Fix implicit special bit requirement for Linux permissions
sourque committed Dec 5, 2022
1 parent 12bd001 commit c5ddda0
Showing 3 changed files with 14 additions and 5 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -150,7 +150,7 @@ message = "Malicious user 'user' can't read /etc/shadow"
type = "FileExists" # conditions. This means they all must pass for a check
path = "/etc/shadow" # to be considered successful.

[[check.passoverride]] # If you a check to succeed if just one condition
[[check.passoverride]] # If you want a check to succeed when any condition
type = "UserExistsNot" # passes, regardless of other pass checks, use
user = "user" # an override pass (passoverride). This is a logical OR.
# passoverride is overridden by fail conditions.
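Review bot: wording nit on the replacement comment: the new line says `regardless of other pass checks` while the very next line says `passoverride is overridden by fail conditions` and the lines above call these entries `conditions`, so the same things are now called both "checks" and "conditions" in one comment block; suggest `regardless of other pass conditions`. The rewritten sentence itself reads correctly and fixes the missing verb in the old `If you a check to succeed` line.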
@@ -140,8 +140,11 @@ func (c cond) PermissionIs() (bool, error) {
}

c.Value = strings.TrimSpace(c.Value)

if len(c.Value) == 9 {
c.Value = "-" + c.Value
// If we're provided a mode string of only 9 characters, we'll assume
// that the 0th bit is irrelevant and should be a wildcard
c.Value = "?" + c.Value
} else if len(c.Value) != 10 {
fail("Your permission string is the wrong length (should be 9 or 10 characters):", c.Value)
return false, errors.New("Invalid user permission string")
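Review bot: the new comment calls the leading character the `0th bit`, but what is being prefixed is the first character of the rendered mode string (the file-type/special-bit column the commit title refers to), not a bit; suggest `// A 9-character mode string omits the leading type/special character, so treat it as a wildcard`. It is also worth a line in the docs that this changes matching behaviour: a 9-character value previously had `-` prepended and so implicitly required that column to be `-`, whereas `?` now matches anything there, so existing configs that relied on the implicit `-` become more permissive, and anyone who wants the old strict behaviour should write the full 10-character string with `-` first. The `fail(...)` message already states the accepted lengths, so no change is needed there.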
@@ -52,7 +52,7 @@ value = 'NOPASSWD'
```
type = 'FileContains'
path = 'C:\Users\coolUser\Desktop\Forensic Question 1.txt'
value = 'ANSWER:\sCool[a-zA-Z]+VariedAnswer'
value = 'ANSWER:\s*Cool[a-zA-Z]+VariedAnswer'
```

**FileEquals**: pass if file equals sha256 hash
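Review bot: `\s*` makes the whitespace optional, so `ANSWER:CoolXyzVariedAnswer` with nothing after the colon now matches as well; the old `\s` matched exactly one whitespace character, so if the intent is "one or more" the tighter fix is `\s+`, and if "zero or more" is intended as written, a short note saying so would stop the next reader from "fixing" it back. Note that the value is a TOML single-quoted literal string, so the backslash reaches the regex engine unescaped; that is what this example relies on and is worth stating once in the docs.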
@@ -71,7 +71,13 @@ path = 'C:\test.txt'
name = 'BUILTIN\Administrators'
```

> Get owner of the file in both Windows and Linux. Both use golang libraries instead of commands to perform this check.
```
type = 'FileOwner'
path = '/etc/passwd'
name = 'root'
```

> Get owner of the file in both Windows and Linux. You can see the owner of a file on Windows using PowerShell: `(Get-Acl [FILENAME]).Owner`. For Linux, use `ls -la FILENAME`.

**FirewallUp**: pass if firewall is active
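Review bot: the new Linux `FileOwner` example is inserted directly after the Windows one with no separating text, so a reader scanning two adjacent fences has no cue that the first is Windows (`C:\test.txt`, `BUILTIN\Administrators`) and the second Linux (`/etc/passwd`, `root`); a short label line before each block, or placing the Linux block after the blockquote that mentions both platforms, would make that obvious. In the rewritten blockquote, `ls -la FILENAME` can be `ls -l FILENAME`, since `-a` only affects which directory entries are listed, not the owner column. The dropped sentence ("Both use golang libraries instead of commands to perform this check") was the only statement of how the check is implemented; if it still holds, consider keeping it, since it tells users the result does not depend on `ls` or `Get-Acl` being present.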
@@ -133,7 +139,7 @@ type = 'PermissionIsNot'
path = '/bin/bash'
value = '???s????w?'
```
So if `/bin/bash` is no longer world writable OR no longer SUID, the check will pass. If you want to ensure both attributes are removed, you should use two conditions in the same check.
So if `/bin/bash` is no longer world writable OR no longer SUID, the check will pass. If you want to ensure both attributes are removed, you should use two conditions in the same check (`pass` for writeable bit, in addition to `pass` for SUID bit).

For Windows, get a users permission of the file using `(Get-Acl [FILENAME]).Access`.
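Review bot: the added parenthetical `(`pass` for writeable bit, in addition to `pass` for SUID bit)` leaves the reader to guess which condition type and which value strings are meant; spelling the two conditions out removes the ambiguity, e.g. two `PermissionIsNot` pass conditions on `/bin/bash`, one with `value = '???s??????'` (SUID) and one with `value = '????????w?'` (world-writable), which works because a check passes only when all of its pass conditions pass. Also, the new text spells it "writeable" while the same sentence already says "world writable"; pick one. Unchanged context line below: "get a users permission" should read "get a user's permissions".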
