Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-20 20:42:04 -05:00
Code Issues Packages Projects Releases Wiki Activity

Log output with defined levels

Browse Source
This commit is contained in:
Ben Grande 2024-07-23 18:46:47 +02:00
parent 06fbcdac1d
commit aa99de68d3
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
1 changed files with 79 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
usr/bin/permission-hardener
View File

@ -13,25 +13,33 @@ store_dir="/var/lib/permission-hardener"
dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode"
dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
log_level=info
# shellcheck disable=SC1091
source /usr/libexec/helper-scripts/log_run_die.sh
echo_wrapper_ignore() {
if test "${1}" = "verbose"; then
echo "INFO: run: $*"
shift
log info "Run: $*"
else
shift
fi
shift
"$@" 2>/dev/null || true
}
echo_wrapper_audit() {
if test "${1}" = "verbose"; then
echo "INFO: run: $*"
shift
log info "Run: $*"
else
shift
fi
shift
return_code=0
"$@" ||
{
return_code="$?"
exit_code=203
echo "ERROR: command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2
log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2
}
}
@ -55,14 +63,13 @@ add_nosuid_statoverride_entry() {
counter_actual=0
local dummy_line
while IFS="" read -r -d "" dummy_line; do
true "DEBUG: test would parse line:" "${dummy_line}"
while IFS="" read -r dummy_line; do
log info "Test would parse line: ${dummy_line}"
should_be_counter=$((should_be_counter + 1))
done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})
local line
while IFS="" read -r -d "" line; do
true "DEBUG: line: ${line}"
while IFS="" read -r line; do
counter_actual="$((counter_actual + 1))"
local arr file_name existing_mode existing_owner existing_group
@ -73,23 +80,23 @@ add_nosuid_statoverride_entry() {
existing_group="${arr[3]}"
if test "${#arr[@]}" = 0; then
echo "ERROR: line is empty: '${line}'" >&2
log error "Line is empty: '${line}'" >&2
continue
fi
if test -z "${file_name}"; then
echo "ERROR: file name is empty. line: '${line}'" >&2
log error "File name is empty. line: '${line}'" >&2
continue
fi
if test -z "${existing_mode}"; then
echo "ERROR: existing mode is empty. line: '${line}'" >&2
log error "Existing mode is empty. line: '${line}'" >&2
continue
fi
if test -z "${existing_owner}"; then
echo "ERROR: existing owner is empty. line: '${line}'" >&2
log error "Existing owner is empty. line: '${line}'" >&2
continue
fi
if test -z "${existing_group}"; then
echo "ERROR: existing group is empty. line: '${line}'" >&2
log error "Existing group is empty. line: '${line}'" >&2
continue
fi
@ -99,12 +106,12 @@ add_nosuid_statoverride_entry() {
if test -h "${file_name}"; then
## https://forums.whonix.org/t/disable-suid-binaries/7706/14
true "DEBUG: skip symlink: ${file_name}"
log info "Skip symlink: ${file_name}"
continue
fi
if test -d "${file_name}"; then
true "DEBUG: skip directory: ${file_name}"
log info "Skip directory: ${file_name}"
continue
fi
@ -144,6 +151,9 @@ add_nosuid_statoverride_entry() {
local is_exact_whitelisted
is_exact_whitelisted=""
for white_list_entry in "${exact_white_list[@]:-}"; do
if test -z "${white_list_entry}"; then
continue
fi
if test "${file_name}" = "${white_list_entry}"; then
is_exact_whitelisted="true"
## Stop looping through the whitelist.
@ -154,6 +164,9 @@ add_nosuid_statoverride_entry() {
local is_match_whitelisted
is_match_whitelisted=""
for matchwhite_list_entry in "${match_white_list[@]:-}"; do
if test -z "${matchwhite_list_entry}"; then
continue
fi
if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then
is_match_whitelisted="true"
## Stop looping through the match_white_list.
@ -164,6 +177,9 @@ add_nosuid_statoverride_entry() {
local is_disable_whitelisted
is_disable_whitelisted=""
for disablematch_list_entry in "${disable_white_list[@]:-}"; do
if test -z "${disablematch_list_entry}"; then
continue
fi
if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then
is_disable_whitelisted="true"
## Stop looping through the disablewhitelist.
@ -171,27 +187,26 @@ add_nosuid_statoverride_entry() {
fi
done
clean_output_prefix="Managing (S|G)UID of line:"
clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'"
if test "${whitelists_disable_all:-}" = "true"; then
echo "INFO: whitelists_disable_all=true ${clean_output}"
log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}"
elif test "${is_disable_whitelisted}" = "true"; then
true "INFO: white list disabled ${clean_output}"
log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}"
else
if test "${is_exact_whitelisted}" = "true"; then
true "INFO: is_exact_whitelisted=true ${clean_output}"
log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}"
continue
fi
if test "${is_match_whitelisted}" = "true"; then
true "INFO: is_match_whitelisted=true ${clean_output} matchwhite_list_entry: '${matchwhite_list_entry}'"
log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry=${matchwhite_list_entry} ${clean_output}"
continue
fi
fi
echo "INFO: ${clean_output}"
# shellcheck disable=SC2086
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then
true "INFO: Existing mode already saved previously. Not saving again."
log info "Existing mode already saved previously. Not saving again."
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
@ -225,14 +240,14 @@ add_nosuid_statoverride_entry() {
## Sanity test.
if test ! "${should_be_counter}" = "${counter_actual}"; then
echo "INFO: file (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})"
echo "ERROR: expected number of files to be parsed was not met." >&2
log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})"
log error "Expected number of files to be parsed was not met." >&2
exit_code=202
fi
}
set_file_perms() {
true "INFO: START parsing config file: '${config_file}'"
log info "START parsing config file: ${config_file}"
local line
while read -r line || test -n "${line}"; do
if test -z "${line}"; then
@ -243,11 +258,9 @@ set_file_perms() {
continue
fi
if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then
true "INFO: line contains only white listed characters."
else
if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then
exit_code=200
echo "ERROR: cannot parse line with invalid character in line: '${line}'" >&2
log error "Line contains invalid characters: ${line}" >&2
## Safer to exit with error in this case.
## https://forums.whonix.org/t/disable-suid-binaries/7706/59
exit "${exit_code}"
@ -255,7 +268,7 @@ set_file_perms() {
if test "${line}" = 'whitelists_disable_all=true'; then
whitelists_disable_all=true
echo "INFO: whitelists_disable_all=true"
log info "whitelists_disable_all=true"
continue
fi
@ -263,7 +276,7 @@ set_file_perms() {
local mode_from_config owner_from_config group_from_config capability_from_config
if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then
exit_code=201
echo "ERROR: cannot parse line: '${line}'" >&2
log error "Cannot parse line: '${line}'" >&2
## Debugging.
du -hs /tmp || true
echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true
@ -272,6 +285,8 @@ set_file_perms() {
exit "${exit_code}"
fi
log info "Parsing line: fso=${fso} mode_from_config=${mode_from_config} owner_from_config=${owner_from_config} group_from_config=${group_from_config} capability_from_config=${capability_from_config}"
## Debugging.
#echo "line: '${line}'"
#echo "fso: '${fso}'"
@ -282,6 +297,7 @@ set_file_perms() {
fso_without_trailing_slash="${fso%/}"
## TODO: test/add white spaces inside file name support
declare -g disable_white_list exact_white_list match_white_list
case "${mode_from_config}" in
disablewhitelist)
disable_white_list+=("${fso}")
@ -298,7 +314,7 @@ set_file_perms() {
esac
if test ! -e "${fso}"; then
true "INFO: file does not exist: '${fso}'"
log warn "File does not exist: '${fso}'"
continue
fi
@ -312,21 +328,21 @@ set_file_perms() {
local string_length_of_mode_from_config
string_length_of_mode_from_config="${#mode_from_config}"
if test "${string_length_of_mode_from_config}" -gt "4"; then
echo "ERROR: Invalid mode: '${mode_from_config}'" >&2
log error "Invalid mode: '${mode_from_config}'" >&2
continue
fi
if test "${string_length_of_mode_from_config}" -lt "3"; then
echo "ERROR: Invalid mode: '${mode_from_config}'" >&2
log error "Invalid mode: '${mode_from_config}'" >&2
continue
fi
if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then
echo "ERROR: owner from config does not exist: '${owner_from_config}'" >&2
log error "Owner from config does not exist: '${owner_from_config}'" >&2
continue
fi
if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then
echo "ERROR: group from config does not exist: '${group_from_config}'" >&2
log error "Group from config does not exist: '${group_from_config}'" >&2
continue
fi
@ -341,7 +357,7 @@ set_file_perms() {
local stat_output
stat_output=""
if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then
echo "ERROR: failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2
log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2
continue
fi
@ -353,23 +369,23 @@ set_file_perms() {
existing_group="${arr[3]}"
if test "${#arr[@]}" = 0; then
echo "ERROR: line is empty. Stat output: '${stat_output}', line: '${line}'" >&2
log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2
continue
fi
if test -z "${file_name}"; then
echo "ERROR: file name is empty. Stat output: '${stat_output}', line: '${line}'" >&2
log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2
continue
fi
if test -z "${existing_mode}"; then
echo "ERROR: existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2
log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2
continue
fi
if test -z "${existing_owner}"; then
echo "ERROR: existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2
log error "Existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2
continue
fi
if test -z "${existing_group}"; then
echo "ERROR: existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2
log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2
continue
fi
@ -388,19 +404,18 @@ set_file_perms() {
}
if test "${dpkg_statoverride_list_exit_code}" = "0"; then
true "INFO: There is an fso entry. Check if owner/group/mode matches."
local grep_line
grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}"
if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then
true "INFO: The owner/group/mode matches. No further action required."
log info "The owner/group/mode matches fso entry. No further action required."
else
true "INFO: The owner/group/mode does not match, removing and re-adding the entry to update it."
log info "The owner/group/mode does not match fso entry, updating entry."
## fso_without_trailing_slash instead of fso to prevent
## "dpkg-statoverride: warning: stripping trailing /"
# shellcheck disable=SC2086
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then
true "INFO: Existing mode already saved previously. Not saving again."
log info "Existing mode already saved previously. Not saving again."
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
@ -421,11 +436,11 @@ set_file_perms() {
echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}"
fi
else
true "INFO: There is no fso entry, adding one."
log info "There is no fso entry, adding one."
# shellcheck disable=SC2086
if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then
true "INFO: Existing mode already saved previously. Not saving again."
log info "Existing mode already saved previously. Not saving again."
else
## Save existing_mode in separate database.
## Not using --update as not intending to enforce existing_mode.
@ -457,12 +472,12 @@ set_file_perms() {
getcap_output="$(getcap "${fso}")"
if test -n "${getcap_output}"; then
exit_code=205
echo "ERROR: removing capabilities failed. File: '${fso}'" >&2
log error "Removing capabilities failed. File: '${fso}'" >&2
continue
fi
else
if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then
echo "ERROR: capability from config does not exist: '${capability_from_config}'" >&2
log error "Capability from config does not exist: '${capability_from_config}'" >&2
continue
fi
@ -470,8 +485,9 @@ set_file_perms() {
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580
echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}"
fi
done <"${config_file}"
true "INFO: END parsing config file: '${config_file}'"
log info "END parsing config file: ${config_file}"
}
parse_config_folder() {
@ -504,6 +520,7 @@ parse_config_folder() {
/usr/local/etc/permission-hardening.d/*.conf
do
set_file_perms
done
}
@ -513,8 +530,8 @@ apply() {
sanity_tests
parse_config_folder
echo "\
INFO: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
log info "\
To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes:
sudo apt install --no-install-recommends meld
meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride"
}
@ -529,21 +546,22 @@ spare() {
dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode"
if test ! -f "${store_dir}/existing_mode/statoverride"; then
true debug "Stat file does not exist, hardening was not applied not applied before"
return 0
fi
local line
while IFS="" read -r -d "" line; do
while read -r line; do
## example line:
## root root 4755 /usr/lib/eject/dmcrypt-get-device
local owner group mode file_name
if ! read -r owner group mode file_name <<< "${line}"; then
exit_code=201
echo "ERROR: cannot parse line: ${line}" >&2
log error "Cannot parse line: ${line}" >&2
continue
fi
true "INFO: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'"
log info "Parsing line: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'"
if test "${remove_file}" = "all"; then
verbose=""
@ -571,7 +589,7 @@ spare() {
# shellcheck disable=SC2086
chmod ${verbose} "${mode}" "${file_name}" || exit_code=203
else
echo "INFO: file doesn't exist: '${file_name}'"
log warn "File does not exist: '${file_name}'"
fi
dpkg-statoverride --remove "${file_name}" &>/dev/null || true
@ -589,7 +607,7 @@ spare() {
if test ! "${remove_file}" = "all"; then
if test "$(cat "${store_dir}/remove_one")" = "false"; then
echo "INFO: no file was removed.
log info "No file was removed.
File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier.
@ -617,7 +635,7 @@ spare() {
check_root(){
if test "$(id -u)" != "0"; then
echo "ERROR: Not running as root, aborting."
log error "Not running as root, aborting."
exit 1
fi
}
@ -647,7 +665,7 @@ case "${1:-}" in
esac
if test "${exit_code}" != "0"; then
echo "ERROR: Exiting with non-zero exit code: '${exit_code}'" >&2
log error "Exiting with non-zero exit code: '${exit_code}'" >&2
fi
exit "${exit_code}"