#!/bin/bash # run-shellcheck # # CIS Debian Hardening # # # 6.1.14 Audit SGID executables (Not Scored) # set -e # One error, it's over set -u # One variable unset, it's over # shellcheck disable=2034 HARDENING_LEVEL=2 # shellcheck disable=2034 DESCRIPTION="Find SGID system executables." IGNORED_PATH='' # This function will be called if the script status is on enabled / audit mode audit() { info "Checking if there are sgid files" if [ -n "$IGNORED_PATH" ]; then # maybe IGNORED_PATH allow us to filter out some FS FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}' | grep -vE "$IGNORED_PATH") # shellcheck disable=2086 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -regextype 'egrep' ! -regex $IGNORED_PATH -print) else FS_NAMES=$(df --local -P | awk '{if (NR!=1) print $6}') # shellcheck disable=2086 FOUND_BINARIES=$($SUDO_CMD find $FS_NAMES -xdev -ignore_readdir_race -type f -perm -2000 -print) fi BAD_BINARIES="" for BINARY in $FOUND_BINARIES; do if grep -qw "$BINARY" <<<"$EXCEPTIONS"; then debug "$BINARY is confirmed as an exception" else BAD_BINARIES="$BAD_BINARIES $BINARY" fi done if [ -n "$BAD_BINARIES" ]; then crit "Some sgid files are present" # shellcheck disable=SC2001 FORMATTED_RESULT=$(sed "s/ /\n/g" <<<"$BAD_BINARIES" | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else ok "No unknown sgid files found" fi } # This function will be called if the script status is on enabled mode apply() { info "Removing sgid on valid binary may seriously harm your system, report only here" } # This function will create the config file for this check with default values create_config() { cat <