fix: timeout of 99.1.3 (#168)

The 99.1.3_acc_sudoers_no_all.sh script can sometimes timeout
on servers where /etc/sudoers.d/ has thousands of files.
This patch makes it run roughly 5x faster, as tested on a
server with 1500 files in sudoers.d/.

Closes #167.

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

Signed-off-by: Stephane Lesimple <stephane.lesimple@corp.ovh.com>

bin/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -19,13 +19,32 @@ DESCRIPTION="Checks there are no carte-blanche authorization in sudoers file(s).
 
 FILE="/etc/sudoers"
 DIRECTORY="/etc/sudoers.d"
-# spaces will be expanded to [:space:]* when using the regex
+# spaces will be expanded to [[:space:]]* when using the regex
 # improves readability in audit report
 REGEX="ALL = \( ALL( : ALL)? \)( NOPASSWD:)? ALL"
 EXCEPT=""
+MAX_FILES_TO_LOG=0
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
+    # expand spaces to [[:space:]]*
+    # shellcheck disable=2001
+    REGEX="$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')"
+
+    local skiplog
+    skiplog=0
+    if [ $MAX_FILES_TO_LOG != 0 ]; then
+        # if we have more than $MAX_FILES_TO_LOG files in $DIRECTORY, we'll reduce
+        # logging in the loop, to avoid flooding the logs and getting timed out
+        local nbfiles
+        # shellcheck disable=2012 # (find is too slow and calls fstatat() for each file)
+        nbfiles=$(ls -f "$DIRECTORY" | wc -l)
+        if [ "$nbfiles" -gt "$MAX_FILES_TO_LOG" ]; then
+            skiplog=1
+            info "Found $nbfiles files in $DIRECTORY (> $MAX_FILES_TO_LOG), we won't log every file we check"
+        fi
+    fi
+
     FILES=""
     if $SUDO_CMD [ ! -r "$FILE" ]; then
         crit "$FILE is not readable"
@@ -43,12 +62,12 @@ audit() {
         if $SUDO_CMD [ ! -r "$file" ]; then
             crit "$file is not readable"
         else
-            # shellcheck disable=2001
-            if ! $SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" &>/dev/null; then
-                ok "There is no carte-blanche sudo permission in $file"
+            if ! $SUDO_CMD grep -E "$REGEX" "$file" &>/dev/null; then
+                if [ $skiplog = 0 ]; then
+                    ok "There is no carte-blanche sudo permission in $file"
+                fi
             else
-                # shellcheck disable=2001
-                RET=$($SUDO_CMD grep -E "$(echo "$REGEX" | sed 's/ /[[:space:]]*/g')" "$file" | sed 's/\t/#/g;s/ /#/g')
+                RET=$($SUDO_CMD grep -E "$REGEX" "$file" | sed 's/\t/#/g;s/ /#/g')
                 for line in $RET; do
                     if grep -q "$(echo "$line" | cut -d '#' -f 1)" <<<"$EXCEPT"; then
                         # shellcheck disable=2001
@@ -73,8 +92,16 @@ apply() {
 create_config() {
     cat <<EOF
 status=audit
+
 # Put EXCEPTION account names here, space separated
 EXCEPT="root %root %sudo %wheel"
+
+# If we find more than this amount of files in sudoers.d/,
+# we'll reduce the logging in the loop to avoid getting
+# timed out because we spend too much time logging.
+# Using 0 disables this feature and will never reduce the
+# logging, regardless of the number of files.
+MAX_FILES_TO_LOG=0
 EOF
 }
 # This function will check config parameters required

tests/hardening/99.1.3_acc_sudoers_no_all.sh

@@ -28,6 +28,19 @@ test_audit() {
     register_test contain "[ OK ] jeantestuser ALL = (ALL) NOPASSWD:ALL is present in /etc/sudoers.d/jeantestuser but was EXCUSED because jeantestuser is part of exceptions"
     run userexcept /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    # testing the MAX_FILES_TO_LOG config option
+    echo 'MAX_FILES_TO_LOG=1' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Testing with MAX_FILES_TO_LOG=1
+    register_test retvalshouldbe 0
+    register_test contain "won't log every file we check"
+    run maxlogfiles_1 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+    echo 'MAX_FILES_TO_LOG=9999' >>/opt/debian-cis/etc/conf.d/"${script}".cfg
+    describe Testing with MAX_FILES_TO_LOG=9999
+    register_test retvalshouldbe 0
+    register_test contain "There is no carte-blanche sudo permission in"
+    run maxlogfiles_9999 /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     rm -f /etc/sudoers.d/jeantestuser
     userdel jeantestuser
 }