File: binaries.test

#!/bin/sh
################################################################################
#                                                                              #
#   Copyright (C) 2008-2012 LABBE Corentin <corentin.labbe@geomatys.fr>
#
#    YASAT is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    YASAT is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with YASAT.  If not, see <http://www.gnu.org/licenses/>.
#                                                                              #
################################################################################

#    * The setuid bit adds 4 to the leading octal digit of the mode (e.g. 4755),
#    * The setgid bit adds 2 to that digit (e.g. 2755),
#    * The sticky bit adds 1 to that digit (e.g. 1777).


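Title "Check system binaries and integrity tools"

# Presence checks for host-based integrity / rootkit tools.  Only presence
# is tested: an installed AIDE or Tripwire whose database was never
# initialised protects nothing, so FOUND here is not proof of coverage
# (see the TODOs).
#
# `command -v` (POSIX) replaces `which`.  The original tested only for exit
# status 1, so a `which` that was itself missing (127) or failed for any
# other reason was reported as the tool being FOUND.  Stderr is still
# appended to $ERROR_OUTPUT_FILE as elsewhere in this plugin.
#TODO check for AIDE and tripwire they better do this job than me
#TODO check for rkhunter
if command -v aide >/dev/null 2>>"$ERROR_OUTPUT_FILE" ; then
	Display --indent 2 --text "AIDE file integrity tester" --result FOUND --color GREEN
	#TODO check good usage of AIDE like if aideinit was used or not
	#AIDE installed is not sufficient
else
	Display --indent 2 --text "AIDE file integrity tester" --result NOTFOUND --color ORANGE --advice BINARIES_NO_AIDE
fi

if command -v tripwire >/dev/null 2>>"$ERROR_OUTPUT_FILE" ; then
	Display --indent 2 --text "TRIPWIRE file integrity tester" --result FOUND --color GREEN
	#TODO check good usage of TRIPWIRE
	#TRIPWIRE installed is not sufficient
else
	Display --indent 2 --text "TRIPWIRE file integrity tester" --result NOTFOUND --color ORANGE --advice BINARIES_NO_TRIPWIRE
fi

if command -v chkrootkit >/dev/null 2>>"$ERROR_OUTPUT_FILE" ; then
	Display --indent 2 --text "chkrootkit" --result FOUND --color GREEN
else
	Display --indent 2 --text "chkrootkit" --result NOTFOUND --color ORANGE --advice BINARIES_NO_CHKROOTKIT
fi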

# Directories searched for set-UID files in the default (non-FULL) scan.
# The list is one space-separated string because the scan loop below
# word-splits it with an unquoted "for ... in".
BINARY_POSSIBLE_PATH='/sbin /bin /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/local/usr/bin /usr/local/usr/sbin /lib /usr/lib /usr/libexec /usr/local/lib /lib64 /lib32 /usr/lib64'

echo "DEBUG This check is in development"

# A FULL scan replaces the list with the whole filesystem tree.
case "$SCANTYPE" in
	FULL)
		Display --indent 2 --text "Full setuid-scan of filesystem" --result INFO --color BLUE
		BINARY_POSSIBLE_PATH='/'
		;;
esac

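HAVE_POSIX_CAPS_TOOLS=0
# File capabilities (POSIX caps) exist only on Linux.  Record which tool
# can read them so the scan loop below knows how to query a file:
#   0 = none, 1 = getcap (libcap), 2 = filecap (libcap-ng).
# getcap is preferred; filecap is only probed when getcap is absent.
# `command -v` replaces `which` and $ERROR_OUTPUT_FILE is quoted, matching
# the tool checks above.
if [ "$OS_TYPE" = 'Linux' ] ;then
	if command -v getcap >/dev/null 2>>"$ERROR_OUTPUT_FILE" ; then
		Display --indent 2 --text "POSIX CAPS tools" --result FOUND --color GREEN
		HAVE_POSIX_CAPS_TOOLS=1
	elif command -v filecap >/dev/null 2>>"$ERROR_OUTPUT_FILE" ; then
		Display --indent 2 --text "libcap-ng tools" --result FOUND --color GREEN
		HAVE_POSIX_CAPS_TOOLS=2
	else
		Display --indent 2 --text "POSIX CAPS tools" --result NOTFOUND --color ORANGE --advice BINARIES_NO_POSIXCAPSTOOLS
	fi
fi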

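#TODO check whole filesystem for setuid ?
#TODO propose better rights
# Scan every candidate directory for set-UID regular files and compare each
# hit against the plugin's reference data:
#   - binaries.data  expected mode per OS, "|"-delimited records (the path
#                    is followed by "|", mode is field 2, MD5 field 4)
#   - binaries.suid  binaries whose set-UID bit can perhaps be dropped
#   - binaries.caps  "<name>=<caps>" file capabilities that could replace it
# Framework globals read here: FIND_SETUID, STAT_FULL_RIGHT, STAT_USER, OS,
# LINUX_VERSION, OS_NICKNAME, PLUGINS_REP and HAVE_POSIX_CAPS_TOOLS.
#
# OS label used to select binaries.data records: the Debian codename on
# Debian, else the distribution name, else the bare OS.  It does not depend
# on the file under test, so it is computed once rather than per file.
OSTOTEST="${OS}"
if [ -n "$LINUX_VERSION" ] ;then
	OSTOTEST="$LINUX_VERSION"
fi
if [ "$LINUX_VERSION" = 'Debian' ] ;then
	OSTOTEST="$OS_NICKNAME"
fi

for BIN_PATH in $BINARY_POSSIBLE_PATH
do
	if [ -e "$BIN_PATH" ] ;then
		echo "Checking file with set UID in $BIN_PATH"
		# No -xdev: a FULL scan from / also descends into pseudo and remote
		# filesystems.  The loop body runs in the pipeline's subshell, so
		# nothing set inside it survives past "done"; if add_correction
		# accumulates in a shell variable rather than a file, its output from
		# here would be lost -- TODO confirm how add_correction records.
		# IFS= / -r keep paths with leading blanks or backslashes intact.
		find "$BIN_PATH" -perm "$FIND_SETUID" -type f |
		while IFS= read -r BIN_TO_TEST
		do
			# $STAT_FULL_RIGHT and $STAT_USER hold stat option words (possibly
			# several), so they stay unquoted; the path itself is quoted.
			RIGHT_ACTUAL="$(stat $STAT_FULL_RIGHT "$BIN_TO_TEST")"
			# Reference records use the lib path, never the lib64 one.
			BIN_TO_TEST2="$(printf '%s\n' "$BIN_TO_TEST" | sed 's/lib64\//lib\//')"
			# Match the path literally (ERE metacharacters escaped) and as a
			# whole "|"-delimited field: the old unanchored "path|" substring
			# search let "/bin/ping|" also select the "/usr/bin/ping|" record.
			# Assumes the path occupies a whole field, as the cut -d'|' below
			# implies -- confirm against binaries.data.  Only the first matching
			# record is used (the old echo/cut effectively did the same).
			BIN_TO_TEST2_RE="$(printf '%s\n' "$BIN_TO_TEST2" | sed 's,[][\\.*^$+?(){}|],\\&,g')"
			RESULTAT="$(grep -v '^#' "$PLUGINS_REP/binaries.data" | grep -F -- "$OSTOTEST" | grep -E -- "(^|[|])${BIN_TO_TEST2_RE}[|]" | head -n 1)"
			if [ -z "$RESULTAT" ] ;then
				Display --indent 2 --text "$BIN_TO_TEST with $RIGHT_ACTUAL" --result UNKNOWN --color RED --advice BINARIES_UNKNOWN
			else
				GOOD_RIGHT="$(printf '%s\n' "$RESULTAT" | cut -d'|' -f2)"
				if [ "$RIGHT_ACTUAL" = "$GOOD_RIGHT" ] ;then
					Display --indent 2 --text "$BIN_TO_TEST with right=$RIGHT_ACTUAL" --result FOUND --color GREEN
				else
					Display --indent 2 --text "$BIN_TO_TEST with bad rights $RIGHT_ACTUAL != $GOOD_RIGHT" --result FOUND --color RED --advice BINARIES_BAD_RIGHT
				fi
#MD5 for common archs (obsolete, aide/tripwire do that better than me)
#				GOOD_MD5=`echo $RESULTAT | cut -d\| -f4`
#				if [ ! -z "$GOOD_MD5" ]
#				then
#					MD5_ACTUAL="`md5sum $BIN_TO_TEST | cut -d\  -f1`"
#					if [ "$MD5_ACTUAL" !=  "$GOOD_MD5" ]
#					then
#						echo $MD5_ACTUAL $GOOD_MD5
#						Display --indent 2 --text "$BIN_TO_TEST has incorrect MD5" --result WARNING --color RED
#					fi
#				fi
			fi
			#a Set-UID binary must be owned by root
			#TODO On Debian Lenny at is daemon:daemon
			# Checked for every set-UID file, known or not: previously only
			# files with a binaries.data record were checked, so an unknown
			# set-UID file owned by an ordinary user never got this warning.
			BINARY_FS_OWNER="$(stat $STAT_USER "$BIN_TO_TEST")"
			if [ "$BINARY_FS_OWNER" != "root" ] ;then
				Display --indent 2 --text "$BIN_TO_TEST is not owned by root on the FS" --result WARNING --color RED
			fi
			#TODO some set-uid are not necessary like mount, netstat, ifconfig, traceroute, route and ping (and equivalent for ipv6 ping6 etc..)
			# Fixed-string but still a substring match, as before (a
			# "/bin/ping" entry also covers "/usr/bin/ping").
			if grep -q -F -- "$BIN_TO_TEST" "${PLUGINS_REP}/binaries.suid" ; then
				Display --indent 4 --text "You can remove PERHAPS setuid from $BIN_TO_TEST" --result WARNING --color BLUE --advice BINARIES_REMOVE_SETUID
			fi
			#TODO POSIX CAPS (check for XATTR)
			#getcap /bin/ping6
			#/bin/ping6 = cap_net_raw+ep
			#filecap /bin/ping6
			#file                 capabilities
			#/bin/ping6     net_raw
			if [ "$HAVE_POSIX_CAPS_TOOLS" -ge 1 ] ;then
				BIN_TO_TEST_NAME="${BIN_TO_TEST##*/}"
				# binaries.caps records are "<name>=<caps>" (the old grep keyed
				# on "^<name>=").  Exact match on the name, and keep only the
				# caps part: the old code passed the whole "<name>=<caps>" line
				# to setcap, which is not a valid setcap argument.
				POSIX_CAPS="$(awk -F= -v name="$BIN_TO_TEST_NAME" '$1 == name { sub(/^[^=]*=/, ""); print; exit }' "${PLUGINS_REP}/binaries.caps")"
				if [ "$HAVE_POSIX_CAPS_TOOLS" -eq 1 ] ;then
					# getcap prints "<file> = <caps>" (older libcap) or
					# "<file> <caps>" (newer libcap); strip either prefix.
					ACTUAL_CAPS="$(getcap "$BIN_TO_TEST" | sed -e 's/.*= //' -e 's/^[^ ]* //')"
				else
					ACTUAL_CAPS="$(filecap "$BIN_TO_TEST" | grep -- "^${BIN_TO_TEST}" | sed 's/.*[[:space:]]//g')"
				fi
				if [ -n "$POSIX_CAPS" ] ; then
					if [ -z "$ACTUAL_CAPS" ] ; then
						ACTUAL_CAPS="no POSIX CAPS"
					fi
					Display --indent 4 --text "${BIN_TO_TEST_NAME} can use POSIX CAPS" --result INFO --color BLUE --advice BINARIES_CAN_HAVE_POSIX_CAPS
					Display --indent 4 --text "${BIN_TO_TEST_NAME} actual POSIX CAPS" --result "$ACTUAL_CAPS" --color BLUE
					Display --indent 4 --text "${BIN_TO_TEST_NAME} need POSIX CAPS $POSIX_CAPS" --result INFO --color BLUE
					# Dropping set-UID for a capability is only a gain when the
					# binary is then also stripped of the set-UID bit.
					add_correction "#setcap ${POSIX_CAPS}+ep $BIN_TO_TEST"
				fi
			fi

		done
#	else
#		echo "DEBUG $BIN_PATH dont exists"
	fi
done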

#TODO store scan result for comparing later results