Change permission tests and messages

This commit is contained in:
mboelen 2016-05-02 15:04:54 +02:00
parent 6e2640c4d5
commit 4493810df2
1 changed files with 34 additions and 47 deletions

lynis

@ -100,74 +100,61 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
#
# Perform a basic check for permissions. After including functions, using SafePerms()
# Optimization: remove ls -l for owner and only do UID check, reducing one getpwent
PERMS=`ls -l ${INCLUDEDIR}/consts | cut -c 2-10`
PERMS2=`ls -l ${INCLUDEDIR}/functions | cut -c 2-10`
OWNER=`ls -l ${INCLUDEDIR}/consts | awk -F" " '{ print $3 }'`
OWNER2=`ls -l ${INCLUDEDIR}/functions | awk -F" " '{ print $3 }'`
OWNERID=`ls -n ${INCLUDEDIR}/consts | awk -F" " '{ print $3 }'`
OWNER2ID=`ls -n ${INCLUDEDIR}/functions | awk -F" " '{ print $3 }'`
FILES_TO_CHECK="consts functions"
ISSUE=0
ISSUE_TYPE=""
SHOWPERMERROR=0
# Check permissions of include/consts file (400, 600, 640, 644)
if [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
ISSUE=1; echo "[!] Change file permissions of ${INCLUDEDIR}/consts to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/consts"
fi
# Check permissions of include/functions file
if [ ! "${PERMS2}" = "r--------" -a ! "${PERMS2}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
ISSUE=1; echo "[!] Change file permissions of ${INCLUDEDIR}/functions to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/functions"
fi
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
for FILE in ${FILES_TO_CHECK}; do
PERMS=`ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10`
GROUPPERMS=`ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7`
GROUPOWNERID=`ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }'`
OWNER=`ls -l ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }'`
OWNERID=`ls -n ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }'`
# Consts
# Check permissions of include/X file (400, 600, 640, 644)
if [ "${PERMS}" = "rwxrwxrwx" ]; then
ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
# If group ID equals user ID, we consider permissions to be fine (probably default umask)
if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then
ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
fi
fi
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
if [ ! "${MYID}" = "${OWNER2ID}" ]; then
ISSUE=1; SHOWPERMERROR=1; FILE="consts"
fi
fi
# Functions
if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then
if [ ! "${MYID}" = "${OWNER2ID}" ]; then
ISSUE=1; SHOWPERMERROR=1; FILE="functions"
ISSUE=1; ISSUE_TYPE="owner"; SHOWPERMERROR=1; ISSUE_FILE="${FILE}"; ISSUE_OWNER="${OWNER}"; ISSUE_OWNERID="${OWNERID}"
fi
fi
done
if [ ${SHOWPERMERROR} -eq 1 ]; then
printf "%s" "
[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID}).
[!] Change ownership of ${INCLUDEDIR}/${ISSUE_FILE} to 'root' or similar (found: ${ISSUE_OWNER} with UID ${ISSUE_OWNERID}).
Command:
# chown 0:0 ${INCLUDEDIR}/${FILE}
# chown 0:0 ${INCLUDEDIR}/${ISSUE_FILE}
"
fi
# Now if there is an issue with permissions, show it to the user and let them decide how to continue.
if [ ${ISSUE} -eq 1 ]; then
printf "%s" "
[X] Security check failed
Why do I see this error?
-------------------------------
This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.
What can I do?
---------------------
Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).
If you trust these files, you can decide to continue this run by pressing ENTER.
Option 2) Change ownership and permissions of the related files (or full directory).
Commands (full directory):
# cd ..
# chown -R 0:0 lynis
# cd lynis
./lynis audit system
[ Press ENTER to continue, or CTRL+C to cancel ]"
printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n"
if [ "${ISSUE_TYPE}" = "perms" ]; then
printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system"
elif [ "${ISSUE_TYPE}" = "owner" ]; then
printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
fi
printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]"
read DUMMY
fi
# Now include files if permissions are correct, or user decided to continue
. ${INCLUDEDIR}/consts
. ${INCLUDEDIR}/functions
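Review bot: Inside the new loop the ownership test at `if [ ! "${MYID}" = "${OWNER2ID}" ]; then` still compares against OWNER2ID, which appears to lose its assignment once the separate consts/functions `ls` lines are folded into the loop, so it expands to empty and every non-root-owned file is reported as an ownership issue even when the running user owns it (the pentester case the comment above it describes); it should read `if [ ! "${MYID}" = "${OWNERID}" ]; then`. The lenient `elif` branch also accepts any mode whose group ID matches the owner ID, so a world-writable `rw-rw-rw-` consts or functions file is sourced by root without complaint, and GROUPPERMS is computed but never read; adding `OTHERWRITE=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 9)` next to the other `ls` lines and widening the first test to `if [ "${PERMS}" = "rwxrwxrwx" -o "${OTHERWRITE}" = "w" ]; then` would close that gap. Note too that ISSUE_TYPE and ISSUE_FILE keep only the last file's findings, so a permissions problem in consts followed by an ownership problem in functions prints only the ownership advice.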