File tests_binary_rpath of Package lynis

Overview Repositories Revisions Requests Users Attributes Meta

File tests_binary_rpath of Package lynis

#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <thomas@suse.de>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies if a binary contains an insecure RPATH variable.
#
#################################################################################
#
# TODO:
#
################################################################################
#
    InsertSection "Binary integrity"
    report "[Software]"
#
#################################################################################
#
    # Test        : BINARY-1000
    # Description : Verifies if a binary contains an insecure RPATH variable.
    Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Starting binary RPATH check..."
        logtext "Test: Checking binary integrity of RPATH"

RPNOTOK=0
	FILENUM=0
	HPMAX=0
	HPBAD=0
	for FILE in $(find / -xdev -type f $ -perm -0100 -o -perm -0010 -o -perm -0001 $ 2>/dev/null)
	do
		((FILENUM))
		for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
		do
			((HPMAX))
			if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi
			while [ -n "$RPATH_VAL" ]
			do
				RPATH_VAL_NXT=${RPATH_VAL%%:*}
				RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
				test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)

case ":$RPATH_VAL_NXT" in
					:/usr/lib*)
						;;
					:/lib*)
						;;
					:/opt/*/lib*)
						;;
					:/usr/X11R6/lib*)
						;;
					:/usr/local/lib*)
						;;
					*)
						((HPBAD))
						RPNOTOK=1;
						Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
				esac
			done
		done
	done
	if [ $RPNOTOK == 0 ]; then
		Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
	fi
	HP=$(expr $HPMAX - $HPBAD)
# 	echo "AddHP $HP $HPMAX"
	AddHP $HP $HPMAX

fi
#
#################################################################################
#

wait_for_keypress

Places

File tests_binary_rpath of Package lynis

Places