author | mboelen <michael@cisofy.com> | 2016-05-02 16:04:54 +0300 |
committer | mboelen <michael@cisofy.com> | 2016-05-02 16:04:54 +0300 |
commit | 4493810df25cdcdfe0448e8fb1adaf422f174eeb (patch) | |
tree | b5e19fd28238a1e0386fda5ae1e9b80ea98ac07c /lynis | |
parent | 6e2640c4d5e21e634fdd0945778578964561b816 (diff) |
Change permission tests and messages
Diffstat (limited to 'lynis')
-rwxr-xr-x | lynis | 81 |
1 files changed, 34 insertions, 47 deletions
@@ -100,74 +100,61 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta # # Perform a basic check for permissions. After including functions, using SafePerms() # Optimization: remove ls -l for owner and only do UID check, reducing one getpwent - PERMS=`ls -l ${INCLUDEDIR}/consts | cut -c 2-10` - PERMS2=`ls -l ${INCLUDEDIR}/functions | cut -c 2-10` - OWNER=`ls -l ${INCLUDEDIR}/consts | awk -F" " '{ print $3 }'` - OWNER2=`ls -l ${INCLUDEDIR}/functions | awk -F" " '{ print $3 }'` - OWNERID=`ls -n ${INCLUDEDIR}/consts | awk -F" " '{ print $3 }'` - OWNER2ID=`ls -n ${INCLUDEDIR}/functions | awk -F" " '{ print $3 }'` + + FILES_TO_CHECK="consts functions" ISSUE=0 + ISSUE_TYPE="" SHOWPERMERROR=0 - # Check permissions of include/consts file (400, 600, 640, 644) - if [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then - ISSUE=1; echo "[!] Change file permissions of ${INCLUDEDIR}/consts to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/consts" - fi - # Check permissions of include/functions file - if [ ! "${PERMS2}" = "r--------" -a ! "${PERMS2}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then - ISSUE=1; echo "[!] Change file permissions of ${INCLUDEDIR}/functions to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/functions" - fi - # Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode) - - # Consts - if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then - if [ ! 
"${MYID}" = "${OWNER2ID}" ]; then - ISSUE=1; SHOWPERMERROR=1; FILE="consts" + for FILE in ${FILES_TO_CHECK}; do + PERMS=`ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10` + GROUPPERMS=`ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7` + GROUPOWNERID=`ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }'` + OWNER=`ls -l ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }'` + OWNERID=`ls -n ${INCLUDEDIR}/${FILE} | awk -F" " '{ print $3 }'` + + # Check permissions of include/X file (400, 600, 640, 644) + if [ "${PERMS}" = "rwxrwxrwx" ]; then + ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}" + elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then + # If group ID equals user ID, we consider permissions to be fine (probably default umask) + if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then + ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}" fi fi - # Functions - if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then + + # Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode) + if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then if [ ! "${MYID}" = "${OWNER2ID}" ]; then - ISSUE=1; SHOWPERMERROR=1; FILE="functions" + ISSUE=1; ISSUE_TYPE="owner"; SHOWPERMERROR=1; ISSUE_FILE="${FILE}"; ISSUE_OWNER="${OWNER}"; ISSUE_OWNERID="${OWNERID}" fi fi + done + if [ ${SHOWPERMERROR} -eq 1 ]; then printf "%s" " -[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID}). +[!] Change ownership of ${INCLUDEDIR}/${ISSUE_FILE} to 'root' or similar (found: ${ISSUE_OWNER} with UID ${ISSUE_OWNERID}). 
Command: - # chown 0:0 ${INCLUDEDIR}/${FILE} + # chown 0:0 ${INCLUDEDIR}/${ISSUE_FILE} " fi # Now if there is an issue with permissions, show it to the user and let them decide how to continue. if [ ${ISSUE} -eq 1 ]; then - printf "%s" " -[X] Security check failed - - Why do I see this error? - ------------------------------- - This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script. - - What can I do? - --------------------- - Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar). - If you trust these files, you can decide to continue this run by pressing ENTER. - - Option 2) Change ownership and permissions of the related files (or full directory). - - Commands (full directory): - # cd .. - # chown -R 0:0 lynis - # cd lynis - ./lynis audit system - - -[ Press ENTER to continue, or CTRL+C to cancel ]" + printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. 
due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n" + if [ "${ISSUE_TYPE}" = "perms" ]; then + printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system" + elif [ "${ISSUE_TYPE}" = "owner" ]; then + printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system" + fi + printf "\n\n[ Press ENTER to continue, or CTRL+C to cancel ]" read DUMMY fi + + # Now include files if permissions are correct, or user decided to continue . ${INCLUDEDIR}/consts . ${INCLUDEDIR}/functions |
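Review bot: The owner check inside the new loop still compares against `${OWNER2ID}`, which the new side no longer assigns (its `ls -n` line was removed), so `[ ! "${MYID}" = "${OWNER2ID}" ]` is always true and the pentester-mode exemption for files owned by the user running Lynis is dead code; it should read `if [ ! "${MYID}" = "${OWNERID}" ]; then`. The relaxed branch under the `elif` also accepts any mode outside the 400/600/640/644 list as long as the file's GID equals its UID, which lets a world-writable `rw-rw-rw-` include file through — only the exact `rwxrwxrwx` string is rejected outright, yet both files are sourced as root a few lines later. Rejecting any set other-write bit before the GID heuristic would close that, e.g. `OTHERWRITE=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 9)` and `if [ "${PERMS}" = "rwxrwxrwx" -o "${OTHERWRITE}" = "w" ]; then`. `GROUPPERMS` is computed but never read, and because `ISSUE_TYPE` is overwritten per file, a permissions issue on consts followed by an ownership issue on functions prints only the chown remediation.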