From 353cf844130b6acce9ff3be618319dd6d33510db Mon Sep 17 00:00:00 2001 From: chr0mag Date: Thu, 28 Feb 2019 01:15:57 -0800 Subject: [PATCH] [AUTH-9252] Sudo configuration file/folder check improvements (#637) * [AUTH-9252] Adds support for files in sudoers.d This commit adds permission checks for files found in 'sudoers.d'. Previously only the main 'sudoers' file is checked. Fixes #600. * [AUTH-9252] Check drop-in directory permissions The test case currently only checks file permissions. This adds logic to check the drop-in directory permissions as well. * [AUTH-9252] Check file/folder ownership This test currently only checks file/directory permissions. This commit adds checks to ensure sudo configuration files/folders are owned with UID=0 and GID=0. --- include/tests_authentication | 39 +++++++++++++++++++++++++++--------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 69a357a9..c4f62b64 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -483,20 +483,39 @@ ################################################################################# # # Test : AUTH-9252 - # Description : Check for sudoers file permissions + # Description : Check ownership and permissions for sudo configuration files if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file" + Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions" - FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10) - LogText "Result: Found file permissions: ${FIND}" - if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then - LogText "Result: file ${SUDOERS_FILE} has correct permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN + SUDO_CONFIG_FILES="${SUDOERS_FILE}" + SUDOERS_D="${SUDOERS_FILE}.d" + if [ -d "${SUDOERS_D}" ]; then + LogText "Test: checking drop-in directory (${SUDOERS_D})" + FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10) + FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}') + LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}" + if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then + LogText "Result: directory ${SUDOERS_D} permissions/ownership OK" + Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: directory has possibly unsafe permissions/ownership" + Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED + fi + SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" + fi + for f in ${SUDO_CONFIG_FILES}; do + LogText "Test: checking file (${f})" + FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10) + FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}') + LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}" + if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then + LogText "Result: file ${f} permissions/ownerhsip OK" + Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN else - LogText "Result: file has possibly unsafe file permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED + LogText "Result: file has possibly unsafe permissions/ownership" + Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED fi + done fi # #################################################################################