mirror of https://github.com/CISOfy/lynis.git
Change permission tests and messages
parent
6e2640c4d5
commit
4493810df2
81
lynis
81
lynis
|
@ -100,74 +100,61 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
|
||||||
#
|
#
|
||||||
# Perform a basic check for permissions. After including functions, using SafePerms()
|
# Perform a basic check for permissions. After including functions, using SafePerms()
|
||||||
# Optimization: remove ls -l for owner and only do UID check, reducing one getpwent
|
# Optimization: remove ls -l for owner and only do UID check, reducing one getpwent
|
||||||
PERMS=`ls -l ${INCLUDEDIR}/consts | cut -c 2-10`
|
|
||||||
PERMS2=`ls -l ${INCLUDEDIR}/functions | cut -c 2-10`
|
FILES_TO_CHECK="consts functions"
|
||||||
OWNER=`ls -l ${INCLUDEDIR}/consts | awk -F" " '{ print $3 }'`
|
|
||||||
OWNER2=`ls -l ${INCLUDEDIR}/functions | awk -F" " '{ print $3 }'`
|
|
||||||
OWNERID=`ls -n ${INCLUDEDIR}/consts | awk -F" " '{ print $3 }'`
|
|
||||||
OWNER2ID=`ls -n ${INCLUDEDIR}/functions | awk -F" " '{ print $3 }'`
|
|
||||||
|
|
||||||
ISSUE=0
|
ISSUE=0
|
||||||
|
ISSUE_TYPE=""
|
||||||
SHOWPERMERROR=0
|
SHOWPERMERROR=0
|
||||||
# Check permissions of include/consts file (400, 600, 640, 644)
|
|
||||||
if [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
|
|
||||||
ISSUE=1; echo "[!] Change file permissions of ${INCLUDEDIR}/consts to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/consts"
|
|
||||||
fi
|
|
||||||
# Check permissions of include/functions file
|
|
||||||
if [ ! "${PERMS2}" = "r--------" -a ! "${PERMS2}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
|
|
||||||
ISSUE=1; echo "[!] Change file permissions of ${INCLUDEDIR}/functions to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/functions"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
|
for FILE in ${FILES_TO_CHECK}; do
|
||||||
|
PERMS=`ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10`
|
||||||
|
GROUPPERMS=`ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7`
|
||||||
|
GROUPOWNERID=`ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }'`
|
||||||
|
OWNER=`ls -l ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }'`
|
||||||
|
OWNERID=`ls -n ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }'`
|
||||||
|
|
||||||
# Consts
|
# Check permissions of include/X file (400, 600, 640, 644)
|
||||||
|
if [ "${PERMS}" = "rwxrwxrwx" ]; then
|
||||||
|
ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
|
||||||
|
elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
|
||||||
|
# If group ID equals user ID, we consider permissions to be fine (probably default umask)
|
||||||
|
if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then
|
||||||
|
ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
|
||||||
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
|
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
|
||||||
if [ ! "${MYID}" = "${OWNER2ID}" ]; then
|
if [ ! "${MYID}" = "${OWNER2ID}" ]; then
|
||||||
ISSUE=1; SHOWPERMERROR=1; FILE="consts"
|
ISSUE=1; ISSUE_TYPE="owner"; SHOWPERMERROR=1; ISSUE_FILE="${FILE}"; ISSUE_OWNER="${OWNER}"; ISSUE_OWNERID="${OWNERID}"
|
||||||
fi
|
|
||||||
fi
|
|
||||||
# Functions
|
|
||||||
if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then
|
|
||||||
if [ ! "${MYID}" = "${OWNER2ID}" ]; then
|
|
||||||
ISSUE=1; SHOWPERMERROR=1; FILE="functions"
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
if [ ${SHOWPERMERROR} -eq 1 ]; then
|
if [ ${SHOWPERMERROR} -eq 1 ]; then
|
||||||
printf "%s" "
|
printf "%s" "
|
||||||
|
|
||||||
[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID}).
|
[!] Change ownership of ${INCLUDEDIR}/${ISSUE_FILE} to 'root' or similar (found: ${ISSUE_OWNER} with UID ${ISSUE_OWNERID}).
|
||||||
|
|
||||||
Command:
|
Command:
|
||||||
# chown 0:0 ${INCLUDEDIR}/${FILE}
|
# chown 0:0 ${INCLUDEDIR}/${ISSUE_FILE}
|
||||||
"
|
"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Now if there is an issue with permissions, show it to the user and let them decide how to continue.
|
# Now if there is an issue with permissions, show it to the user and let them decide how to continue.
|
||||||
if [ ${ISSUE} -eq 1 ]; then
|
if [ ${ISSUE} -eq 1 ]; then
|
||||||
printf "%s" "
|
printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n"
|
||||||
[X] Security check failed
|
if [ "${ISSUE_TYPE}" = "perms" ]; then
|
||||||
|
printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system"
|
||||||
Why do I see this error?
|
elif [ "${ISSUE_TYPE}" = "owner" ]; then
|
||||||
-------------------------------
|
printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
|
||||||
This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.
|
fi
|
||||||
|
printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]"
|
||||||
What can I do?
|
|
||||||
---------------------
|
|
||||||
Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).
|
|
||||||
If you trust these files, you can decide to continue this run by pressing ENTER.
|
|
||||||
|
|
||||||
Option 2) Change ownership and permissions of the related files (or full directory).
|
|
||||||
|
|
||||||
Commands (full directory):
|
|
||||||
# cd ..
|
|
||||||
# chown -R 0:0 lynis
|
|
||||||
# cd lynis
|
|
||||||
./lynis audit system
|
|
||||||
|
|
||||||
|
|
||||||
[ Press ENTER to continue, or CTRL+C to cancel ]"
|
|
||||||
read DUMMY
|
read DUMMY
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Now include files if permissions are correct, or user decided to continue
|
||||||
. ${INCLUDEDIR}/consts
|
. ${INCLUDEDIR}/consts
|
||||||
. ${INCLUDEDIR}/functions
|
. ${INCLUDEDIR}/functions
|
||||||
|
|
||||||
|
|
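Review bot: The new group exemption in the `elif` branch lets world-writable include files pass: any mode other than the four allowed ones and the exact `rwxrwxrwx` is accepted whenever `GROUPOWNERID` equals `OWNERID`, so a 0:0-owned `consts` or `functions` with `rw-rw-rw-` raises no issue and is then sourced by the `. ${INCLUDEDIR}/...` lines at the end of the hunk. `GROUPPERMS` is assigned but never read in the visible lines, and the "other" bits are not examined at all; the exemption should at least refuse other-write, e.g. `case "${PERMS}" in ???????w?) ISSUE=1; ISSUE_TYPE="perms" ;; esac` ahead of the GID/UID comparison. Separately, the owner check inside the loop still tests `${OWNER2ID}`, whose assignment this commit removes, so unless it is set elsewhere the comparison with `${MYID}` always differs and the same-user (pentester mode) exception never applies; it presumably should read `if [ ! "${MYID}" = "${OWNERID}" ]; then`.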