tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Change variable name to better indicate what it does

This commit is contained in:
Michael Boelen 2019-07-03 15:07:46 +02:00
parent bc88775d0e
commit 2e1ec2c32f
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
2 changed files with 79 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
include/functions
View File

@ -2544,74 +2544,96 @@
################################################################################ ################################################################################
# Name : SafePerms() # Name : SafePerms()
# Return : 0 (file OK) or break # Description :
# Returns : 0 (file permissions OK) or break
################################################################################ ################################################################################
SafePerms() { SafePerms() {
if [ ${WARN_ON_FILE_ISSUES} -eq 1 ]; then exitcode=1
IS_PARAMETERS=0
IS_PROFILE=0
if [ ${IGNORE_FILE_PERMISSION_ISSUES} -eq 0 ]; then
PERMS_OK=0 PERMS_OK=0
LogText "Checking permissions of $1" LogText "Checking permissions of $1"
if [ $# -eq 1 ]; then
IS_PARAMETERS_FILE=$(echo $1 | grep "/parameters") if [ $# -gt 0 ]; then
if [ $# -eq 2 ]; then
case "$2" in
"parameters")
IS_PARAMETERS=1
;;
"profile")
IS_PROFILE=1
;;
esac
else
FIND=$(echo $1 | grep "/parameters")
if [ $? -eq 0 ]; then IS_PARAMETERS=1; fi
fi
# Check file permissions # Check file permissions
if [ ! -f "$1" ]; then if [ ! -f "$1" ]; then
LogText "Fatal error: file $1 does not exist. Quitting." LogText "Fatal error: file $1 does not exist. Quitting."
echo "Fatal error: file $1 does not exist" echo "Fatal error: file $1 does not exist"
ExitFatal ExitFatal
else else
PERMS=$(ls -l $1) PERMS=$(ls -l $1)
# Owner permissions
OWNER=$(echo ${PERMS} | awk -F" " '{ print $3 }')
OWNERID=$(ls -n $1 | awk -F" " '{ print $3 }')
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
ExitFatal
fi
fi
# Group permissions
GROUP=$(echo ${PERMS} | awk -F" " '{ print $4 }')
GROUPID=$(ls -n $1 | awk -F" " '{ print $4 }')
if [ ${PENTESTINGMODE} -eq 0 -a "${IS_PARAMETERS_FILE}" = "" ]; then # Owner permissions
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then OWNER=$(echo ${PERMS} | awk -F" " '{ print $3 }')
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})." OWNERID=$(ls -n $1 | awk -F" " '{ print $3 }')
ExitFatal if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
fi if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
fi echo "Fatal error: file $1 should be owned by user 'root' when running it as root (found: ${OWNER})."
ExitFatal
fi
fi
# Group permissions
GROUP=$(echo ${PERMS} | awk -F" " '{ print $4 }')
GROUPID=$(ls -n $1 | awk -F" " '{ print $4 }')
# Owner permissions if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
OWNER_PERMS=$(echo ${PERMS} | cut -c2-4) if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1" ExitFatal
ExitFatal fi
fi fi
# Owner permissions # Owner permissions
GROUP_PERMS=$(echo ${PERMS} | cut -c5-7) OWNER_PERMS=$(echo ${PERMS} | cut -c2-4)
if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1"
ExitFatal ExitFatal
fi fi
# Other permissions # Owner permissions
OTHER_PERMS=$(echo ${PERMS} | cut -c8-10) GROUP_PERMS=$(echo ${PERMS} | cut -c5-7)
if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1" echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1"
ExitFatal ExitFatal
fi fi
# Set PERMS_OK to 1 if no fatal errors occurred
PERMS_OK=1 # Other permissions
LogText "File permissions are OK" OTHER_PERMS=$(echo ${PERMS} | cut -c8-10)
return 0 if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then
fi echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1"
ExitFatal
fi
# Set PERMS_OK to 1 if no fatal errors occurred
PERMS_OK=1
LogText "File permissions are OK"
exitcode=0
fi
else else
ReportException "SafePerms()" "Invalid number of arguments for function" ReportException "SafePerms()" "Invalid number of arguments for function"
fi fi
else else
PERMS_OK=1 PERMS_OK=1
return 0 exitcode=0
fi fi
return ${exitcode}
} }

13
lynis
View File

@ -24,7 +24,9 @@
# #
# Code quality: don't allow using undefined variables # Code quality: don't allow using undefined variables
set -o nounset set -o nounset
#
#################################################################################
#
# In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is. # In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is.
# Switch to /usr/xpg4/bin/sh if it exists and we are not already running it. # Switch to /usr/xpg4/bin/sh if it exists and we are not already running it.
test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@" test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@"
@ -137,8 +139,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
################################################################################# #################################################################################
# #
# Perform a basic check for permissions. After including functions, using SafePerms() # Perform a basic check for permissions. After including functions, using SafePerms()
WARN_ON_FILE_ISSUES=1 IGNORE_FILE_PERMISSION_ISSUES=0
WARN_ON_FILE_ISSUES_ASKED=0
FILES_TO_CHECK="consts functions" FILES_TO_CHECK="consts functions"
@ -190,14 +191,10 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system" printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
fi fi
printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]" printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]"
WARN_ON_FILE_ISSUES_ASKED=1 IGNORE_FILE_PERMISSION_ISSUES=1
read DUMMY read DUMMY
fi fi
if [ ${WARN_ON_FILE_ISSUES_ASKED} -eq 1 ]; then
WARN_ON_FILE_ISSUES=0
fi
# Now include files if permissions are correct, or user decided to continue # Now include files if permissions are correct, or user decided to continue
. ${INCLUDEDIR}/consts . ${INCLUDEDIR}/consts
. ${INCLUDEDIR}/functions . ${INCLUDEDIR}/functions