Diego Blanco committed 4 years ago
1 parent 27821b2d
1 - #!/bin/bash 1 + #!/bin/sh 2 2 # vim: set ts=2 sw=2 sts=2 et: 3 3 4 4 # Author: Diego Blanco <[email protected]> skipped 79 lines 84 84 lse_DEBUG=false 85 85 86 86 # internal data 87 - lse_common_setuid=( 88 - '/bin/fusermount' 89 - '/bin/mount' 90 - '/bin/ntfs-3g' 91 - '/bin/ping' 92 - '/bin/ping6' 93 - '/bin/su' 94 - '/bin/umount' 95 - '/lib64/dbus-1/dbus-daemon-launch-helper' 96 - '/sbin/mount.ecryptfs_private' 97 - '/sbin/mount.nfs' 98 - '/sbin/pam_timestamp_check' 99 - '/sbin/pccardctl' 100 - '/sbin/unix2_chkpwd' 101 - '/sbin/unix_chkpwd' 102 - '/usr/bin/Xorg' 103 - '/usr/bin/arping' 104 - '/usr/bin/at' 105 - '/usr/bin/beep' 106 - '/usr/bin/chage' 107 - '/usr/bin/chfn' 108 - '/usr/bin/chsh' 109 - '/usr/bin/crontab' 110 - '/usr/bin/expiry' 111 - '/usr/bin/firejail' 112 - '/usr/bin/fusermount' 113 - '/usr/bin/fusermount-glusterfs' 114 - '/usr/bin/gpasswd' 115 - '/usr/bin/kismet_capture' 116 - '/usr/bin/mount' 117 - '/usr/bin/mtr' 118 - '/usr/bin/newgidmap' 119 - '/usr/bin/newgrp' 120 - '/usr/bin/newuidmap' 121 - '/usr/bin/passwd' 122 - '/usr/bin/pkexec' 123 - '/usr/bin/procmail' 124 - '/usr/bin/staprun' 125 - '/usr/bin/su' 126 - '/usr/bin/sudo' 127 - '/usr/bin/sudoedit' 128 - '/usr/bin/traceroute6.iputils' 129 - '/usr/bin/umount' 130 - '/usr/bin/weston-launch' 131 - '/usr/lib/chromium-browser/chrome-sandbox' 132 - '/usr/lib/dbus-1.0/dbus-daemon-launch-helper' 133 - '/usr/lib/dbus-1/dbus-daemon-launch-helper' 134 - '/usr/lib/eject/dmcrypt-get-device' 135 - '/usr/lib/openssh/ssh-keysign' 136 - '/usr/lib/policykit-1/polkit-agent-helper-1' 137 - '/usr/lib/polkit-1/polkit-agent-helper-1' 138 - '/usr/lib/pt_chown' 139 - '/usr/lib/snapd/snap-confine' 140 - '/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper' 141 - '/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic' 142 - '/usr/lib/xorg/Xorg.wrap' 143 - '/usr/libexec/Xorg.wrap' 144 - '/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache' 145 - '/usr/libexec/dbus-1/dbus-daemon-launch-helper' 146 - 
'/usr/libexec/gstreamer-1.0/gst-ptp-helper' 147 - '/usr/libexec/openssh/ssh-keysign' 148 - '/usr/libexec/polkit-1/polkit-agent-helper-1' 149 - '/usr/libexec/pt_chown' 150 - '/usr/libexec/qemu-bridge-helper' 151 - '/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper' 152 - '/usr/sbin/exim4' 153 - '/usr/sbin/grub2-set-bootflag' 154 - '/usr/sbin/mount.nfs' 155 - '/usr/sbin/mtr-packet' 156 - '/usr/sbin/pam_timestamp_check' 157 - '/usr/sbin/pppd' 158 - '/usr/sbin/pppoe-wrapper' 159 - '/usr/sbin/suexec' 160 - '/usr/sbin/unix_chkpwd' 161 - '/usr/sbin/userhelper' 162 - '/usr/sbin/usernetctl' 163 - '/usr/sbin/uuidd' 164 - ) 87 + lse_common_setuid=" 88 + /bin/fusermount 89 + /bin/mount 90 + /bin/ntfs-3g 91 + /bin/ping 92 + /bin/ping6 93 + /bin/su 94 + /bin/umount 95 + /lib64/dbus-1/dbus-daemon-launch-helper 96 + /sbin/mount.ecryptfs_private 97 + /sbin/mount.nfs 98 + /sbin/pam_timestamp_check 99 + /sbin/pccardctl 100 + /sbin/unix2_chkpwd 101 + /sbin/unix_chkpwd 102 + /usr/bin/Xorg 103 + /usr/bin/arping 104 + /usr/bin/at 105 + /usr/bin/beep 106 + /usr/bin/chage 107 + /usr/bin/chfn 108 + /usr/bin/chsh 109 + /usr/bin/crontab 110 + /usr/bin/expiry 111 + /usr/bin/firejail 112 + /usr/bin/fusermount 113 + /usr/bin/fusermount-glusterfs 114 + /usr/bin/gpasswd 115 + /usr/bin/kismet_capture 116 + /usr/bin/mount 117 + /usr/bin/mtr 118 + /usr/bin/newgidmap 119 + /usr/bin/newgrp 120 + /usr/bin/newuidmap 121 + /usr/bin/passwd 122 + /usr/bin/pkexec 123 + /usr/bin/procmail 124 + /usr/bin/staprun 125 + /usr/bin/su 126 + /usr/bin/sudo 127 + /usr/bin/sudoedit 128 + /usr/bin/traceroute6.iputils 129 + /usr/bin/umount 130 + /usr/bin/weston-launch 131 + /usr/lib/chromium-browser/chrome-sandbox 132 + /usr/lib/dbus-1.0/dbus-daemon-launch-helper 133 + /usr/lib/dbus-1/dbus-daemon-launch-helper 134 + /usr/lib/eject/dmcrypt-get-device 135 + /usr/lib/openssh/ssh-keysign 136 + /usr/lib/policykit-1/polkit-agent-helper-1 137 + /usr/lib/polkit-1/polkit-agent-helper-1 138 + /usr/lib/pt_chown 139 + 
/usr/lib/snapd/snap-confine 140 + /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper 141 + /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic 142 + /usr/lib/xorg/Xorg.wrap 143 + /usr/libexec/Xorg.wrap 144 + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache 145 + /usr/libexec/dbus-1/dbus-daemon-launch-helper 146 + /usr/libexec/gstreamer-1.0/gst-ptp-helper 147 + /usr/libexec/openssh/ssh-keysign 148 + /usr/libexec/polkit-1/polkit-agent-helper-1 149 + /usr/libexec/pt_chown 150 + /usr/libexec/qemu-bridge-helper 151 + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper 152 + /usr/sbin/exim4 153 + /usr/sbin/grub2-set-bootflag 154 + /usr/sbin/mount.nfs 155 + /usr/sbin/mtr-packet 156 + /usr/sbin/pam_timestamp_check 157 + /usr/sbin/pppd 158 + /usr/sbin/pppoe-wrapper 159 + /usr/sbin/suexec 160 + /usr/sbin/unix_chkpwd 161 + /usr/sbin/userhelper 162 + /usr/sbin/usernetctl 163 + /usr/sbin/uuidd 164 + " 165 165 #regex rules for common setuid 166 - lse_common_setuid+=( 167 - '/snap/core/.*' 168 - '/var/tmp/mkinitramfs.*' 169 - ) 166 + lse_common_setuid="$lse_common_setuid 167 + /snap/core/.* 168 + /var/tmp/mkinitramfs.* 169 + " 170 170 #critical writable files 171 - lse_critical_writable=( 172 - '/etc/apache2/apache2.conf' 173 - '/etc/apache2/httpd.conf' 174 - '/etc/bash.bashrc' 175 - '/etc/bash_completion' 176 - '/etc/bash_completion.d/*' 177 - '/etc/environment' 178 - '/etc/environment.d/*' 179 - '/etc/hosts.allow' 180 - '/etc/hosts.deny' 181 - '/etc/httpd/conf/httpd.conf' 182 - '/etc/httpd/httpd.conf' 183 - '/etc/incron.conf' 184 - '/etc/incron.d/*' 185 - '/etc/logrotate.d/*' 186 - '/etc/modprobe.d/*' 187 - '/etc/pam.d/*' 188 - '/etc/passwd' 189 - '/etc/php*/fpm/pool.d/*' 190 - '/etc/php/*/fpm/pool.d/*' 191 - '/etc/profile' 192 - '/etc/profile.d/*' 193 - '/etc/rc*.d/*' 194 - '/etc/rsyslog.d/*' 195 - '/etc/shadow' 196 - '/etc/skel/*' 197 - '/etc/sudoers' 198 - '/etc/sudoers.d/*' 199 - '/etc/supervisor/conf.d/*' 200 - '/etc/supervisor/supervisord.conf' 201 - 
'/etc/sysctl.conf' 202 - '/etc/sysctl.d/*' 203 - '/etc/uwsgi/apps-enabled/*' 204 - '/root/.ssh/authorized_keys' 205 - ) 171 + lse_critical_writable=" 172 + /etc/apache2/apache2.conf 173 + /etc/apache2/httpd.conf 174 + /etc/bash.bashrc 175 + /etc/bash_completion 176 + /etc/bash_completion.d/* 177 + /etc/environment 178 + /etc/environment.d/* 179 + /etc/hosts.allow 180 + /etc/hosts.deny 181 + /etc/httpd/conf/httpd.conf 182 + /etc/httpd/httpd.conf 183 + /etc/incron.conf 184 + /etc/incron.d/* 185 + /etc/logrotate.d/* 186 + /etc/modprobe.d/* 187 + /etc/pam.d/* 188 + /etc/passwd 189 + /etc/php*/fpm/pool.d/* 190 + /etc/php/*/fpm/pool.d/* 191 + /etc/profile 192 + /etc/profile.d/* 193 + /etc/rc*.d/* 194 + /etc/rsyslog.d/* 195 + /etc/shadow 196 + /etc/skel/* 197 + /etc/sudoers 198 + /etc/sudoers.d/* 199 + /etc/supervisor/conf.d/* 200 + /etc/supervisor/supervisord.conf 201 + /etc/sysctl.conf 202 + /etc/sysctl.d/* 203 + /etc/uwsgi/apps-enabled/* 204 + /root/.ssh/authorized_keys 205 + " 206 206 #critical writable directories 207 - lse_critical_writable_dirs=( 208 - '/etc/bash_completion.d' 209 - '/etc/cron.d' 210 - '/etc/cron.daily' 211 - '/etc/cron.hourly' 212 - '/etc/cron.weekly' 213 - '/etc/environment.d' 214 - '/etc/logrotate.d' 215 - '/etc/modprobe.d' 216 - '/etc/pam.d' 217 - '/etc/profile.d' 218 - '/etc/rsyslog.d/' 219 - '/etc/sudoers.d/' 220 - '/etc/sysctl.d' 221 - '/root' 222 - ) 207 + lse_critical_writable_dirs=" 208 + /etc/bash_completion.d 209 + /etc/cron.d 210 + /etc/cron.daily 211 + /etc/cron.hourly 212 + /etc/cron.weekly 213 + /etc/environment.d 214 + /etc/logrotate.d 215 + /etc/modprobe.d 216 + /etc/pam.d 217 + /etc/profile.d 218 + /etc/rsyslog.d/ 219 + /etc/sudoers.d/ 220 + /etc/sysctl.d 221 + /root 222 + " 223 223 #) 224 224 225 225 #( Options skipped 17 lines 243 243 cecho "${red}ERROR: ${reset}$*\n" >&2 244 244 } 245 245 lse_exclude_paths() { 246 - local IFS=$'\r\n' 247 - local GLOBIGNORE='*' 246 + local IFS=" 247 + " 248 248 for p in `echo $1 | tr ',' '\n'`; 
do 249 - [ "${p:0:1}" == "/" ] || lse_error "'$p' is not an absolute path." 250 - [ "${p: -1}" == "/" ] && p="${p%%/}" 251 - lse_find_opts+=" -path ${p} -prune -o" 249 + [ "`printf $p | cut -c1`" = "/" ] || lse_error "'$p' is not an absolute path." 250 + p="${p%%/}" 251 + lse_find_opts="$lse_find_opts -path ${p} -prune -o" 252 252 done 253 253 } 254 254 lse_set_level() { skipped 62 lines 317 317 # Checks if a test passed by ID 318 318 local id="$1" 319 319 for i in $lse_passed_tests; do 320 - [ "$i" == "$id" ] && return 0 320 + [ "$i" = "$id" ] && return 0 321 321 done 322 322 return 1 323 323 } skipped 21 lines 345 345 if [ "$lse_selection" ]; then 346 346 local sel_match=false 347 347 for s in $lse_selection; do 348 - if [ "$s" == "$id" ] || [ "$s" == "${id:0:3}" ]; then 348 + if [ "$s" = "$id" ] || [ "$s" = "`printf '$id' | cut -c1-3`" ]; then 349 349 sel_match=true 350 350 fi 351 351 done skipped 12 lines 364 364 # Check dependencies 365 365 local non_met_deps="" 366 366 for d in $deps; do 367 - lse_test_passed "$d" || non_met_deps+="$d" 367 + lse_test_passed "$d" || non_met_deps="$non_met_deps $d" 368 368 done 369 369 if [ "$non_met_deps" ]; then 370 370 cecho " ${grey}skip\n" skipped 21 lines 392 392 fi 393 393 [ "$var" ] && readonly "${var}=$output" 394 394 # Mark test as executed 395 - lse_executed_tests+=" $id" 395 + lse_executed_tests="$lse_executed_tests $id" 396 396 fi 397 397 398 398 if [ -z "$output" ]; then 399 399 cecho "${grey} nope${reset}\n" 400 400 return 1 401 401 else 402 - lse_passed_tests+=" $id" 402 + lse_passed_tests="$lse_passed_tests $id" 403 403 cecho "${r} yes!${reset}\n" 404 404 if [ $lse_level -ge $level ]; then 405 405 cecho "${grey}---$reset\n" skipped 38 lines 444 444 if [ "$lse_selection" ]; then 445 445 local sel_match=false 446 446 for s in $lse_selection; do 447 - if [ "${s:0:3}" == "$id" ]; then 447 + if [ "`printf $s|cut -c1-3`" = "$id" ]; then 448 448 sel_match=true 449 449 break 450 450 fi skipped 2 lines 453 453 fi 454 
454 455 455 for i in $(seq ${#title} 70); do 456 - text+="=" 456 + text="$text=" 457 457 done 458 - text+="(${green} $title ${magenta})=====" 458 + text="$text(${green} $title ${magenta})=====" 459 459 cecho "$text${reset}\n" 460 460 } 461 461 lse_exit() { 462 462 local ec=1 463 463 local text="\n${magenta}==================================" 464 464 [ "$1" ] && ec=$1 465 - text+="(${green} FINISHED ${magenta})==================================" 465 + text="$text(${green} FINISHED ${magenta})==================================" 466 466 cecho "$text${reset}\n" 467 467 exit $ec 468 468 } skipped 57 lines 526 526 #check if . is in PATHs 527 527 lse_test "usr080" "0" \ 528 528 "Is '.' in a PATH variable defined inside /etc?" \ 529 - 'for ep in $lse_exec_paths; do [ "$ep" == "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \ 529 + 'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \ 530 530 "usr070" 531 531 } 532 532 skipped 71 lines 604 604 #uncommon setuid binaries 605 605 lse_test "fst020" "0" \ 606 606 "Uncommon setuid binaries" \ 607 - 'local setuidbin="$lse_setuid_binaries"; for cs in "${lse_common_setuid[@]}"; do setuidbin=`echo -e "$setuidbin" | grep -Ev "$cs"`;done ; echo -e "$setuidbin"' \ 607 + 'local setuidbin="$lse_setuid_binaries"; local IFS=" 608 + "; for cs in ${lse_common_setuid}; do setuidbin=`printf "$setuidbin\n" | grep -Ev "$cs"`;done ; printf "$setuidbin\n"' \ 608 609 "fst010" 609 610 610 611 #can we write to any setuid binary skipped 11 lines 622 623 #uncommon setgid binaries 623 624 lse_test "fst050" "0" \ 624 625 "Uncommon setgid binaries" \ 625 - 'echo -e "$lse_setgid_binaries" | grep -Ev "^/(bin|sbin|usr/bin|usr/lib|usr/sbin)"' \ 626 + 'printf "$lse_setgid_binaries\n" | grep -Ev "^/(bin|sbin|usr/bin|usr/lib|usr/sbin)"' \ 626 627 "fst040" 627 628 628 629 #can we write to any setgid binary 
skipped 50 lines 679 680 #can we write to files that can give us root 680 681 lse_test "fst160" "0" \ 681 682 "Can we write to critical files?" \ 682 - 'for uw in $lse_user_writable; do [ -f "$uw" ] && for cw in "${lse_critical_writable[@]}"; do [ "$cw" == "$uw" ] && [ -w "$cw" ] && ls -l $cw; done ; done' \ 683 + 'for uw in $lse_user_writable; do [ -f "$uw" ] && IFS=" 684 + "; for cw in ${lse_critical_writable}; do [ "$cw" = "$uw" ] && [ -w "$cw" ] && ls -l $cw; done ; done' \ 683 685 "fst000" 684 686 685 687 #can we write to directories that can give us root 686 688 lse_test "fst170" "0" \ 687 689 "Can we write to critical directories?" \ 688 - 'for uw in $lse_user_writable; do [ -d "$uw" ] && for cw in "${lse_critical_writable_dirs[@]}"; do [ "$cw" == "$uw" ] && [ -w "$cw" ] && ls -ld $cw; done ; done' \ 690 + 'for uw in $lse_user_writable; do [ -d "$uw" ] && IFS=" 691 + "; for cw in ${lse_critical_writable_dirs}; do [ "$cw" = "$uw" ] && [ -w "$cw" ] && ls -ld $cw; done ; done' \ 689 692 "fst000" 690 693 691 694 #can we write to directories inside PATHS skipped 68 lines 760 763 #check for superuser accounts 761 764 lse_test "sys040" "1" \ 762 765 "Check for other superuser accounts" \ 763 - 'for u in $(cut -d: -f1 /etc/passwd); do [ $(id -u $u) == 0 ] && echo $u; done | grep -v root' 766 + 'for u in $(cut -d: -f1 /etc/passwd); do [ $(id -u $u) = 0 ] && echo $u; done | grep -v root' 764 767 765 768 #can root log in via SSH 766 769 lse_test "sys050" "1" \ skipped 36 lines 803 806 #check if we can write an a binary with capabilities 804 807 lse_test "sec020" "0" \ 805 808 "Can we write to a binary with caps?" \ 806 - 'for b in $(echo -e "$lse_cap_bin" | cut -d" " -f1); do [ -w "$b" ] && echo "$b"; done' 809 + 'for b in $(printf "$lse_cap_bin\n" | cut -d" " -f1); do [ -w "$b" ] && echo "$b"; done' 807 810 808 811 #check if we have all capabilities in any binary 809 812 lse_test "sec030" "0" \ 810 813 "Do we have all caps in any binary?" 
\ 811 - 'echo -e "$lse_cap_bin" | grep -v "cap_"' 814 + 'printf "$lse_cap_bin\n" | grep -v "cap_"' 812 815 813 816 #search /etc/security/capability.conf for users associated capapilies 814 817 lse_test "sec040" "1" \ skipped 5 lines 820 823 #does user have capabilities 821 824 lse_test "sec050" "0" \ 822 825 "Does current user have capabilities?" \ 823 - 'echo -e "$lse_user_caps" | grep "$lse_user"' \ 826 + 'printf "$lse_user_caps\n" | grep "$lse_user"' \ 824 827 "sec040" 825 828 } 826 829 skipped 56 lines 883 886 #can we write in any system timer? 884 887 lse_test "ret510" "0" \ 885 888 "Can we write in any system timer?" \ 886 - 'echo -e "$lse_user_writable" | grep -E "\.timer$"' \ 889 + 'printf "$lse_user_writable\n" | grep -E "\.timer$"' \ 887 890 "fst000" 888 891 889 892 #system timers skipped 62 lines 952 955 #check write permissions in init.d/* inetd.conf xinetd.conf 953 956 lse_test "srv000" "0" \ 954 957 "Can we write in service files?" \ 955 - 'echo -e "$lse_user_writable" | grep -E "^/etc/(init/|init\.d/|rc\.d/|rc[0-9S]\.d/|rc\.local|inetd\.conf|xinetd\.conf|xinetd\.d/)"' \ 958 + 'printf "$lse_user_writable\n" | grep -E "^/etc/(init/|init\.d/|rc\.d/|rc[0-9S]\.d/|rc\.local|inetd\.conf|xinetd\.conf|xinetd\.d/)"' \ 956 959 "fst000" 957 960 958 961 #check write permissions for binaries involved in services skipped 60 lines 1019 1022 #check write permissions in systemd services 1020 1023 lse_test "srv500" "0" \ 1021 1024 "Can we write in systemd service files?" 
\ 1022 - 'echo -e "$lse_user_writable" | grep -E "^/(etc/systemd/|lib/systemd/).+\.service$"' \ 1025 + 'printf "$lse_user_writable\n" | grep -E "^/(etc/systemd/|lib/systemd/).+\.service$"' \ 1023 1026 "fst000" 1024 1027 1025 1028 #check write permissions for binaries involved in systemd services skipped 33 lines 1059 1062 #list processes running as users with shell 1060 1063 lse_test "pro020" "1" \ 1061 1064 "Processes running by non-root users with shell" \ 1062 - 'for user in `echo -e "$lse_shell_users" | cut -d: -f1 | grep -v root`; do ps -u "$user" | grep -Eq "^ *[0-9]" && echo -e "\n\n------ $user ------\n\n" && ps -u $user -f; done' \ 1065 + 'for user in `printf "$lse_shell_users\n" | cut -d: -f1 | grep -v root`; do ps -u "$user" | grep -Eq "^ *[0-9]" && printf "\n\n------ $user ------\n\n\n" && ps -u $user -f; done' \ 1063 1066 "usr030" 1064 1067 1065 1068 #running processes skipped 4 lines 1070 1073 #list running process binaries and their permissions 1071 1074 lse_test "pro510" "2" \ 1072 1075 "Running process binaries and permissions" \ 1073 - 'echo -e "$lse_proc_bin" | xargs -n1 ls -l' 1076 + 'printf "$lse_proc_bin\n" | xargs -n1 ls -l' 1074 1077 } 1075 1078 1076 1079 skipped 96 lines 1173 1176 e) lse_exclude_paths "${OPTARG}";; 1174 1177 i) lse_interactive=false;; 1175 1178 l) lse_set_level "${OPTARG}";; 1176 - s) lse_selection="${OPTARG//,/ }";; 1179 + s) lse_selection="`printf ${OPTARG}|sed 's/,/ /g'`";; 1177 1180 h) lse_help; exit 0;; 1178 1181 *) lse_help; exit 1;; 1179 1182 esac 1180 1183 done 1181 1184 1182 1185 #trap to exec on SIGINT 1183 - trap "lse_exit 1" SIGINT 1186 + trap "lse_exit 1" 2 1184 1187 1185 1188 lse_request_information 1186 1189 lse_show_info skipped 17 lines
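Review bot: The selection check at new line 348 compares `$s` against the literal three-character string `$id`, because the single quotes inside the backticks stop `printf '$id'` from expanding, so selecting a test group by its three-letter prefix (the second half of the `||`) can no longer match; the line should read `if [ "$s" = "$id" ] || [ "$s" = "$(printf '%s' "$id" | cut -c1-3)" ]; then`. The same prefix extraction at new lines 249, 447 and 1179 passes the variable unquoted as printf's format string (`printf $p`, `printf $s`, `printf ${OPTARG}`), which word-splits and globs the value and misreads any `%` or backslash in it — use `printf '%s' "$var"` there as well, or for the absolute-path test at 249 a plain `case "$p" in /*) ;; *) lse_error "'$p' is not an absolute path." ;; esac` that needs no external command. The list rewrites at new lines 87–222 are now iterated with a newline-only IFS in lse_exclude_paths, fst020 and fst160/fst170; if those entries carry leading indentation in the file, that whitespace becomes part of each item and the `grep -Ev "$cs"` and `[ "$cw" = "$uw" ]` comparisons would silently never match, so it is worth confirming they start at column 0. The functions containing lines 348 and 447 start and end outside the hunks shown.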