/usr/share/openscap/sectool-sce/11_aliases.sh is in libopenscap8 1.2.15-1build1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
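#!/bin/bash
# ----------------------------------------------------------- #
# Copyright (C) 2008 Red Hat, Inc.                            #
# Written by Michel Samia <msamia@redhat.com>                 #
# Adapted for SCE by Martin Preisler <mpreisle@redhat.com>    #
#                                                             #
# aliases.sh                                                  #
# ----------------------------------------------------------- #
#
# SCE (Script Check Engine) check for shell aliases.
#
# Every alias visible in a login shell of the user running the check is
# inspected.  The first word of the alias body is taken as its command:
#   - '.' or 'source'  -> the next word is a file that must exist, be owned
#                         by root and not be group/world writable;
#   - anything else    -> the command must resolve to an executable that is
#                         owned by root and not group/world writable.
# A missing command or sourced file only lowers the result to INFORMATIONAL;
# a writable or non-root-owned file is a FAIL.
#
# Limitations (unchanged from the original): only the first command of an
# alias body is examined (not what follows ';', '&&', '|' ...), and the
# command is resolved with this script's PATH, which may differ from the
# login shell's.  'bash -l' executes the scanning user's profile scripts,
# so this check is only meaningful when run as a trusted user (SCE runs it
# as root).

# XCCDF result codes are exported by the SCE runner.  Abort early with a
# message rather than reaching 'exit' with an empty value when the script is
# run outside oscap.
: "${XCCDF_RESULT_PASS:?must be set by the SCE runner}"
: "${XCCDF_RESULT_FAIL:?must be set by the SCE runner}"
: "${XCCDF_RESULT_INFORMATIONAL:?must be set by the SCE runner}"

RET=$XCCDF_RESULT_PASS

# Lower the overall result to INFORMATIONAL unless it is already FAIL.
note_informational() {
  [[ "$RET" == "$XCCDF_RESULT_FAIL" ]] || RET=$XCCDF_RESULT_INFORMATIONAL
}

#######################################
# Verify that a file referenced by an alias is safe to trust: owned by
# root and neither group nor world writable.
# Arguments:
#   $1 - alias name (for messages)
#   $2 - how the alias references the file, e.g. "contains command 'ls'"
#   $3 - path to inspect
# Globals:
#   RET - set to FAIL on any finding
#######################################
check_file() {
  local alias_name=$1 what=$2 path=$3
  local mode uid

  # -L follows symlinks so the file that actually executes is inspected
  # (e.g. an /etc/alternatives target), and it is used for BOTH the mode
  # and the owner so the two checks look at the same inode.  A file we
  # cannot stat cannot be vouched for, so that is a FAIL rather than the
  # old behaviour of silently comparing against an empty string.
  if ! mode=$(stat -L -c '%A' -- "$path" 2>/dev/null) \
     || ! uid=$(stat -L -c '%u' -- "$path" 2>/dev/null); then
    echo "Alias '$alias_name' $what, which could not be inspected"
    RET=$XCCDF_RESULT_FAIL
    return
  fi

  # %A is e.g. -rwxr-xr-x: index 5 is the group write bit, 8 the other
  # write bit.
  if [[ ${mode:5:1} != '-' ]]; then
    echo "Alias '$alias_name' $what, which is group writable"
    echo "Please unset the group write bit"
    RET=$XCCDF_RESULT_FAIL
  fi
  if [[ ${mode:8:1} != '-' ]]; then
    echo "Alias '$alias_name' $what, which is world writable"
    echo "Please unset the world write bit"
    RET=$XCCDF_RESULT_FAIL
  fi
  # Compare the numeric uid: %U prints UNKNOWN for uids without a passwd
  # entry, which would be reported as "not root" for the wrong reason.
  if [[ "$uid" != "0" ]]; then
    echo "Alias '$alias_name' $what, which is not owned by root"
    echo "Please chown this file to root:root"
    RET=$XCCDF_RESULT_FAIL
  fi
}

# 'alias' in a login shell prints one "alias name='body'" line per alias.
# Process substitution keeps the loop (and therefore RET) in this shell;
# 'read -r' and quoting keep backslashes and globs in alias bodies literal.
while IFS= read -r line; do
  [[ "$line" == "alias "* ]] || continue
  line=${line#alias }

  # Split on the FIRST '=' only, so bodies containing '=' (e.g.
  # 'ls --color=auto') are kept whole; then drop bash's surrounding quotes.
  name=${line%%=*}
  value=${line#*=}
  value=${value#\'}
  value=${value%\'}

  # First word is the command, second its first argument (the file for
  # '.'/'source').  An empty body has nothing to inspect.
  read -r cmd arg _ <<<"$value"
  [[ -n "$cmd" ]] || continue

  if [[ "$cmd" == "." || "$cmd" == "source" ]]; then
    # Expand a leading '~' or '~/' as the shell would when the alias runs
    # ('~user' forms are left alone).
    case "$arg" in
      "~")   target=$HOME ;;
      "~/"*) target=$HOME${arg#\~} ;;
      *)     target=$arg ;;
    esac
    if [[ ! -f "$target" ]]; then
      echo "Alias '$name' includes file '$arg', which does not exist"
      note_informational
    else
      # The sourced file itself is checked (the old code stat'ed the
      # previous command's path here by mistake).
      check_file "$name" "includes file '$arg'" "$target"
    fi
    continue
  fi

  # Builtins and keywords have no file on disk, so there is nothing to
  # inspect; this also subsumes the old special case for 'alias'.
  case "$(type -t -- "$cmd" 2>/dev/null)" in
    builtin|keyword) continue ;;
  esac

  # type -P yields only the path of an executable file and nothing when the
  # command is not found, independent of which(1)'s distribution-specific
  # "no X in ..." text (Debian's which prints nothing at all, which made the
  # old grep-based test miss the not-found case and stat an empty path).
  path=$(type -P -- "$cmd" 2>/dev/null)
  if [[ -z "$path" ]]; then
    echo "Alias '$name' contains command '$cmd', which was not found"
    note_informational
  else
    check_file "$name" "contains command '$cmd'" "$path"
  fi
done < <(bash -l -c 'alias')

exit "$RET"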