FEAT: Add sudo_wrapper to catch unauthorized sudo commands
Until now, if a sudo command was not allowed, the check could still pass and report a compliant state even though the system was not actually compliant. The sudo wrapper first checks whether the command is allowed before running it; otherwise it issues a crit message, marking the check as not compliant. Also: fix the check scripts so the sudo wrapper works (split the "find" lines); fix the quoting of $@ and $* when running the sudo command; fix quotes and curly braces reported by shellcheck.
This commit is contained in:
parent
70cb310c54
commit
ec6b79e3c7
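@@ -18,7 +18,8 @@ DESCRIPTION="Find SUID system executables."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are suid files"
-FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -4000 -print)
+FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
+FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -4000 -print)
 BAD_BINARIES=""
 for BINARY in $FOUND_BINARIES; do
 if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then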
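Review bot: The new `FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" ...)` line quotes `$FS_NAMES`, but `df` emits one mount point per line, so on any host with more than one local filesystem `find` receives a single path argument with embedded newlines, fails with "No such file or directory", and the check sees no SUID binaries at all — a false compliant result, which is exactly the failure mode this commit set out to remove. Collect the mount points into an array so each is its own argument and paths containing whitespace still survive: `mapfile -t FS_NAMES < <(df --local -P | awk 'NR!=1 {print $6}')` followed by `FOUND_BINARIES=$($SUDO_CMD find "${FS_NAMES[@]}" -xdev -type f -perm -4000 -print)` (the here-string on the last line already implies bash, so `mapfile` is available). The audit function continues past the end of this hunk.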
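@@ -18,7 +18,8 @@ DESCRIPTION="Find SGID system executables."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are sgid files"
-FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -2000 -print)
+FS_NAMES=$(df --local -P | awk '{ if (NR!=1) print $6 }' )
+FOUND_BINARIES=$( $SUDO_CMD find "$FS_NAMES" -xdev -type f -perm -2000 -print)
 BAD_BINARIES=""
 for BINARY in $FOUND_BINARIES; do
 if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then
</font>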
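Review bot: `find "$FS_NAMES"` on the new `FOUND_BINARIES=` line passes the whole newline-separated `df` output as one argument, so with two or more local mounts `find` fails on a nonexistent path and the SGID check silently reports nothing to flag — a false compliant result rather than a crit. Use an array so each mount point is a separate, still-quoted argument: `mapfile -t FS_NAMES < <(df --local -P | awk 'NR!=1 {print $6}')` and `FOUND_BINARIES=$($SUDO_CMD find "${FS_NAMES[@]}" -xdev -type f -perm -2000 -print)`. Because `find`'s stderr is not redirected here, the failure would at least be visible in an interactive run, but not in batch output. The audit function continues beyond this hunk.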
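@@ -17,7 +17,8 @@ DESCRIPTION="Find world writable files."
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are world writable files"
-RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type f -perm -0002 -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some world writable files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')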
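Review bot: The unquoted `$FS_NAMES` on the new `RESULT=` line relies on word-splitting to turn `df`'s lines into separate `find` arguments, which also subjects each mount point to glob expansion and splits any path containing spaces; a mount point such as `/media/usb disk` would be searched as two nonexistent paths and, with stderr sent to `/dev/null`, contribute nothing — reported as compliant. An array keeps one argument per mount point without either hazard: `mapfile -t FS_NAMES < <(df --local -P | awk 'NR!=1 {print $6}')` and `RESULT=$($SUDO_CMD find "${FS_NAMES[@]}" -xdev -type f -perm -0002 -print 2>/dev/null)`. Note too that the `2>/dev/null` now wraps the `sudo_wrapper` call as well as `find`; if `crit` writes to stderr, the "Not allowed to sudo" message is lost here, so confirm where the logger sends it. The audit function continues beyond this hunk.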
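@@ -19,7 +19,8 @@ USER='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are unowned files"
-RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nouser -print 2>/dev/null)
+FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nouser -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some unowned files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')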
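Review bot: `find $FS_NAMES` on the new `RESULT=` line is unquoted, so mount points are word-split and glob-expanded before reaching `find`; a path with whitespace or a `*` in it is searched incorrectly and, because stderr goes to `/dev/null`, the error is invisible and the check passes. Prefer an array to keep one quoted argument per mount point: `mapfile -t FS_NAMES < <(df --local -P | awk 'NR!=1 {print $6}')` and `RESULT=$($SUDO_CMD find "${FS_NAMES[@]}" -xdev -nouser -print 2>/dev/null)`. The audit function continues beyond this hunk.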
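@@ -19,7 +19,8 @@ GROUP='root'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if there are ungrouped files"
-RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -nogroup -print 2>/dev/null)
+FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some ungrouped files are present"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')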
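Review bot: The new `RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -nogroup ...)` line leaves `$FS_NAMES` unquoted, so mount points containing spaces or glob characters are mangled before `find` sees them, and the trailing `2>/dev/null` hides the resulting errors — the check then reports no ungrouped files for a filesystem it never searched. Replacing the string with an array avoids both problems: `mapfile -t FS_NAMES < <(df --local -P | awk 'NR!=1 {print $6}')` and `RESULT=$($SUDO_CMD find "${FS_NAMES[@]}" -xdev -nogroup -print 2>/dev/null)`. The audit function continues beyond this hunk.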
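@@ -17,7 +17,8 @@ DESCRIPTION="Set sticky bit on world writable directories to prevent users from
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 info "Checking if setuid is set on world writable Directories"
-RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' $SUDO_CMD find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
+FS_NAMES=$(df --local -P | awk {'if (NR!=1) print $6'} )
+RESULT=$( $SUDO_CMD find $FS_NAMES -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)
 if [ ! -z "$RESULT" ]; then
 crit "Some world writable directories are not on sticky bit mode!"
 FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')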
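Review bot: On the new `RESULT=` line `$FS_NAMES` is expanded unquoted, so the mount-point list is word-split and glob-expanded; any mount point with whitespace or shell metacharacters is searched at the wrong path, and with stderr discarded the check reports every world-writable directory as sticky for that filesystem. An array gives `find` one exact argument per mount point: `mapfile -t FS_NAMES < <(df --local -P | awk 'NR!=1 {print $6}')` and `RESULT=$($SUDO_CMD find "${FS_NAMES[@]}" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null)`. The `info` text says "setuid" while the check is about the sticky bit; `info "Checking if the sticky bit is set on world writable directories"` would match the crit message below it. The audit function continues beyond this hunk.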
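@@ -90,3 +90,18 @@ info () {
 debug () {
 if [ $MACHINE_LOG_LEVEL -ge 5 ]; then _logger $GRAY "[DBG ] $*"; fi
 }
+
+
+#
+# sudo wrapper
+# issue crit state if not allowed to perform sudo
+# for the specified command
+#
+sudo_wrapper() {
+if sudo -l "$@" >/dev/null 2>&1 ; then
+sudo -n "$@"
+else
+crit "Not allowed to \"sudo -n $*\" "
+fi
+}
+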
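Review bot: The permission probe `sudo -l "$@"` in `sudo_wrapper` omits `-n`, while the execution line right below uses `sudo -n "$@"`; without `-n`, `sudo -l` may try to authenticate, which blocks on a password prompt when a tty is attached or fails for lack of one, so the wrapper can hang an interactive audit or report a spurious "Not allowed" in a batch run even when the rule is NOPASSWD. Make the probe non-interactive to match the run, `if sudo -n -l "$@" >/dev/null 2>&1; then`, and give the failure branch an explicit status so callers that test the wrapper's exit code see the denial, `crit "Not allowed to \"sudo -n $*\" "; return 1`. Also worth a comment on the function: `sudo -l CMD ARGS` checks the command with exactly those arguments, so the sudoers rule must permit the argument list the checks pass (e.g. `find` with a wildcard), or every check will crit here even though root access is otherwise granted.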
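@@ -33,7 +33,7 @@ while [[ $# > 0 ]]; do
 fi
 ;;
 --sudo)
-SUDO_CMD="sudo -n"
+SUDO_CMD="sudo_wrapper"
 ;;
 --batch)
 debug "Auditing in batch mode, will limit output by setting LOGLEVEL to 'ok'."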
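Review bot: `SUDO_CMD="sudo_wrapper"` now names a shell function rather than an executable, which changes what `$SUDO_CMD` can be used for: it only resolves in a shell that has sourced the library defining `sudo_wrapper`, and it cannot be handed to `xargs`, `find -exec` or any other program that `exec`s its argument — the very form the other hunks in this commit are removing. Any check that still builds a command line that way, or any child process that receives `SUDO_CMD` through the environment without sourcing the lib, will fail with "command not found" and, with stderr often discarded, pass silently. A one-line comment here would prevent that regression: `# shell function from the shared lib: usable only in-process, not via xargs/-exec`. The option-parsing loop starts and ends outside this hunk.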