tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add deprecation message for old format and added check for unexpected/invalid characters in profile (additional security measure)

This commit is contained in:
Michael Boelen 2019-07-07 18:49:01 +02:00
parent 7a816ece8a
commit 5217db95b1
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 31 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
include/profiles
View File

@ -32,8 +32,37 @@
for PROFILE in ${PROFILES}; do
LogText "Reading profile/configuration ${PROFILE}"
FIND=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | sed 's/ /!space!/g')
for CONFIGOPTION in ${FIND}; do
# Show deprecation message for old config entries
FOUND=0
#DATA=$(egrep "^config:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g')
#if ! IsEmpty "${DATA}"; then FOUND=1; fi
# Items such as 'apache:'
DATA=$(egrep "^[a-z-]{1,}:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
DisplayWarning "Your profile contains old-style configuration entries. See log file for more details and how to convert these entries"
LogText "Your profile has one or more configuration items that are in an old format (lines starting with key:value). They need to be converted into the new format (key=value)."
LogText "Tip: Use egrep to see the relevant matches (egrep \"^[a-z-]{1,}:\" custom.prf)"
sleep 30
fi
# Security check for unexpected and possibly harmful escape characters
DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | od --address-radix=none -t a | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in the profile. See output below."
for I in "${DATA}"; do
I=$(echo ${I} | sed 's/!space!/ /g')
LogText "Output: ${I}"
done
sleep 30
fi
# Now parse the profile and filter out unwanted characters
DATA=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | sed 's/ /!space!/g')
for CONFIGOPTION in ${DATA}; do
if ContainsString "config:" "${CONFIGOPTION}"; then
# Old style configuration
OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2)