Automation Update

Now provides a nifty `.pkg` as well as framework for automating the
SUID scans.

.gitignore

@@ -54,3 +54,6 @@ docs/_build/
 
 # Custom
 parse_transcripts.py
+distribution.xml
+resources
+scripts

LICENSE.md

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 University of Utah, Marriott Library, Apple Support
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -40,6 +40,24 @@ We recommend setting up (3) to occur periodically via LaunchDaemon, and to set i
 | `--mailto address`  | Send information to 'address' via email. 'address' can be given as a comma-separated list of addresses. |
 | `--hash function`   | Override the default hashing function. Give 'function' as '/path/to/function with parameters'.          |
 
+### Automated (via launchd)
+
+Included in this repository are three plists to be used with `launchd`: one for a recurring, periodic scan of the file system, and two for a per-logout scan.
+
+#### Periodic Scan
+
+The file `edu.utah.scl.suid_scan.periodic.plist` should be moved into `/Library/LaunchDaemons/` and configured appropriately for your desired settings. This will cause SUID Scan to run on an interval (by default, every 30 minutes).
+
+#### Logout Scan
+
+To run a script on logout, move `edu.utah.scl.suid_scan.login.plist` and `edu.utah.scl.suid_scan.logout.plist` to `/Library/LaunchAgents/`, and the simple shell script `suid_scan.logout_wrapper.sh` to `/usr/local/bin/`.
+
+The way this system works is when a user logs in, the `.login` plist checks for the existence of a trigger file (by default it's `/private/tmp/edu.utah.scl.suid_scan.runatlogout`). If the file does not exist, it is created.
+
+When a user logs out, the `.logout` plist is executed. It checks for the trigger file, removes it, and then runs a scan.
+
+All SUID scan settings for this automated process should be configured in the `suid_scan.logout_wrapper.sh` script. By default it will produce a base scan, and then comparison scans after that.
+
 ## How it works
 
 When you run `suid_scan.py`, it starts by generating a list of all currently-mounted volumes. Then it executes a `find` process on each of these volumes to search for files that:

edu.utah.scl.suid_scan.login.plist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>edu.utah.scl.suid_scan.login</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/usr/local/bin/suid_scan.logout_wrapper.sh</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<dict>
+		<key>PathState</key>
+		<dict>
+			<key>/private/tmp/edu.utah.scl.suid_scan.runatlogout</key>
+			<false/>
+		</dict>
+	</dict>
+</dict>
+</plist>

edu.utah.scl.suid_scan.logout.plist

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>edu.utah.scl.suid_scan.logout</string>
+	<key>LimitLoadToSessionType</key>
+	<array>
+		<string>LoginWindow</string>
+	</array>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/usr/local/bin/suid_scan.logout_wrapper.sh</string>
+	</array>
+	<key>RunAtLoad</key>
+	<false/>
+	<key>KeepAlive</key>
+	<dict>
+		<key>PathState</key>
+		<dict>
+			<key>/private/tmp/edu.utah.scl.suid_scan.runatlogout</key>
+			<true/>
+		</dict>
+	</dict>
+</dict>
+</plist>

edu.utah.scl.suid_scan_periodic.plist → edu.utah.scl.suid_scan.periodic.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>Label</key>
-	<string>edu.utah.scl.suid_scan_periodic</string>
+	<string>edu.utah.scl.suid_scan.periodic</string>
 	<key>ProcessType</key>
 	<string>Background</string>
 	<key>ProgramArguments</key>
@@ -16,10 +16,6 @@
 		<!-- <string>--mailto</string><string>[email protected]</string> -->
 		<!-- <string>--hash</string><string>/path/to/hashfunction with parameters</string> -->
 	</array>
-	<key>StandardOutPath</key>
-	<string>/var/log/suid_scan_periodic_results.txt</string>
-	<key>StandardErrorPath</key>
-	<string>/var/log/suid_scan_periodic_errors.txt</string>
 	<key>StartInterval</key>
 	<!-- Change this value according to your preference. -->
 	<!-- The value is number of seconds between executions. -->

setup.py

@@ -0,0 +1,24 @@
+from distutils.core import setup
+import suid_scan
+
+setup(
+    name='SUID Scan',
+    version=suid_scan.__version__,
+    url='https://github.com/univ-of-utah-marriott-library-apple/suid_scan',
+    author='Pierce Darragh, Marriott Library IT Services',
+    author_email='[email protected]',
+    description='Simple script to help you check for files with execute-as bits set.',
+    license='MIT',
+    scripts=['suid_scan.py'],
+    classifiers=[
+        'Development Status :: 5 - Stable',
+        'Environment :: Console',
+        'Environment :: MacOS X',
+        'Intended Audience :: Information Technology',
+        'License :: OSI Approved :: MIT License',
+        'Natural Language :: English',
+        'Operating System :: MacOS :: MacOS X',
+        'Programming Language :: Python',
+        'Programming Language :: Python :: 2.7'
+    ],
+)

suid_scan.logout_wrapper.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# This short script toggles the "runatlogout" state for the two LaunchAgents
+# that should be installed:
+#   edu.utah.scl.suid_scan.login
+#   edu.utah.scl.suid_scan.logout
+# These allow for an on-logout scan of the filesystem for SUID/SGID files.
+#
+# For more information, see the GitHub repository at:
+#   https://github.com/univ-of-utah-marriott-library-apple/suid_scan
+
+# If you change the trigger file, update it in the plists too.
+TRIGGERFILE="/private/tmp/edu.utah.scl.suid_scan.runatlogout"
+BASESCAN="/var/log/suid_scan.base_scan.txt"
+NEWSCAN="/var/log/suid_scan.new_scan.txt"
+
+if [ -f "${TRIGGERFILE}" ]; then
+    rm -f "${TRIGGERFILE}"
+    # Enter whatever customization options you want here.
+    # If the base run has been complete, do a comparison scan. Otherwise,
+    # generate the base scan.
+    if [ -f "${BASESCAN}" ]; then
+        # Run a comparison scan.
+        /usr/local/bin/python /usr/local/bin/suid_scan.py \
+            --input "${BASESCAN}" \
+            --output "${NEWSCAN}"
+    else
+        # Run a base scan.
+        /usr/local/bin/python /usr/local/bin/suid_scan.py \
+            --output "${BASESCAN}"
+    fi
+else
+    touch "${TRIGGERFILE}"
+fi

suid_scan.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-__version__ = '1.1.0'
+__version__ = '1.1.1'
 
 import argparse
 import os
@@ -9,11 +9,6 @@
 import subprocess
 import sys
 
-# Gotta have access to the special places.
-if os.geteuid() != 0:
-    print("Must be root to run this script!")
-    sys.exit(1)
-
 # Sets the default hash function.
 HASHER = '/usr/bin/openssl sha1'
 
@@ -310,6 +305,12 @@ def usage():
 
 
 if __name__ == '__main__':
+    # Gotta have access to the special places.
+    if os.geteuid() != 0:
+        print("Must be root to run this script!")
+        sys.exit(1)
+
+    # Parse for command line arguments.
     parser = argparse.ArgumentParser(add_help=False)
     parser.add_argument('--help', action='store_true')
     parser.add_argument('--version', action='store_true')