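#!/usr/bin/env bash
{
  # Audit: list world-writable files and world-writable directories that lack
  # the sticky bit on local filesystems, then print a PASS/FAIL report.
  #
  # Output: a human-readable report on stdout. Nothing on disk is modified.
  # The report text is built with literal newlines and printed via
  # printf '%s' rather than echo -e: the names listed come from directories
  # anyone can write to, so a name containing a backslash sequence must be
  # shown verbatim instead of being interpreted (echo -e would turn "\n" into
  # a line break and "\c" into "stop printing", reshaping the listing).
  l_output="" l_output2=""
  l_smask='01000'        # sticky bit, octal; compared against stat's '%#a' output
  a_file=(); a_dir=()    # world-writable files / world-writable dirs without sticky bit
  # Trees excluded from the scan (pseudo-filesystems and container/runtime
  # directories that legitimately contain world-writable entries).
  a_path=(
    ! -path "/run/user/*"
    -a ! -path "/proc/*"
    -a ! -path "*/containerd/*"
    -a ! -path "*/kubelet/pods/*"
    -a ! -path "*/kubelet/plugins/*"
    -a ! -path "/sys/*"
    -a ! -path "/snap/*"
  )
  # Outer loop: one mount target per line, with network/pseudo filesystems and
  # /tmp-style mounts filtered out by awk. Inner loop: NUL-delimited find
  # results, so names containing spaces or newlines survive intact.
  while IFS= read -r l_mount; do
    while IFS= read -r -d $'\0' l_file; do
      [ -e "$l_file" ] || continue   # may have vanished since find listed it
      if [ -f "$l_file" ]; then
        a_file+=("$l_file")
      elif [ -d "$l_file" ]; then
        # stat can fail if the directory was removed meanwhile; skip it rather
        # than feed an empty string into the arithmetic test below.
        l_mode="$(stat -Lc '%#a' "$l_file" 2>/dev/null)" || continue
        # Leading 0 from '%#a' makes bash parse the mode as octal.
        [ $(( l_mode & l_smask )) -eq 0 ] && a_dir+=("$l_file")
      fi
    done < <(find "$l_mount" -xdev \( "${a_path[@]}" \) \( -type f -o -type d \) -perm -0002 -print0 2>/dev/null)
  done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^(\/run\/user\/|\/tmp|\/var\/tmp)/){print $2}')

  if (( ${#a_file[@]} == 0 )); then
    l_output+=$'\n'" - No world writable files exist on the local filesystem."
  else
    l_output2+=$'\n'" - There are \"${#a_file[@]}\" World writable files on the system."
    l_output2+=$'\n'"- The following is a list of World writable files:"
    l_output2+=$'\n'"$(printf '%s\n' "${a_file[@]}")"
    l_output2+=$'\n'"- end of list"$'\n'
  fi

  if (( ${#a_dir[@]} == 0 )); then
    l_output+=$'\n'" - Sticky bit is set on world writable directories on the local filesystem."
  else
    l_output2+=$'\n'" - There are \"${#a_dir[@]}\" World writable directories without the sticky bit on the system."
    l_output2+=$'\n'"- The following is a list of World writable directories without the sticky bit:"
    l_output2+=$'\n'"$(printf '%s\n' "${a_dir[@]}")"
    l_output2+=$'\n'"- end of list"$'\n'
  fi

  unset a_path a_file a_dir   # arrays no longer needed

  # An empty l_output2 means there were no findings: the audit passes.
  if [ -z "$l_output2" ]; then
    printf '%s\n' "" "- Audit Result:" " ** PASS **" " - * Correctly configured * :" "$l_output" ""
  else
    printf '%s\n' "" "- Audit Result:" " ** FAIL **" " - * Reasons for audit failure * :" "$l_output2"
    [ -n "$l_output" ] && printf '%s\n' "- * Correctly configured * :" "$l_output" ""
  fi
}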
Note: On systems with a large number of files and/or directories, this audit may be a long-running process.
It is recommended that write access be removed from "other" with the command ( chmod o-w ), but always consult the relevant vendor documentation to avoid breaking any application dependencies on a given file.
World Writable Directories:
Set the sticky bit on all world writable directories with the command ( chmod a+t ).
Run the following script to:
- Remove other write permission from any world writable files
- Add the sticky bit to all world writable directories
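#!/usr/bin/env bash
{
  # Remediation: on local filesystems, remove "other" write permission from
  # world-writable regular files and set the sticky bit on world-writable
  # directories that lack it.
  #
  # Output: one message per change on stdout. Modifies file modes in place.
  # Messages are printed with printf and '%s' placeholders, not echo -e, so a
  # backslash sequence inside a filename is shown verbatim rather than being
  # interpreted into the log. find only returns regular files and
  # directories (no symlinks), so chmod never follows a link it was handed;
  # the window between find listing a path and chmod acting on it remains,
  # so run this from the audited listing during a maintenance window.
  l_smask='01000'   # sticky bit, octal; compared against stat's '%#a' output
  # Trees excluded from the scan (pseudo-filesystems and container/runtime
  # directories that legitimately contain world-writable entries).
  a_path=(
    ! -path "/run/user/*"
    -a ! -path "/proc/*"
    -a ! -path "*/containerd/*"
    -a ! -path "*/kubelet/pods/*"
    -a ! -path "*/kubelet/plugins/*"
    -a ! -path "/sys/*"
    -a ! -path "/snap/*"
  )
  # Outer loop: one mount target per line, with network/pseudo filesystems and
  # /tmp-style mounts filtered out by awk. Inner loop: NUL-delimited find
  # results, so names containing spaces or newlines survive intact.
  while IFS= read -r l_mount; do
    while IFS= read -r -d $'\0' l_file; do
      [ -e "$l_file" ] || continue   # may have vanished since find listed it
      # stat can fail if the entry was removed meanwhile; skip it rather than
      # report an empty mode or feed one into the arithmetic test below.
      l_mode="$(stat -Lc '%#a' "$l_file" 2>/dev/null)" || continue
      if [ -f "$l_file" ]; then
        printf " - File: \"%s\" is mode: \"%s\"\n -removing write permission on \"%s\" from \"other\"\n" "$l_file" "$l_mode" "$l_file"
        chmod o-w -- "$l_file"
      elif [ -d "$l_file" ] && [ $(( l_mode & l_smask )) -eq 0 ]; then
        # Leading 0 from '%#a' makes bash parse the mode as octal.
        printf " - Directory: \"%s\" is mode: \"%s\" and doesn't have the sticky bit set\n - Adding the sticky bit\n" "$l_file" "$l_mode"
        chmod a+t -- "$l_file"
      fi
    done < <(find "$l_mount" -xdev \( "${a_path[@]}" \) \( -type f -o -type d \) -perm -0002 -print0 2>/dev/null)
  done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^(\/run\/user\/|\/tmp|\/var\/tmp)/){print $2}')
}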