bash_audit.sh

#!/bin/bash

# Run this script in your bash profile to audit PATHs and check for potential PATH interceptions.
# This isn't perfect but it's better than nothing. See here for a full discussion:
# http://modelephant.net/?p=95

# N.B. All paths to external binaries are full paths to the macOS ones and are protected by SIP.
# This protects against PATH interception in this script

# set -x

function log() {
    # echo $1
    return
}

function error() {
    >&2 /usr/bin/printf "\033[1;31m $1 \033[0m"
}

function check_file() {
    check_permissions $1
    check_owner $1
}

function check_permissions() {
    if [ ! -f $1 -a ! -d $1 ]; then
        log "File or directory $1 doesn't exist"
        return
    fi

    if [[ -w $1 ]]; then
        error "$1 is writable by current user"
    else
        log "Profile $1 has good permissions"
    fi
}

function check_owner() {
    if [ ! -f $1 ]; then
        log "File or directory $1 doesn't exist"
        return
    fi

    OWNER=`/usr/bin/stat -f "%Su" $1`
    if [[ $OWNER -ne "root" ]]; then
        error "$1 is owned by $OWNER instead of root"
    else
        log "Profile $1 has the correct owner"
    fi
}

# Check profiles are owned by root and not writable by current user. The root part matters because
# a malicious process could delete a file owned by root, rewrite it then mark it not writable. It
# would then be owned the the current user.
check_file /etc/profile
check_file ~/.bash_profile
check_file ~/.bash_login
check_file ~/.profile

# Check all paths are also owned by root and unwritable
export IFS=":"
for path in $PATH; do
  check_file "$path"
done

TMP_FILE=`/usr/bin/mktemp`
/usr/bin/plutil -extract Shell xml1 -o $TMP_FILE ~/Library/Preferences/com.apple.Terminal.plist
# Yuck! Cheap and dirty. Might switch to python
BASH_LINE=`/bin/cat $TMP_FILE | /usr/bin/grep "<string>/bin/bash</string>"`

if [[ -z "${BASH_LINE[0]}" ]]; then
    error "Wrong shell configured!"
fi