-
Notifications
You must be signed in to change notification settings - Fork 35
/
Copy pathuptux.py
executable file
·804 lines (648 loc) · 29.2 KB
/
uptux.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
#!/usr/bin/env python
"""
uptux by initstring (gitlab.com/initstring)
This tool checks for configuration issues on Linux systems that may lead to
privilege escalation.
All functionality is contained in a single file, because installing packages
in restricted shells is a pain.
"""
import os
import sys
import socket
import getpass
import argparse
import datetime
import subprocess
import inspect
import glob
import re
BANNER = r'''
____ ___ ___________
| | \_____\__ ___/_ _____ ___
| | /\____ \| | | | \ \/ /
| | / | |_> > | | | /> <
|______/ | __/|____| |____//__/\_ \
|__| \/
PrivEsc for modern Linux systems
github.com/initstring/uptux
'''
########################## Global Declarations Follow #########################
LOGFILE = 'log-uptux-{:%Y-%m-%d-%H.%M.%S}'.format(datetime.datetime.now())
PARSER = argparse.ArgumentParser(description=
"PrivEsc for modern Linux systems,"
" by initstring (gitlab.com/initstring)")
PARSER.add_argument('-n', '--nologging', action='store_true',
help='do not write output to a logfile')
PARSER.add_argument('-d', '--debug', action='store_true',
help='print some debugging info to the console')
ARGS = PARSER.parse_args()
## Known directories for storing systemd files.
SYSTEMD_DIRS = ['/etc/systemd/**/',
'/lib/systemd/**/',
'/run/systemd/**/',
'/usr/lib/systemd/**/']
## Known directories for storing D-Bus configuration files
DBUS_DIRS = ['/etc/dbus-1/system.d/',
'/etc/dbus-1/session.d']
# Target files that we know we cannot exploit
NOT_VULN = ['/dev/null',
'.']
# Used to enable/disable the relative path checks of systemd
SYSTEMD_PATH_WRITABLE = False
########################## End of Global Declarations #########################
############################ Setup Functions Follow ###########################
# This is the place for functions that help set up the application.
def tee(text, **kwargs):
"""Used to log and print concurrently"""
# Defining variables to print color-coded messages to the console.
colors = {'green': '\033[92m',
'blue': '\033[94m',
'orange': '\033[93m',
'red': '\033[91m',}
end_color = '\033[0m'
boxes = {'ok': colors['blue'] + '[*] ' + end_color,
'note': colors['green'] + '[+] ' + end_color,
'warn': colors['orange'] + '[!] ' + end_color,
'vuln': colors['red'] + '[VULNERABLE] ' + end_color,
'sus': colors['orange'] + '[INVESTIGATE] ' + end_color}
# If this function is called with an optional 'box=xxx' parameter, these
# will be prepended to the message.
box = kwargs.get('box', '')
if box:
box = boxes[box]
# First, just print the item to the console.
print(box + text)
# Then, write it to the log if logging is not disabled
if not ARGS.nologging:
try:
with open(LOGFILE, 'a') as logfile:
logfile.write(box + text + '\n')
except PermissionError:
ARGS.nologging = True
print(boxes['warn'] + "Could not create a log file due to"
" insufficient permissions. Continuing with checks...")
def check_handler(check, check_name, check_desc):
"""Check handler
This function takes a dictionary of check_desc,check_name and will
iterate through them all.
"""
tee("\n\n++++++++++ {}: {} ++++++++++\n\n"
.format(check_name, check_desc))
tee("Starting module at {:%Y-%m-%d-%H.%M.%S}"
.format(datetime.datetime.now()), box='ok')
tee("\n")
check()
tee("\n")
tee("Finished module at {:%Y-%m-%d-%H.%M.%S}\n"
.format(datetime.datetime.now()), box='ok')
def get_function_order(function):
"""Helper function for build_checks_list"""
# Grabs the line number of a function it is passed.
order = function.__code__.co_firstlineno
return order
def build_checks_list():
"""Dynamically build list of checks to execute
This function will grab, in order, all functions that start with
'uptux_check_' and populate a list. This is then used to run the checks.
"""
# Start to build a list of functions we will execute.
uptux_checks = []
# Get the name of this python script and all the functions inside it.
current_module = sys.modules[__name__]
all_functions = inspect.getmembers(current_module, inspect.isfunction)
# If the function name matches 'uptux_check_' we will include it.
for function in all_functions:
function_name = function[0]
function_object = function[1]
if 'uptux_check_' in function_name:
uptux_checks.append(function_object)
# Use the helper function to sort by line number in script.
uptux_checks.sort(key=get_function_order)
# Return the sorted list of functions.
return uptux_checks
############################# End Setup Functions #############################
########################### Helper Functions Follow ###########################
# This is the place to put functions that are used by multiple "Individual
# Checks" (those starting with uptux_check_).
def shell_exec(command):
"""Executes Linux shell commands"""
# Split the command into a list as needed by subprocess
command = command.split()
# Get both stdout and stderror from command. Grab the Python exception
# if there is one.
try:
out_bytes = subprocess.check_output(command,
stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as error:
out_bytes = error.output
except OSError as error:
print('Could not run the following OS command. Sorry!\n'
' Command: {}'.format(command))
print(error)
sys.exit()
# Return the lot as a text string for processing.
out_text = out_bytes.decode('utf-8')
out_text = out_text.rstrip()
return out_text
def find_system_files(**kwargs):
"""Locates system files
Expected kwargs: known_dirs, search_mask
"""
# Define known Linux folders for storing service unit definitions
return_list = set()
# Recursively gather all service unit from the known directories
# and add them to a deduplicated set.
for directory in kwargs['known_dirs']:
found_files = glob.glob(directory + kwargs['search_mask'])
for item in found_files:
# We don't care about files that point to /dev/null.
if '/dev/null' not in os.path.realpath(item):
return_list.add(item)
if ARGS.debug:
print("DEBUG, FOUND FILES")
for item in return_list:
print(item)
return return_list
def regex_vuln_search(**kwargs):
"""Helper function for searching text files
This function will take a list of file paths and search through
them with a given regex. Relevant messages will be printed to the console
and log.
Expected kwargs: file_paths, regex, message_text, message_box
"""
# Start a list of dictionaries for files with interesting content.
return_list = []
# Open up each individual file and read the text into memory.
for file_name in kwargs['file_paths']:
return_dict = {}
# Continue if we can't access the file.
if not os.access(file_name, os.R_OK):
continue
file_object = open(file_name, 'r')
file_text = file_object.read()
# Use the regex we pass in to the function to look for vulns.
found = re.findall(kwargs['regex'], file_text)
# Save the file name and the interesting lines of text
if found:
return_dict['file_name'] = file_name
return_dict['text'] = found
return_list.append(return_dict)
# If the function is supplied with message info, print to console and log.
# This function may be used instead as input to another function, so we
# don't always want to print here.
if return_list and kwargs['message_text'] and kwargs['message_box']:
# Print to console and log the interesting file names and content.
tee("")
tee(kwargs['message_text'], box=kwargs['message_box'])
for item in return_list:
tee(" {}:".format(item['file_name']))
for text in item['text']:
tee(" {}".format(text))
tee("")
if ARGS.debug:
print("DEBUG, SEARCH RESULTS")
for item in return_list:
print(item['file_name'])
for text in item['text']:
print(" {}".format(text))
return return_list
def check_file_permissions(**kwargs):
"""Helper function to check permissions and symlink status
This function will take a list of file paths, resolve them to their
actual location (for symlinks), and determine if they are writeable
by the current user. Will also alert on broken symlinks and whether
the target directory for the broken link is writeable.
Expected kwargs: file_paths, files_message_text, dirs_message_text,
message_box
"""
# Start deuplicated sets for interesting files and directories.
writeable_files = set()
writeable_dirs = set()
for file_name in kwargs['file_paths']:
# Ignore known not-vulnerable targets
if file_name in NOT_VULN:
continue
# Is it a symlink? If so, get the real path and check permissions.
# If it is broken, check permissions on the parent directory.
if os.path.islink(file_name):
target = os.readlink(file_name)
# Some symlinks use relative path names. Find these and prepend
# the directory name so we can investigate properly.
if target[0] == '.':
parent_dir = os.path.dirname(file_name)
target = parent_dir + '/' + target
if os.path.exists(target) and os.access(target, os.W_OK):
writeable_files.add('{} -- symlink --> {}'
.format(file_name, target))
else:
parent_dir = os.path.dirname(target)
if os.access(parent_dir, os.W_OK):
writeable_dirs.add((file_name, target))
# OK, not a symlink. Just check permissions.
else:
if os.access(file_name, os.W_OK):
writeable_files.add(file_name)
if writeable_files:
# Print to console and log the interesting findings.
tee("")
tee(kwargs['files_message_text'], box=kwargs['message_box'])
for item in writeable_files:
tee(" {}".format(item))
if writeable_dirs:
# Print to console and log the interesting findings.
tee("")
tee(kwargs['dirs_message_text'], box=kwargs['message_box'])
for item in writeable_dirs:
tee(" {} --> {}".format(item[0], item[1]))
if not writeable_files and not writeable_dirs:
tee("")
tee("No writeable targets. This is expected...",
box='note')
def check_command_permission(**kwargs):
"""Checks permissions on commands returned from inside files
Loops through a provided list of dictionaries with a file name and
commands found within. Checks to see if they are writeable or missing and
living in a writable directory.
Expected kwargs: file_paths, regex, message_text, message_box
"""
# Start an empty list for the return of the writable files/commands
return_list = []
for item in kwargs['commands']:
return_dict = {}
return_dict['text'] = []
# The commands we have are long and may include parameters or even
# multiple commands with pipes and ;. We try to split this all out
# below.
for command in item['text']:
command = re.sub(r'[\'"]', '', command)
command = re.split(r'[ ;\|]', command)
# We now have a list of some commands and some parameters and
# other garbage. Checking for os access will clean this up for us.
# The lines below determine if we have write access to anything.
# It also checks for the case where the target does not exist but
# the parent directory is writeable.
for split_command in command:
vuln = False
# Ignore known not-vulnerable targets
if split_command in NOT_VULN:
continue
# Some systemd items will specicify a command with a path
# relative to the calling item, particularly timer files.
relative_path = os.path.dirname(item['file_name'])
# First, check the obvious - is this a writable command?
if os.access(split_command, os.W_OK):
vuln = True
# What about if we assume it is a relative path?
elif os.access(relative_path + '/' + split_command, os.W_OK):
vuln = True
# Or maybe it doesn't exist at all, but is in a writeable
# director?
elif (os.access(os.path.dirname(split_command), os.W_OK)
and not os.path.exists(split_command)):
vuln = True
# If so, pack it all up in a new dictionary which is used
# below for output.
if vuln:
return_dict['file_name'] = item['file_name']
return_dict['text'].append(split_command)
if return_dict not in return_list:
return_list.append(return_dict)
if return_list and kwargs['message_text'] and kwargs['message_box']:
# Print to console and log the interesting file names and content.
tee("")
tee(kwargs['message_text'], box=kwargs['message_box'])
for item in return_list:
tee(" {}:".format(item['file_name']))
for text in item['text']:
tee(" {}".format(text))
tee("")
########################## Helper Functions Complete ##########################
########################### Individual Checks Follow ##########################
# Note: naming a new function 'uptux_check_xxxx' will automatically
# include it in execution. These will trigger in the same order listed
# in the script. The docstring will be pulled and used in the console and
# log file, so keep it short (one line).
def uptux_check_sysinfo():
"""Gather basic OS information"""
# Gather a few basics for the report.
uname = os.uname()
tee("Host: {}".format(uname[1]))
tee("OS: {}, {}".format(uname[0], uname[3]))
tee("Kernel: {}".format(uname[2]))
tee("Current user: {} (UID {} GID {})".format(getpass.getuser(),
os.getuid(),
os.getgid()))
tee("Member of following groups:\n {}".format(shell_exec('groups')))
def uptux_check_systemd_paths():
"""Check if systemd PATH is writeable"""
# Define the bash command.
command = 'systemctl show-environment'
output = shell_exec(command)
# Define the regex to find in the output.
regex = re.compile(r'PATH=(.*$)')
# Take the output from bash and split it into a list of paths.
output = re.findall(regex, output)
# This command may fail in some environments, only proceed if we have
# a good match.
if output:
output = output[0].split(':')
# Check each path - if it is writable, add it to a list.
writeable_paths = []
for item in output:
if os.access(item, os.W_OK):
writeable_paths.append(item)
else:
writeable_paths = False
# Write the status to the console and log.
if writeable_paths:
tee("The following systemd paths are writeable. THIS IS ODD!\n"
"See if you can combine this with a relative path Exec statement"
" for privesc:",
box='vuln')
for path in writeable_paths:
tee(" {}".format(path))
global SYSTEMD_PATH_WRITABLE
SYSTEMD_PATH_WRITABLE = True
else:
tee("No systemd paths are writeable. This is expected...",
box='note')
def uptux_check_services():
"""Inspect systemd service unit files"""
# Define known Linux folders for storing service unit definitions
units = set()
mask = '*.service'
units = find_system_files(known_dirs=SYSTEMD_DIRS,
search_mask=mask)
tee("Found {} service units to analyse...\n".format(len(units)),
box='ok')
# Test for write access to any service files.
# Will resolve symlinks to their target and also check for broken links.
text = 'Found writeable service unit files:'
text2 = 'Found writeable directories referred to by broken symlinks'
box = 'vuln'
tee("")
tee("Checking permissions on service unit files...",
box='ok')
check_file_permissions(file_paths=units,
files_message_text=text,
dirs_message_text=text2,
message_box=box)
# Only check relative paths if we can abuse them
if SYSTEMD_PATH_WRITABLE:
# Look for relative calls to binaries.
# Example: ExecStart=somfolder/somebinary
regex = re.compile(r'^Exec(?:Start|Stop|Reload)='
r'(?:@[^/]' # special exec
r'|-[^/]' # special exec
r'|\+[^/]' # special exec
r'|![^/]' # special exec
r'|!![^/]' # special exec
r'|)' # or maybe no special exec
r'[^/@\+!-]' # not abs path or special exec
r'.*', # rest of line
re.MULTILINE)
text = ('Possible relative path in an Exec statement.\n'
'Unless you have writeable systemd paths, you won\'t be able to'
' exploit this:')
box = 'sus'
tee("")
tee("Checking for relative paths in service unit files [check 1]...",
box='ok')
regex_vuln_search(file_paths=units,
regex=regex,
message_text=text,
message_box=box)
# Look for relative calls to binaries but invoked by an interpreter.
# Example: ExecStart=/bin/sh -c 'somefolder/somebinary'
regex = re.compile(r'^Exec(?:Start|Stop|Reload)='
r'(?:@[^/]' # special exec
r'|-[^/]' # special exec
r'|\+[^/]' # special exec
r'|![^/]' # special exec
r'|!![^/]' # special exec
r'|)' # or maybe no special exec
r'.*?(?:/bin/sh|/bin/bash) ' # interpreter
r'(?:[\'"]|)' # might have quotes
r'(?:-[a-z]+|)'# might have params
r'(?:[ ]+|)' # might have more spaces now
r'[^/-]' # not abs path or param
r'.*', # rest of line
re.MULTILINE)
text = ('Possible relative path invoked with an interpreter in an'
' Exec statement.\n'
'Unless you have writable systemd paths, you won\'t be able to'
' exploit this:')
box = 'sus'
tee("")
tee("Checking for relative paths in service unit files [check 2]...",
box='ok')
regex_vuln_search(file_paths=units,
regex=regex,
message_text=text,
message_box=box)
# Check for write access to any commands invoked by Exec statements.
# Thhs regex below is used to extract command lines.
regex = re.compile(r'^Exec.*?=[!@+-]*(.*?$)',
re.MULTILINE)
# We don't pass message info to this function as we need to perform more
# processing on the output to determine what is writeable.
tee("")
tee("Checking for write access to commands referenced in service files...",
box='ok')
service_commands = regex_vuln_search(file_paths=units,
regex=regex,
message_text='',
message_box='')
# Another helper function to take the extracted commands and check for
# write permissions.
text = 'You have write access to commands referred to in service files:'
box = 'vuln'
check_command_permission(commands=service_commands,
message_text=text,
message_box=box)
def uptux_check_timer_units():
"""Inspect systemd timer unit files"""
units = set()
mask = '*.timer'
units = find_system_files(known_dirs=SYSTEMD_DIRS,
search_mask=mask)
tee("Found {} timer units to analyse...\n".format(len(units)),
box='ok')
# Test for write access to any timer files.
# Will resolve symlinks to their target and also check for broken links.
text = 'Found writeable timer unit files:'
text2 = 'Found writeable directories referred to by broken symlinks'
box = 'vuln'
tee("")
tee("Checking permissions on timer unit files...",
box='ok')
check_file_permissions(file_paths=units,
files_message_text=text,
dirs_message_text=text2,
message_box=box)
# Timers may reference systemd services, which are already being checked.
# But they may reference a specific script (often a '.target' file of the
# same name. Check to see if the action called is writable.
# The regex below is used to extract these targets.
regex = re.compile(r'^Unit=*(.*?$)',
re.MULTILINE)
# We don't pass message info to this function as we need to perform more
# processing on the output to determine what is writeable.
tee("")
tee("Checking for write access to commands referenced in timer files...",
box='ok')
timer_commands = regex_vuln_search(file_paths=units,
regex=regex,
message_text='',
message_box='')
# Another helper function to take the extracted commands and check for
# write permissions.
text = 'You have write access to commands referred to in timer files:'
box = 'vuln'
check_command_permission(commands=timer_commands,
message_text=text,
message_box=box)
def uptux_check_socket_units():
"""Inspect systemd socket unit files"""
units = set()
mask = '*.socket'
units = find_system_files(known_dirs=SYSTEMD_DIRS,
search_mask=mask)
tee("Found {} socket units to analyse...\n".format(len(units)),
box='ok')
# Test for write access to any socket files.
# Will resolve symlinks to their target and also check for broken links.
text = 'Found writeable socket unit files:'
text2 = 'Found writeable directories referred to by broken symlinks'
box = 'vuln'
tee("")
tee("Checking permissions on socket unit files...",
box='ok')
check_file_permissions(file_paths=units,
files_message_text=text,
dirs_message_text=text2,
message_box=box)
# Check for write access to any socket files created by a service.
# This can be interesting - I've seen a systemd service run a REST
# API on a AF_UNIX socket. This would be missed by normal privesc
# checks.
# Thhs regex below is used to extract command lines.
regex = re.compile(r'^Listen.*?=[!@+-]*(.*?$)',
re.MULTILINE)
# We don't pass message info to this function as we need to perform more
# processing on the output to determine what is writeable.
tee("")
tee("Checking for write access to AF_UNIX sockets...",
box='ok')
socket_files = regex_vuln_search(file_paths=units,
regex=regex,
message_text='',
message_box='')
# Another helper function to take the extracted commands and check for
# write permissions.
text = ('You have write access to AF_UNIX socket files invoked by a'
' systemd service.\n'
'This could be interesting. \n'
'You can attach to these files to look for an exploitable API.')
box = 'sus'
check_command_permission(commands=socket_files,
message_text=text,
message_box=box)
def uptux_check_socket_apis():
"""Look for web servers on UNIX domain sockets"""
# Use Linux ss tool to find sockets in listening state
command = 'ss -xlp -H state listening'
output = shell_exec(command)
# We get Unicode back from the above command, let's fix
output = str(output)
root_sockets = []
socket_replies = {}
# We want to grab all the strings that look like socket paths
sockets = re.findall(r' (/.*?) ', output)
abstract_sockets = re.findall(r' (@.*?) ', output)
for socket_path in sockets:
# For now, we are only interested in sockets owned by root
if os.path.exists(socket_path) and os.stat(socket_path).st_uid == 0:
root_sockets.append(socket_path)
tee("Trying to connect to {} unix sockets owned by uid 0..."
.format(len(root_sockets)), box='ok')
tee("")
# Cycle through each and try to send a raw HTTP GET
for socket_target in root_sockets:
# Define a raw HTTP GET request
http_get = ('GET / HTTP/1.1\r\n'
'Host: localhost\r\n'
'\r\n\r\n')
# Try to interact with the socket like a web API
client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client.settimeout(5)
try:
client.connect(socket_target)
client.sendall(http_get.encode())
reply = client.recv(8192).decode()
# If we get a reply to this, we assume it is an API
if reply:
socket_replies[socket_target] = reply
except (socket.error, UnicodeDecodeError):
continue
# If we have some replies, print to console
# Hack-ish string replacement to get a nice indent
if socket_replies:
tee("The following root-owned sockets replied as follows",
box='sus')
for socket_path in socket_replies:
tee(" " + socket_path + ":")
tee(" " + socket_replies[socket_path]
.replace('\n', '\n '))
tee("")
def uptux_check_dbus_issues():
"""Inspect D-Bus configuration items"""
units = set()
mask = '*.conf'
units = find_system_files(known_dirs=DBUS_DIRS,
search_mask=mask)
tee("Found {} D-Bus conf files to analyse...\n".format(len(units)),
box='ok')
# Test for write access to any files.
# Will resolve symlinks to their target and also check for broken links.
text = 'Found writeable D-Bus conf files:'
text2 = 'Found writeable directories referred to by broken symlinks'
box = 'vuln'
tee("")
tee("Checking permissions on D-Bus conf files...",
box='ok')
check_file_permissions(file_paths=units,
files_message_text=text,
dirs_message_text=text2,
message_box=box)
# Checking for overly permission policies in D-Bus configuration files.
# For example, normally "policy" is defined as a username. When defined in
# an XML tag on its own, it applies to everyone.
tee("")
tee("Checking for overly permissive D-Bus configuration rules...",
box='ok')
regex = re.compile(r'<policy>.*?</policy>',
re.MULTILINE|re.DOTALL)
text = ('These D-Bus policies may be overly permissive as they do not'
' specify a user or group.')
box = 'sus'
regex_vuln_search(file_paths=units,
regex=regex,
message_text=text,
message_box=box)
########################## Individual Checks Complete #########################
def main():
"""Main function"""
print(BANNER)
# Dynamically build list of checks to execute.
uptux_checks = build_checks_list()
# Use the handler to execute each check.
for check in uptux_checks:
check_name = check.__name__
check_desc = check.__doc__
check_handler(check, check_name, check_desc)
# Good luck!
tee("")
tee("All done, good luck!", box='note')
if __name__ == "__main__":
main()