elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-02 23:39:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

FEAT: Add sudo_wrapper to catch unauthorized sudo commands

Browse Source 
As for now, if a sudo command was not allowed, check might sometimes
pass, resulting compliant state even if it actually is not.
Sudo wrapper first checks wether command is allowed before running it,
otherwise issues a crit message, setting check as not compliant

Fix script to make sudo_wrapper work, split "find" lines
Fix quotes in $@ and $* when running sudo command

Fixed quotes and curly braces with shellcheck report
This commit is contained in:
Charles Herlin
2018-03-16 12:06:56 +01:00
parent 70cb310c54
commit ec6b79e3c7
8 changed files with 28 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
bin/hardening/12.11_find_sgid_files.sh
View File

@ -18,7 +18,8 @@ DESCRIPTION="Find SGID system executables."
# This function will be called if the script status is on enabled / audit mode
audit () {
info "Checking if there are sgid files"
FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -2000 -print)
FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -2000 -print)
BAD_BINARIES=""
for BINARY in $FOUND_BINARIES; do
if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then