED_RESULT"
     else
         ok "No unknown sgid files found"
@@ -65,8 +68,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
 fi
 
 # Main function, will call the proper functions given the configuration (audit, enabled, disabled)
-if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
-    . $CIS_ROOT_DIR/lib/main.sh
+if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
+    # shellcheck source=/opt/debian-cis/lib/main.sh
+    . "$CIS_ROOT_DIR"/lib/main.sh
 else
     echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
     exit 128
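Review bot: `grep -qw "$BINARY" <<< "$EXCEPTIONS"` still interprets the found path as a regular expression and `-w` only requires a non-word character on each side of the match, so `/usr/bin/su` is still accepted as an exception when EXCEPTIONS contains `/usr/bin/su.bak`, and a `.` in a path matches any character of an exception entry; the commit fixes the `sudo` prefix case but not the general one. If EXCEPTIONS is whitespace-separated (the grep-over-text usage suggests so, but its format is not visible here), a literal token comparison such as `if [[ " $EXCEPTIONS " == *" $BINARY "* ]]; then` removes both the regex and the partial-match cases; otherwise `grep -qxF -- "$BINARY"` over a one-entry-per-line list does the same. Note also that `for BINARY in $FOUND_BINARIES` splits find's output on whitespace, so a setgid path containing a space is checked and reported as fragments; `find ... -print0` read by a `while IFS= read -r -d '' BINARY` loop keeps each path intact. The same applies to the corresponding hunk in 12.10_find_suid_files.sh, and the audit function continues beyond the end of the hunk.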