FEAT: Add sudo_wrapper to catch unauthorized sudo commands
As for now, if a sudo command was not allowed, the check might sometimes pass, resulting in a compliant state even if it actually is not. The sudo wrapper first checks whether the command is allowed before running it; otherwise it issues a crit message, setting the check as not compliant. Fix script to make sudo_wrapper work, split "find" lines. Fix quotes in $@ and $* when running the sudo command. Fixed quotes and curly braces following the shellcheck report.
@ -90,3 +90,18 @@ info () {
|
||||
debug () {
|
||||
if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# sudo wrapper
|
||||
# issue crit state if not allowed to perform sudo
|
||||
# for the specified command
|
||||
#
|
||||
sudo_wrapper() {
|
||||
if sudo -l "$@" >/dev/null 2>&1 ; then
|
||||
sudo -n "$@"
|
||||
else
|
||||
crit "Not allowed to \"sudo -n $*\" "
|
||||
fi
|
||||
}
|
||||
|
||||
|
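Review bot: The permission probe `if sudo -l "$@" >/dev/null 2>&1 ; then` runs without `-n`, so where sudoers requires a password the probe can block on a tty prompt instead of failing, while the real invocation on the next line is non-interactive; make both consistent with `if sudo -n -l "$@" >/dev/null 2>&1; then`. In the else branch the function returns crit's status rather than a failure, so a caller that tests `$SUDO_CMD cmd` or consumes its empty output has nothing but the log line to tell "denied" from "ran and printed nothing"; a `return 1` after the crit call would make that distinction explicit. There is also a small window between the `-l` probe and the actual run during which sudoers may change, which is acceptable for an audit tool but worth stating in the header comment, e.g. `# note: permission is probed with sudo -l first; on denial a crit is logged and the command is not run`. The header comment could also state the argument contract, e.g. `# Arguments: the command and its arguments, passed through verbatim to sudo`.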
@ -33,7 +33,7 @@ while [[ $# > 0 ]]; do
|
||||
fi
|
||||
;;
|
||||
--sudo)
|
||||
SUDO_CMD="sudo -n"
|
||||
SUDO_CMD="sudo_wrapper"
|
||||
;;
|
||||
--batch)
|
||||
debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."
|
||||
|
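Review bot: `SUDO_CMD="sudo_wrapper"` now names a shell function rather than an executable, so it only works where `$SUDO_CMD` is expanded as a command word in the same shell that defined the function; any call site that hands `$SUDO_CMD` to another process (for example `find -exec`, `xargs` or `sh -c`) would fail with command-not-found instead of producing a crit, and the define-before-use order between this option parser and the library that defines sudo_wrapper cannot be confirmed from this hunk. A comment on the assignment stating that contract would help, e.g. `# sudo_wrapper is a shell function defined in the sourced library; invoke it as $SUDO_CMD in this shell, never pass it to a child process`. The enclosing `while [[ $# > 0 ]]` loop starts and ends outside the hunk.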