FEAT: Add sudo_wrapper to catch unauthorized sudo commands

As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
This commit is contained in:
Charles Herlin 2018-03-16 12:06:56 +01:00
parent 176fb96fa4
commit 71b70a2b8c
8 changed files with 28 additions and 7 deletions

View File

@ -18,7 +18,8 @@ DESCRIPTION="Find SUID system executables."
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are suid files"
FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -4000 -print)
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -4000 -print)
BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then

View File

@ -18,7 +18,8 @@ DESCRIPTION="Find SGID system executables."
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are sgid files"
FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -2000 -print)
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -2000 -print)
BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then

View File

@ -17,7 +17,8 @@ DESCRIPTION="Find world writable files."
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are world writable files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

View File

@ -19,7 +19,8 @@ USER='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are unowned files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null)
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some unowned files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

View File

@ -19,7 +19,8 @@ GROUP='root'
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are ungrouped files"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null)
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some ungrouped files are present"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

View File

@ -17,7 +17,8 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if setuid is set on world writable Directories"
RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
if [ ! -z "$RESULT" ]; then
crit "Some world writable directories are not on sticky bit mode!"
FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')

View File

@ -90,3 +90,18 @@ info () {
debug () {
if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
}
#
# sudo wrapper
# issue crit state if not allowed to perform sudo
# for the specified command
#
sudo_wrapper() {
if sudo -l "$@" >/dev/null 2>&1 ; then
sudo -n "$@"
else
crit "Not allowed to \"sudo -n $*\" "
fi
}

View File

@ -33,7 +33,7 @@ while [[ $# > 0 ]]; do
fi
;;
--sudo)
SUDO_CMD="sudo -n"
SUDO_CMD="sudo_wrapper"
;;
--batch)
debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."