tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[HRDN-7222] enhanced compiler permission test

This commit is contained in:
Michael Boelen 2018-03-04 17:52:15 +01:00
parent 2c9116dc0c
commit 73a4e92a7b
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 15 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
include/tests_hardening
View File

@ -53,42 +53,31 @@
if [ ${COMPILER_INSTALLED} -eq 0 ]; then if [ ${COMPILER_INSTALLED} -eq 0 ]; then
LogText "Result: no compilers found" LogText "Result: no compilers found"
else else
# as # TODO - c89 c99 cpp ld
if [ ! -z "${ASBINARY}" ]; then TEST_BINARIES="${ASBINARY} ${GCCBINARY}"
LogText "Test: Check file permissions for as (Assembler)" for ITEM in ${TEST_BINARIES}; do
if IsWorldExecutable ${ASBINARY}; then FILE="${ITEM}"
LogText "Binary: found ${ASBINARY} (world executable)" LogText "Test: Check file permissions for ${ITEM}"
Report "compiler_world_executable[]=${ASBINARY}" ShowSymlinkPath ${ITEM}
if [ ! -z "${SYMLINK}" ]; then
FILE="${SYMLINK}"
fi
if IsWorldExecutable ${FILE}; then
LogText "Binary: found ${FILE} (world executable)"
Report "compiler_world_executable[]=${FILE}"
AddHP 2 3 AddHP 2 3
HARDEN_COMPILERS_NEEDED=1 HARDEN_COMPILERS_NEEDED=1
else else
AddHP 3 3 AddHP 3 3
fi fi
fi done
# gcc
if [ ! -z "${GCCBINARY}" ]; then
LogText "Test: Check file permissions for GCC compiler"
if IsWorldExecutable ${GCCBINARY}; then
LogText "Binary: found ${GCCBINARY} (world executable)"
Report "compiler_world_executable[]=${GCCBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
AddHP 3 3
fi
fi
# Report suggestion is one or more compilers can be better hardened # Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only" LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only" ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
fi fi
# TODO check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
# /usr/bin/*cc*
# /usr/bin/*++*
# /usr/bin/ld
# (and 700 or 750 permissions)
fi fi
fi fi
# #