authorchr0mag <phillips.julian@gmail.com>2019-02-28 12:15:57 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2019-02-28 12:15:57 +0300
commit353cf844130b6acce9ff3be618319dd6d33510db (patch)
tree95a56039cc8850770fc6af8b5a19fc616df9da13
parent76ec39176a67e04b462443a685a03ec09d5cee1b (diff)
[AUTH-9252] Sudo configuration file/folder check improvements (#637)
* [AUTH-9252] Adds support for files in sudoers.d This commit adds permission checks for files found in 'sudoers.d'. Previously only the main 'sudoers' file was checked. Fixes #600. * [AUTH-9252] Check drop-in directory permissions The test case currently only checks file permissions. This adds logic to check the drop-in directory permissions as well. * [AUTH-9252] Check file/folder ownership This test currently only checks file/directory permissions. This commit adds checks to ensure sudo configuration files/folders are owned with UID=0 and GID=0.
-rw-r--r--include/tests_authentication39
1 files changed, 29 insertions, 10 deletions
diff --git a/include/tests_authentication b/include/tests_authentication
index 69a357a9..c4f62b64 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -483,20 +483,39 @@
#################################################################################
#
# Test : AUTH-9252
- # Description : Check for sudoers file permissions
+ # Description : Check ownership and permissions for sudo configuration files
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
+ Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
- FIND=$(ls -l ${SUDOERS_FILE} | ${CUTBINARY} -c 2-10)
- LogText "Result: Found file permissions: ${FIND}"
- if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
- LogText "Result: file ${SUDOERS_FILE} has correct permissions"
- Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
+ SUDO_CONFIG_FILES="${SUDOERS_FILE}"
+ SUDOERS_D="${SUDOERS_FILE}.d"
+ if [ -d "${SUDOERS_D}" ]; then
+ LogText "Test: checking drop-in directory (${SUDOERS_D})"
+ FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
+ FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
+ LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}"
+ if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then
+ LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
+ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: directory has possibly unsafe permissions/ownership"
+ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
+ fi
+ SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
+ fi
+ for f in ${SUDO_CONFIG_FILES}; do
+ LogText "Test: checking file (${f})"
+ FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
+ FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
+ LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}"
+ if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then
+ LogText "Result: file ${f} permissions/ownerhsip OK"
+ Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
- LogText "Result: file has possibly unsafe file permissions"
- Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
+ LogText "Result: file has possibly unsafe permissions/ownership"
+ Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
+ done
fi
#
#################################################################################
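Review bot: The loop `for f in ${SUDO_CONFIG_FILES}` iterates over the unquoted output of `find`, so a file name in the drop-in directory that contains whitespace or glob characters is split or expanded, and the `ls` checks then run on paths that are not the real file. The likely outcome is a spurious warning rather than a missed finding, but the log and the display line name the wrong path, which makes the audit result hard to act on. Quoting the expansions (`${LSBINARY} -l "${f}"`, `${LSBINARY} -ld "${SUDOERS_D}"`) and reading the `find` output line by line instead of word-splitting a string would make the per-file result reliable. The OK message inside the loop also misspells the word and should read `LogText "Result: file ${f} permissions/ownership OK"`. The test file continues outside this hunk, so any later use of `FIND` or `FIND1` is not visible here.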