|
|
@@ -230,20 +230,17 @@ def isWorldWritable(path):
|
|
|
|
|
|
exceptions = ''
|
|
|
|
|
|
-def logExceptions(message, pathList):
|
|
|
- global exceptions
|
|
|
- if len(pathList) > 0:
|
|
|
- exceptions += "%s: \n" % message
|
|
|
- for path in (pathList):
|
|
|
- exceptions += " * %s\n" % path.as_posix()
|
|
|
- exceptions += "\n"
|
|
|
-
|
|
|
-def logException(description, path, context = None):
|
|
|
+def logExceptions(description, paths = [], context = None):
|
|
|
global exceptions
|
|
|
exceptions += "%s\n" % description
|
|
|
- exceptions += " Path: %s\n" % path.as_posix()
|
|
|
if context != None:
|
|
|
exceptions += " Context: %s\n" % context
|
|
|
+ if len(paths) == 1:
|
|
|
+ exceptions += " Path: %s\n" % paths[0].as_posix()
|
|
|
+ elif len(paths) > 1:
|
|
|
+ exceptions += " Paths: \n"
|
|
|
+ for path in paths:
|
|
|
+ exceptions += " * %s\n" % path.as_posix()
|
|
|
exceptions += "\n"
|
|
|
|
|
|
def printExceptions():
|
|
|
@@ -259,11 +256,11 @@ def auditProcess(proc):
|
|
|
try:
|
|
|
if (exePath.stat().st_uid != rootPwe.pw_uid and
|
|
|
exePath.stat().st_uid != ruid):
|
|
|
- logException('Executable is owned by another, non-root user', exePath.resolve(), 'Process %d' % proc.pid)
|
|
|
+ logExceptions('Executable is owned by another, non-root user', [exePath.resolve()], 'Process %d' % proc.pid)
|
|
|
except:
|
|
|
pass
|
|
|
if isWorldWritable(exePath):
|
|
|
- logException('Executable is world-writable', exePath.resolve(), 'Process %d' % proc.pid)
|
|
|
+ logExceptions('Executable is world-writable', [exePath.resolve()], 'Process %d' % proc.pid)
|
|
|
|
|
|
def auditCommand(ruid, argList, cwd, env = {}, context = None):
|
|
|
if 'PATH' in env:
|
|
|
@@ -280,11 +277,11 @@ def auditCommand(ruid, argList, cwd, env = {}, context = None):
|
|
|
scriptPath = scriptPath.resolve()
|
|
|
if (scriptPath.stat().st_uid != rootPwe.pw_uid and
|
|
|
scriptPath.stat().st_uid != ruid):
|
|
|
- logException('Script is owned by another, non-root user', scriptPath.resolve(), context)
|
|
|
+ logExceptions('Script is owned by another, non-root user', [scriptPath.resolve()], context)
|
|
|
except FileNotFoundError:
|
|
|
pass # warning('File not found')
|
|
|
if isWorldWritable(scriptPath):
|
|
|
- logException('Script is world-writable', scriptPath.resolve(), context)
|
|
|
+ logExceptions('Script is world-writable', [scriptPath.resolve()], context)
|
|
|
|
|
|
readExceptions = []
|
|
|
for pattern in readPatterns:
|
|
|
@@ -293,7 +290,8 @@ for pattern in readPatterns:
|
|
|
if isWorldReadable(path):
|
|
|
readExceptions.append(path)
|
|
|
|
|
|
-logExceptions('These paths are world readable', readExceptions)
|
|
|
+if len(readExceptions) > 0:
|
|
|
+ logExceptions('These paths are world readable', readExceptions)
|
|
|
|
|
|
writeExceptions = []
|
|
|
for pattern in writePatterns:
|
|
|
@@ -302,7 +300,8 @@ for pattern in writePatterns:
|
|
|
if isWorldWritable(path):
|
|
|
writeExceptions.append(path)
|
|
|
|
|
|
-logExceptions('These paths are world-writable', writeExceptions)
|
|
|
+if len(writeExceptions):
|
|
|
+ logExceptions('These paths are world-writable', writeExceptions)
|
|
|
|
|
|
parentWriteExceptions = []
|
|
|
for pattern in writePatternsParents:
|
|
|
@@ -311,7 +310,8 @@ for pattern in writePatternsParents:
|
|
|
if isWorldWritable(path):
|
|
|
parentWriteExceptions.append(path)
|
|
|
|
|
|
-logExceptions('These paths are world-writable', parentWriteExceptions)
|
|
|
+if len(parentWriteExceptions) > 0:
|
|
|
+ logExceptions('These paths are world-writable', parentWriteExceptions)
|
|
|
|
|
|
execpathWriteExceptions = []
|
|
|
for strPath in os.get_exec_path():
|
|
|
@@ -319,7 +319,8 @@ for strPath in os.get_exec_path():
|
|
|
if isWorldWritable(path):
|
|
|
execpathWriteExceptions.append(path)
|
|
|
|
|
|
-logExceptions('These executable search paths are world-writable', execpathWriteExceptions)
|
|
|
+if len(execpathWriteExceptions) > 0:
|
|
|
+ logExceptions('These executable search paths are world-writable', execpathWriteExceptions)
|
|
|
|
|
|
pythonpathWriteExceptions = []
|
|
|
for strPath in sys.path:
|
|
|
@@ -327,7 +328,8 @@ for strPath in sys.path:
|
|
|
if isWorldWritable(path):
|
|
|
pythonpathWriteExceptions.append(path)
|
|
|
|
|
|
-logExceptions('These python search paths are world-writable', pythonpathWriteExceptions)
|
|
|
+if len(pythonpathWriteExceptions) > 0:
|
|
|
+ logExceptions('These python search paths are world-writable', pythonpathWriteExceptions)
|
|
|
|
|
|
perlpathWriteExceptions = []
|
|
|
for strPath in get_perl_searchpath():
|
|
|
@@ -335,7 +337,8 @@ for strPath in get_perl_searchpath():
|
|
|
if isWorldWritable(path):
|
|
|
perlpathWriteExceptions.append(path)
|
|
|
|
|
|
-logExceptions('These perl search paths are world-writable', perlpathWriteExceptions)
|
|
|
+if len(perlpathWriteExceptions) > 0:
|
|
|
+ logExceptions('These perl search paths are world-writable', perlpathWriteExceptions)
|
|
|
|
|
|
rubypathWriteExceptions = []
|
|
|
for strPath in get_ruby_searchpath():
|
|
|
@@ -343,7 +346,8 @@ for strPath in get_ruby_searchpath():
|
|
|
if isWorldWritable(path):
|
|
|
rubypathWriteExceptions.append(path)
|
|
|
|
|
|
-logExceptions('These ruby search paths are world-writable', rubypathWriteExceptions)
|
|
|
+if len(rubypathWriteExceptions) > 0:
|
|
|
+ logExceptions('These ruby search paths are world-writable', rubypathWriteExceptions)
|
|
|
|
|
|
for proc in psutil.process_iter():
|
|
|
pid = proc.pid
|
|
|
@@ -361,6 +365,7 @@ for pw in pwd.getpwall():
|
|
|
if len(pw.pw_passwd) > 0 and pw.pw_passwd != 'x' and pw.pw_passwd != '*' and pw.pw_passwd != '!':
|
|
|
contentExceptions.append(Path('/etc/passwd'))
|
|
|
|
|
|
-logExceptions('These files contains sensible information', contentExceptions)
|
|
|
+if len(contentExceptions) > 0:
|
|
|
+ logExceptions('These files contains sensible information', contentExceptions)
|
|
|
|
|
|
printExceptions()
|
root