#!/usr/bin/env bash
# ----------------------------------------------------------- #
# Copyright (C) 2008 Red Hat, Inc. #
# Written by Michel Samia <msamia@redhat.com> #
# Adapted for SCE by Martin Preisler <mpreisle@redhat.com> #
# #
# tcp_wrappers.sh #
# more info in tcp_wrappers.dsc #
# ----------------------------------------------------------- #
# Globs naming the executables to inspect. Kept as a plain string because it
# is expanded *unquoted* later on purpose, so that the shell performs the glob.
CHECK='/usr/bin/* /usr/sbin/*'
# tcp_wrappers access-control files, see hosts_access(5).
ALLOW=/etc/hosts.allow
DENY=/etc/hosts.deny
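#######################################
# Filter binaries which use the specified library.
# Arguments: $1 - library name fragment (e.g. libwrap); compared as a
#            fixed string against each linked library's base name with
#            the ".so[.N...]" suffix and directory stripped
# stdin:     list of paths to binaries, one per line
# stdout:    the subset of those paths that link the library
# Returns:   0 always (a binary that ldd cannot inspect is simply skipped)
# Note:      ldd(1) may run the program's own dynamic loader to obtain the
#            dependency list, so only feed it trusted system paths such
#            as the ones in $CHECK.
#######################################
filter_lib() {
  local lib=$1 prog
  # An empty name would match every binary that has any dependency at all;
  # treat it as "nothing matches" instead of reporting the whole tree.
  [[ -n "$lib" ]] || return 0
  # IFS= and -r keep leading blanks and backslashes in the path intact.
  while IFS= read -r prog; do
    ldd "$prog" 2>/dev/null | awk '{ print $1 }' \
      | sed -e 's/\.so\(\.[0-9]\+\)\?//g' -e 's/^.*\///g' \
      | grep -Fq -- "$lib" && printf '%s\n' "$prog"
  done
}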
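#######################################
# Report whether a daemon is named by some rule in a tcp_wrappers access file.
# Arguments: $1 - path of the access file ($ALLOW or $DENY)
#            $2 - daemon name (basename of the binary)
# Returns:   0 if a non-comment rule's daemon list (the part before the first
#            ':', names separated by blanks or commas) contains $2 or the
#            wildcard ALL and $2 is not removed again by an EXCEPT clause;
#            1 otherwise, including when the file is missing or unreadable
#            (which is treated as "no restriction", as the old egrep did).
#######################################
listed_in() {
  local file=$1 daemon=$2
  [[ -r "$file" ]] || return 1
  # The name is handed to awk with -v and compared literally, so a binary
  # name containing regex metacharacters can neither over- nor under-match.
  awk -F: -v d="$daemon" '
    /^[[:space:]]*#/ || NF < 2 { next }
    {
      n = split($1, tok, /[[:space:],]+/)
      in_list = 0; excluded = 0; after_except = 0
      for (i = 1; i <= n; i++) {
        if (tok[i] == "EXCEPT") { after_except = 1; continue }
        if (tok[i] == "ALL" || tok[i] == d) {
          if (after_except) excluded = 1; else in_list = 1
        }
      }
      if (in_list && !excluded) { found = 1; exit }
    }
    END { exit !found }
  ' "$file"
}

# get list of applications, which are linked with libwrap
# CHECK holds globs and is expanded unquoted on purpose; entries that are not
# regular files are skipped instead of being descended into by ls.  Names
# containing "config" (e.g. *-config helper scripts) are excluded as before.
apps=$(
  # shellcheck disable=SC2086
  for prog in $CHECK; do
    [[ -f "$prog" ]] && printf '%s\n' "$prog"
  done | filter_lib libwrap | grep -v config | sed 's|.*/||'
)

# Snapshot of running process names. The comm field is kernel-truncated on
# Linux (typically to 15 characters), so a fixed-string *substring* test is
# kept below rather than an exact-line match.
running=$(ps -eo comm=)

# Default to PASS so the script reports a definite result even when no
# application is flagged; outside SCE the XCCDF_* variables are unset and
# plain 0/1 are used instead.
RET=${XCCDF_RESULT_PASS:-0}
while IFS= read -r app; do
  [[ -n "$app" ]] || continue
  # if the application is not running, we will not cry about it..
  grep -Fq -- "$app" <<<"$running" || continue
  if ! listed_in "$ALLOW" "$app" && ! listed_in "$DENY" "$app"; then
    echo "Application $app is using tcp wrappers, but does not specify any restrictions in $ALLOW nor in $DENY"
    echo "Please consider restricting access to this service i.e. according to IP address ranges"
    RET=${XCCDF_RESULT_FAIL:-1}
  fi
done <<<"$apps"
exit "$RET"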