lynis/tests_binary_rpath

#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <thomas@suse.de>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies if a binary contains an insecure RPATH variable.
#
#################################################################################
#
# TODO:
#
################################################################################
#
    InsertSection "Binary integrity"
    report "[Software]"
#
#################################################################################
#
    # Test        : BINARY-1000
    # Description : Verifies if a binary contains an insecure RPATH variable.
    Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Starting binary RPATH check..."
        logtext "Test: Checking binary integrity of RPATH"

	RPNOTOK=0
	FILENUM=0
	HPBAD=0
	for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null)
	do
		((FILENUM++))
		for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
		do
			if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi
			while [ -n "$RPATH_VAL" ]
			do
				RPATH_VAL_NXT=${RPATH_VAL%%:*}
				RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
				test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)

				case ":$RPATH_VAL_NXT" in
					:/usr/lib*)
						;;
					:/lib*)
						;;
					:/opt/*/lib*)
						;;
					:/usr/X11R6/lib*)
						;;
					:/usr/local/lib*)
						;;
					*)
						((HPBAD--))
						RPNOTOK=1;
						Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
				esac
			done
		done
	done
	if [ $RPNOTOK == 0 ]; then
		Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
	fi
	AddHP $HPBAD 0

    fi
#
#################################################################################
#

wait_for_keypress
Sync from SUSE:SLFO:Main lynis revision 3b0de71aa5352bed3bb6f9211666db8d 2025-03-06 15:29:46 +01:00			`#!/bin/bash`

			`#################################################################################`
			`#`
			`# Author: Thomas Biege <thomas@suse.de>`
			`#`
			`# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are`
			`# welcome to redistribute it under the terms of the GNU General Public License.`
			`# See LICENSE file for usage of this software.`
			`#`
			`#################################################################################`
			`#`
			`# Verifies if a binary contains an insecure RPATH variable.`
			`#`
			`#################################################################################`
			`#`
			`# TODO:`
			`#`
			`################################################################################`
			`#`
			`InsertSection "Binary integrity"`
			`report "[Software]"`
			`#`
			`#################################################################################`
			`#`
			`# Test : BINARY-1000`
			`# Description : Verifies if a binary contains an insecure RPATH variable.`
			`Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."`
			`if [ ${SKIPTEST} -eq 0 ]; then`
			`Display --indent 2 --text "- Starting binary RPATH check..."`
			`logtext "Test: Checking binary integrity of RPATH"`

			`RPNOTOK=0`
			`FILENUM=0`
			`HPBAD=0`
			`for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null)`
			`do`
			`((FILENUM++))`
			`for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null \| egrep -w '(RPATH\|RUNPATH)' \| awk '{ print $2 ":"}')`
			`do`
			`if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi`
			`while [ -n "$RPATH_VAL" ]`
			`do`
			`RPATH_VAL_NXT=${RPATH_VAL%%:*}`
			`RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}`
			`test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)`

			`case ":$RPATH_VAL_NXT" in`
			`:/usr/lib*)`
			`;;`
			`:/lib*)`
			`;;`
			`:/opt//lib)`
			`;;`
			`:/usr/X11R6/lib*)`
			`;;`
			`:/usr/local/lib*)`
			`;;`
			`*)`
			`((HPBAD--))`
			`RPNOTOK=1;`
			`Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED`
			`esac`
			`done`
			`done`
			`done`
			`if [ $RPNOTOK == 0 ]; then`
			`Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN`
			`fi`
			`AddHP $HPBAD 0`

			`fi`
			`#`
			`#################################################################################`
			`#`

			`wait_for_keypress`