From 71b70a2b8cc778a4c13c9dc69a93a1248ef227fe Mon Sep 17 00:00:00 2001 From: Charles Herlin Date: Fri, 16 Mar 2018 12:06:56 +0100 Subject: [PATCH] FEAT: Add sudo_wrapper to catch unauthorized sudo commands As for now, if a sudo command was not allowed, check might sometimes pass, resulting compliant state even if it actually is not. Sudo wrapper first checks wether command is allowed before running it, otherwise issues a crit message, setting check as not compliant Fix script to make sudo_wrapper work, split "find" lines Fix quotes in $@ and $* when running sudo command Fixed quotes and curly braces with shellcheck report --- bin/hardening/12.10_find_suid_files.sh | 3 ++- bin/hardening/12.11_find_sgid_files.sh | 3 ++- bin/hardening/12.7_find_world_writable_file.sh | 3 ++- bin/hardening/12.8_find_unowned_files.sh | 3 ++- bin/hardening/12.9_find_ungrouped_files.sh | 3 ++- .../2.17_sticky_bit_world_writable_folder.sh | 3 ++- lib/common.sh | 15 +++++++++++++++ lib/main.sh | 2 +- 8 files changed, 28 insertions(+), 7 deletions(-) diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh index a817939..358cbe0 100755 --- a/bin/hardening/12.10_find_suid_files.sh +++ b/bin/hardening/12.10_find_suid_files.sh @@ -18,7 +18,8 @@ DESCRIPTION="Find SUID system executables." # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are suid files" - FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -4000 -print) + FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) + FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -4000 -print) BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh index 4400a3b..c9b2802 100755 --- a/bin/hardening/12.11_find_sgid_files.sh +++ b/bin/hardening/12.11_find_sgid_files.sh @@ -18,7 +18,8 @@ DESCRIPTION="Find SGID system executables." # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are sgid files" - FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -2000 -print) + FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' ) + FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -2000 -print) BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/12.7_find_world_writable_file.sh index 8819baf..2492c4a 100755 --- a/bin/hardening/12.7_find_world_writable_file.sh +++ b/bin/hardening/12.7_find_world_writable_file.sh @@ -17,7 +17,8 @@ DESCRIPTION="Find world writable files." # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are world writable files" - RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -0002 -print 2>/dev/null) + FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null) if [ ! -z "$RESULT" ]; then crit "Some world writable files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh index 75397a5..a36886b 100755 --- a/bin/hardening/12.8_find_unowned_files.sh +++ b/bin/hardening/12.8_find_unowned_files.sh @@ -19,7 +19,8 @@ USER='root' # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are unowned files" - RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null) + FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null) if [ ! -z "$RESULT" ]; then crit "Some unowned files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh index 42f6406..e637186 100755 --- a/bin/hardening/12.9_find_ungrouped_files.sh +++ b/bin/hardening/12.9_find_ungrouped_files.sh @@ -19,7 +19,8 @@ GROUP='root' # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are ungrouped files" - RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null) + FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null) if [ ! -z "$RESULT" ]; then crit "Some ungrouped files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh index dbf6524..90af24a 100755 --- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh @@ -17,7 +17,8 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if setuid is set on world writable Directories" - RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) + FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} ) + RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) if [ ! -z "$RESULT" ]; then crit "Some world writable directories are not on sticky bit mode!" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') diff --git a/lib/common.sh b/lib/common.sh index 35dae91..a38113c 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -90,3 +90,18 @@ info () { debug () { if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi } + + +# +# sudo wrapper +# issue crit state if not allowed to perform sudo +# for the specified command +# +sudo_wrapper() { + if sudo -l "$@" >/dev/null 2>&1 ; then + sudo -n "$@" + else + crit "Not allowed to \"sudo -n $*\" " + fi +} + diff --git a/lib/main.sh b/lib/main.sh index 5e0b0c4..72cb295 100644 --- a/lib/main.sh +++ b/lib/main.sh @@ -33,7 +33,7 @@ while [[ $# > 0 ]]; do fi ;; --sudo) - SUDO_CMD="sudo -n" + SUDO_CMD="sudo_wrapper" ;; --batch) debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."