tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-26 23:34:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Security: test PATH and warn or exit on discovery of dangerous location

Browse Source
This commit is contained in:
Michael Boelen 2019-06-30 19:21:07 +02:00
parent 5e4e44bdf3
commit fdacc00b45
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 28 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
include/binaries
View File

@ -42,18 +42,39 @@
Display --indent 2 --text "- Checking system binaries..." Display --indent 2 --text "- Checking system binaries..."
LogText "Status: Starting binary scan..." LogText "Status: Starting binary scan..."
# Test if our PATH variable provides a set of paths # Notes:
# If so, reverse the order. If we discover the same binary multiple times, the one first in PATH # - If PATH is empty, we use the predefined list in include/consts
# should be used. # - Common paths first, then followed by more specific paths. This helps on the slightly ancient UNIX derivatives.
# If PATH is empty, we use the predefined list in include/consts. Common paths first, then followed # - Avoid sorting the path list, as this might result in incorrect order of finding binaries (e.g. awk binary)
# by more specific paths. This helps on the slightly ancient UNIX derivatives.
# Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
# multiple times, the one first in PATH should be used.
if [ ! -z "${PATH}" ]; then if [ ! -z "${PATH}" ]; then
PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }') PATH_REVERSED=$(echo ${PATH} | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
BIN_PATHS=$(echo "${PATH_REVERSED} ${BIN_PATHS}" | tr ':' ' ') BIN_PATHS=$(echo "${PATH_REVERSED} ${BIN_PATHS}" | tr ':' ' ')
fi fi
# Avoid sorting, as this might result in incorrect order of finding binaries (e.g. awk binary) # First test available locations that may be suspicious or dangerous
#SORTED_BIN_PATHS=$(echo ${BIN_PATHS} | tr ' ' '\n' | sort | uniq | tr '\n' ' ') for SCANDIR in ${BIN_PATHS}; do
FOUND=0
if [ "${SCANDIR}" = "." ]; then FOUND=1; MSG="Found single dot (.) in PATH"
elif [ "${SCANDIR}" = ".." ]; then FOUND=1; MSG="Found double dot (..) in PATH"
elif echo ${SCANDIR} | grep '^\.\.' > /dev/null; then FOUND=1; MSG="Found path starting with double dot (..) in PATH"
elif echo ${SCANDIR} | grep '^[a-zA-Z]' > /dev/null; then FOUND=1; MSG="Found relative path in PATH"
fi
if [ ${FOUND} -eq 1 ]; then
# Stop execution if privileged, otherwise continue but warn user
if [ ${PRIVILEGED} -eq 1 ]; then
ExitFatal "Possible riskful location (${SCANDIR}) in PATH discovered. Quitting..."
else
Display --indent 4 --text "Warning: suspicious location (${SCANDIR}) in PATH"
ReportWarning "${TEST_NO}" "Possible riskful location in PATH discovered" "text:${MSG}"
sleep 1
fi
fi
done
# Now perform binary detection
for SCANDIR in ${BIN_PATHS}; do for SCANDIR in ${BIN_PATHS}; do
LogText "Test: Checking binaries in directory ${SCANDIR}" LogText "Test: Checking binaries in directory ${SCANDIR}"
ORGPATH="" ORGPATH=""