#!/bin/bash # # CIS Debian 7/8 Hardening # # # 12.10 Find SUID System Executables (Not Scored) # set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 HARDENING_LEVEL=2 DESCRIPTION="Find SUID system executables." # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if there are suid files" FOUND_BINARIES=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' "$SUDO_CMD" find '{}' -xdev -type f -perm -4000 -print) BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do if grep -qw "$BINARY" <<< "$EXCEPTIONS"; then debug "$BINARY is confirmed as an exception" else BAD_BINARIES="$BAD_BINARIES $BINARY" fi done if [ ! -z "$BAD_BINARIES" ]; then crit "Some suid files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< "$BAD_BINARIES" | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No unknown suid files found" fi } # This function will be called if the script status is on enabled mode apply () { info "Removing suid on valid binary may seriously harm your system, report only here" } # This function will create the config file for this check with default values create_config() { cat <