From dc952b90dfd4b5bcd143ac527a40372f6fd670e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Thu, 22 Dec 2022 09:47:35 +0100 Subject: [PATCH] fix: timeout of 99.1.3 (#168) The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout on servers where /etc/sudoers.d/ has thousands of files. This patch makes it run roughly 5x faster, as tested on a server with 1500 files in sudoers.d/. Closes #167. Signed-off-by: Stephane Lesimple Signed-off-by: Stephane Lesimple
---
 bin/hardening/99.1.3_acc_sudoers_no_all.sh | 39 +++++++++++++++++---
 tests/hardening/99.1.3_acc_sudoers_no_all.sh | 13 +++++++
 2 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/bin/hardening/99.1.3_acc_sudoers_no_all.sh b/bin/hardening/99.1.3_acc_sudoers_no_all.sh
index d12fb42..5144bcf 100755
--- a/bin/hardening/99.1.3_acc_sudoers_no_all.sh
+++ b/bin/hardening/99.1.3_acc_sudoers_no_all.sh
@@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
 FILE="/etc/sudoers"
 DIRECTORY="/etc/sudoers.d"
-# spaces will be expanded to [:space:]* when using the regex
+# spaces will be expanded to [[:space:]]* when using the regex
 # improves readability in audit report
 REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
 EXCEPT=""
+MAX_FILES_TO_LOG=0
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+ # expand spaces to [[:space:]]*
+ # shellcheck disable=2001
+ REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
+ local skiplog skiplog=0
+ if [ $MAX_FILES_TO_LOG != 0 ]; then
+ # if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
+ # logging in the loop, to avoid flooding the logs and getting timed out
+ local nbfiles
+ # shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
+ nbfiles=$(ls -f "$DIRECTORY" | wc -l)
+ if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
+ skiplog=1
+ info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
+ fi
+ fi
+
 FILES=""
 if $SUDO_CMD [ ! -r "$FILE" ]; then
 crit "$FILE is not readable"
@@ -43,12 +62,12 @@ audit() {
 if $SUDO_CMD [ ! -r "$file" ]; then
 crit "$file is not readable"
 else
- # shellcheck disable=2001
- if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
- ok "There is no carte-blanche sudo permission in $file"
+ if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
+ if [ $skiplog = 0 ]; then
+ ok "There is no carte-blanche sudo permission in $file"
+ fi
 else
- # shellcheck disable=2001
- RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
+ RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
 for line in $RET; do
 if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
 # shellcheck disable=2001
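Review bot: The file count added at `nbfiles=$(ls -f "$DIRECTORY" | wc -l)` runs without `$SUDO_CMD`, unlike the other accesses in audit() (`$SUDO_CMD [ ! -r "$FILE" ]`, `$SUDO_CMD grep`), so if the script runs unprivileged on a host where `/etc/sudoers.d` is not world-listable the pipeline yields 0 (plus an `ls` error on stderr) and the log reduction silently never triggers, which is the very situation `MAX_FILES_TO_LOG` exists for. `ls -f` also counts `.`, `..` and any non-sudoers entries, so the number printed in the `info` line is a loose upper bound rather than the number of files the loop will check; that is acceptable for a threshold but should be said in the comment. Separately, `[ $MAX_FILES_TO_LOG != 0 ]` is unquoted and `-gt` requires an integer, so an empty or non-numeric value coming from the conf.d file (root-controlled, but still user input) aborts the test with a shell error instead of a clear message. `if [ "${MAX_FILES_TO_LOG:-0}" != 0 ]; then` and `nbfiles=$($SUDO_CMD ls -f "$DIRECTORY" 2>/dev/null | wc -l)` would cover both points; audit() continues past the end of this hunk.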
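Review bot: Every file is still scanned twice — once by the `if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null` test and again to fill `RET` when it matches — and with `$SUDO_CMD` set that is two sudo+grep spawns per file, which is the per-file cost this commit is trying to reduce; hoisting the `sed` out of the loop removed two subshells but left these two. Running grep once, keeping its output, and branching on `[ -z "$RET" ]` yields the same paths as today (no match and a grep error both reach the `ok` branch already, since `&>/dev/null` discards the distinction) with half the process spawns. The `for line in $RET` loop and audit() itself start and end outside this hunk, so only the lines inside it are rewritten below.
```shell
            RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
            if [ -z "$RET" ]; then
                if [ $skiplog = 0 ]; then
                    ok "There is no carte-blanche sudo permission in $file"
                fi
            else
                # … unchanged: for line in $RET loop checking each match against $EXCEPT …
```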
@@ -73,8 +92,16 @@ apply() { create_config() { cat <>/opt/debian-cis/etc/conf.d/"${script}".cfg + describe Testing with MAX_FILES_TO_LOG=1 + register_test retvalshouldbe 0 + register_test contain "won't log every file we check" + run maxlogfiles_1 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + + echo 'MAX_FILES_TO_LOG=9999' >>/opt/debian-cis/etc/conf.d/"${script}".cfg + describe Testing with MAX_FILES_TO_LOG=9999 + register_test retvalshouldbe 0 + register_test contain "There is no carte-blanche sudo permission in" + run maxlogfiles_9999 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all + rm -f /etc/sudoers.d/jeantestuser userdel jeantestuser }