diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh
index a817939..358cbe0 100755
--- a/bin/hardening/12.10_find_suid_files.sh
+++ b/bin/hardening/12.10_find_suid_files.sh
@@ -18,7 +18,8 @@ DESCRIPTION="Find SUID system executables."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are suid files"
- FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -4000 -print)
+ FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
+ FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -4000 -print)
 BAD_BINARIES=""
 for BINARY in $FOUND_BINARIES; do
 if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh
index 4400a3b..c9b2802 100755
--- a/bin/hardening/12.11_find_sgid_files.sh
+++ b/bin/hardening/12.11_find_sgid_files.sh
@@ -18,7 +18,8 @@ DESCRIPTION="Find SGID system executables."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are sgid files"
- FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -2000 -print)
+ FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
+ FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -2000 -print)
 BAD_BINARIES=""
 for BINARY in $FOUND_BINARIES; do
 if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/12.7_find_world_writable_file.sh
index 8819baf..2492c4a 100755
--- a/bin/hardening/12.7_find_world_writable_file.sh
+++ b/bin/hardening/12.7_find_world_writable_file.sh
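Review bot: `find "$FS_NAMES"` on the new FOUND_BINARIES line hands every mount point printed by `df` to `find` as one newline-joined argument, so on any host with more than one local filesystem `find` is given a path that does not exist, reports "No such file or directory", and FOUND_BINARIES stays empty — the SUID audit then reports a clean system instead of listing the binaries. The replaced `xargs -I '{}'` form ran one `find` per mount point; 12.11_find_sgid_files.sh in this commit has the identical problem. Reading the mount points into an array keeps one argument per filesystem: `mapfile -t fs_names < <(df --local -P | awk 'NR!=1 {print $6}')` followed by `FOUND_BINARIES=$($SUDO_CMD find "${fs_names[@]}" -xdev -type f -perm -4000 -print)`. Nothing checks the exit status of the substitution, so the failure only shows up as a stray stderr line; audit() continues past the end of the hunk.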
@@ -17,7 +17,8 @@ DESCRIPTION="Find world writable files."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are world writable files"
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+ FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+ RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some world writable files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh
index 75397a5..a36886b 100755
--- a/bin/hardening/12.8_find_unowned_files.sh
+++ b/bin/hardening/12.8_find_unowned_files.sh
@@ -19,7 +19,8 @@ USER='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are unowned files"
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null)
+ FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+ RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some unowned files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh
index 42f6406..e637186 100755
--- a/bin/hardening/12.9_find_ungrouped_files.sh
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
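Review bot: The unquoted `$FS_NAMES` on the new RESULT line only works through word splitting and pathname expansion of the `df` output: a mount point containing whitespace is split into two non-existent paths, a `*` or `?` in a mount point is globbed, and because stderr goes to `/dev/null` and the exit status is never examined, such a filesystem is silently left out of the audit. 12.8_find_unowned_files.sh, 12.9_find_ungrouped_files.sh and 2.17_sticky_bit_world_writable_folder.sh use the same construct, and all four are inconsistent with 12.10/12.11, which quote the variable. An array gives `find` one argument per mount point without relying on IFS: `mapfile -t fs_names < <(df --local -P | awk 'NR!=1 {print $6}')` and then `RESULT=$($SUDO_CMD find "${fs_names[@]}" -xdev -type f -perm -0002 -print 2>/dev/null)`. audit() continues beyond the end of the hunk.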
@@ -19,7 +19,8 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are ungrouped files"
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null)
+ FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+ RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some ungrouped files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
index dbf6524..90af24a 100755
--- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
@@ -17,7 +17,8 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if setuid is set on world writable Directories"
- RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+ FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+ RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
diff --git a/lib/common.sh b/lib/common.sh
index 35dae91..a38113c 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -90,3 +90,18 @@ info () {
 debug () {
 if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
 }
+
+
#
# sudo wrapper
# issue crit state if not allowed to perform sudo
# for the specified command
#
sudo_wrapper() {
if sudo -l "$@" >/dev/null 2>&1 ; then
sudo -n "$@"
else
crit "Not allowed to \"sudo -n $*\" "
fi
}
+
diff --git a/lib/main.sh b/lib/main.sh
index 5e0b0c4..72cb295 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -33,7 +33,7 @@ while [[ $# > 0 ]]; do
 fi
 ;;
 --sudo)
- SUDO_CMD="sudo -n"
+ SUDO_CMD="sudo_wrapper"
 ;;
 --batch)
 debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
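Review bot: The probe `sudo -l "$@"` in sudo_wrapper runs without `-n`, so whenever the policy needs a password (no NOPASSWD rule, no cached ticket) sudo prompts on the controlling tty instead of failing — with stdout and stderr sent to /dev/null an unattended `--batch` run simply hangs with no visible prompt, and the `crit` branch the wrapper was written for is never reached. `if sudo -n -l "$@" >/dev/null 2>&1 ; then` makes the check fail immediately in that situation, matching the non-interactive `sudo -n "$@"` that follows. The callers in this commit capture the wrapper's stdout with `$( ... )`, so if `crit` writes to stdout rather than stderr or the logger its message would land in FOUND_BINARIES/RESULT and be treated as a finding; `crit` is defined outside this hunk, so confirm where it prints. A short comment on the function stating that it is a shell function and must be called directly, not via xargs, would save the next reader from rediscovering why the audit scripts were rewritten.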
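Review bot: `SUDO_CMD="sudo_wrapper"` now names a shell function rather than an executable, which is why the audit scripts in this commit drop `xargs`; any other script that still hands `$SUDO_CMD` to `xargs`, `find -exec`, `su -c` or another exec'd program will fail with "command not found", because functions are not visible to child processes unless exported with `export -f`. Whether such callers remain cannot be seen from this diff, so a comment at the assignment would make the constraint explicit for anyone adding a new check: `# sudo_wrapper is a shell function (lib/common.sh): call it directly, never through xargs/exec`.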