Imported Upstream version 1.4~svn361

This commit is contained in:
Devon Kearns
2012-12-20 15:42:13 -07:00
commit a75bafe602
147 changed files with 331854 additions and 0 deletions

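--- a/lib/checks/credentials
+++ b/lib/checks/credentials
@@ -0,0 +1,83 @@
+#!/bin/sh
+# $Revision: 255 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check for read permissions on sensitive files
+. lib/misc/file
+. lib/misc/group
+. lib/misc/stdio
+credentials_init () {
+stdio_message_log "credentials" "Starting at: `date`"
+}
+credentials_permissions () {
+pattern="${1}"
+file_show_non_symlink_perms " ${pattern}$" | while read filename permissions userid groupid
+do
+case "${permissions}" in
+???????r??)
+stdio_message_warn "credentials" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
+;;
+????r?????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "credentials" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
+else
+stdio_message_log "credentials" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
+fi
+;;
+esac
+done
+}
+credentials_main () {
+# TODO we should expand this list
+for pattern in "*passwd$" "*shadow$" "*password$" "*id_dsa*" "*id_rsa*" "*\.ssh/*" "*authorized_keys" "*rhosts" "*htaccess$" "*.subversion/auth/svn.simple/*"
+do
+file_list_by_filename "${pattern}" | while read filename
+do
+# exclude man pages and python/ruby/perl libraries
+case "$(unknown)" in
+*/man/*|/usr/lib*|/usr/share/doc/*|/usr/local/rvm/*|/usr/bin/*|/usr/sbin/*)
+continue
+;;
+esac
+if [ -h "$(unknown)" ]
+then
+linkedfilename="`file_show_symlinked_filename "$(unknown)"`"
+if [ -n "${linkedfilename}" ]
+then
+#stdio_message_debug "credentials" "$(unknown) is a symlink to ${linkedfilename}"
+credentials_permissions ${linkedfilename}
+fi
+else
+credentials_permissions $(unknown)
+fi
+done
+done
+}
+credentials_fini () {
+stdio_message_log "credentials" "Ending at: `date`"
+}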
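Review bot: In credentials_main the two calls `credentials_permissions ${linkedfilename}` and the non-symlink call two lines below pass the path unquoted, so a filename containing whitespace is word-split and only its first word reaches `pattern="${1}"`, silently skipping the file; devices_permission_main quotes the equivalent calls, so `credentials_permissions "${linkedfilename}"` (and the same for the other call) is the consistent fix. The path is then interpolated unescaped into the ` ${pattern}$` regex, so regex metacharacters in a filename change what is matched. Separately, every `while read ...` in this file and in devices_options, devices_permission, group_writable, history_readable, homedirs_executable, homedirs_writable, jar, key_material, passwd_hashes and the postgresql checks lacks `-r`, so a backslash in a path or username is consumed by read; `while read -r filename permissions userid groupid` is the portable form.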

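--- a/lib/checks/devices_options
+++ b/lib/checks/devices_options
@@ -0,0 +1,56 @@
+#!/bin/sh
+# $Revision: 337 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check for weak options on devices files
+. lib/misc/device
+. lib/misc/file
+. lib/misc/stdio
+devices_options_init () {
+stdio_message_log "devices_options" "Starting at: `date`"
+}
+devices_options_main () {
+device_list_options | while read device options
+do
+if [ -n "`printf -- \"${options}\" | egrep -- \"user\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nouser\"`" ]
+then
+stdio_message_warn "devices_options" "device file ${device} can be mounted by users"
+fi
+if [ -n "`printf -- \"${options}\" | egrep -- \"dev\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nodev\"`" ]
+then
+stdio_message_debug "devices_options" "device file ${device} interprets block devices"
+fi
+if [ -n "`printf -- \"${options}\" | egrep -- \"suid\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nosuid\"`" ]
+then
+stdio_message_log "devices_options" "device file ${device} permits the execution of setuid and setgid executables"
+fi
+if [ -n "`printf -- \"${options}\" | egrep -- \"defaults\"`" -a -z "`printf -- \"${options}\" | egrep -- \"nosuid\"`" ]
+then
+stdio_message_log "devices_options" "device file ${device} permits the execution of setuid and setgid executables"
+fi
+done
+}
+devices_options_fini () {
+stdio_message_log "devices_options" "Ending at: `date`"
+}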
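Review bot: Each test in devices_options_main uses the mount options as the printf format string, `printf -- "${options}"`, so a `%` in that field is interpreted as a conversion instead of being echoed; `printf '%s' "${options}"` is the safe form and the options are only ever piped to egrep here. The last block (`defaults` without `nosuid`) emits exactly the same message as the `suid` block before it, so an entry carrying both `defaults` and `suid` is reported twice; either fold the `defaults` condition into the earlier test with `egrep -- "suid|defaults"` or give this arm a message naming `defaults`. The `-a` inside `[ ]` is the deprecated form; `[ -n ... ] && [ -z ... ]` is portable.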

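--- a/lib/checks/devices_permission
+++ b/lib/checks/devices_permission
@@ -0,0 +1,80 @@
+#!/bin/sh
+# $Revision: 336 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check for world-readable and world-writable permissions on devices files
+. lib/misc/device
+. lib/misc/file
+. lib/misc/stdio
+devices_permission_init () {
+stdio_message_log "devices_permission" "Starting at: `date`"
+}
+devices_permission_permissions () {
+device="${1}"
+mountpoint="`device_get_mountpoint \"${device}\"`"
+if [ -n "${mountpoint}" ]
+then
+message="mounted to ${mountpoint}"
+elif [ "`device_is_swap \"${device}\"`" -eq 1 ]
+then
+message="swap"
+else
+message="not mounted"
+fi
+file_show_non_symlink_perms " ${device}$" | while read filename permissions userid groupid
+do
+case "${permissions}" in
+???????rw?)
+stdio_message_warn "devices_permission" "device file $(unknown) (${message}) is owned by user ${userid} (group ${groupid}) and is world-readable and world-writable (${permissions})"
+;;
+????????w?)
+stdio_message_warn "devices_permission" "device file $(unknown) (${message}) is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
+;;
+???????r??)
+stdio_message_warn "devices_permission" "device file $(unknown) (${message}) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
+;;
+esac
+done
+}
+devices_permission_main () {
+device_list | while read device
+do
+if [ -h "${device}" ]
+then
+linkeddevice="`file_show_symlinked_filename \"${device}\"`"
+if [ -z "${linkeddevice}" ]
+then
+continue
+fi
+#stdio_message_debug "devices_permission" "device file ${device} is a symbolic link to ${linkeddevice}"
+devices_permission_permissions "${linkeddevice}"
+else
+devices_permission_permissions "${device}"
+fi
+done
+}
+devices_permission_fini () {
+stdio_message_log "devices_permission" "Ending at: `date`"
+}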
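Review bot: devices_permission_main hands `linkeddevice` straight to devices_permission_permissions, which uses it both as the device_get_mountpoint argument and as the tail of the ` ${device}$` regex; if file_show_symlinked_filename returns the link target as stored (a relative path such as `../../sda1`, which is what /dev/disk/by-* links hold), neither lookup will match and the device is skipped without any message. The helper is not on this page, so confirm it canonicalises the target; if it does not, resolve it in devices_permission_main before the call, and add a debug message in the `[ -z "${linkeddevice}" ]` branch rather than a bare `continue` so dangling links are visible in the log. Note also that `device`, `mountpoint` and `message` are plain globals in POSIX sh, which is fine today only because the function is not called from inside another loop that uses the same names.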


@ -0,0 +1 @@
../../credentials


@ -0,0 +1 @@
../../gpg_agent


@ -0,0 +1 @@
../../group_writable


@ -0,0 +1 @@
../../history_readable


@ -0,0 +1 @@
../../homedirs_executable


@ -0,0 +1 @@
../../homedirs_writable

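--- a/lib/checks/enabled/all/jar
+++ b/lib/checks/enabled/all/jar
@@ -0,0 +1 @@
+../../jar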


@ -0,0 +1 @@
../../key_material


@ -0,0 +1 @@
../../passwd_hashes


@ -0,0 +1 @@
../../privileged_banned


@ -0,0 +1 @@
../../privileged_change_privileges


@ -0,0 +1 @@
../../privileged_chroot


@ -0,0 +1 @@
../../privileged_dependency


@ -0,0 +1 @@
../../privileged_nx


@ -0,0 +1 @@
../../privileged_path


@ -0,0 +1 @@
../../privileged_pie


@ -0,0 +1 @@
../../privileged_random


@ -0,0 +1 @@
../../privileged_relro


@ -0,0 +1 @@
../../privileged_rpath


@ -0,0 +1 @@
../../privileged_ssp


@ -0,0 +1 @@
../../privileged_tmp


@ -0,0 +1 @@
../../privileged_writable


@ -0,0 +1 @@
../../setgid


@ -0,0 +1 @@
../../setuid


@ -0,0 +1 @@
../../shadow_hashes


@ -0,0 +1 @@
../../ssh_agent


@ -0,0 +1 @@
../../ssh_key


@ -0,0 +1 @@
../../system_aslr


@ -0,0 +1 @@
../../system_configuration


@ -0,0 +1 @@
../../system_libraries


@ -0,0 +1 @@
../../system_mmap


@ -0,0 +1 @@
../../system_nx


@ -0,0 +1 @@
../../system_selinux


@ -0,0 +1 @@
../../world_writable


@ -0,0 +1 @@
../../credentials


@ -0,0 +1 @@
../../history_readable


@ -0,0 +1 @@
../../homedirs_executable


@ -0,0 +1 @@
../../key_material


@ -0,0 +1 @@
../../passwd_hashes


@ -0,0 +1 @@
../../privileged_change_privileges


@ -0,0 +1 @@
../../privileged_path


@ -0,0 +1 @@
../../privileged_rpath


@ -0,0 +1 @@
../../privileged_writable


@ -0,0 +1 @@
../../setgid


@ -0,0 +1 @@
../../setuid


@ -0,0 +1 @@
../../shadow_hashes


@ -0,0 +1 @@
../../ssh_key


@ -0,0 +1 @@
../../system_configuration


@ -0,0 +1 @@
../../world_writable


@ -0,0 +1 @@
../../privileged_banned


@ -0,0 +1 @@
../../privileged_change_privileges


@ -0,0 +1 @@
../../privileged_chroot


@ -0,0 +1 @@
../../privileged_dependency


@ -0,0 +1 @@
../../privileged_nx


@ -0,0 +1 @@
../../privileged_path


@ -0,0 +1 @@
../../privileged_pie


@ -0,0 +1 @@
../../privileged_random


@ -0,0 +1 @@
../../privileged_relro


@ -0,0 +1 @@
../../privileged_rpath


@ -0,0 +1 @@
../../privileged_ssp


@ -0,0 +1 @@
../../privileged_tmp


@ -0,0 +1 @@
../../privileged_writable

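--- a/lib/checks/gpg_agent
+++ b/lib/checks/gpg_agent
@@ -0,0 +1,40 @@
+#!/bin/sh
+# $Revision: 171 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check if the gpg-agent is running
+. lib/misc/stdio
+. lib/misc/process
+gpg_agent_init () {
+stdio_message_log "gpg_agent" "Starting at: `date`"
+}
+gpg_agent_main () {
+process_list "gpg-agent" | while read processid
+do
+stdio_message_warn "gpg_agent" "gpg-agent is running as `process_show_userid ${processid}` (`process_show_command ${processid}`)"
+done
+}
+gpg_agent_fini () {
+stdio_message_log "gpg_agent" "Ending at: `date`"
+}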

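--- a/lib/checks/group_writable
+++ b/lib/checks/group_writable
@@ -0,0 +1,50 @@
+#!/bin/sh
+# $Revision: 254 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List group-writable files
+. lib/misc/file
+. lib/misc/group
+. lib/misc/stdio
+group_writable_init () {
+stdio_message_log "group_writable" "Starting at: `date`"
+}
+group_writable_main () {
+file_show_non_symlink_perms "^.....w.... " | while read filename permissions userid groupid
+do
+case "${permissions}" in
+?????w????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "group_writable" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
+else
+stdio_message_log "group_writable" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
+fi
+;;
+esac
+done
+}
+group_writable_fini () {
+stdio_message_log "group_writable" "Ending: `date`"
+}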
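Review bot: group_writable_fini logs `"Ending: `date`"` while every other check in this commit logs `"Ending at: `date`"`, which breaks any consumer that keys on the common suffix; change the string to `Ending at:`. The `^.....w.... ` pre-filter passed to file_show_non_symlink_perms and the `?????w????` case arm test the same bit, so the case statement is redundant here; that is harmless, but a comment such as `# the regex already selects group-writable entries; the case keeps the layout parallel with credentials` would save the next reader the question.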

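--- a/lib/checks/history_readable
+++ b/lib/checks/history_readable
@@ -0,0 +1,62 @@
+#!/bin/sh
+# $Revision: 283 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List all .*_history files
+. lib/misc/file
+. lib/misc/group
+. lib/misc/stdio
+. lib/misc/user
+history_readable_init () {
+stdio_message_log "history_readable" "Starting at: `date`"
+}
+history_readable_main () {
+file_show_non_symlink_perms " *\.*_history$" | while read filename permissions userid groupid
+do
+case "${permissions}" in
+???????r??)
+stdio_message_warn "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
+;;
+????r?????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
+else
+stdio_message_log "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
+fi
+;;
+?r????????)
+if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
+then
+stdio_message_log "history_readable" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
+else
+stdio_message_debug "history_readable" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
+fi
+;;
+esac
+done
+}
+history_readable_fini () {
+stdio_message_log "history_readable" "Ending at: `date`"
+}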
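Review bot: The pattern ` *\.*_history$` handed to file_show_non_symlink_perms reads like a glob but is used as a regex (the sibling checks pass regexes with `$` anchors), and as a regex `\.*` means "zero or more literal dots", so it matches any path ending in `_history` with or without the leading dot and regardless of directory, while ` *` only absorbs spaces. If the intent is the dotfiles named in the header comment (`.bash_history`, `.mysql_history` and so on), ` /\.[^/]*_history$` expresses it and excludes unrelated files such as a `foo_history` log. The same ` *\.` idiom appears in jar (` *\.jar$`) where it happens to be harmless because nothing follows the dot that the star could swallow.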

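--- a/lib/checks/homedirs_executable
+++ b/lib/checks/homedirs_executable
@@ -0,0 +1,77 @@
+#!/bin/sh
+# $Revision: 287 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check for readable and executable permissions on home directories
+. lib/misc/file
+. lib/misc/group
+. lib/misc/passwd
+. lib/misc/permission
+. lib/misc/stdio
+homedirs_executable_init () {
+stdio_message_log "homedirs_executable" "Starting at: `date`"
+}
+homedirs_executable_main () {
+passwd_list | while read username
+do
+if [ "${username}" = "+" ]
+then
+continue
+fi
+homedir="`passwd_show_homedir "${username}"`"
+if [ -z "${homedir}" -o "${homedir}" = "/dev/null" ]
+then
+stdio_message_debug "homedirs_executable" "${username} has no home directory set"
+continue
+fi
+file_show_non_symlink_perms " ${homedir}$" | while read filename permissions userid groupid
+do
+case "${permissions}" in
+???????r?x)
+stdio_message_warn "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable and world-executable (${permissions})"
+;;
+???????r??)
+stdio_message_log "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable, you can list the files within only (${permissions})"
+;;
+????r?x???)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable and group-executable (${permissions})"
+# TODO verify the case the owner, ${username}, is not within the group owner, ${groupid}
+fi
+;;
+????r?????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_log "homedirs_executable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable, you can list the files within only (${permissions})"
+# TODO verify the case the owner, ${username}, is not within the group owner, ${groupid}
+fi
+;;
+esac
+done
+done
+}
+homedirs_executable_fini () {
+stdio_message_log "homedirs_executable" "Ending at: `date`"
+}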
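Review bot: The case in homedirs_executable_main has arms for `???????r?x` and `???????r??` but none for a home directory that is world-executable without being world-readable (mode 0711 and friends), even though the header comment says the check covers executable permission; that mode still lets other users reach files inside by name, which is the traversal case a hardening review usually wants listed. If that is in scope, an arm such as `???????-?x)` logging "world-executable, files within are reachable by name but cannot be listed" closes the gap without changing the existing arms. The homedir test uses the deprecated `-o` inside `[ ]`; `[ -z "${homedir}" ] || [ "${homedir}" = "/dev/null" ]` is the portable spelling, and the same line appears in homedirs_writable. The `homedir` value is also interpolated unescaped into the ` ${homedir}$` regex, so a regex metacharacter in a passwd home field would change the match.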

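--- a/lib/checks/homedirs_writable
+++ b/lib/checks/homedirs_writable
@@ -0,0 +1,74 @@
+#!/bin/sh
+# $Revision: 284 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check for writable permission on home directories
+. lib/misc/file
+. lib/misc/group
+. lib/misc/passwd
+. lib/misc/permission
+. lib/misc/stdio
+homedirs_writable_init () {
+stdio_message_log "homedirs_writable" "Starting at: `date`"
+}
+homedirs_writable_main () {
+passwd_list | while read username
+do
+if [ "${username}" = "+" ]
+then
+continue
+fi
+homedir="`passwd_show_homedir "${username}"`"
+if [ -z "${homedir}" -o "${homedir}" = "/dev/null" ]
+then
+stdio_message_debug "homedirs_writable" "${username} has no home directory set"
+continue
+fi
+file_show_non_symlink_perms " ${homedir}$" | while read filename permissions userid groupid
+do
+case "${permissions}" in
+????????w?)
+if [ "`permission_is_world_writable_sticky_bit \"${permissions}\"`" -eq 1 ]
+then
+stdio_message_log "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
+else
+stdio_message_warn "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
+fi
+;;
+?????w????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
+# TODO verify the case the owner, ${username}, is not within the group owner, ${groupid}
+else
+stdio_message_debug "homedirs_writable" "${username} home directory $(unknown) is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
+fi
+;;
+esac
+done
+done
+}
+homedirs_writable_fini () {
+stdio_message_log "homedirs_writable" "Ending at: `date`"
+}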
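Review bot: The group-writable arm reports a directory whose group you are not in at `stdio_message_debug`, whereas credentials and group_writable report the identical condition at `stdio_message_log`; a group-writable home directory is still a finding for whoever audits the host, so `stdio_message_log` keeps the severity consistent across checks. The `TODO verify the case the owner ... is not within the group owner` comment is the same open question as in homedirs_executable; if it is not going to be resolved in this import, a short note saying the group arm may over-report when the owner is the only member would help readers of the output.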

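--- a/lib/checks/jar
+++ b/lib/checks/jar
@@ -0,0 +1,62 @@
+#!/bin/sh
+# $Revision: 248 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List all jar files
+. lib/misc/file
+. lib/misc/group
+. lib/misc/stdio
+. lib/misc/user
+jar_init () {
+stdio_message_log "jar" "Starting at: `date`"
+}
+jar_main () {
+file_show_non_symlink_perms " *\.jar$" | while read filename permissions userid groupid
+do
+case "${permissions}" in
+???????r??)
+stdio_message_warn "jar" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
+;;
+????r?????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "jar" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
+else
+stdio_message_log "jar" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
+fi
+;;
+?r????????)
+if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
+then
+stdio_message_log "jar" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
+else
+stdio_message_debug "jar" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
+fi
+;;
+esac
+done
+}
+jar_fini () {
+stdio_message_log "jar" "Ending at: `date`"
+}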
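Review bot: jar_main warns on every world-readable `.jar`, but system jars (everything under /usr/share/java and vendor JDK libraries) are world-readable by design, so on a typical host this arm produces a warn per installed library and buries anything interesting. The permission that matters for a jar on a privileged classpath is write access by users other than the owner, which no arm here reports; adding `????????w?)` and `?????w????)` arms at warn level and lowering the readable arms to `stdio_message_log` would match how the other checks grade their findings. If the readable warn is deliberate (for application jars that embed credentials), a comment above the case saying so would stop the next reviewer raising this again.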

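--- a/lib/checks/key_material
+++ b/lib/checks/key_material
@@ -0,0 +1,73 @@
+#!/bin/sh
+# $Revision: 248 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List potentially sensitive files
+. lib/misc/file
+. lib/misc/group
+. lib/misc/stdio
+. lib/misc/user
+key_material_init () {
+stdio_message_log "key_material" "Starting at: `date`"
+}
+key_material_main () {
+# TODO we should expand this list
+for pattern in "*\.crt" "*\.cer" "*\.pem" "*\.p12" "*\.keystore" "*\.key"
+do
+file_show_non_symlink_perms " ${pattern}$" | while read filename permissions userid groupid
+do
+# exclude Firefox certificates
+case "$(unknown)" in
+/usr/share/ca-certificates/mozilla/*)
+continue
+;;
+esac
+case "${permissions}" in
+???????r??)
+stdio_message_warn "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
+;;
+????r?????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
+else
+stdio_message_log "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
+fi
+;;
+?r????????)
+if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
+then
+stdio_message_log "key_material" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
+else
+stdio_message_debug "key_material" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
+fi
+;;
+esac
+done
+done
+}
+key_material_fini () {
+stdio_message_log "key_material" "Ending at: `date`"
+}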
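Review bot: The `*\.crt`, `*\.cer` and most `*\.pem` matches in key_material_main are public certificates, which are world-readable on purpose, yet they share the same warn-level arm as `*\.key`, `*\.p12` and `*\.keystore`; only the Mozilla bundle is excluded, so the distribution's other CA stores (the `/etc/ssl/certs` tree, for example) will each raise a warn that carries no risk. Splitting the loop so that the certificate extensions log at `stdio_message_log` and only the key-bearing extensions keep `stdio_message_warn` would make the output actionable; `.pem` is ambiguous and is the one case where the content, not the name, decides. The exclusion case also tests the path with a glob while the file pattern is a regex, which is fine here but worth a one-line comment since the two syntaxes sit three lines apart.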

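--- a/lib/checks/ldap_authentication
+++ b/lib/checks/ldap_authentication
@@ -0,0 +1,40 @@
+#!/bin/sh
+# $Revision: 342 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check if LDAP is used for authentication
+. lib/misc/ldap
+. lib/misc/stdio
+ldap_authentication_init () {
+stdio_message_log "ldap_authentication" "Starting at: `date`"
+}
+ldap_authentication_main () {
+if [ "`ldap_authentication_in_use`" -eq 1 ]
+then
+stdio_message_log "ldap_authentication" "LDAP is used for authentication"
+fi
+}
+ldap_authentication_fini () {
+stdio_message_log "ldap_authentication" "Ending at: `date`"
+}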

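--- a/lib/checks/nis_authentication
+++ b/lib/checks/nis_authentication
@@ -0,0 +1,40 @@
+#!/bin/sh
+# $Revision: 342 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check if NIS is used for authentication
+. lib/misc/nis
+. lib/misc/stdio
+nis_authentication_init () {
+stdio_message_log "nis_authentication" "Starting at: `date`"
+}
+nis_authentication_main () {
+if [ "`nis_authentication_in_use`" -eq 1 ]
+then
+stdio_message_log "nis_authentication" "NIS is used for authentication"
+fi
+}
+nis_authentication_fini () {
+stdio_message_log "nis_authentication" "Ending at: `date`"
+}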

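--- a/lib/checks/passwd_hashes
+++ b/lib/checks/passwd_hashes
@@ -0,0 +1,54 @@
+#!/bin/sh
+# $Revision: 317 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List users with no password set or password in /etc/passwd
+. lib/misc/stdio
+. lib/misc/passwd
+passwd_hashes_init () {
+stdio_message_log "passwd_hashes" "Starting at: `date`"
+}
+passwd_hashes_main () {
+passwd_list | while read username
+do
+if [ "${username}" = "+" ]
+then
+stdio_message_warn "passwd_hashes" "/etc/passwd allows external authentication"
+else
+hash="`passwd_show_hash "${username}"`"
+if [ "${hash}" != "x" -a "${hash}" != "\!" -a "${hash}" != "*" ]
+then
+if [ -z "${hash}" ]
+then
+stdio_message_warn "passwd_hashes" "${username} has no password set"
+else
+stdio_message_warn "passwd_hashes" "/etc/passwd contains password hash for ${username} (${hash})"
+fi
+fi
+fi
+done
+}
+passwd_hashes_fini () {
+stdio_message_log "passwd_hashes" "Ending at: `date`"
+}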
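Review bot: The comparison `"${hash}" != "\!"` in passwd_hashes_main never matches a locked account, because inside double quotes in sh a backslash is only removed before `$`, backquote, `"`, `\` or newline, so the literal being compared is the two-character string `\!`; a password field of `!` therefore falls through to the else branch and is reported as "/etc/passwd contains password hash for ... (!)". Write the test as `if [ "${hash}" != "x" ] && [ "${hash}" != "!" ] && [ "${hash}" != "*" ]`, which also drops the deprecated `-a`; `!!`, the other common locked marker, is worth excluding in the same expression. The shadow-style field is read from passwd_show_hash, which is not on this page, so confirm it returns the raw field rather than a normalised value before relying on these literals.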


@ -0,0 +1,62 @@
#!/bin/sh
# $Revision: 348 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check permissions of PostgreSQL configuration file pg_hba.conf
. lib/misc/file
. lib/misc/group
. lib/misc/stdio
. lib/misc/user
postgresql_configuration_init () {
stdio_message_log "postgresql_configuration" "Starting at: `date`"
}
postgresql_configuration_main () {
file_show_perms "/pg_hba.conf$" | while read filename permissions userid groupid
do
case "${permissions}" in
???????r??)
stdio_message_warn "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
;;
????r?????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
else
stdio_message_log "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
fi
;;
?r????????)
if [ "`user_is_user_name \"${userid}\"`" -eq 1 ]
then
stdio_message_log "postgresql_configuration" "$(unknown) is owned by user ${userid} (YOU) (group ${groupid}) (${permissions})"
else
stdio_message_debug "postgresql_configuration" "$(unknown) is owned by user ${userid} (group ${groupid}) (${permissions})"
fi
;;
esac
done
}
postgresql_configuration_fini () {
stdio_message_log "postgresql_configuration" "Ending at: `date`"
}
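Review bot: postgresql_configuration_main calls `file_show_perms "/pg_hba.conf$"`, while the other permission checks in this commit call `file_show_non_symlink_perms`; if file_show_perms emits the permissions of the link itself for a symlinked pg_hba.conf (Debian-style layouts keep it under /etc/postgresql and some sites link to it), the `lrwxrwxrwx` string hits the `???????r??` arm and a spurious world-readable warn is raised for the link rather than the file. The helper is not on this page, so either confirm it resolves symlinks or switch to `file_show_non_symlink_perms` for consistency with credentials, jar and key_material, and note in the header comment which of the two was intended.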


@ -0,0 +1,56 @@
#!/bin/sh
# $Revision: 348 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Verify PostgreSQL trust relationships by connecting to localhost with
# common usernames and no password
. lib/misc/file
. lib/misc/postgresql
. lib/misc/stdio
postgresql_connection_init () {
stdio_message_log "postgresql_connection" "Starting at: `date`"
}
postgresql_connection_main () {
file_show_perms "/postgresql.conf$" | while read filename permissions userid groupid
do
if [ "`file_is_readable_file \"$(unknown)\"`" -eq 1 ]
then
egrep "^port = " "$(unknown)" | while read _ _ port _
do
dbusers="psql pgsql postgres postgresql root admin"
printf -- "${dbusers}" | tr " " "\n" | while read dbuser
do
if [ "`postgresql_check_no_password \"${port}\" \"${dbuser}\"`" -eq 1 ]
then
stdio_message_warn "postgresql_connection" "User ${dbuser} can connect to PostgreSQL instance on port ${port}/tcp with no password"
break
fi
done
done
fi
done
}
postgresql_connection_fini () {
stdio_message_log "postgresql_connection" "Ending at: `date`"
}
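Review bot: The port discovery on the `egrep "^port = "` line finds nothing on a typical install, because the shipped postgresql.conf usually leaves the setting commented out (`#port = 5432`) and the pattern also rejects `port=5432` or tab-separated forms, so the trust test is silently skipped for exactly the default case. Fall back to the default port when no uncommented line matches, e.g. replace the egrep with `port="$(egrep '^[[:space:]]*port[[:space:]]*=' "${filename}" | sed 's/.*=[[:space:]]*//; s/[[:space:]#].*//')"` followed by `port="${port:-5432}"`, and loop over the user list once. Note also that this check performs live login attempts against the instance, which will show up in the server log; stating that in the header comment spares the operator running the audit a surprise.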

61
lib/checks/postgresql_trust Executable file

@ -0,0 +1,61 @@
#!/bin/sh
# $Revision: 348 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check PostgreSQL trust relationships
. lib/misc/file
. lib/misc/stdio
postgresql_trust_init () {
stdio_message_log "postgresql_trust" "Starting at: `date`"
}
postgresql_trust_main () {
file_show_perms "/pg_hba.conf$" | while read filename permissions userid groupid
do
if [ "`file_is_readable_file \"$(unknown)\"`" -eq 1 ]
then
egrep -v "^#" "$(unknown)" | egrep -v "^[ \t]*$" | while read authtype database user address method
do
if [ "${method}" = "trust" ]
then
if [ "${user}" = "all" ]
then
usermsg="all users"
else
usermsg="user ${user}"
fi
if [ "${database}" = "all" ]
then
dbmsg="all databases"
else
dbmsg="database ${database}"
fi
stdio_message_warn "postgresql_trust" "PostgreSQL trust is configured in $(unknown) for ${usermsg} to ${dbmsg} from address ${address}"
fi
done
fi
done
}
postgresql_trust_fini () {
stdio_message_log "postgresql_trust" "Ending at: `date`"
}
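Review bot: The `read authtype database user address method` split misreads two common pg_hba.conf forms: `local` lines have no address column, so `local all all trust` lands `trust` in `address` and leaves `method` empty, and `host` lines may carry a separate netmask (`host all all 127.0.0.1 255.255.255.255 trust`), which puts the mask in `method`. Both are exactly the trust entries this check exists to find, so the most common passwordless-socket configuration is never reported. After the read, shift the fields for the socket case, e.g. `if [ "${authtype}" = "local" ]; then method="${address}"; address="local socket"; fi`, and take the last field as the method when six fields are present. Also `egrep -v "^#"` keeps comments that start with leading whitespace; `egrep -v '^[[:space:]]*#'` is safer.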

49
lib/checks/privileged_arguments Executable file

@ -0,0 +1,49 @@
#!/bin/sh
# $Revision: 335 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if textual privileged files (like bash scripts) accept user-provided
# arguments
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_arguments_init () {
stdio_message_log "privileged_arguments" "Starting at: `date`"
}
privileged_arguments_main () {
privileged_list | while read filetype filename usergroupid
do
# skip non textual files
if [ "`file_is_textual \"$(unknown)\"`" -ne 1 ]
then
continue
elif [ "`binary_matches_string_grep \"$(unknown)\" \"\$[\{]*[[:digit:]][\}]*\"`" -eq 1 ]
then
stdio_message_warn "privileged_arguments" "${filetype} $(unknown) (${usergroupid}) accepts arguments, verify that it does not use them unsafely"
fi
done
}
privileged_arguments_fini () {
stdio_message_log "privileged_arguments" "Ending at: `date`"
}
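Review bot: The grep pattern on the `binary_matches_string_grep` line uses `[[:digit:]]`, which includes `0`, so any script that prints its own name via `$0` in a usage message is reported as accepting arguments, while scripts that consume `$@` or `$*` without numbered parameters are not reported at all. A pattern such as `\$[{]*([1-9][0-9]*|[@*])[}]*`, adjusted to the helper's regex dialect, removes the `$0` false positive and catches the whole-argument forms. `file_is_textual` is called here but only lib/misc/stdio, privileged and binary are sourced; unless one of those defines it, add `. lib/misc/file` as the sibling permission checks do.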

46
lib/checks/privileged_banned Executable file

@ -0,0 +1,46 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files call banned (and potentially dangerous) functions
# Based on Microsoft's banned API list as parsed by ../../tools/generate_banned.sh
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_banned_init () {
stdio_message_log "privileged_banned" "Starting at: `date`"
}
privileged_banned_main () {
privileged_list | while read filetype filename usergroupid
do
banned_apis="`binary_banned_api "$(unknown)" "alloca|gets|memcpy|scanf|sprintf|sscanf|strcat|StrCat|strcpy|StrCpy|strlen|StrLen|strncat|StrNCat|strncpy|StrNCpy|strtok|swprintf|vsnprintf|vsprintf|vswprintf|wcscat|wcscpy|wcslen|wcsncat|wcsncpy|wcstok|wmemcpy"`"
if [ -n "${banned_apis}" ]
then
stdio_message_warn "privileged_banned" "${filetype} $(unknown) (${usergroupid}) and uses banned APIs ($banned_apis)"
fi
done
}
privileged_banned_fini () {
stdio_message_log "privileged_banned" "Ending at: `date`"
}
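Review bot: Whether the alternation `alloca|gets|memcpy|...` is matched against whole symbol names depends on `binary_banned_api`, which is not visible here; if it is an unanchored regex, `gets` also matches the safe `fgets` and unrelated symbols such as `getsockopt`, and `scanf` matches `fscanf`, so the banned list is padded with false positives on almost every binary. Either have the helper compare exact names or anchor the pattern, e.g. `(^|[^A-Za-z0-9_])(alloca|gets|...)($|[^A-Za-z0-9_])`. Two wording points: the message `... (${usergroupid}) and uses banned APIs` has a dangling `and`, and `$banned_apis` is the only unbraced expansion in the file; `${banned_apis}` matches the rest.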


@ -0,0 +1,47 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files drop their privileges
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_change_privileges_init () {
stdio_message_log "privileged_change_privileges" "Starting at: `date`"
}
privileged_change_privileges_main () {
privileged_list | while read filetype filename usergroupid
do
# TODO this needs cleaning up
match="`binary_matches_function "$(unknown)" "setuid|setgid|seteuid|setegid|setresuid|setresgid|setreuid|setregid|initgroups|setgroups|setcap|setfsuid|setfsgid"`"
if [ $match -ne 1 ]
then
stdio_message_warn "privileged_change_privileges" "${filetype} $(unknown) (${usergroupid}) and does not attempt to change privileges"
fi
done
}
privileged_change_privileges_fini () {
stdio_message_log "privileged_change_privileges" "Ending at: `date`"
}
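Review bot: `if [ $match -ne 1 ]` is unquoted, so when `binary_matches_function` prints nothing (a non-ELF file or a failed helper) the test collapses to `[ -ne 1 ]`, `test` reports a usage error, and the warning is skipped for the file that most needs inspection; write `if [ "${match}" -ne 1 ]` as the sibling checks do. Separately, textual privileged files appear to reach this loop too (privileged_arguments filters them with `file_is_textual`, this check does not), and a shell script never carries a `setuid`/`setgid` symbol, so every privileged script would be reported as not dropping privileges; skip non-binaries or note the limitation in the header comment. Symbol presence also only shows that a call exists, not that it happens before untrusted work, which the warning text could say.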

49
lib/checks/privileged_chroot Executable file

@ -0,0 +1,49 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files calling chroot() function call also chdir() function
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_chroot_init () {
stdio_message_log "privileged_chroot" "Starting at: `date`"
}
privileged_chroot_main () {
privileged_list | while read filetype filename usergroupid
do
match="`binary_matches_function "$(unknown)" "chroot"`"
if [ $match -eq 1 ]
then
if [ "`binary_matches_function "$(unknown)" "chdir"`" -ne 1 ]
then
stdio_message_warn "privileged_chroot" "${filetype} $(unknown) (${usergroupid}) and may use chroot() unsafely - no chdir() call"
fi
fi
done
}
privileged_chroot_fini () {
stdio_message_log "privileged_chroot" "Ending at: `date`"
}
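Review bot: `if [ $match -eq 1 ]` is the same unquoted test as in privileged_change_privileges: an empty helper result yields `[ -eq 1 ]`, a `test` usage error, and the file is silently passed; quote it, `if [ "${match}" -eq 1 ]`, matching the inner `chdir` test two lines below. That inner test only proves a `chdir` symbol exists somewhere in the binary; the classic escape needs `chdir("/")` after `chroot()`, so the finding is a prompt to inspect call order, which the message could state: `... may use chroot() unsafely - no chdir() symbol found, verify chdir() follows chroot()`.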

161
lib/checks/privileged_dependency Executable file

@ -0,0 +1,161 @@
#!/bin/sh
# $Revision: 312 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for write permissions over privileged files and processes'
# linked libraries
. lib/misc/file
. lib/misc/group
. lib/misc/linker
. lib/misc/permission
. lib/misc/privileged
. lib/misc/stdio
. lib/misc/user
privileged_dependency_init () {
stdio_message_log "privileged_dependency" "Starting: `date`"
}
privileged_dependency_traverse () {
pattern="${1}"
privfilename="${2}"
filetype="${3}"
library="${4}"
pathtype="${5}"
file_parent_traverse "${pattern}" | while read filename
do
# /etc/ld.so.conf.d/ files can contain files which we are not interested here, only directories
if [ ! -d "$(unknown)" ]
then
continue
fi
file_show_non_symlink_perms " $(unknown)$" | while read filepath permissions userid groupid
do
#stdio_message_debug "privileged_dependency" "Checking permissions of ${pathtype} ${filepath} ($permissions) for privileged file ${filetype} is ${privfilename} and library is ${library}"
case "${permissions}" in
????????w?)
if [ "`permission_is_world_writable_sticky_bit \"${permissions}\"`" -eq 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
else
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
fi
;;
?????w????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
else
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
fi
;;
??w???????)
if [ "`user_is_user_root \"${userid}\"`" -ne 1 -a "`user_show_user_name`" = "${userid}" ]
then
stdio_message_debug "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (YOU) (group ${groupid}), non-root user (${permissions})"
elif [ "`user_is_user_root \"${userid}\"`" -ne 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on ${library} - ${pathtype} ${filepath} is owned by user ${userid} (group ${groupid}), non-root user (${permissions})"
fi
;;
esac
done
done
}
privileged_dependency_permissions () {
library="${1}"
privfilename="${2}"
filetype="${3}"
file_show_non_symlink_perms " ${library}$" | while read filename permissions userid groupid
do
#stdio_message_debug "privileged_dependency" "Checking permissions for privileged file ${filetype} ${privfilename}'s library $(unknown) ($permissions)"
case "${permissions}" in
????????w?)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
else
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
fi
;;
?????w????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
else
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
fi
;;
??w???????)
if [ "`user_is_user_root \"${userid}\"`" -ne 1 ]
then
stdio_message_log "privileged_dependency" "${filetype} ${privfilename} depends on $(unknown), this is owned by user ${userid} (group ${groupid}), non-root user (${permissions})"
fi
;;
esac
done
}
privileged_dependency_main () {
privileged_list | while read filetype filename usergroupid
do
#stdio_message_debug "privileged_dependency" "Processing privileged file ${filetype} $(unknown)"
linker_list_dependencies "$(unknown)" | while read library
do
#stdio_message_debug "privileged_dependency" "Processing privileged file ${filetype} $(unknown)'s library ${library}"
# when the library needed by the program does not exist, ldd returns "not found" - i.e. " libname.so.2 => not found", however the following if condition is cautious and checks both if the file exist and if the ldd output returned "not found" (hence the linker library returned the library relative path (relativelibrary))
if [ ! -e "${library}" -o -n "`printf -- \"${library}\" | grep -v \"^/\"`" ]
then
case "${library}" in
# if the library is a absolute file path, we check for write permissions on its parent directories
/*)
#stdio_message_debug "privileged_dependency" "Library ${library} does not exist, traversing parent paths"
privileged_dependency_traverse "${library}" "$(unknown)" "${filetype}" "${library}" "parent path"
;;
# if the library is a relative file path, we check for write permissions on all system libraries file paths
*)
#stdio_message_debug "privileged_dependency" "Library ${library} does not exist, traversing system library paths"
linker_list_system_filenames | while read filepath
do
privileged_dependency_traverse "${filepath}" "$(unknown)" "${filetype}" "${library}" "system library path"
done
;;
esac
continue
elif [ -h "${library}" ]
then
linkedlibrary="`file_show_symlinked_filename "${library}"`"
if [ -n "${linkedlibrary}" ]
then
#stdio_message_debug "privileged_dependency" "Privileged file ${filetype} $(unknown) depends on library ${library}, a symlink to ${linkedlibrary}"
privileged_dependency_permissions "${linkedlibrary}" "$(unknown)" "${filetype}"
fi
else
privileged_dependency_permissions "${library}" "$(unknown)" "${filetype}"
fi
done
done
}
privileged_dependency_fini () {
stdio_message_log "privileged_dependency" "Ending: `date`"
}
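Review bot: In `privileged_dependency_permissions` the world-writable branch (`????????w?)`) tests `group_is_in_group_name` where `privileged_dependency_traverse` tests `permission_is_world_writable_sticky_bit`, so a world-writable library whose group the auditor belongs to is logged as "world-writable with sticky bit" at log level instead of being warned about. This function is only reached for regular library files (directories go through the traverse path), where the sticky bit does not restrict writes, so the branch can simply `stdio_message_warn` unconditionally, or at least use the same `permission_is_world_writable_sticky_bit` call as traverse. Two smaller points: `printf -- "${library}" | grep -v "^/"` passes the library name as the printf format, which `printf -- '%s' "${library}"` (or a `case "${library}" in /*)` test) avoids, and the comment at the not-found check says `linker_list_dependencies` relies on `ldd`, which can execute code from the inspected binary; a header note that the tool should not be pointed at untrusted binaries from a privileged account would be prudent.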


@ -0,0 +1,49 @@
#!/bin/sh
# $Revision: 334 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if textual privileged files (like bash scripts) use environment
# variables
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_environment_variables_init () {
stdio_message_log "privileged_environment_variables" "Starting at: `date`"
}
privileged_environment_variables_main () {
privileged_list | while read filetype filename usergroupid
do
# skip non textual files
if [ "`file_is_textual \"$(unknown)\"`" -ne 1 ]
then
continue
elif [ "`binary_matches_string_grep \"$(unknown)\" \"\$[{,},a-z,A-Z,_,-]*\"`" -eq 1 ]
then
stdio_message_warn "privileged_environment_variables" "${filetype} $(unknown) (${usergroupid}) uses environment variables, verify that it does not use them unsafely"
fi
done
}
privileged_environment_variables_fini () {
stdio_message_log "privileged_environment_variables" "Ending at: `date`"
}
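Review bot: The bracket expression in `\$[{,},a-z,A-Z,_,-]*` is followed by `*`, which allows zero characters, so the pattern reduces to "contains a `$`" and matches `$1`, `$$`, `$(...)` and arithmetic as well as variables; every privileged script with a dollar sign is reported, which makes the warning uninformative. A pattern that requires a name, e.g. `\$\{?[A-Za-z_][A-Za-z0-9_]*`, limits it to variable references (adjusted to the helper's regex dialect; the commas inside the brackets are literal members, not separators, and can go). Even then the check cannot tell an inherited environment variable from one the script assigns itself, so "uses environment variables" overstates what was found; "references shell variables" would be accurate. As in privileged_arguments, `file_is_textual` is used without `. lib/misc/file` being sourced, unless one of the sourced libraries provides it.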

44
lib/checks/privileged_nx Executable file

@ -0,0 +1,44 @@
#!/bin/sh
# $Revision: 352 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for NX (NoExecute) support
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_nx_init () {
stdio_message_log "privileged_nx" "Starting at: `date`"
}
privileged_nx_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_nx \"$(unknown)\"`" -ne 1 ]
then
stdio_message_warn "privileged_nx" "${filetype} $(unknown) (${usergroupid}) is not compiled with NX (NoExecute)"
fi
done
}
privileged_nx_fini () {
stdio_message_log "privileged_nx" "Ending at: `date`"
}
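Review bot: What `binary_nx` returns for a non-ELF input is not visible here, and privileged_list appears to include scripts (privileged_arguments filters them with `file_is_textual`); if the helper returns 0 for them, every privileged shell script is reported as "not compiled with NX". Either skip textual files before the call, mirroring that check, or document the assumption in the header comment. The message could also be more precise about what is presumably being inspected: an executable-stack marking is a linker output rather than a compile flag, so `... has an executable stack (no NX)` would better tell the reader what to fix.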

45
lib/checks/privileged_path Executable file

@ -0,0 +1,45 @@
#!/bin/sh
# $Revision: 328 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files set PATH variable
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_path_init () {
stdio_message_log "privileged_path" "Starting at: `date`"
}
privileged_path_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_matches_string \"$(unknown)\" \"PATH=\"`" -eq 1 ]
then
stdio_message_warn "privileged_path" "${filetype} $(unknown) (${usergroupid}) sets PATH environment variable, verify that it does not set it unsafely"
fi
done
}
privileged_path_fini () {
stdio_message_log "privileged_path" "Ending at: `date`"
}
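Review bot: Matching the bare string `PATH=` flags `LD_LIBRARY_PATH=`, `MANPATH=`, `CLASSPATH=` and `PYTHONPATH=` along with `PATH=`, and it misses a C program that sets the variable with `setenv("PATH", ...)`, where the `PATH` literal and the value are separate strings; if `binary_matches_string` takes a regex, `(^|[^A-Za-z0-9_])PATH=` removes the false positives and a second pattern for a bare `PATH` string would catch the setenv form. The more important gap is the inverse case: a privileged program that never sets PATH typically inherits the invoker's and resolves any relative `exec*p`/`system()` target through it, yet that file produces no output at all. Consider logging privileged binaries that show no `PATH` string at all, or at least saying in the header comment that this check only reviews explicit assignments.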

45
lib/checks/privileged_pie Executable file

@ -0,0 +1,45 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for PIE (ASLR-compliant executable) support
# Based on ideas found at http://people.redhat.com/sgrubb/security/
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_pie_init () {
stdio_message_log "privileged_pie" "Starting at: `date`"
}
privileged_pie_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_pie "$(unknown)"`" -ne 1 ]
then
stdio_message_warn "privileged_pie" "${filetype} $(unknown) (${usergroupid}) and is not compiled with PIE (Position Independent Executable)"
fi
done
}
privileged_pie_fini () {
stdio_message_log "privileged_pie" "Ending at: `date`"
}
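Review bot: The warning text `... (${usergroupid}) and is not compiled with PIE` carries a dangling `and` that privileged_nx's `... (${usergroupid}) is not compiled with NX` does not; align the two so the output reads the same way, `stdio_message_warn "privileged_pie" "${filetype} ${filename} (${usergroupid}) is not compiled with PIE (Position Independent Executable)"`. A caveat worth a comment above the loop: PIE only yields a randomised text base when the kernel's ASLR is enabled (`kernel.randomize_va_space`), which this check does not consult, so a passing file is necessary rather than sufficient for a randomised layout.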

44
lib/checks/privileged_random Executable file

@ -0,0 +1,44 @@
#!/bin/sh
# $Revision: 262 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check if privileged files call random functions
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_random_init () {
stdio_message_log "privileged_random" "Starting at: `date`"
}
privileged_random_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_matches_function "$(unknown)" "random|srand"`" -eq 1 ]
then
stdio_message_warn "privileged_random" "${filetype} $(unknown) (${usergroupid}) and uses random()/srand()"
fi
done
}
privileged_random_fini () {
stdio_message_log "privileged_random" "Ending at: `date`"
}
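Review bot: The alternation `random|srand` on the `binary_matches_function` line is both too wide and too narrow: `random` also matches `arc4random`, a CSPRNG that should not be flagged, while plain `rand()`, `drand48()` and `lrand48()`, the weakest of the family, are not matched at all, so the message "uses random()/srand()" does not describe what was found. Enumerate the weak generators explicitly and anchor them, e.g. `"(^|[^A-Za-z0-9_])(rand|random|srand|srandom|rand_r|random_r|[dlm]rand48|srand48)($|[^A-Za-z0-9_])"` in whatever dialect the helper takes, and say in the warning what the reviewer should look for: seeding from time or pid, or use of the value for tokens, filenames or keys.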

47
lib/checks/privileged_relro Executable file

@ -0,0 +1,47 @@
#!/bin/sh
# $Revision: 268 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for RELRO support
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_relro_init () {
stdio_message_log "privileged_relro" "Starting at: `date`"
}
privileged_relro_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_relro "$(unknown)"`" -ne 1 ]
then
stdio_message_warn "privileged_relro" "${filetype} $(unknown) (${usergroupid}) and is not compiled with RELRO"
elif [ "`binary_relro_full "$(unknown)"`" -ne 1 ]
then
stdio_message_log "privileged_relro" "${filetype} $(unknown) (${usergroupid}) and is compiled with partial RELRO"
fi
done
}
privileged_relro_fini () {
stdio_message_log "privileged_relro" "Ending at: `date`"
}
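Review bot: Partial RELRO is reported at log level on the `binary_relro_full` branch, but for a privileged binary the GOT left writable by partial RELRO is the usual overwrite target once any memory-corruption primitive exists, so this is arguably a warn-level finding or at least deserves a comment explaining the downgrade. RELRO is a linker setting (`-z relro`, full with `-z now`), so "not compiled with" in both messages is slightly off; `is not linked with RELRO` and `is linked with partial RELRO (GOT remains writable)` tell the reader what the exposure is.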

124
lib/checks/privileged_rpath Executable file

@ -0,0 +1,124 @@
#!/bin/sh
# $Revision: 310 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# List group-writable and world-writable privileged files (their parent
# directories too) and processes that trust other filepaths (with RPATH
# variable)
. lib/misc/binary
. lib/misc/file
. lib/misc/group
. lib/misc/permission
. lib/misc/privileged
. lib/misc/stdio
. lib/misc/user
privileged_rpath_init () {
stdio_message_log "privileged_rpath" "Starting at: `date`"
}
privileged_rpath_permissions () {
filename="${1}"
permissions="${2}"
userid="${3}"
groupid="${4}"
privfilename="${5}"
filetype="${6}"
case "${permissions}" in
????????w?)
if [ "`permission_is_world_writable_sticky_bit \"${permissions}\"`" -eq 1 ]
then
stdio_message_log "privileged_rpath" "${filetype} ${privfilename} trusts $(unknown), this is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
else
stdio_message_warn "privileged_rpath" "${filetype} ${privfilename} trusts $(unknown), this is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
fi
;;
?????w????)
if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
then
stdio_message_warn "privileged_rpath" "${filetype} ${privfilename} trusts $(unknown), this is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
else
stdio_message_log "privileged_rpath" "${filetype} ${privfilename} trusts $(unknown), this is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
fi
;;
??w???????)
if [ "`user_is_user_root \"${userid}\"`" -ne 1 -a "`user_show_user_name`" = "${userid}" ]
then
stdio_message_debug "privileged_rpath" "${filetype} ${privfilename} trusts $(unknown), this is owned by user ${userid} (YOU) (group ${groupid}), non-root user (${permissions})"
elif [ "`user_is_user_root \"${userid}\"`" -ne 1 ]
then
stdio_message_log "privileged_rpath" "${filetype} ${privfilename} trusts $(unknown), this is owned by user ${userid} (group ${groupid}), non-root user (${permissions})"
fi
;;
esac
}
privileged_rpath_wrapper () {
origfilepath="${1}"
privfilename="${2}"
filetype="${3}"
file_parent_traverse "${origfilepath}" | while read filepath
do
file_show_non_symlink_perms " ${filepath}$" | while read filename permissions userid groupid
do
privileged_rpath_permissions "$(unknown)" "${permissions}" "${userid}" "${groupid}" "${privfilename}" "${filetype}"
done
done
}
privileged_rpath_main () {
privileged_list | while read filetype filename usergroupid
do
binary_list_rpath "$(unknown)" | while read filepath
do
if [ -z "${filepath}" ]
then
continue
# relative paths always end up at . with dirname
elif [ "${filepath}" = "." -o "`printf -- \"${filepath}\" | egrep -- \"ORIGIN\"`" ]
then
stdio_message_warn "privileged_rpath" "${filetype} $(unknown) trusts ${filepath} and this is relative"
continue
elif [ ! -e "${filepath}" ]
then
stdio_message_warn "privileged_rpath" "${filetype} $(unknown) trusts ${filepath}, but this does not exist"
continue
fi
if [ -h "${filepath}" ]
then
linkedfilename="`file_show_symlinked_filename "${filepath}"`"
if [ -n "${linkedfilename}" ]
then
#stdio_message_debug "privileged_rpath" "${filetype} $(unknown) trusts ${filepath}, a symlink to ${linkedfilename}"
privileged_rpath_wrapper "${linkedfilename}" "$(unknown)" "${filetype}"
fi
else
privileged_rpath_wrapper "${filepath}" "$(unknown)" "${filetype}"
fi
done
done
}
privileged_rpath_fini () {
stdio_message_log "privileged_rpath" "Ending at: `date`"
}
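Review bot: The relative-path test `[ "${filepath}" = "." -o ... ]` only catches a single-component entry, because (as the comment says) dirname reduces those to `.`; a multi-component relative RPATH such as `../lib` or `lib/foo` comes back as `..` or `lib`, falls through to the `-e` test, is resolved against the auditor's current directory and is then permission-checked as if it were the trusted path. Testing the form of the path with a `case` on a leading `/` covers every relative form. The `$ORIGIN` test also passes the RPATH entry as the printf format string, so an entry containing `%` would be misrendered; folding it into the same `case` with a `*ORIGIN*` pattern removes the printf entirely. Empty entries are skipped silently by the `-z` branch; if `binary_list_rpath` can emit them, an empty RPATH element means the current working directory and deserves the same warning rather than a silent `continue`.
```shell
	binary_list_rpath "${filename}" | while read filepath
	do
		case "${filepath}" in
			"")
				# TODO confirm whether binary_list_rpath can emit empty entries; an empty element means cwd
				continue
				;;
			*ORIGIN*|[!/]*)
				# anything not starting with / (".", "..", "lib", "$ORIGIN/..") is resolved relative to something we do not control
				stdio_message_warn "privileged_rpath" "${filetype} ${filename} trusts ${filepath} and this is relative"
				continue
				;;
		esac
		if [ ! -e "${filepath}" ]
		then
			stdio_message_warn "privileged_rpath" "${filetype} ${filename} trusts ${filepath}, but this does not exist"
			continue
		fi
		# … unchanged: symlink resolution and privileged_rpath_wrapper calls …
```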

44
lib/checks/privileged_ssp Executable file

@ -0,0 +1,44 @@
#!/bin/sh
# $Revision: 261 $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# (c) Tim Brown, 2012
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# Check for stack canary (SSP) support
. lib/misc/stdio
. lib/misc/privileged
. lib/misc/binary
privileged_ssp_init () {
stdio_message_log "privileged_ssp" "Starting at: `date`"
}
privileged_ssp_main () {
privileged_list | while read filetype filename usergroupid
do
if [ "`binary_matches_function "$(unknown)" "__stack_chk_fail"`" -ne 1 ]
then
stdio_message_warn "privileged_ssp" "${filetype} $(unknown) (${usergroupid}) and is not compiled with SSP (Stack Smashing Protector)"
fi
done
}
privileged_ssp_fini () {
stdio_message_log "privileged_ssp" "Ending at: `date`"
}
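Review bot: The `binary_matches_function ... "__stack_chk_fail"` test treats every entry of privileged_list that lacks that symbol as unprotected, which includes scripts and statically linked or canary-free binaries (privileged_tmp guards the same list with `file_is_textual`), so non-ELF entries should be skipped before the lookup, e.g. `if [ "`file_is_textual \"$(unknown)\"`" -eq 1 ]; then continue; fi`. The warning text `(${usergroupid}) and is not compiled with SSP` is a fragment with no leading verb; `(${usergroupid}) is not compiled with SSP (Stack Smashing Protector)` reads correctly. A comment such as `# a binary built with -fstack-protector only references __stack_chk_fail if at least one function received a canary, so a clean result is a hint, not proof` would document the limitation.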

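--- a/lib/checks/privileged_tmp
+++ b/lib/checks/privileged_tmp
@@ -0,0 +1,55 @@
+#!/bin/sh
+# $Revision: 333 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check if privileged files call temporary files handling functions
+# Based on ideas found at http://people.redhat.com/sgrubb/security/
+. lib/misc/stdio
+. lib/misc/privileged
+. lib/misc/binary
+privileged_tmp_init () {
+stdio_message_log "privileged_tmp" "Starting at: `date`"
+}
+privileged_tmp_main () {
+privileged_list | while read filetype filename usergroupid
+do
+if [ "`binary_matches_string \"$(unknown)\" \"/tmp\"`" -eq 1 ]
+then
+if [ "`file_is_textual \"$(unknown)\"`" -eq 1 -a "`binary_matches_string \"$(unknown)\" \">\"`" -eq 1 ]
+then
+stdio_message_warn "privileged_tmp" "${filetype} $(unknown) script (${usergroupid}) may create predictable files in /tmp unsafely"
+elif [ "`binary_matches_function \"$(unknown)\" \"mkstemp|tempnam|tmpfile\"`" -eq 1 ]
+then
+# XXX is part of template filename that is replaced by mkstemp, etc. - without an XXX, we assume the filename is likely to be predictable
+if [ "`binary_matches_string \"$(unknown)\" \"XXX\"`" -ne 1 ]
+then
+stdio_message_warn "privileged_tmp" "${filetype} $(unknown) (${usergroupid}) may create predictable files in /tmp unsafely"
+fi
+fi
+fi
+done
+}
+privileged_tmp_fini () {
+stdio_message_log "privileged_tmp" "Ending at: `date`"
+}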
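Review bot: `tmpfile` in the pattern `"mkstemp|tempnam|tmpfile"` creates an anonymous temporary file with no name template, so a binary that only calls tmpfile() never contains `XXX` and is reported as creating predictable files; dropping tmpfile from the pattern (and adding the template-free unsafe calls, `"mkstemp|mktemp|tmpnam|tempnam"`) makes the XXX test apply only where a template is expected. The opposite gap is that a binary referencing `/tmp` but none of the listed functions falls through silently, although a hard-coded `/tmp/<name>` opened directly is the most predictable case; a `stdio_message_log` in an `else` arm of the `elif` would at least surface it. The comment above the XXX test would be clearer as `# mkstemp-style templates carry XXXXXX; a caller without one is probably passing a fixed name`.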

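--- a/lib/checks/privileged_writable
+++ b/lib/checks/privileged_writable
@@ -0,0 +1,92 @@
+#!/bin/sh
+# $Revision: 326 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List group-writable and world-writable privileged files (their parent
+# directories too) and processes
+. lib/misc/file
+. lib/misc/group
+. lib/misc/permission
+. lib/misc/privileged
+. lib/misc/stdio
+. lib/misc/user
+privileged_writable_init () {
+stdio_message_log "privileged_writable" "Starting: `date`"
+}
+privileged_writable_permissions () {
+filename="${1}"
+permissions="${2}"
+userid="${3}"
+groupid="${4}"
+privfilename="${5}"
+filetype="${6}"
+case "${permissions}" in
+????????w?)
+if [ "`permission_is_world_writable_sticky_bit \"${permissions}\"`" -eq 1 ]
+then
+stdio_message_log "privileged_writable" "(${filetype} ${privfilename}) $(unknown) is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
+else
+stdio_message_warn "privileged_writable" "(${filetype} ${privfilename}) $(unknown) is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
+fi
+;;
+?????w????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "privileged_writable" "(${filetype} ${privfilename}) $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
+else
+stdio_message_log "privileged_writable" "(${filetype} ${privfilename}) $(unknown) is owned by user ${userid} (group ${groupid}) and is group-writable (${permissions})"
+fi
+;;
+??w???????)
+if [ "`user_is_user_root \"${userid}\"`" -ne 1 -a "`user_show_user_name`" = "${userid}" ]
+then
+stdio_message_debug "privileged_writable" "(${filetype} ${privfilename}) $(unknown) is owned by user ${userid} (YOU) (group ${groupid}), non-root user (${permissions})"
+elif [ "`user_is_user_root \"${userid}\"`" -ne 1 ]
+then
+stdio_message_log "privileged_writable" "(${filetype} ${privfilename}) $(unknown) is owned by user ${userid} (group ${groupid}), non-root user (${permissions})"
+fi
+;;
+esac
+}
+privileged_writable_main () {
+privileged_list | while read filetype filename usergroupid
+do
+# the privileged file might not exist for example when inetd calls it, but the executable has been uninstalled/removed (and inetd configuration not aligned)
+if [ ! -e "$(unknown)" ]
+then
+stdio_message_debug "privileged_writable" "${filetype} $(unknown) does not exist"
+fi
+file_parent_traverse "$(unknown)" | while read filepath
+do
+file_show_non_symlink_perms " ${filepath}$" | while read filepath permissions userid groupid
+do
+privileged_writable_permissions "${filepath}" "${permissions}" "${userid}" "${groupid}" "$(unknown)" "${filetype}"
+done
+done
+done
+}
+privileged_writable_fini () {
+stdio_message_log "privileged_writable" "Ending at: `date`"
+}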
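Review bot: The inner `while read filepath permissions userid groupid` in privileged_writable_main reuses `filepath`, the variable the enclosing `file_parent_traverse` loop is iterating, so inside the nested loop the parent path and the listed entry share one name; reading into `filename` as privileged_rpath_wrapper does keeps them distinct and makes the `privileged_writable_permissions "${filename}" ...` call self-explanatory. The non-existent case only emits a debug message and then still traverses the missing path's parents; if that is intended (a writable parent lets a dangling privileged entry be recreated), a comment such as `# keep going: a writable parent directory matters even when the file itself is gone` would stop readers from taking it for a forgotten continue. The `-a` inside the `??w???????` test is the obsolescent form; two `[ ]` tests joined with `&&` are the portable equivalent.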

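--- a/lib/checks/setgid
+++ b/lib/checks/setgid
@@ -0,0 +1,43 @@
+#!/bin/sh
+# $Revision: 232 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List setgid files
+. lib/misc/stdio
+. lib/misc/file
+setgid_init () {
+stdio_message_log "setgid" "Starting: `date`"
+}
+setgid_main () {
+file_list_by_perm "^-.....s... |^-.....S... " | while read filename
+do
+file_show_non_symlink_perms " $(unknown)$" | while read filename permissions userid groupid
+do
+stdio_message_warn "setgid" "$(unknown) is setgid (${userid}, ${groupid}): ${permissions}"
+done
+done
+}
+setgid_fini () {
+stdio_message_log "setgid" "Ending: `date`"
+}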
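Review bot: The filename from the outer loop is spliced unescaped into the pattern handed to `file_show_non_symlink_perms " $(unknown)$"`, so a name containing `.`, `+`, `[` or `*` is interpreted as a regular expression and can match a different entry or none; escaping the metacharacters before building the pattern (or, if the helper supports it, a fixed-string match) keeps the lookup exact. The same construction appears in setuid_main, ssh_key_permissions and the privileged_writable and privileged_rpath traversals in this commit. The inner `read filename permissions userid groupid` also overwrites the outer loop's `filename`, which is harmless inside the pipeline subshell but deserves a comment: `# inner read shadows the outer filename; both name the same file`.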

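--- a/lib/checks/setuid
+++ b/lib/checks/setuid
@@ -0,0 +1,43 @@
+#!/bin/sh
+# $Revision: 232 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List setuid files
+. lib/misc/stdio
+. lib/misc/file
+setuid_init () {
+stdio_message_log "setuid" "Starting at: `date`"
+}
+setuid_main () {
+file_list_by_perm "^-..s...... |^-..S...... " | while read filename
+do
+file_show_non_symlink_perms " $(unknown)$" | while read filename permissions userid groupid
+do
+stdio_message_warn "setuid" "$(unknown) is setuid (${userid}, ${groupid}): ${permissions}"
+done
+done
+}
+setuid_fini () {
+stdio_message_log "setuid" "Ending at: `date`"
+}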
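Review bot: Both `read` loops in setuid_main run without `-r`, so a filename containing a backslash is altered before `file_show_non_symlink_perms` sees it and the lookup quietly misses the file; `while read -r filename` and `while read -r filename permissions userid groupid` are POSIX and cost nothing. The same applies to every other `while read` loop in this commit (setgid, ssh_key, ssh_agent, sudo and the privileged_* checks). The `Starting at:` / `Ending at:` wording here differs from setgid's `Starting:` / `Ending:`; one form across the checks keeps log parsing simple.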

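--- a/lib/checks/shadow_hashes
+++ b/lib/checks/shadow_hashes
@@ -0,0 +1,49 @@
+#!/bin/sh
+# $Revision: 314 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List users with no password set
+. lib/misc/shadow
+. lib/misc/stdio
+shadow_hashes_init () {
+stdio_message_log "shadow_hashes" "Starting at: `date`"
+}
+shadow_hashes_main () {
+if [ "`shadow_file_check`" -eq 1 ]
+then
+stdio_message_warn "shadow_hashes" "password hashes file is readable"
+shadow_list | while read username
+do
+hash="`shadow_show_hash "${username}"`"
+if [ -z "${hash}" ]
+then
+stdio_message_warn "shadow_hashes" "${username} has no password set"
+fi
+# TODO add check for hashing function used (1, 2c, etc.)
+done
+fi
+}
+shadow_hashes_fini () {
+stdio_message_log "shadow_hashes" "Ending at: `date`"
+}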
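Review bot: The `-z "${hash}"` test only catches an empty field, so locked or disabled entries (`!`, `*`, `!!`) are silently treated like accounts with a usable password; a `case "${hash}" in "!"*|"*"*) stdio_message_debug "shadow_hashes" "${username} is locked" ;; esac` after the `if` would separate the two outcomes in the log. The `# TODO add check for hashing function used` line is where a weak-algorithm test belongs: a 13-character DES hash or a `$1$` (MD5-crypt) prefix is a reportable finding in its own right. The output format of `shadow_show_hash` is not visible here, so whether a locked marker can carry trailing characters should be confirmed before the patterns are pinned.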

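--- a/lib/checks/ssh_agent
+++ b/lib/checks/ssh_agent
@@ -0,0 +1,54 @@
+#!/bin/sh
+# $Revision: 228 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check if the ssh-agent is running and list SSH unencrypted keys
+. lib/misc/stdio
+. lib/misc/process
+. lib/misc/ssh_agent
+. lib/misc/file
+. lib/misc/ssh_key
+ssh_agent_init () {
+stdio_message_log "ssh_agent" "Starting at: `date`"
+}
+ssh_agent_main () {
+process_list "ssh-agent" | while read processid
+do
+stdio_message_log "ssh_agent" "ssh-agent is running as `process_show_userid ${processid}` (`process_show_command ${processid}`)"
+ssh_agent_list `process_show_parentid ${processid}` ${processid} | while read filename
+do
+stdio_message_debug "ssh_agent" "ssh-agent uses key from $(unknown)"
+ssh_key_permissions "$(unknown)"
+if [ "`file_matches_string "$(unknown)" "ENCRYPTED"`" -ne 1 ]
+then
+stdio_message_warn "ssh_key" "$(unknown) is unencrypted"
+else
+stdio_message_log "ssh_key" "$(unknown) is encrypted"
+fi
+done
+done
+}
+ssh_agent_fini () {
+stdio_message_log "ssh_agent" "Ending at: `date`"
+}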
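Review bot: The two key-encryption messages inside ssh_agent_main are tagged `"ssh_key"` while every other message in the function is tagged `"ssh_agent"`, so their output is attributed to a different check; tag them `"ssh_agent"`, or, since ssh_key_main carries the identical `file_matches_string ... "ENCRYPTED"` block, consider moving that block into a helper in lib/misc/ssh_key beside ssh_key_permissions and calling it from both places. The ENCRYPTED string test only recognises key files that carry a `Proc-Type: 4,ENCRYPTED` PEM header, so a passphrase-protected key stored in a format without that header would be reported as unencrypted; `# only PEM keys advertise encryption in a header; other formats are reported as unencrypted here` at the test would make that known. `${processid}` is passed unquoted to the process_* helpers; quoting it is consistent with the rest of the file even though a PID cannot contain whitespace.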

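--- a/lib/checks/ssh_key
+++ b/lib/checks/ssh_key
@@ -0,0 +1,76 @@
+#!/bin/sh
+# $Revision: 254 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# List unencrypted SSH client private keys
+. lib/misc/file
+. lib/misc/group
+. lib/misc/stdio
+ssh_key_init () {
+stdio_message_log "ssh_key" "Starting at: `date`"
+}
+ssh_key_permissions () {
+filename="${1}"
+file_show_non_symlink_perms " $(unknown)$" | while read filename permissions userid groupid
+do
+case "${permissions}" in
+???????r??)
+stdio_message_warn "ssh_key" "key $(unknown) is owned by user ${userid} (group ${groupid}) and is world-readable (${permissions})"
+;;
+????r?????)
+if [ "`group_is_in_group_name \"${groupid}\"`" -eq 1 ]
+then
+stdio_message_warn "ssh_key" "key $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-readable (${permissions})"
+else
+stdio_message_log "ssh_key" "key $(unknown) is owned by user ${userid} (group ${groupid}) and is group-readable (${permissions})"
+fi
+;;
+esac
+done
+}
+ssh_key_main () {
+# TODO we should expand this list
+# * parse the local SSH server configuration file /etc/ssh/ssh_config
+# and add to the pattern the value of IdentityFile option
+# * list files in home directories' .ssh/ and add to pattern list the
+# ones with and without .pub extension
+for pattern in "*id_dsa*" "*id_rsa*"
+do
+file_list_by_filename "${pattern}" | while read filename
+do
+ssh_key_permissions "$(unknown)"
+if [ "`file_matches_string "$(unknown)" "ENCRYPTED"`" -ne 1 ]
+then
+stdio_message_warn "ssh_key" "$(unknown) is unencrypted"
+else
+stdio_message_log "ssh_key" "$(unknown) is encrypted"
+fi
+done
+done
+}
+ssh_key_fini () {
+stdio_message_log "ssh_key" "Ending at: `date`"
+}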
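Review bot: The globs `*id_dsa*` and `*id_rsa*` handed to `file_list_by_filename` also match the public halves (`id_rsa.pub`, `id_dsa.pub`), and since a public key never contains `ENCRYPTED` each one is then warned about as an unencrypted key; a `case "${filename}" in *.pub) continue ;; esac` at the top of the inner loop, or testing for the `-----BEGIN` private-key marker before the ENCRYPTED test, removes those false findings. The TODO above the loop already mentions the `.pub` distinction, and `*id_ecdsa*` is absent from the pattern list, so both belong in that TODO. In ssh_key_permissions the parameter `filename="${1}"` is immediately overwritten by the inner `read filename ...`, which works only because the pipeline runs in a subshell and deserves a comment saying so. The comment `parse the local SSH server configuration file /etc/ssh/ssh_config` describes the client configuration file (the server's is sshd_config); `client` is the word intended.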

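--- a/lib/checks/sudo
+++ b/lib/checks/sudo
@@ -0,0 +1,71 @@
+#!/bin/sh
+# $Revision: 307 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+#
+. lib/misc/stdio
+. lib/misc/sudo
+sudo_init () {
+stdio_message_log "sudo" "Starting at: `date`"
+}
+sudo_main () {
+if [ "`sudo_sudoers_check`" -eq 1 ]
+then
+if [ -n "`sudo_sudoers_list`" ]
+then
+stdio_message_warn "sudo" "/etc/sudoers is readable and configured"
+# TODO: if privilegeduser is a group (e.g. %admin), notify the user accordingly
+sudo_sudoers_list | while read privilegeduser passwd filepath
+do
+asuser="`printf -- \"${passwd}\" | cut -f2 -d\"=\" | tr -d \"(\" | tr -d \")\"`"
+# for cases where the asuser is ALL:ALL (e.g. in Ubuntu there is always the following sudoers entry):
+# root ALL=(ALL:ALL) ALL
+if [ "${asuser}" = "ALL:ALL" ]
+then
+asuser="any user"
+else
+asuser="user ${asuser}"
+fi
+# for cases where the user can run any command. For example:
+# foobar ALL=NOPASSWD: ALL
+if [ "${filepath}" = "ALL" ]
+then
+filepath="any command"
+fi
+if [ -n "`printf -- \"${passwd}\" | egrep -- \"NOPASSWD\"`" ]
+then
+stdio_message_warn "sudo" "${privilegeduser} can run ${filepath} without providing a password"
+else
+stdio_message_log "sudo" "${privilegeduser} can run ${filepath} as ${asuser}"
+fi
+done
+else
+stdio_message_log "sudo" "/etc/sudoers is readable, but not configured"
+fi
+fi
+}
+sudo_fini () {
+stdio_message_log "sudo" "Ending at: `date`"
+}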
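Review bot: `${passwd}` is used as the printf format string in both `printf -- "${passwd}" | cut ...` and `printf -- "${passwd}" | egrep -- "NOPASSWD"`, so a `%` or backslash sequence in a sudoers entry is interpreted rather than printed; `printf '%s' "${passwd}"` (or `case "${passwd}" in *NOPASSWD*)` for the second test) keeps the data out of the format. If `sudo_sudoers_list` passes the sudoers fields through as written, the tag in the common form `user ALL=(root) NOPASSWD: ALL` is split into `filepath` rather than `passwd`, so the NOPASSWD test sees nothing and the `"${filepath}" = "ALL"` comparison fails too; testing the whole entry, or the helper's output format, should be checked. The description line of the header comment is an empty `#` where the other checks state their purpose; `# List sudoers entries readable by the current user and the commands they grant` would fill it.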

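--- a/lib/checks/system_aslr
+++ b/lib/checks/system_aslr
@@ -0,0 +1,50 @@
+#!/bin/sh
+# $Revision: 270 $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# (c) Tim Brown, 2012
+# <mailto:timb@nth-dimension.org.uk>
+# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
+#
+# Check if the system supports ASLR (Address Space Layout Randomization)
+. lib/misc/kernel
+. lib/misc/stdio
+system_aslr_init () {
+stdio_message_log "system_aslr" "Starting at: `date`"
+}
+system_aslr_main () {
+if [ "`kernel_aslr`" -eq 0 ]
+then
+if [ "`kernel_aslr_pax`" -eq 0 ]
+then
+stdio_message_warn "system_aslr" "ASLR is not supported system-wide"
+else
+stdio_message_debug "system_aslr" "PAX ASLR is supported system-wide"
+fi
+elif [ "`kernel_aslr`" -eq 1 ]
+then
+stdio_message_log "system_aslr" "Conservative ASLR is supported system-wide (heap addresses are not randomized)"
+else
+stdio_message_debug "system_aslr" "ASLR is supported system-wide"
+fi
+}
+system_aslr_fini () {
+stdio_message_log "system_aslr" "Ending at: `date`"
+}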
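Review bot: `kernel_aslr` is invoked twice in the `if`/`elif` chain, and if it prints nothing (no sysctl value available) both `-eq` tests raise a shell error and the function falls into the final `else`, reporting ASLR as supported; capture it once and give the empty case a defined value, `aslr="`kernel_aslr`"`, `aslr="${aslr:--1}"`, then compare `"${aslr}"` in both tests. That also makes the unknown case reportable instead of silently passing. The meaning of the 0/1/other values comes from the kernel helper, so a one-line comment at the top of the function stating what kernel_aslr prints would help readers unfamiliar with the sysctl.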
