[AUTH-9252] Sudo configuration file/folder check improvements (#637)

* [AUTH-9252] Adds support for files in sudoers.d

This commit adds permission checks for files found in 'sudoers.d'.
Previously only the main 'sudoers' file is checked. Fixes #600.

* [AUTH-9252] Check drop-in directory permissions

The test case currently only checks file permissions. This adds
logic to check the drop-in directory permissions as well.

* [AUTH-9252] Check file/folder ownership

This test currently only checks file/directory permissions. This
commit adds checks to ensure sudo configuration files/folders are
owned with UID=0 and GID=0.

include/tests_authentication

@@ -483,20 +483,39 @@
 #################################################################################
 #
     # Test        : AUTH-9252
-    # Description : Check for sudoers file permissions
+    # Description : Check ownership and permissions for sudo configuration files
     if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-    Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
+    Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
     if [ ${SKIPTEST} -eq 0 ]; then
-        LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
-        FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
-        LogText "Result: Found file permissions: ${FIND}"
-        if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
-            LogText "Result: file ${SUDOERS_FILE} has correct permissions"
-            Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
+      SUDO_CONFIG_FILES="${SUDOERS_FILE}"
+      SUDOERS_D="${SUDOERS_FILE}.d"
+      if [ -d "${SUDOERS_D}" ]; then
+	LogText "Test: checking drop-in directory (${SUDOERS_D})"
+	FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
+	FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
+	LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}"
+	if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then
+	  LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
+	  Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
+	else
+	  LogText "Result: directory has possibly unsafe permissions/ownership"
+          Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
+	fi
+	SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
+      fi
+      for f in ${SUDO_CONFIG_FILES}; do
+        LogText "Test: checking file (${f})"
+        FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
+	FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
+        LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}"
+        if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then
+            LogText "Result: file ${f} permissions/ownerhsip OK"
+	    Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
         else
-            LogText "Result: file has possibly unsafe file permissions"
-            Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
+            LogText "Result: file has possibly unsafe permissions/ownership"
+	    Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
         fi
+      done
     fi
 #
 #################################################################################