78 lines
2.3 KiB
Bash
78 lines
2.3 KiB
Bash
#!/bin/bash
|
|
|
|
#################################################################################
|
|
#
|
|
# Author: Thomas Biege <thomas@suse.de>
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Verifies if a binary contains an insecure RPATH variable.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# TODO:
|
|
#
|
|
################################################################################
|
|
#
|
|
InsertSection "Binary integrity"
|
|
report "[Software]"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : BINARY-1000
|
|
# Description : Verifies if a binary contains an insecure RPATH variable.
|
|
Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
Display --indent 2 --text "- Starting binary RPATH check..."
|
|
logtext "Test: Checking binary integrity of RPATH"
|
|
|
|
RPNOTOK=0
|
|
FILENUM=0
|
|
HPBAD=0
|
|
for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null)
|
|
do
|
|
((FILENUM++))
|
|
for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
|
|
do
|
|
if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi
|
|
while [ -n "$RPATH_VAL" ]
|
|
do
|
|
RPATH_VAL_NXT=${RPATH_VAL%%:*}
|
|
RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
|
|
test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)
|
|
|
|
case ":$RPATH_VAL_NXT" in
|
|
:/usr/lib*)
|
|
;;
|
|
:/lib*)
|
|
;;
|
|
:/opt/*/lib*)
|
|
;;
|
|
:/usr/X11R6/lib*)
|
|
;;
|
|
:/usr/local/lib*)
|
|
;;
|
|
*)
|
|
((HPBAD--))
|
|
RPNOTOK=1;
|
|
Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
|
|
esac
|
|
done
|
|
done
|
|
done
|
|
if [ $RPNOTOK == 0 ]; then
|
|
Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
|
|
fi
|
|
AddHP $HPBAD 0
|
|
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
wait_for_keypress
|