[AUTH-9252] Sudo configuration file/folder check improvements (#637)

* [AUTH-9252] Adds support for files in sudoers.d

This commit adds permission checks for files found in 'sudoers.d'.
Previously only the main 'sudoers' file is checked. Fixes #600.

* [AUTH-9252] Check drop-in directory permissions

The test case currently only checks file permissions. This adds
logic to check the drop-in directory permissions as well.

* [AUTH-9252] Check file/folder ownership

This test currently only checks file/directory permissions. This
commit adds checks to ensure sudo configuration files/folders are
owned with UID=0 and GID=0.
This commit is contained in:
chr0mag 2019-02-28 01:15:57 -08:00 committed by Michael Boelen
parent 76ec39176a
commit 353cf84413
1 changed files with 29 additions and 10 deletions

View File

@ -483,20 +483,39 @@
#################################################################################
#
# Test : AUTH-9252
# Description : Check for sudoers file permissions
# Description : Check ownership and permissions for sudo configuration files
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
LogText "Result: file ${SUDOERS_FILE} has correct permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
SUDOERS_D="${SUDOERS_FILE}.d"
if [ -d "${SUDOERS_D}" ]; then
LogText "Test: checking drop-in directory (${SUDOERS_D})"
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}"
if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
LogText "Result: directory has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
fi
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
fi
for f in ${SUDO_CONFIG_FILES}; do
LogText "Test: checking file (${f})"
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then
LogText "Result: file ${f} permissions/ownerhsip OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
done
fi
#
#################################################################################