mirror of https://github.com/CISOfy/lynis.git
[AUTH-9252] Sudo configuration file/folder check improvements (#637)
* [AUTH-9252] Adds support for files in sudoers.d This commit adds permission checks for files found in 'sudoers.d'. Previously only the main 'sudoers' file is checked. Fixes #600. * [AUTH-9252] Check drop-in directory permissions The test case currently only checks file permissions. This adds logic to check the drop-in directory permissions as well. * [AUTH-9252] Check file/folder ownership This test currently only checks file/directory permissions. This commit adds checks to ensure sudo configuration files/folders are owned with UID=0 and GID=0.
This commit is contained in:
parent
76ec39176a
commit
353cf84413
|
@ -483,20 +483,39 @@
|
|||
#################################################################################
|
||||
#
|
||||
# Test : AUTH-9252
|
||||
# Description : Check for sudoers file permissions
|
||||
# Description : Check ownership and permissions for sudo configuration files
|
||||
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
|
||||
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
|
||||
FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
|
||||
LogText "Result: Found file permissions: ${FIND}"
|
||||
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
|
||||
LogText "Result: file ${SUDOERS_FILE} has correct permissions"
|
||||
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
|
||||
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
|
||||
SUDOERS_D="${SUDOERS_FILE}.d"
|
||||
if [ -d "${SUDOERS_D}" ]; then
|
||||
LogText "Test: checking drop-in directory (${SUDOERS_D})"
|
||||
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
|
||||
FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
|
||||
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}"
|
||||
if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then
|
||||
LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
|
||||
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: file has possibly unsafe file permissions"
|
||||
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: directory has possibly unsafe permissions/ownership"
|
||||
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
|
||||
fi
|
||||
for f in ${SUDO_CONFIG_FILES}; do
|
||||
LogText "Test: checking file (${f})"
|
||||
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
|
||||
FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
|
||||
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}"
|
||||
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then
|
||||
LogText "Result: file ${f} permissions/ownerhsip OK"
|
||||
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: file has possibly unsafe permissions/ownership"
|
||||
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
done
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
|
Loading…
Reference in New Issue