ModElephant/bash_audit.sh

## bash_audit.sh
#!/bin/bash

# Run this script in your bash profile to audit PATHs and check for potential PATH interceptions.
# This isn't perfect but it's better than nothing. See here for a full discussion:
# http://modelephant.net/?p=95

# N.B. All paths to external binaries are full paths to the macOS ones and are protected by SIP.
# This protects against PATH interception in this script

# set -x

function log() {
    # echo $1
    return
}

function error() {
    >&2 /usr/bin/printf "\033[1;31m $1 \033[0m"
}

function check_file() {
    check_permissions $1
    check_owner $1
}

function check_permissions() {
    if [ ! -f $1 -a ! -d $1 ]; then
        log "File or directory $1 doesn't exist"
        return
    fi

    if [[ -w $1 ]]; then
        error "$1 is writable by current user"
    else
        log "Profile $1 has good permissions"
    fi
}

function check_owner() {
    if [ ! -f $1 ]; then
        log "File or directory $1 doesn't exist"
        return
    fi

    OWNER=`/usr/bin/stat -f "%Su" $1`
    if [[ $OWNER -ne "root" ]]; then
        error "$1 is owned by $OWNER instead of root"
    else
        log "Profile $1 has the correct owner"
    fi
}

# Check profiles are owned by root and not writable by current user. The root part matters because
# a malicious process could delete a file owned by root, rewrite it then mark it not writable. It
# would then be owned the the current user.
check_file /etc/profile
check_file ~/.bash_profile
check_file ~/.bash_login
check_file ~/.profile

# Check all paths are also owned by root and unwritable
export IFS=":"
for path in $PATH; do
  check_file "$path"
done

TMP_FILE=`/usr/bin/mktemp`
/usr/bin/plutil -extract Shell xml1 -o $TMP_FILE ~/Library/Preferences/com.apple.Terminal.plist
# Yuck! Cheap and dirty. Might switch to python
BASH_LINE=`/bin/cat $TMP_FILE | /usr/bin/grep "<string>/bin/bash</string>"`

if [[ -z "${BASH_LINE[0]}" ]]; then
    error "Wrong shell configured!"
fi
	#!/bin/bash

	# Run this script in your bash profile to audit PATHs and check for potential PATH interceptions.
	# This isn't perfect but it's better than nothing. See here for a full discussion:
	# http://modelephant.net/?p=95

	# N.B. All paths to external binaries are full paths to the macOS ones and are protected by SIP.
	# This protects against PATH interception in this script

	# set -x

	function log() {
	# echo $1
	return
	}

	function error() {
	>&2 /usr/bin/printf "\033[1;31m $1 \033[0m"
	}

	function check_file() {
	check_permissions $1
	check_owner $1
	}

	function check_permissions() {
	if [ ! -f $1 -a ! -d $1 ]; then
	log "File or directory $1 doesn't exist"
	return
	fi

	if [[ -w $1 ]]; then
	error "$1 is writable by current user"
	else
	log "Profile $1 has good permissions"
	fi
	}

	function check_owner() {
	if [ ! -f $1 ]; then
	log "File or directory $1 doesn't exist"
	return
	fi

	OWNER=`/usr/bin/stat -f "%Su" $1`
	if [[ $OWNER -ne "root" ]]; then
	error "$1 is owned by $OWNER instead of root"
	else
	log "Profile $1 has the correct owner"
	fi
	}

	# Check profiles are owned by root and not writable by current user. The root part matters because
	# a malicious process could delete a file owned by root, rewrite it then mark it not writable. It
	# would then be owned the the current user.
	check_file /etc/profile
	check_file ~/.bash_profile
	check_file ~/.bash_login
	check_file ~/.profile

	# Check all paths are also owned by root and unwritable
	export IFS=":"
	for path in $PATH; do
	check_file "$path"
	done

	TMP_FILE=`/usr/bin/mktemp`
	/usr/bin/plutil -extract Shell xml1 -o $TMP_FILE ~/Library/Preferences/com.apple.Terminal.plist
	# Yuck! Cheap and dirty. Might switch to python
	BASH_LINE=`/bin/cat $TMP_FILE \| /usr/bin/grep "<string>/bin/bash</string>"`

	if [[ -z "${BASH_LINE[0]}" ]]; then
	error "Wrong shell configured!"
	fi