Imported Upstream version 1.4~svn361

Devon Kearns 2012-12-20 15:42:13 -07:00
commit a75bafe602
147 changed files with 331854 additions and 0 deletions

CHANGELOG (new file, 38 lines)

@ -0,0 +1,38 @@
2008-11-23 unix-privesc-check v1.4
* Added check of file perms of shared libraries used by SUID programs.
* Tidied output slightly.
2008-11-09 unix-privesc-check v1.3
* Bug fix: Parts of the script only worked with /bin/bash and not /bin/sh
* Bug fix: Fixed typos in reporting for privescs via cron.
2008-07-06 unix-privesc-check v1.2
* Added check of library dirs (/etc/ld.so.conf) for Linux
* Crude check of programs called from shell scripts
* Check of libraries used by each binary program (using ldd)
* Check of hard-coded paths within binaries (using strings)
* More verbose WARNING messages. All the explanation for a WARNING
should now be on one line so you can grep for 'WARNING' and still
understand the results
* Check of file perms on open file handles of running processes
* Check for running SSH agent. Lists keys if possible.
* Check for public and private SSH keys in home directories.
* Check for running GPG agent.
* Check for cron jobs in /var/spool/cron/tabs
* Extra non-priv check for local postgres trusts
* Bug fix: lanscan now used on HPUX to get interface names
* Check if system is an NFS client (HPUX only)
* Check if swap space is readable / writable
2008-04-17 unix-privesc-check v1.1
* Added check for accounts with no password in /etc/passwd
* Record some basic info about the host (hostname, uname -a, interface IPs)
2008-02-01 unix-privesc-check v1.0
* Initial public release
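
Review bot: this top-level CHANGELOG stops at v1.4 (2008-11-23), while docs/CHANGELOG added in the same commit carries the project history through 2012 and already records "2.0 released"; two changelogs in one tree will diverge. Suggest replacing this file with a one-line pointer to docs/CHANGELOG, or folding these four 1.x entries into the bottom of docs/CHANGELOG so there is a single history.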

COPYING.GPL (new file, 339 lines)

@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.


@ -0,0 +1,6 @@
This tool may be used for legal purposes only. Users take full responsibility
for any actions performed using this tool. The author accepts no liability for
damage caused by this tool. If these terms are not acceptable to you, then
you are not permitted to use this tool.
In all other respects the GPL version 2 applies.
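
Review bot: the "legal purposes only" and "you are not permitted to use this tool" conditions in this six-line file are a use restriction that GPL version 2 itself does not contain (section 0 of COPYING.GPL in this commit states that the act of running the Program is not restricted), and the docs/CHANGELOG entry of 2012-09-22 says docs/COPYING.UNIX-PRIVESC-CHECK was updated to reference version 1 explicitly precisely so that version 2 could enter Debian. This file does not state which version it covers; either add that scoping here or drop the extra conditions so the tree matches what the changelog says.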

docs/AUTHORS (new file, 3 lines)

@ -0,0 +1,3 @@
pentestmonkey <pentestmonkey@pentestmonkey.net>
Bernardo Damele A. G. <bernardo.damele@gmail.com>
Tim Brown <timb@nth-dimension.org.uk>

docs/CHANGELOG (new file, 453 lines)

@ -0,0 +1,453 @@
2012-11-14 unix-privesc-check trunk
* Tidied docs/CHANGELOG
* Updated docs/HACKING
* Tidied upc.sh
* Added tools/generate_docs.sh to generate stub documentation for
lib/misc/* and lib/checks/*
-- Tim Brown <timb@nth-dimension.org.uk>
2012-11-05 unix-privesc-check trunk
* Add support for PostgreSQL
* Added lib/checks/postgresql_configuration
* Added lib/checks/postgresql_connection
* Added lib/checks/postgresql_trust
* Added lib/misc/postgresql
* Added lib/misc/ldap and lib/checks/ldap_authentication
* Added lib/misc/nis and lib/checks/nis_authentication
* Added lib/checks/privileged_arguments to verify if textual
privileged files (like bash scripts) accept arguments from command line
* Added lib/misc/init and support in lib/misc/privileged
* Added security check to verify device mount options: dev, suid, user
* Added function file_is_basename to lib/misc/file
* Renamed lib/checks/devices to lib/checks/devices_permission
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-11-02 unix-privesc-check trunk
* Bug fix: uname on Solaris returns SunOS
* Added lib/misc/device and lib/checks/devices to verify world-readable and
world-writable permission on all device files including swap device(s)
* Improved lib/misc/cron to correctly handle PATH variable from /etc/crontab
and to differentiate programs lauched by /etc/crontab with
/etc/cron.[hourly|daily|monthly]
* Added lib/checks/privileged_environment_variables to verify if textual
privileged files (like bash scripts) use environment variables
* Improved lib/checks/privileged_tmp to also process textual privileged
files (like bash scripts)
* Added binary_matches_string_grep function to lib/misc/binary to avoid
interpreting the pattern as an extended regular expression
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-11-01 unix-privesc-check trunk
* Bug fix: Return value in lib/misc/binary
* Bug fix: Avoid recursing the linker_list_dependencies function
* Added lib/misc/inittab and support in lib/misc/privileged
* Improved lib/checks/system_configuration check to display also sensitive
directories and their content
* Improved lic/checks/system_configuration to notify about writable
configuration files by non-root users
* More detailed stdout messages for file owner condition across
lib/checks/*
* Updated the lib/misc/shadow and lib/checks/shadow_hash to display a
warning message when the password hashes file is readable
* Cleaned the code of libs/checks/privileged_dependency
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-31 unix-privesc-check trunk
* Added lib/misc/cron to parse /etc/cron*, /var/spool/cron/crontabs/*,
crontab -l and used it in lib/misc/privileged
* Enhanced process_show_command function to process /proc/PID/environ and
return script file path instead of ruby, perl, bash, etc
* Added parse_environ_cwd function to parse /proc/PID/environ file and
extract the process current working directory
* Added a preliminary check to all functions that call objdump to ensure
the file is not a textual file (like a bash script, etc)
* Added other file paths to check for permissions in
lib/checks/system_configuration
* Added file_is_directory function to lib/misc/file
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-30 unix-privesc-check trunk
* Added lib/checks/sudo to verify permissions on /etc/sudoers and its
entries
* Added functions to parse /etc/sudoers to lib/misc/sudo
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-28 unix-privesc-check trunk
* Added lib/checks/history_readable to list all readable .*_history
files
* Added lib/checks/homedirs_executable and lib/checks/homedirs_writable
* Added lib/checks/system_configuration to list writable permissions on
system configuration files and directories
* Added support for --verbose switch
* Added passwd_show_homedir function to lib/misc/passwd
* Aligned test types (symlinks) to all recently developed security checks
* Bug fix: group_is_in_group_name function
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-22 unix-privesc-check trunk
* Added lib/checks/privileged_nx
* Added lib/checks/privileged_relro
* Added lib/misc/kernel
* Added lib/checks/system_aslr
* Added lib/checks/system_mmap
* Added lib/checks/system_nx
* Added lib/checks/system_selinux
* Added permission_is_world_writable_sticky_bit function to
lib/misc/permission
* Added support to verify sticky bit against world-writable directories
* Renamed lib/checks/banned_* to lib/checks/privileged_*
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-22 unix-privesc-check trunk
* Added lib/misc/validation and modified lib/misc/* to use it.
The aim is to sanity check that libraries are being called
correctly. We can improve this over time
* Bug fix: Renamed validation_is_regex to validation_matches_regex
in lib/misc/validation
* Bug fix: validation_matches_regex test was wrong, should be -n
not -r in lib/misc/validation
* Bug fix: Added inclusion checks to prevent multiple inclusions
* Bug fix: Changed lib/misc/* to catch data returned by
validate_is_*
* Removed unnecessary calls to file_check_or_generate_cache in
lib/misc/checks/*
* Updated symlinks for different types of scan
* Removed tools/banned.h
* Tidied up formatting
* Fixed AIX specific bug with checking users don't have a password
of ! in lib/checks/passwd_hashes
-- Tim Brown <timb@nth-dimension.org.uk>
2012-10-21 unix-privesc-check trunk
* Added library to parse patterns, for now implements only one function to
extract and return all absolute file paths, parse_extract_absolute_filepaths
* Added lib/misc/sudo
* Added sudo support to lib/misc/privileged
* Added lib/misc/user
* Added lib/misc/group
* Added lib/misc/permission
* Added file_is_readable function to lib/misc/file
* Added two functions to lib/misc/file
* file_exists_file and file_is_regular_file
* Added validate_is_boolean function to lib/misc/validate
* Added support for --color switch to enable output coloring
* Updated lib/checks/jar and lib/checks/key_material
* Removed one cycle, minor refactoring and use lib/misc/user and
lib/misc/group
* Ported all calls to id command through the code to their relevant
user/group libraries functions
* Bug fix: Missing import bug in lib/checks/binary_rpath
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-21 unix-privesc-check trunk
* Bug fix: Changed $VERSION to ${VERSION} etc in upc.sh
* Removed old TODOs from lib/checks/set[ug]id
* Bug fix: Removed symlink exclusion in lib/misc/file cache
generation
-- Tim Brown <timb@nth-dimension.org.uk>
2012-10-20 unix-privesc-check trunk
* Minor improvements to lib/misc/linker
* Bug fix: Avoid using file as variable name
* Bug fix: Use grep instead of egrep in one file function
* Consolidated the stdout to clarify where the warning message throughout
lib/checks/binary_*
* Improved lib/checks/key_material and lib/checks/jar to show more detailed stdout
* Major speedup to lib/checks/group_writable and lib/checks/world_writable
* Re-engineered lib/checks/binary_dependency
* Improved lib/checks/binary_rpath and lib/checks/binary_writable to also verify
write access by non-root users
* Refactored lib/checks/system_libraries code
* Added function to check for SSH key files permissions to lib/checks/ssh_agent
* Renamed lib/checks/ssh_key_unencrypted to lib/checks/ssh_key
* Consolidated lib/checks/ssh_agent and lib/checks/ssh_key checks to also
show encrypted key files
* Removed exclusions from lib/checks/credentials
* Created lib/misc/file function file_is_textual
* Improved file_show_symlinked_filename function to be recursive and always
return the real linked filename
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-19 unix-privesc-check trunk
* Re-engineered check lib/checks/binary_rpath
* Fixed the file_parent_traverse function call in lib/checks/binary_writable
and lib/checks/system_libraries
* Fixed some more checks' descriptions
* Bug fix: Syntax fix in lib/misc/binary
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-18 unix-privesc-check trunk
* Tidied up upc.sh, added an additional error check
* Purged dummy, replaced with _ after suggestion from BDA
* Bug fix: No longer considers "enabled" as a check
* Changed lib/misc/privileged to split out cache generation so that it
happens on inclusion
* Bug fix: Removed unintentional trailing space from file cache
-- Tim Brown <timb@nth-dimension.org.uk>
2012-10-18 unix-privesc-check trunk
* Bug fix: Fixed regexp patterns to avoid returning directories in
lib/misc/privileged and lib/misc/file
-- <pentestmonkey@pentestmonkey.net>
2012-10-18 unix-privesc-check trunk
* Added check lib/checks/binary_writable
* Bug fix: Proper use of dirname in file_show_symlinked_filename function
* Bug fix: Replaced STDIN redirection with cat for inetd configuration
files parsing in lib/misc/linker
* Bug fix: Avoid escaping a path with an asterisk in lib/misc/ssh_agent
* Refactored check lib/checks/system_libraries code
* Refactored check lib/checks/world_writable code
* Refactored check lib/checks/binary_dependency code
* Refactored checks lib/checks/setuid and lib/checks/setgid code
* Improved a lot speed of lib/checks/jar and lib/checks/key_material
* Improved lib/misc/ssh_agent to work on recent Linux distributions too
and inspect /tmp folder for both SSH agent parent process and pid-1
* Avoid duplicate processes entries in lib/misc/privileged
* Improved regular expression patterns throughout the code
* Added --check and --version switches to upc.sh
* Added description to missing checks
* Added verbose comment to lib/checks/ssh_key_unencrypted with suggestions
for improvements
* Set subversion properties on all missing files
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-10-18 unix-privesc-check trunk
* Changed lib/misc/shadow to favour 1 egrep over 2 greps
-- Tim Brown <timb@nth-dimension.org.uk>
2012-10-17 unix-privesc-check trunk
* Added lib/checks/binary_path
* Added lib/checks/binary_random
* Changed stdio_message_error to output to STDERR
in lib/misc/stdio
* Removed date from output (reverting BDA change)
* Updated lib/misc/ssh_agent
* Updated lib/misc/shadow
* Updated lib/misc/process (reverting BDA change)
* Updated lib/misc/privileged (partially reverting BDA change)
* Kept the caching code
* Kept variable name changed to make the code more readable
* Updated lib/misc/passwd
* Updated lib/misc/linker (reverting BDA change)
* Updated lib/misc/inetd (reverting BDA change)
* Updated lib/misc/dependencies to disable for now. The
principal is solid, but it needs more consideration.
For example, why does only lib/misc/binary need dependencies,
what happens on non-Linux systems etc
* Added docs/HACKING. I will need to work on it but it should
help to smooth the path for new hackers :)
* Updated lib/misc/file (partially reverting BDA change)
* Kept symlink related code
* Kept permissions related code
* Changed lib/misc/privileged to use file_list_by_perms
correctly. Bonus, reduction of loops
-- Tim Brown <timb@nth-dimension.org.uk>
2012-10-17 unix-privesc-check trunk
* Added binary_banned_api function to lib/misc/binary
* Added file_show_symlinked_file function to lib/misc/file
* Added code comments to lib/misc/file
* Added cashing mechanism to lib/misc/privileged
* Added file headers throughout the source code
* Added checks' description in comment headers
* Added date to standard output function
* Added an error message log function
* Added notification of needed dependencies (binutils package)
* Narrowed down regular expression patterns in some checks
* Refactored check lib/checks/credentials code and exclude man pages and
python/ruby/perl libraries
* Refactored check lib/checks/binary_dependency code
* Refactored check lib/checks/group_writable code
* Removed unnecessary Linux-specific code from lib/misc/process
* Standardized checks' standard output and removed unnecessary lines
-- Bernardo Damele A. G. <bernardo.damele@gmail.com>
2012-09-23 unix-privesc-check trunk
* Bug fix: Changed from stdio_message_debug to stdio_message_warn
in lib/checks/binary_banned
* Bug fix: Incorrect symlink checking in binary_dependency,
binary_rpath, world_writable and group_writable
* Added support for PIE to lib/misc/binary
* Added lib/checks/binary_pie
-- Tim Brown <timb@nth-dimension.org.uk>
2012-09-22 unix-privesc-check trunk
* Started adding --help
* Removed date from output
* Bug fix: Changed $1 to ${1} etc
* Added message when generating cache
* Bug fix: Checking wrong variable in lib/misc/process
* Added lib/misc/privileged
* Changed string checks from "" to -n etc
* Standardised variable names
* Changed how checks are enabled, it is now possible to have
different types of scan using --type
* Added check for encryption to lib/checks/ssh_key_unencrypted
* Renamed lib/checks/binary_changeprivs to
lib/checks/binary_change_privileges
* Updated docs/COPYING.UNIX-PRIVESC-CHECK to reference
version 1 explicitly. This will allow version 2 into
Debian and other free distributions
* Added lib/checks/binary_banned
* Added check for lack of XXX in lib/checks/tmp
* Added check for DT_RUNPATH to lib/checks/binary_rpath
* Started work on porting lib/misc/* to Solaris
-- Tim Brown <timb@nth-dimension.org.uk>
2012-09-11 unix-privesc-check trunk
* Branching 1.x at revision 26
* 2.0 released
* Bug fix: Typo in lib/checks/binary_dependency
* Improved output of lib/checks/system_libraries,
lib/checks/binary_dependency, lib/checks/binary_rpath
-- Tim Brown <timb@nth-dimension.org.uk>
2010-12-30 unix-privesc-check trunk
* Bug fix: Cleaned up a typo
* Added support for fscaps
* Updated CHANGELOG
-- Tim Brown <timb@nth-dimension.org.uk>
2010-11-09 unix-privesc-check trunk
* Bug fix: False positive if svn.simple directory is empty
-- <pentestmonkey@pentestmonkey.net>
2010-11-04 unix-privesc-check trunk
* Added unique issue numbers. Should help to generate reports
-- <pentestmonkey@pentestmonkey.net>
2010-04-17 unix-privesc-check trunk
* Bug fix: Now checks HP-UX swap permissions correctly
* Bug fix: Cleaned up a few typos
-- Tim Brown <timb@nth-dimension.org.uk>
2010-09-27 unix-privesc-check trunk
* Added check for cleartext subversion passwords in home directory
-- <pentestmonkey@pentestmonkey.net>
2010-01-06 unix-privesc-check trunk
* Added support for exploit mitigations (HP-UX and Solaris)
* Checks if shadow and passwd are writable, thanks jdv
* Checks for SetUID shell scripts which might be racey
* Improved NX and SSP checks (Linux only)
* Bug fix: Cleaned up a few typos
-- Tim Brown <timb@nth-dimension.org.uk>
2009-09-23 unix-privesc-check trunk
* Bug fix: Cron jobs starting with '(' parsed properly
* Checks perms on Java classpath
-- <pentestmonkey@pentestmonkey.net>
2009-09-06 unix-privesc-check trunk
* Added MMAP allows map to 0 exploit mitigation (Linux ATM)
* Added SELinux exploit mitigation (Linux only)
-- Tim Brown <timb@nth-dimension.org.uk>
2009-07-30 unix-privesc-check v1.5
* Initial AIX support added
* Check for exploit mitigations (Linux only ATM)
* Brain dumped some more interesting things to check for into TODOs
* Bug fix: Fixed typos in comments
* Added SSP exploit mitigation (Linux only ATM)
-- Tim Brown <timb@nth-dimension.org.uk>
2008-11-23 unix-privesc-check v1.4
* Added check of file perms of shared libraries used by SUID programs
* Tidied output slightly
2008-11-09 unix-privesc-check v1.3
* Bug fix: Parts of the script only worked with /bin/bash and not /bin/sh
* Bug fix: Fixed typos in reporting for privescs via cron
2008-07-06 unix-privesc-check v1.2
* Added check of library dirs (/etc/ld.so.conf) for Linux
* Crude check of programs called from shell scripts
* Check of libraries used by each binary program (using ldd)
* Check of hard-coded paths within binaries (using strings)
* More verbose WARNING messages. All the explanation for a WARNING
should now be on one line so you can grep for 'WARNING' and still
understand the results
* Check of file perms on open file handles of running processes
* Check for running SSH agent. Lists keys if possible
* Check for public and private SSH keys in home directories
* Check for running GPG agent
* Check for cron jobs in /var/spool/cron/tabs
* Extra non-priv check for local postgres trusts
* Bug fix: lanscan now used on HPUX to get interface names
* Check if system is an NFS client (HPUX only)
* Check if swap space is readable / writable
2008-04-17 unix-privesc-check v1.1
* Added check for accounts with no password in /etc/passwd
* Record some basic info about the host (hostname, uname -a, interface IPs)
2008-02-01 unix-privesc-check v1.0
* Initial public release
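Review bot: the 2010-04-17 entry is filed between 2010-11-04 and 2010-09-27, which breaks the reverse-chronological order the rest of the file keeps; it belongs just above the 2010-01-06 block. Two wording slips in the same hunk while it is open: "Added cashing mechanism to lib/misc/privileged" in the 2012-10-17 entry should read "caching", and "The principal is solid" in the topmost entry's lib/misc/dependencies item should be "principle".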

339
docs/COPYING.GPL Normal file
@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

@ -0,0 +1,6 @@
Version 1 of this tool may be used for legal purposes only. Users take full
responsibility for any actions performed using this tool. The author accepts
no liability for damage caused by this tool. If these terms are not acceptable
to you, then you are not permitted to use this tool.
In all other respects the GPL version 2 applies.
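Review bot: the "legal purposes only" clause is an additional restriction on use, and GPLv2 section 6 as reproduced in docs/COPYING.GPL ("You may not impose any further restrictions on the recipients' exercise of the rights granted herein") does not allow that alongside "In all other respects the GPL version 2 applies". The 2012-09-22 CHANGELOG entry scopes this text to "Version 1" precisely so that version 2 can ship as plain GPLv2; it would help downstream packagers if this file said so explicitly, for example by adding a line stating that version 2 and later are licensed under the GPL version 2 without this additional term.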

33
docs/HACKING Normal file
@ -0,0 +1,33 @@
General:
* docs/* exists for a reason, especially docs/CHANGELOG
* Changes should match commit messages, barring mistakes
* "Bug fix:" should be used to identify minor changes due to
coding errors
* docs/CHANGELOG should reference filename of changed files
* Quote correctly
* Use double-quotes, not single-quotes
* Variable names should be descriptive
* Reference variables as ${variablename}
* "printf --" unless you have reason not to
* Avoid unnecessary cats, never use two commands if one will do
* No unnecessary new lines, the only blocks should be those
introduced by code: if/then/else/fi etc
* Redirects take the form >/path/to/redirect/to (i.e. no space)
lib/misc/*:
* Changes to existing APIs used by lib/checks/* must be discussed
prior to implementation
* Such changes to the APIs used by lib/checks/* must be minimised
* New APIs can be freely added
* Code in here is meant to be ported to new platforms
* OS specific code should be minimised
* Don't read _ if there's a chance the data may be useful later
* Validate your input using lib/misc/validate
lib/checks/*:
* Code in here is meant to be portable, it should inherit new
capabilities by way of changes to lib/misc/*
* Avoid OS specific code, the APIs should fail sane

2
docs/TODO Normal file
@ -0,0 +1,2 @@
* Rewrite the filesystem caching (ATM it only gets generated on first run to reduce testing time)
* Add support for other OS

26
docs/TODO-v1 Normal file
@ -0,0 +1,26 @@
$Revision: 349 $
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
(c) Tim Brown, 2012
(c) pentestmonkey@pentestmonkey.net, 2008
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
[UPC001] WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can write to $O_FILE
[UPC002] WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can write to $O_FILE
[UPC003] WARNING: $O_MESSAGE_STACK World write is set for $O_FILE (but sticky bit set)
[UPC004] WARNING: $O_MESSAGE_STACK World write is set for $O_FILE
[UPC043] WARNING: fscaps shell script, may be vulnerable to race attacks

323418
files_cache.temp Normal file

File diff suppressed because it is too large
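Review bot: files_cache.temp, a 323418-line generated file, should not be part of the imported source; it is the filesystem cache that docs/TODO says "only gets generated on first run to reduce testing time", so a copy taken from the tester's host is a build artefact, and if the first run on another machine reuses an existing cache the checks will be reasoning about a filesystem that is not the one they are running on. Drop it from the tree (and add it to the ignore list) so the cache is always built locally.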

83
lib/checks/credentials Executable file
@ -0,0 +1,83 @@
#!/bin/sh
# $Revision: 255 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for read permissions on sensitive files
. lib/misc/file
. lib/misc/group
. lib/misc/stdio
credentials_init () {
stdio_message_log "credentials" "Starting at: `date`"
}
credentials_permissions () {
pattern="${1}"
file_show_non_symlink_perms " ${pattern}$" | while read filename permissions userid groupid
do
case "${permissions}" in
???????r??)
stdio_message_warn "credentials" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
;;
????r?????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "credentials" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
else
stdio_message_log "credentials" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
fi
;;
esac
done
}
credentials_main () {
# TODO we should expand this list
for pattern in "*passwd$" "*shadow$" "*password$" "*id_dsa*" "*id_rsa*" "*\.ssh/*" "*authorized_keys" "*rhosts" "*htaccess$" "*.subversion/auth/svn.simple/*"
do
file_list_by_filename "${pattern}" | while read filename
do
# exclude man pages and python/ruby/perl libraries
case "$(unknown)" in
*/man/*|/usr/lib*|/usr/share/doc/*|/usr/local/rvm/*|/usr/bin/*|/usr/sbin/*)
continue
;;
esac
if [ -h "$(unknown)" ]
then
linkedfilename="`file_show_symlinked_filename "$(unknown)"`"
if [ -n "${linkedfilename}" ]
then
#stdio_message_debug "credentials" "$(unknown) is a symlink to ${linkedfilename}"
credentials_permissions ${linkedfilename}
fi
else
credentials_permissions $(unknown)
fi
done
done
}
credentials_fini () {
stdio_message_log "credentials" "Ending at: `date`"
}
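Review bot: in credentials_permissions and credentials_main every reference to the current file is written as `$(unknown)`, a command substitution that runs a program called `unknown` (defined nowhere in this file) and expands to nothing, while the `filename` variable populated by `read filename permissions userid groupid` and by `read filename` is never used; each `$(unknown)` should be `"${filename}"`, otherwise the exclusion `case`, the `-h` symlink test and every reported path operate on an empty string. The calls `credentials_permissions ${linkedfilename}` and `credentials_permissions $(unknown)` are also unquoted, so a path containing whitespace is split into several arguments, contrary to the "Quote correctly" rule in docs/HACKING. Finally the pattern list mixes glob and regular-expression syntax (`"*passwd$"`, `"*\.ssh/*"`, `"*.subversion/auth/svn.simple/*"`, and `"*authorized_keys"` with no anchor at all); whatever file_list_by_filename expects, the `$` anchors and the unescaped `.` cannot all be correct at once, so settle on one syntax and anchor every entry the same way.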

56
lib/checks/devices_options Executable file
@ -0,0 +1,56 @@
#!/bin/sh
# $Revision: 337 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for weak options on devices files
. lib/misc/device
. lib/misc/file
. lib/misc/stdio
devices_options_init () {
stdio_message_log "devices_options" "Starting at: `date`"
}
devices_options_main () {
device_list_options | while read device options
do
if [ -n "`printf -- \"${options}\" | egrep -- \"user\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nouser\"`" ]
then
stdio_message_warn "devices_options" "device file ${device} can be mounted by users"
fi
if [ -n "`printf -- \"${options}\" | egrep -- \"dev\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nodev\"`" ]
then
stdio_message_debug "devices_options" "device file ${device} interprets block devices"
fi
if [ -n "`printf -- \"${options}\" | egrep -- \"suid\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nosuid\"`" ]
then
stdio_message_log "devices_options" "device file ${device} permits the execution of setuid and setgid executables"
fi
if [ -n "`printf -- \"${options}\" | egrep -- \"defaults\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nosuid\"`" ]
then
stdio_message_log "devices_options" "device file ${device} permits the execution of setuid and setgid executables"
fi
done
}
devices_options_fini () {
stdio_message_log "devices_options" "Ending at: `date`"
}
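Review bot: the third and fourth `if` blocks in devices_options_main emit the identical "permits the execution of setuid and setgid executables" message, so a device mounted with, say, `defaults,suid` is reported twice; fold them into a single test (`suid` or `defaults` present and `nosuid` absent). The severities are also inconsistent: a user-mountable device is a warn, a `dev`-capable mount is only debug and the setuid case only log, although the latter two are the ones that matter for a privilege-escalation review. Lastly, `printf -- "${options}"` passes the mount options as the format string; use `printf -- "%s" "${options}"` so a stray `%` in an options field cannot be interpreted.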

80
lib/checks/devices_permission Executable file
@ -0,0 +1,80 @@
#!/bin/sh
# $Revision: 336 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for world-readable and world-writable permissions on devices files
. lib/misc/device
. lib/misc/file
. lib/misc/stdio
devices_permission_init () {
stdio_message_log "devices_permission" "Starting at: `date`"
}
devices_permission_permissions () {
device="${1}"
mountpoint="`device_get_mountpoint \"${device}\"`"
if [ -n "${mountpoint}" ]
then
message="mounted to ${mountpoint}"
elif [ "`device_is_swap \"${device}\"`" -eq 1 ]
then
message="swap"
else
message="not mounted"
fi
file_show_non_symlink_perms " ${device}$" | while read filename permissions userid groupid
do
case "${permissions}" in
???????rw?)
stdio_message_warn "devices_permission" "device file $(unknown) (${message}) is owned by user ${userid} (group ${groupid}) and is world-readable and world-writable (${permissions})"
;;
????????w?)
stdio_message_warn "devices_permission" "device file $(unknown) (${message}) is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
;;
???????r??)
stdio_message_warn "devices_permission" "device file $(unknown) (${message}) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
;;
esac
done
}
devices_permission_main () {
device_list | while read device
do
if [ -h "${device}" ]
then
linkeddevice="`file_show_symlinked_filename \"${device}\"`"
if [ -z "${linkeddevice}" ]
then
continue
fi
#stdio_message_debug "devices_permission" "device file ${device} is a symbolic link to ${linkeddevice}"
devices_permission_permissions "${linkeddevice}"
else
devices_permission_permissions "${device}"
fi
done
}
devices_permission_fini () {
stdio_message_log "devices_permission" "Ending at: `date`"
}
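Review bot: every warning in this check (and in the other checks in this commit) prints `$(unknown)` where the path read into `filename` by `read filename permissions userid groupid` should appear, so the output names the mount point, owner and mode but never the device itself; if that is not a rendering artefact of this page, the messages need `${filename}`. Separately, the three `case` branches flag any world-readable or world-writable device node, so `/dev/null`, `/dev/zero`, `/dev/tty`, `/dev/urandom` and every pty will be reported on every run; an exclusion list for nodes that are world-writable by design, or limiting the `warn` to block devices (where read access discloses a mounted filesystem's contents regardless of file permissions, which is the point of the `mounted to` message), would keep the warnings actionable.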

@ -0,0 +1 @@
../../credentials

@ -0,0 +1 @@
../../gpg_agent

@ -0,0 +1 @@
../../group_writable

@ -0,0 +1 @@
../../history_readable

@ -0,0 +1 @@
../../homedirs_executable

@ -0,0 +1 @@
../../homedirs_writable

1 lib/checks/enabled/all/jar Symbolic link

@ -0,0 +1 @@
../../jar

@ -0,0 +1 @@
../../key_material

@ -0,0 +1 @@
../../passwd_hashes

@ -0,0 +1 @@
../../privileged_banned

@ -0,0 +1 @@
../../privileged_change_privileges

@ -0,0 +1 @@
../../privileged_chroot

@ -0,0 +1 @@
../../privileged_dependency

@ -0,0 +1 @@
../../privileged_nx

@ -0,0 +1 @@
../../privileged_path

@ -0,0 +1 @@
../../privileged_pie

@ -0,0 +1 @@
../../privileged_random

@ -0,0 +1 @@
../../privileged_relro

@ -0,0 +1 @@
../../privileged_rpath

@ -0,0 +1 @@
../../privileged_ssp

@ -0,0 +1 @@
../../privileged_tmp

@ -0,0 +1 @@
../../privileged_writable

@ -0,0 +1 @@
../../setgid

@ -0,0 +1 @@
../../setuid

@ -0,0 +1 @@
../../shadow_hashes

@ -0,0 +1 @@
../../ssh_agent

@ -0,0 +1 @@
../../ssh_key

@ -0,0 +1 @@
../../system_aslr

@ -0,0 +1 @@
../../system_configuration

@ -0,0 +1 @@
../../system_libraries

@ -0,0 +1 @@
../../system_mmap

@ -0,0 +1 @@
../../system_nx

@ -0,0 +1 @@
../../system_selinux

@ -0,0 +1 @@
../../world_writable

@ -0,0 +1 @@
../../credentials

@ -0,0 +1 @@
../../history_readable

@ -0,0 +1 @@
../../homedirs_executable

@ -0,0 +1 @@
../../key_material

@ -0,0 +1 @@
../../passwd_hashes

@ -0,0 +1 @@
../../privileged_change_privileges

@ -0,0 +1 @@
../../privileged_path

@ -0,0 +1 @@
../../privileged_rpath

@ -0,0 +1 @@
../../privileged_writable

@ -0,0 +1 @@
../../setgid

@ -0,0 +1 @@
../../setuid

@ -0,0 +1 @@
../../shadow_hashes

@ -0,0 +1 @@
../../ssh_key

@ -0,0 +1 @@
../../system_configuration

@ -0,0 +1 @@
../../world_writable

@ -0,0 +1 @@
../../privileged_banned

@ -0,0 +1 @@
../../privileged_change_privileges

@ -0,0 +1 @@
../../privileged_chroot

@ -0,0 +1 @@
../../privileged_dependency

@ -0,0 +1 @@
../../privileged_nx

@ -0,0 +1 @@
../../privileged_path

@ -0,0 +1 @@
../../privileged_pie

@ -0,0 +1 @@
../../privileged_random

@ -0,0 +1 @@
../../privileged_relro

@ -0,0 +1 @@
../../privileged_rpath

@ -0,0 +1 @@
../../privileged_ssp

@ -0,0 +1 @@
../../privileged_tmp

@ -0,0 +1 @@
../../privileged_writable

40 lib/checks/gpg_agent Executable file

@ -0,0 +1,40 @@
#!/bin/sh
# $Revision: 171 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if the gpg-agent is running
. lib/misc/stdio
. lib/misc/process
gpg_agent_init () {
stdio_message_log "gpg_agent" "Starting at: `date`"
}
gpg_agent_main () {
process_list "gpg-agent" | while read processid
do
stdio_message_warn "gpg_agent" "gpg-agent is running as `process_show_userid ${processid}` (`process_show_command ${processid}`)"
done
}
gpg_agent_fini () {
stdio_message_log "gpg_agent" "Ending at: `date`"
}
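Review bot: the `warn` fires for every `gpg-agent` process regardless of who owns it, so a user running the script is always warned about their own agent, which is not a finding. The interesting case for privilege escalation is an agent belonging to another user (whose socket may be reachable from this account), so compare the result of `process_show_userid` against the current user and emit `log` for the caller's own agent and `warn` only for other users' agents.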

50 lib/checks/group_writable Executable file

@ -0,0 +1,50 @@
#!/bin/sh
# $Revision: 254 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# List group-writable files
. lib/misc/file
. lib/misc/group
. lib/misc/stdio
group_writable_init () {
stdio_message_log "group_writable" "Starting at: `date`"
}
group_writable_main () {
file_show_non_symlink_perms "^.....w.... " | while read filename permissions userid groupid
do
case "${permissions}" in
?????w????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "group_writable" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
else
stdio_message_log "group_writable" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
fi
;;
esac
done
}
group_writable_fini () {
stdio_message_log "group_writable" "Ending: `date`"
}
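Review bot: `group_writable_fini` logs `Ending:` while every other check logs `Ending at:`, so anyone grepping the output for the end marker will miss this check; make it `Ending at:`. The pattern `^.....w.... ` already selects group-writable entries, so the inner `case ?????w????` can never fail (harmless, but redundant). Directories carrying the sticky bit are reported exactly like plain group-writable directories here, whereas `homedirs_writable` distinguishes them with `permission_is_world_writable_sticky_bit`; the two checks should treat that case the same way.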

62 lib/checks/history_readable Executable file

@ -0,0 +1,62 @@
#!/bin/sh
# $Revision: 283 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# List all .*_history files
. lib/misc/file
. lib/misc/group
. lib/misc/stdio
. lib/misc/user
history_readable_init () {
stdio_message_log "history_readable" "Starting at: `date`"
}
history_readable_main () {
file_show_non_symlink_perms " *\.*_history$" | while read filename permissions userid groupid
do
case "${permissions}" in
???????r??)
stdio_message_warn "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
;;
????r?????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
else
stdio_message_log "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
fi
;;
?r????????)
if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
then
stdio_message_log "history_readable" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
else
stdio_message_debug "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
fi
;;
esac
done
}
history_readable_fini () {
stdio_message_log "history_readable" "Ending at: `date`"
}
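Review bot: the pattern ` *\.*_history$` is weaker than it looks: ` *` matches zero or more spaces and `\.*` matches zero or more literal dots, so it reduces to `_history$` and matches any path ending in `_history`, dotfile or not. If the intent is the shell and database history dotfiles (`.bash_history`, `.sh_history`, `.mysql_history`, `.psql_history`), which is where cleartext passwords typed on a command line end up, use `/\.[^/]*_history$` so the match is anchored to a dotfile in the last path component.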

77 lib/checks/homedirs_executable Executable file

@ -0,0 +1,77 @@
#!/bin/sh
# $Revision: 287 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for readable and executable permissions on home directories
. lib/misc/file
. lib/misc/group
. lib/misc/passwd
. lib/misc/permission
. lib/misc/stdio
homedirs_executable_init () {
stdio_message_log "homedirs_executable" "Starting at: `date`"
}
homedirs_executable_main () {
passwd_list | while read username
do
if [ "${username}" = "+" ]
then
continue
fi
homedir="`passwd_show_homedir "${username}"`"
if [ -z "${homedir}" -o "${homedir}" = "/dev/null" ]
then
stdio_message_debug "homedirs_executable" "${username} has no home directory set"
continue
fi
file_show_non_symlink_perms " ${homedir}$" | while read filename permissions userid groupid
do
case "${permissions}" in
???????r?x)
stdio_message_warn "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable and world-executable (${permissions})"
;;
???????r??)
stdio_message_log "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable, you can list the files within only (${permissions})"
;;
????r?x???)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable and group-executable (${permissions})"
# TODO verify the case the owner, ${username}, is not within the group owner, ${groupid}
fi
;;
????r?????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_log "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable, you can list the files within only (${permissions})"
# TODO verify the case the owner, ${username}, is not within the group owner, ${groupid}
fi
;;
esac
done
done
}
homedirs_executable_fini () {
stdio_message_log "homedirs_executable" "Ending at: `date`"
}
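Review bot: the `case` covers `r?x` and `r??` for world and group but never the execute bit on its own, so a home directory with mode `drwx-----x` (or group `--x`) is not reported at all, even though execute-without-read still lets anyone traverse into it and open files with predictable names such as `.ssh/id_rsa`, `.bash_history` or `.netrc` if those are themselves readable. Add `?????????x` (warn) and `??????x???` (warn when `group_is_in_group_name`) branches. The two `TODO` comments point at the right gap: the `YOU` warnings are only meaningful when the group has members other than the owner, so the check should confirm `${username}` is not the sole member of `${groupid}` before warning.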

74 lib/checks/homedirs_writable Executable file

@ -0,0 +1,74 @@
#!/bin/sh
# $Revision: 284 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for writable permission on home directories
. lib/misc/file
. lib/misc/group
. lib/misc/passwd
. lib/misc/permission
. lib/misc/stdio
homedirs_writable_init () {
stdio_message_log "homedirs_writable" "Starting at: `date`"
}
homedirs_writable_main () {
passwd_list | while read username
do
if [ "${username}" = "+" ]
then
continue
fi
homedir="`passwd_show_homedir "${username}"`"
if [ -z "${homedir}" -o "${homedir}" = "/dev/null" ]
then
stdio_message_debug "homedirs_writable" "${username} has no home directory set"
continue
fi
file_show_non_symlink_perms " ${homedir}$" | while read filename permissions userid groupid
do
case "${permissions}" in
????????w?)
if [ "`permission_is_world_writable_sticky_bit \"${permissions}\"`" -eq 1 ]
then
stdio_message_log "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
else
stdio_message_warn "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
fi
;;
?????w????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
# TODO verify the case the owner, ${username}, is not within the group owner, ${groupid}
else
stdio_message_debug "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
fi
;;
esac
done
done
}
homedirs_writable_fini () {
stdio_message_log "homedirs_writable" "Ending at: `date`"
}
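Review bot: the sticky-bit branch downgrades a world-writable home directory from `warn` to `log`, but the sticky bit only prevents other users from deleting or renaming files they do not own; it does nothing to stop creating a file that is absent, and a home directory owned by someone else is exactly where a missing `.bash_profile`, `.profile` or `.bashrc` can be planted and will be sourced by the owner's next login shell. Keep this at `warn` (with the sticky-bit note appended to the message) rather than `log`. As in `homedirs_executable`, the `TODO` on group ownership is the real condition: the group-writable case is only interesting when the owner is not the only member of `${groupid}`.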

62 lib/checks/jar Executable file

@ -0,0 +1,62 @@
#!/bin/sh
# $Revision: 248 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# List all jar files
. lib/misc/file
. lib/misc/group
. lib/misc/stdio
. lib/misc/user
jar_init () {
stdio_message_log "jar" "Starting at: `date`"
}
jar_main () {
file_show_non_symlink_perms " *\.jar$" | while read filename permissions userid groupid
do
case "${permissions}" in
???????r??)
stdio_message_warn "jar" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
;;
????r?????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "jar" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
else
stdio_message_log "jar" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
fi
;;
?r????????)
if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
then
stdio_message_log "jar" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
else
stdio_message_debug "jar" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
fi
;;
esac
done
}
jar_fini () {
stdio_message_log "jar" "Ending at: `date`"
}
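Review bot: world-readable is the normal state for a jar (everything under `/usr/share/java` qualifies), so the `???????r??` branch will `warn` for every jar on a system with a JVM and adds little signal. The privilege-escalation question for a jar is whether the current user can write to it while a privileged process loads it, so `????????w?` and group-writable (`?????w????`, when `group_is_in_group_name`) branches are the ones that deserve `warn`, with readability dropped to `log`. The leading ` *` in ` *\.jar$` matches zero or more spaces and can go.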

73 lib/checks/key_material Executable file

@ -0,0 +1,73 @@
#!/bin/sh
# $Revision: 248 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# List potentially sensitive files
. lib/misc/file
. lib/misc/group
. lib/misc/stdio
. lib/misc/user
key_material_init () {
stdio_message_log "key_material" "Starting at: `date`"
}
key_material_main () {
# TODO we should expand this list
for pattern in "*\.crt" "*\.cer" "*\.pem" "*\.p12" "*\.keystore" "*\.key"
do
file_show_non_symlink_perms " ${pattern}$" | while read filename permissions userid groupid
do
# exclude Firefox certificates
case "$(unknown)" in
/usr/share/ca-certificates/mozilla/*)
continue
;;
esac
case "${permissions}" in
???????r??)
stdio_message_warn "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
;;
????r?????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
else
stdio_message_log "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
fi
;;
?r????????)
if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
then
stdio_message_log "key_material" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
else
stdio_message_debug "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
fi
;;
esac
done
done
}
key_material_fini () {
stdio_message_log "key_material" "Ending at: `date`"
}
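Review bot: `.crt`, `.cer` and most `.pem` files are public certificates that are world-readable by design, so excluding only `/usr/share/ca-certificates/mozilla/*` leaves `/etc/ssl/certs` and every application's CA bundle reported as a `warn`. Restrict the world-readable `warn` to the private-key extensions in the list (`.key`, `.p12`, `.keystore`) and log the certificate extensions, or grep the file for `PRIVATE KEY` before warning; a `.pem` that contains a private key is the finding, a `.pem` that holds a chain is not. For the `TODO`, `.pfx` and `.jks` are the obvious additions.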

40 lib/checks/ldap_authentication Executable file

@ -0,0 +1,40 @@
#!/bin/sh
# $Revision: 342 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if LDAP is used for authentication
. lib/misc/ldap
. lib/misc/stdio
ldap_authentication_init () {
stdio_message_log "ldap_authentication" "Starting at: `date`"
}
ldap_authentication_main () {
if [ "`ldap_authentication_in_use`" -eq 1 ]
then
stdio_message_log "ldap_authentication" "LDAP is used for authentication"
fi
}
ldap_authentication_fini () {
stdio_message_log "ldap_authentication" "Ending at: `date`"
}

40 lib/checks/nis_authentication Executable file

@ -0,0 +1,40 @@
#!/bin/sh
# $Revision: 342 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if NIS is used for authentication
. lib/misc/nis
. lib/misc/stdio
nis_authentication_init () {
stdio_message_log "nis_authentication" "Starting at: `date`"
}
nis_authentication_main () {
if [ "`nis_authentication_in_use`" -eq 1 ]
then
stdio_message_log "nis_authentication" "NIS is used for authentication"
fi
}
nis_authentication_fini () {
stdio_message_log "nis_authentication" "Ending at: `date`"
}

54 lib/checks/passwd_hashes Executable file

@ -0,0 +1,54 @@
#!/bin/sh
# $Revision: 317 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# List users with no password set or password in /etc/passwd
. lib/misc/stdio
. lib/misc/passwd
passwd_hashes_init () {
stdio_message_log "passwd_hashes" "Starting at: `date`"
}
passwd_hashes_main () {
passwd_list | while read username
do
if [ "${username}" = "+" ]
then
stdio_message_warn "passwd_hashes" "/etc/passwd allows external authentication"
else
hash="`passwd_show_hash "${username}"`"
if [ "${hash}" != "x" -a "${hash}" != "\!" -a "${hash}" != "*" ]
then
if [ -z "${hash}" ]
then
stdio_message_warn "passwd_hashes" "${username} has no password set"
else
stdio_message_warn "passwd_hashes" "/etc/passwd contains password hash for ${username} (${hash})"
fi
fi
fi
done
}
passwd_hashes_fini () {
stdio_message_log "passwd_hashes" "Ending at: `date`"
}
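Review bot: in POSIX `sh` a backslash inside double quotes is only special before `$`, `` ` ``, `"`, `\` and newline, so `"\!"` is the two characters `\!` and the test `"${hash}" != "\!"` never matches a locked account whose field is a single `!`; such accounts are reported as `/etc/passwd contains password hash for <user> (!)`. Compare against `!`, or better, treat any field beginning with `!` or `*` as locked (which also covers `!!`, `!*` and Solaris-style `*LK*`), so the `warn` is reserved for empty fields and real hashes.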

@ -0,0 +1,62 @@
#!/bin/sh
# $Revision: 348 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check permissions of PostgreSQL configuration file pg_hba.conf
. lib/misc/file
. lib/misc/group
. lib/misc/stdio
. lib/misc/user
postgresql_configuration_init () {
stdio_message_log "postgresql_configuration" "Starting at: `date`"
}
postgresql_configuration_main () {
file_show_perms "/pg_hba.conf$" | while read filename permissions userid groupid
do
case "${permissions}" in
???????r??)
stdio_message_warn "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
;;
????r?????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
else
stdio_message_log "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
fi
;;
?r????????)
if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
then
stdio_message_log "postgresql_configuration" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
else
stdio_message_debug "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
fi
;;
esac
done
}
postgresql_configuration_fini () {
stdio_message_log "postgresql_configuration" "Ending at: `date`"
}
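Review bot: `pg_hba.conf` holds access rules, not secrets, so a world-readable copy is a configuration disclosure rather than a credential leak and `log` would be a fairer level than `warn`; the exploitable content (a `trust` line) is what `postgresql_trust` extracts from the same file. Both checks locate it with `file_show_perms "/pg_hba.conf$"`, so the lookup belongs in `lib/misc/postgresql`, which `postgresql_connection` already sources.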

@ -0,0 +1,56 @@
#!/bin/sh
# $Revision: 348 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Verify PostgreSQL trust relationships by connecting to localhost with
# common usernames and no password
. lib/misc/file
. lib/misc/postgresql
. lib/misc/stdio
postgresql_connection_init () {
stdio_message_log "postgresql_connection" "Starting at: `date`"
}
postgresql_connection_main () {
file_show_perms "/postgresql.conf$" | while read filename permissions userid groupid
do
if [ "`file_is_readable_file \"$(unknown)\"`" -eq 1 ]
then
egrep "^port = " "$(unknown)" | while read _ _ port _
do
dbusers="psql pgsql postgres postgresql root admin"
printf -- "${dbusers}" | tr " " "\n" | while read dbuser
do
if [ "`postgresql_check_no_password \"${port}\" \"${dbuser}\"`" -eq 1 ]
then
stdio_message_warn "postgresql_connection" "User ${dbuser} can connect to PostgreSQL instance on port ${port}/tcp with no password"
break
fi
done
done
fi
done
}
postgresql_connection_fini () {
stdio_message_log "postgresql_connection" "Ending at: `date`"
}
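Review bot: `egrep "^port = "` only matches an uncommented, space-padded `port = N` line; on a stock `postgresql.conf` the port is commonly left as the commented default `#port = 5432`, in which case no port is found and no connection is attempted at all. Fall back to 5432 when the grep yields nothing and accept `port=5432` without spaces. The header comment should also say that this check is active: every `postgresql_check_no_password` call is a real login attempt and leaves an authentication failure in the server log for each name in `dbusers`, which matters on an engagement where the client watches database logs.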

61 lib/checks/postgresql_trust Executable file

@ -0,0 +1,61 @@
#!/bin/sh
# $Revision: 348 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check PostgreSQL trust relationships
. lib/misc/file
. lib/misc/stdio
postgresql_trust_init () {
stdio_message_log "postgresql_trust" "Starting at: `date`"
}
postgresql_trust_main () {
file_show_perms "/pg_hba.conf$" | while read filename permissions userid groupid
do
if [ "`file_is_readable_file \"$(unknown)\"`" -eq 1 ]
then
egrep -v "^#" "$(unknown)" | egrep -v "^[ \t]*$" | while read authtype database user address method
do
if [ "${method}" = "trust" ]
then
if [ "${user}" = "all" ]
then
usermsg="all users"
else
usermsg="user ${user}"
fi
if [ "${database}" = "all" ]
then
dbmsg="all databases"
else
dbmsg="database ${database}"
fi
stdio_message_warn "postgresql_trust" "PostgreSQL trust is configured in $(unknown) for ${usermsg} to ${dbmsg} from address ${address}"
fi
done
fi
done
}
postgresql_trust_fini () {
stdio_message_log "postgresql_trust" "Ending at: `date`"
}
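Review bot: `read authtype database user address method` assumes five columns, but `local` lines have no address column (`local   all   all   trust`), so for them `address` receives `trust` and `method` is empty, and trust over the Unix socket, the case most relevant to a local privilege-escalation check, is never reported. A `host` line written with a separate netmask column (`host all all 127.0.0.1 255.255.255.255 trust`) likewise pushes `trust` into a sixth field that is never examined. Branch on `${authtype}` (read four fields for `local`) and test whether any of the remaining fields equals `trust`, or read the rest of the line into one variable and match on it.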

49 lib/checks/privileged_arguments Executable file

@ -0,0 +1,49 @@
#!/bin/sh
# $Revision: 335 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if textual privileged files (like bash scripts) accept user-provided
# arguments
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_arguments_init () {
stdio_message_log "privileged_arguments" "Starting at: `date`"
}
privileged_arguments_main () {
privileged_list | while read filetype filename usergroupid
do
# skip non textual files
if [ "`file_is_textual \"$(unknown)\"`" -ne 1 ]
then
continue
elif [ "`binary_matches_string_grep \"$(unknown)\" \"\$[\{]*[[:digit:]][\}]*\"`" -eq 1 ]
then
stdio_message_warn "privileged_arguments" "${filetype} $(unknown) (${usergroupid}) accepts arguments, verify that it does not use them unsafely"
fi
done
}
privileged_arguments_fini () {
stdio_message_log "privileged_arguments" "Ending at: `date`"
}
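Review bot: the pattern `\$[\{]*[[:digit:]][\}]*` also matches `$0`, which most scripts reference for their own name, so nearly every privileged script will be reported as accepting arguments; use `[1-9]` and add `\$[@*#]` (and `shift`) so that `"$@"`, `$*` and `$#` are caught as well. `file_is_textual` is called here but `lib/misc/file` is not sourced, unlike in the other checks; it only works if `lib/misc/binary` happens to pull it in.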

46 lib/checks/privileged_banned Executable file

@ -0,0 +1,46 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files call banned (and potentially dangerous) functions
# Based on Microsoft's banned API list as parsed by ../../tools/generate_banned.sh
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_banned_init () {
stdio_message_log "privileged_banned" "Starting at: `date`"
}
privileged_banned_main () {
privileged_list | while read filetype filename usergroupid
do
banned_apis="`binary_banned_api "$(unknown)" "alloca|gets|memcpy|scanf|sprintf|sscanf|strcat|StrCat|strcpy|StrCpy|strlen|StrLen|strncat|StrNCat|strncpy|StrNCpy|strtok|swprintf|vsnprintf|vsprintf|vswprintf|wcscat|wcscpy|wcslen|wcsncat|wcsncpy|wcstok|wmemcpy"`"
if [ -n "${banned_apis}" ]
then
stdio_message_warn "privileged_banned" "${filetype} $(unknown) (${usergroupid}) and uses banned APIs ($banned_apis)"
fi
done
}
privileged_banned_fini () {
stdio_message_log "privileged_banned" "Ending at: `date`"
}
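Review bot: the warning in `privileged_banned_main` reads `... (${usergroupid}) and uses banned APIs (...)`; the `and` is a leftover fragment (compare `accepts arguments` in `privileged_arguments_main`) and should be dropped so the line reads as a sentence. The pattern also lists `strlen`, `memcpy` and `strncpy`, which nearly every C binary imports, so on a real host this will WARN for almost every entry from `privileged_list` and bury the genuinely interesting hits (`gets`, `strcpy`, `sprintf`); consider reporting the low-signal names with `stdio_message_log` and reserving `stdio_message_warn` for the unbounded-copy functions, the same warn/log split `privileged_relro_main` uses. There is also no `file_is_textual` skip, so set-id shell scripts are handed to `binary_banned_api` as well.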

@ -0,0 +1,47 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files drop their privileges
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_change_privileges_init () {
stdio_message_log "privileged_change_privileges" "Starting at: `date`"
}
privileged_change_privileges_main () {
privileged_list | while read filetype filename usergroupid
do
# TODO this needs cleaning up
match="`binary_matches_function "$(unknown)" "setuid|setgid|seteuid|setegid|setresuid|setresgid|setreuid|setregid|initgroups|setgroups|setcap|setfsuid|setfsgid"`"
if [ $match -ne 1 ]
then
stdio_message_warn "privileged_change_privileges" "${filetype} $(unknown) (${usergroupid}) and does not attempt to change privileges"
fi
done
}
privileged_change_privileges_fini () {
stdio_message_log "privileged_change_privileges" "Ending at: `date`"
}
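Review bot: `if [ $match -ne 1 ]` in `privileged_change_privileges_main` leaves `$match` unquoted; if `binary_matches_function` prints nothing (for a textual file, or a path it cannot read) the test becomes `[ -ne 1 ]`, `test` reports a syntax error and the branch is skipped silently. Quote it as the sibling checks do: `if [ "${match}" -ne 1 ]`. The `# TODO this needs cleaning up` marker should be resolved or point at a tracked item before merge, and the message `... (${usergroupid}) and does not attempt to change privileges` carries the same stray `and` as the other new checks. Worth a comment too: absence of every symbol in that list is a heuristic, since a set-id program that only re-executes another binary may legitimately contain none of them, so the message is more accurate as "no privilege-dropping call found" than as a statement about what the program attempts.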

lib/checks/privileged_chroot Executable file
@ -0,0 +1,49 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files calling chroot() function call also chdir() function
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_chroot_init () {
stdio_message_log "privileged_chroot" "Starting at: `date`"
}
privileged_chroot_main () {
privileged_list | while read filetype filename usergroupid
do
match="`binary_matches_function "$(unknown)" "chroot"`"
if [ $match -eq 1 ]
then
if [ "`binary_matches_function "$(unknown)" "chdir"`" -ne 1 ]
then
stdio_message_warn "privileged_chroot" "${filetype} $(unknown) (${usergroupid}) and may use chroot() unsafely - no chdir() call"
fi
fi
done
}
privileged_chroot_fini () {
stdio_message_log "privileged_chroot" "Ending at: `date`"
}
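Review bot: `if [ $match -eq 1 ]` in `privileged_chroot_main` has the same unquoted-variable problem that the inner test two lines later avoids by quoting the `binary_matches_function ... "chdir"` result: an empty result yields `[ -eq 1 ]` and a `test` error. Write `if [ "${match}" -eq 1 ]`. Also, finding a `chdir` symbol anywhere in the binary says nothing about whether `chdir("/")` is actually called after `chroot()`; the `may use chroot() unsafely` wording correctly hedges the positive case, but a binary that has the symbol and still calls `chdir` before `chroot` passes silently, and that limitation deserves a comment in the header so a clean run is not read as a clean bill.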

lib/checks/privileged_dependency Executable file
@ -0,0 +1,161 @@
#!/bin/sh
# $Revision: 312 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for write permissions over privileged files and processes'
# linked libraries
. lib/misc/file
. lib/misc/group
. lib/misc/linker
. lib/misc/permission
. lib/misc/privileged
. lib/misc/stdio
. lib/misc/user
privileged_dependency_init () {
stdio_message_log "privileged_dependency" "Starting: `date`"
}
privileged_dependency_traverse () {
pattern="${1}"
privfilename="${2}"
filetype="${3}"
library="${4}"
pathtype="${5}"
file_parent_traverse "${pattern}" | while read filename
do
# /etc/ld.so.conf.d/ files can contain files which we are not interested here, only directories
if [ ! -d "$(unknown)" ]
then
continue
fi
file_show_non_symlink_perms " $(unknown)$" | while read filepath permissions userid groupid
do
#stdio_message_debug "privileged_dependency" "Checking permissions of ${pathtype} ${filepath} ($permissions) for privileged file ${filetype} is ${privfilename} and library is ${library}"
case "${permissions}" in
????????w?)
if [ "`permission_is_world_writable_sticky_bit \"${permissions}\"`" -eq 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
else
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
fi
;;
?????w????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
else
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
fi
;;
??w???????)
if [ "`user_is_user_root \"${userid}\"`" -ne 1 -a "`user_show_user_name`" = "${userid}" ]
then
stdio_message_debug "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (YOU) (group ${groupid}), non-root user (${permissions})"
elif [ "`user_is_user_root \"${userid}\"`" -ne 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}), non-root user (${permissions})"
fi
;;
esac
done
done
}
privileged_dependency_permissions () {
library="${1}"
privfilename="${2}"
filetype="${3}"
file_show_non_symlink_perms " ${library}$" | while read filename permissions userid groupid
do
#stdio_message_debug "privileged_dependency" "Checking permissions for privileged file ${filetype} ${privfilename}'s library $(unknown) ($permissions)"
case "${permissions}" in
????????w?)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
else
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
fi
;;
?????w????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
else
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
fi
;;
??w???????)
if [ "`user_is_user_root \"${userid}\"`" -ne 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}), non-root user (${permissions})"
fi
;;
esac
done
}
privileged_dependency_main () {
privileged_list | while read filetype filename usergroupid
do
#stdio_message_debug "privileged_dependency" "Processing privileged file ${filetype} $(unknown)"
linker_list_dependencies "$(unknown)" | while read library
do
#stdio_message_debug "privileged_dependency" "Processing privileged file ${filetype} $(unknown)'s library ${library}"
# when the library needed by the program does not exist, ldd returns "not found" - i.e. " libname.so.2 => not found", however the following if condition is cautious and checks both if the file exist and if the ldd output returned "not found" (hence the linker library returned the library relative path (relativelibrary))
if [ ! -e "${library}" -o -n "`printf -- \"${library}\" | grep -v \"^/\"`" ]
then
case "${library}" in
# if the library is a absolute file path, we check for write permissions on its parent directories
/*)
#stdio_message_debug "privileged_dependency" "Library ${library} does not exist, traversing parent paths"
privileged_dependency_traverse "${library}" "$(unknown)" "${filetype}" "${library}" "parent path"
;;
# if the library is a relative file path, we check for write permissions on all system libraries file paths
*)
#stdio_message_debug "privileged_dependency" "Library ${library} does not exist, traversing system library paths"
linker_list_system_filenames | while read filepath
do
privileged_dependency_traverse "${filepath}" "$(unknown)" "${filetype}" "${library}" "system library path"
done
;;
esac
continue
elif [ -h "${library}" ]
then
linkedlibrary="`file_show_symlinked_filename "${library}"`"
if [ -n "${linkedlibrary}" ]
then
#stdio_message_debug "privileged_dependency" "Privileged file ${filetype} $(unknown) depends on library ${library}, a symlink to ${linkedlibrary}"
privileged_dependency_permissions "${linkedlibrary}" "$(unknown)" "${filetype}"
fi
else
privileged_dependency_permissions "${library}" "$(unknown)" "${filetype}"
fi
done
done
}
privileged_dependency_fini () {
stdio_message_log "privileged_dependency" "Ending: `date`"
}
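Review bot: the `????????w?)` branch of `privileged_dependency_permissions` decides between `world-writable with sticky bit` and plain `world-writable` by calling `group_is_in_group_name "${groupid}"`, which has nothing to do with the sticky bit; this is a copy-paste of the group-writable branch that follows it, and it downgrades a world-writable library to a log line whenever the current user happens to be in the owning group. `privileged_dependency_traverse` handles the same case correctly with `permission_is_world_writable_sticky_bit "${permissions}"`, so use that call here. Two smaller points in `privileged_dependency_main`: `printf -- "${library}" | grep -v "^/"` passes the library path as printf's format string, so a `%` in a path is interpreted (use `printf -- '%s' "${library}"`, or rely on the `case "${library}" in /*)` test that already follows); and `file_show_non_symlink_perms " ${library}$"` uses the path as an unescaped pattern, so the dots in a name like `libc.so.6` match any character.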

@ -0,0 +1,49 @@
#!/bin/sh
# $Revision: 334 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if textual privileged files (like bash scripts) use environment
# variables
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_environment_variables_init () {
stdio_message_log "privileged_environment_variables" "Starting at: `date`"
}
privileged_environment_variables_main () {
privileged_list | while read filetype filename usergroupid
do
# skip non textual files
if [ "`file_is_textual \"$(unknown)\"`" -ne 1 ]
then
continue
elif [ "`binary_matches_string_grep \"$(unknown)\" \"\$[{,},a-z,A-Z,_,-]*\"`" -eq 1 ]
then
stdio_message_warn "privileged_environment_variables" "${filetype} $(unknown) (${usergroupid}) uses environment variables, verify that it does not use them unsafely"
fi
done
}
privileged_environment_variables_fini () {
stdio_message_log "privileged_environment_variables" "Ending at: `date`"
}
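Review bot: the pattern `\$[{,},a-z,A-Z,_,-]*` in `privileged_environment_variables_main` does not do what the header comment promises. Inside a bracket expression the commas are literal characters rather than separators, and the trailing `*` permits zero repetitions, so the pattern reduces to "any `$`": every script containing `$1`, `$(...)`, `$?` or `$$` is reported as using environment variables, which makes this check a duplicate of `privileged_arguments` rather than a complement to it. Something like `\$[{]*[A-Za-z_][A-Za-z0-9_]*[}]*` (a name that starts with a letter or underscore and has at least one character) is closer to the intent and still catches `$HOME` and `${PATH}`. As in the arguments check, `file_is_textual` is used without sourcing `lib/misc/file`.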

lib/checks/privileged_nx Executable file
@ -0,0 +1,44 @@
#!/bin/sh
# $Revision: 352 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for NX (NoExecute) support
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_nx_init () {
stdio_message_log "privileged_nx" "Starting at: `date`"
}
privileged_nx_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_nx \"$(unknown)\"`" -ne 1 ]
then
stdio_message_warn "privileged_nx" "${filetype} $(unknown) (${usergroupid}) is not compiled with NX (NoExecute)"
fi
done
}
privileged_nx_fini () {
stdio_message_log "privileged_nx" "Ending at: `date`"
}
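Review bot: `privileged_nx_main` runs `binary_nx` on every entry from `privileged_list` with no `file_is_textual` guard, unlike `privileged_arguments_main`; if `binary_nx` reports `0` for a non-ELF input, every set-id shell script is warned about as `not compiled with NX`, which is meaningless for a script (the relevant property there belongs to the interpreter's build). Add the same skip, or have the message distinguish "not an ELF object" from "executable stack".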

lib/checks/privileged_path Executable file
@ -0,0 +1,45 @@
#!/bin/sh
# $Revision: 328 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files set PATH variable
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_path_init () {
stdio_message_log "privileged_path" "Starting at: `date`"
}
privileged_path_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_matches_string \"$(unknown)\" \"PATH=\"`" -eq 1 ]
then
stdio_message_warn "privileged_path" "${filetype} $(unknown) (${usergroupid}) sets PATH environment variable, verify that it does not set it unsafely"
fi
done
}
privileged_path_fini () {
stdio_message_log "privileged_path" "Ending at: `date`"
}
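Review bot: `binary_matches_string ... "PATH="` in `privileged_path_main` is a substring match, so `LD_LIBRARY_PATH=`, `MANPATH=`, `CDPATH=` and `PYTHONPATH=` all trigger the `sets PATH environment variable` warning, while a C program that calls `setenv("PATH", ...)` contains no `PATH=` literal and is missed. If the `binary_matches_string_grep` helper used by the other checks accepts an extended regex, `(^|[^A-Za-z_])PATH=` would remove the false positives; the `setenv` gap at least deserves a comment in the header.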

lib/checks/privileged_pie Executable file
@ -0,0 +1,45 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for PIE (ASLR-compliant executable) support
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_pie_init () {
stdio_message_log "privileged_pie" "Starting at: `date`"
}
privileged_pie_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_pie "$(unknown)"`" -ne 1 ]
then
stdio_message_warn "privileged_pie" "${filetype} $(unknown) (${usergroupid}) and is not compiled with PIE (Position Independent Executable)"
fi
done
}
privileged_pie_fini () {
stdio_message_log "privileged_pie" "Ending at: `date`"
}
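Review bot: the message in `privileged_pie_main` reads `... (${usergroupid}) and is not compiled with PIE (Position Independent Executable)`; the `and` is a leftover fragment (compare `is not compiled with NX` in `privileged_nx_main`) and should go. As with the NX check, nothing skips textual files before `binary_pie` is called, so set-id scripts will be reported as non-PIE if `binary_pie` returns `0` for non-ELF input.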

lib/checks/privileged_random Executable file
@ -0,0 +1,44 @@
#!/bin/sh
# $Revision: 262 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files call random functions
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_random_init () {
stdio_message_log "privileged_random" "Starting at: `date`"
}
privileged_random_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_matches_function "$(unknown)" "random|srand"`" -eq 1 ]
then
stdio_message_warn "privileged_random" "${filetype} $(unknown) (${usergroupid}) and uses random()/srand()"
fi
done
}
privileged_random_fini () {
stdio_message_log "privileged_random" "Ending at: `date`"
}
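Review bot: the pattern `random|srand` in `privileged_random_main` is an unanchored alternation, so `random` also matches `srandom`, `random_r` and, notably, `arc4random`, the function a hardened program should prefer, which is then warned about as if it were the weak PRNG; meanwhile a program that calls plain `rand()` without ever seeding is not reported, because `rand` alone is not in the pattern. If `binary_matches_function` accepts an extended regex, a word-anchored `(^|[^A-Za-z0-9_])s?rand(om)?(_r)?($|[^A-Za-z0-9_])` covers the libc family without catching `arc4random`. The message `and uses random()/srand()` has the same stray `and` as the other new checks.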

lib/checks/privileged_relro Executable file
@ -0,0 +1,47 @@
#!/bin/sh
# $Revision: 268 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for RELRO support
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_relro_init () {
stdio_message_log "privileged_relro" "Starting at: `date`"
}
privileged_relro_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_relro "$(unknown)"`" -ne 1 ]
then
stdio_message_warn "privileged_relro" "${filetype} $(unknown) (${usergroupid}) and is not compiled with RELRO"
elif [ "`binary_relro_full "$(unknown)"`" -ne 1 ]
then
stdio_message_log "privileged_relro" "${filetype} $(unknown) (${usergroupid}) and is compiled with partial RELRO"
fi
done
}
privileged_relro_fini () {
stdio_message_log "privileged_relro" "Ending at: `date`"
}
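Review bot: both messages in `privileged_relro_main` carry the stray `and` (`... (${usergroupid}) and is not compiled with RELRO`, `... and is compiled with partial RELRO`) seen across these new checks; drop it so the output greps cleanly as sentences. The two-step logic itself is sound: `binary_relro -ne 1` warns, and only when RELRO is present does `binary_relro_full` downgrade to a log line for partial RELRO, which is exactly the warn/log split the banned-API check would benefit from. The missing textual-file skip noted for the NX and PIE checks applies here too.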
