#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Name services
#
#################################################################################
#
InsertSection "Name services"
#
#################################################################################
#
# Section-wide state. Later tests read these as prerequisites (--preqs-met),
# so every flag starts at 0 / empty and is only raised by the test that proves it.
#
# BIND: process flag, candidate directories for named.conf, and the file found
BIND_RUNNING="0"
BIND_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/bind ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/namedb"
BIND_CONFIG_LOCATION=""
# PowerDNS authoritative server: process flag, candidate directories, file found, role flags
POWERDNS_RUNNING="0"
POWERDNS_CONFIG_LOCS="${ROOTDIR}etc/powerdns ${ROOTDIR}usr/local/etc"
POWERDNS_AUTH_CONFIG_LOCATION=""
POWERDNS_AUTH_MASTER="0"
POWERDNS_AUTH_SLAVE="0"
# Unbound: set to 1 once unbound-checkconf accepts the configuration
UNBOUND_CONFIG_OK="0"
# NIS client
YPBIND_RUNNING="0"
#
#################################################################################
#
# Test : NAME-4016
# Description : Check main domain (domain <domain name> in /etc/resolv.conf)
Register --test-no NAME-4016 --weight L --network NO --category security --description "Check /etc/resolv.conf default domain"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: check ${ROOTDIR}etc/resolv.conf for default domain"
    if [ -f "${ROOTDIR}etc/resolv.conf" ]; then
        LogText "Result: ${ROOTDIR}etc/resolv.conf found"
        # The word following the 'domain' keyword is the default domain
        FIND=$(${AWKBINARY} '/^domain/ { print $2 }' "${ROOTDIR}etc/resolv.conf")
        if [ -n "${FIND}" ]; then
            LogText "Result: found default domain"
            LogText "Output: ${FIND}"
            Report "resolv_conf_domain=${FIND}"
            Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_FOUND}" --color GREEN
            # Kept for NAME-4028, which falls back to this value when no command yields a domain
            RESOLV_DOMAINNAME="${FIND}"
        else
            LogText "Result: no default domain found"
            if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi
        fi
    fi
fi
#
#################################################################################
#
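# Test : NAME-4018
# Description : Check search domains in /etc/resolv.conf
# Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
    N=0
    LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
    if [ -f "${ROOTDIR}etc/resolv.conf" ]; then
        LogText "Result: ${ROOTDIR}etc/resolv.conf found"
        # A search line lists several domains ("search a.example b.example"). Collect every
        # field after the keyword, not only the first one, so the count below reflects the
        # real number of domains and the 6-domain warning can actually trigger.
        FIND=$(${AWKBINARY} '/^search/ { for (i = 2; i <= NF; i++) print $i }' "${ROOTDIR}etc/resolv.conf")
        if [ -z "${FIND}" ]; then
            LogText "Result: no search domains found, default domain is being used"
        else
            # Unquoted on purpose: word splitting yields one domain per iteration
            for I in ${FIND}; do
                LogText "Found search domain: ${I}"
                Report "resolv_conf_search_domain[]=${I}"
                N=$((N + 1))
            done
            LogText "Result: Found ${N} search domains"
            # Warn if we have more than 6 search domains, which is maximum in most resolvers
            if [ ${N} -gt 6 ]; then
                Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
                ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
            else
                Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
            fi
        fi
        # Check amount of search lines (max 1): only the last one is honoured by the resolver
        FIND=$(${GREPBINARY} -c "^search" "${ROOTDIR}etc/resolv.conf")
        LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
        if [ "${FIND}" -gt 1 ]; then
            Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
            ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
        fi
    else
        LogText "Result: ${ROOTDIR}etc/resolv.conf does not exist, skipping test"
        Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW
    fi
fi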
#
#################################################################################
#
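# Test : NAME-4020
# Description : Check non default resolv.conf options
Register --test-no NAME-4020 --weight L --network NO --category security --description "Check non default options"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: check ${ROOTDIR}etc/resolv.conf for non default options"
    if [ -f "${ROOTDIR}etc/resolv.conf" ]; then
        LogText "Result: ${ROOTDIR}etc/resolv.conf found"
        # An options line carries several space-separated options ("options timeout:2 rotate").
        # Report every field after the keyword instead of only the first one.
        FIND=$(${AWKBINARY} '/^options/ { for (i = 2; i <= NF; i++) print $i }' "${ROOTDIR}etc/resolv.conf")
        if [ -z "${FIND}" ]; then
            LogText "Result: no specific other options configured in /etc/resolv.conf"
            if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
        else
            # Unquoted on purpose: word splitting yields one option per iteration
            for I in ${FIND}; do
                LogText "Found option: ${I}"
                Report "resolv_conf_option[]=${I}"
                #rotate --> add performance tune point
                #timeout <3 --> add performance tune point
            done
            Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
        fi
    else
        LogText "Result: /etc/resolv.conf not found, test skipped"
        Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NOT_FOUND}" --color YELLOW
    fi
fi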
#
#################################################################################
#
# Test : NAME-4024
# Description : Check Solaris uname -n output
Register --test-no NAME-4024 --os Solaris --weight L --network NO --category security --description "Solaris uname -n output"
if [ ${SKIPTEST} -eq 0 ]; then
    # The node name is only recorded in the log; nothing is evaluated here
    FIND=$(${UNAMEBINARY} -n)
    LogText "Result: 'uname -n' returned ${FIND}"
    Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
#
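# Test : NAME-4026
# Description : Check Solaris /etc/nodename
# Notes : If a system is standalone, /etc/nodename should contain a system name only, not FQDN
Register --test-no NAME-4026 --os Solaris --weight L --network NO --category security --description "Check /etc/nodename"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking ${ROOTDIR}etc/nodename"
    # Prefixed with ROOTDIR like the other file checks in this section, so the
    # test follows the configured root instead of always reading the live /etc
    if [ -f "${ROOTDIR}etc/nodename" ]; then
        LogText "Result: file ${ROOTDIR}etc/nodename exists"
        # Logged only; whether it is a bare name or an FQDN is not evaluated here
        FIND=$(cat "${ROOTDIR}etc/nodename")
        LogText "Output: ${FIND}"
        Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN
    else
        LogText "Result: file ${ROOTDIR}etc/nodename could not be found"
        Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
    fi
fi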
#
#################################################################################
#
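# Test : NAME-4028
# Description : Check DNS domain name
# To Do : ${GREPBINARY} ^DOMAINNAME /etc/conf.d/domainname (remove "'s)
Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name"
if [ ${SKIPTEST} -eq 0 ]; then
    DOMAINNAME=""
    # NIS (disabled; kept for reference)
    #LogText "Test: Checking file /etc/domainname"
    #if [ -f /etc/domainname ]; then
    #    LogText "Result: file /etc/domainname exists"
    #    FIND2=$(cat /etc/domainname)
    #    if [ ! "${FIND}" = "" ]; then
    #        LogText "Found domain name: ${FIND}"
    #        DOMAINNAME="${FIND}"
    #    else
    #        LogText "Result: no domain name found in file"
    #    fi
    #else
    #    LogText "Result: file /etc/domainname does not exist"
    #fi
    # Source 1: the dnsdomainname command, when the binary was detected
    LogText "Test: Checking if dnsdomainname command is available"
    if [ -n "${DNSDOMAINNAMEBINARY}" ]; then
        FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
        if [ -n "${FIND2}" ]; then
            LogText "Result: dnsdomainname command returned a value"
            LogText "Found domain name: ${FIND2}"
            DOMAINNAME="${FIND2}"
        else
            LogText "Result: dnsdomainname command returned no value"
        fi
    else
        LogText "Result: dnsdomainname binary not found, skip specific test"
    fi
    # Source 2: the 'domain' keyword from resolv.conf, as recorded by NAME-4016
    if [ -z "${DOMAINNAME}" ]; then
        if [ -n "${RESOLV_DOMAINNAME}" ]; then
            LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
            DOMAINNAME="${RESOLV_DOMAINNAME}"
        else
            # Source 3: strip the host label from the FQDN. The domain is everything after
            # the first dot (host.sub.example.com -> sub.example.com); selecting only the
            # second dot-separated label used to drop the rest of the domain. A name
            # without a dot yields no domain, as before.
            LogText "Result: using domain name from FQDN hostname (${FQDN})"
            case "${FQDN}" in
                *.*) DOMAINNAME="${FQDN#*.}" ;;
            esac
        fi
    fi
    if [ -n "${DOMAINNAME}" ]; then
        LogText "Result: found domain name"
        Report "domainname=${DOMAINNAME}"
        Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN
        Display --indent 6 --text "Domain name: ${DOMAINNAME}"
    else
        Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
        ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
    fi
fi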
#
#################################################################################
#
# Test : NAME-4032
# Description : Check name service caching daemon (NSCD) status
Register --test-no NAME-4032 --weight L --network NO --category security --description "Check nscd status"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking nscd status"
    # IsRunning reports through RUNNING (1 = a matching process exists)
    IsRunning nscd
    if [ ${RUNNING} -ne 1 ]; then
        LogText "Result: nscd is not running"
        if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
    else
        LogText "Result: nscd is running"
        Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN
        # Record that some name service cache is active (the Unbound test sets the same flag)
        NAME_CACHE_USED=1
    fi
fi
#
#################################################################################
#
# Test : NAME-4034
# Description : Check name service caching daemon (Unbound) status
Register --test-no NAME-4034 --weight L --network NO --category security --description "Check Unbound status"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking Unbound (unbound) status"
    # IsRunning reports through RUNNING (1 = a matching process exists)
    IsRunning unbound
    if [ ${RUNNING} -ne 1 ]; then
        LogText "Result: Unbound daemon is not running"
        if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
    else
        # UNBOUND_RUNNING is the prerequisite for the configuration check (NAME-4036)
        UNBOUND_RUNNING=1
        NAME_CACHE_USED=1
        LogText "Result: Unbound daemon is running"
        Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_RUNNING}" --color GREEN
    fi
fi
#
#################################################################################
#
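# Test : NAME-4036
# Description : Checking Unbound configuration file
if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Unbound configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
    # Solaris' which prints its "no foo in ..." message on stdout, so an
    # output-is-empty check alone is not enough; filter that message out
    FIND=$(which unbound-checkconf | ${GREPBINARY} -v "no [^ ]* in ")
    if [ -n "${FIND}" ]; then
        LogText "Test: running unbound-checkconf"
        # Don't capture any output, just use the exit code (0 is fine, otherwise bad)
        if unbound-checkconf > /dev/null 2>&1; then
            UNBOUND_CONFIG_OK=1
            LogText "Result: Configuration is fine"
            Display --indent 2 --text "- Checking configuration file" --result "${STATUS_OK}" --color GREEN
        else
            # Previously logged "Unbound daemon is not running" here, which was not what failed
            LogText "Result: unbound-checkconf reported configuration issues"
            Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
            ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
        fi
    else
        LogText "Result: skipped, can't find unbound-checkconf utility"
    fi
fi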
#
#################################################################################
#
# Test : NAME-4202
# Description : Check if BIND is running
Register --test-no NAME-4202 --weight L --network NO --category security --description "Check BIND status"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Checking for running BIND instance"
    # IsRunning reports through RUNNING (1 = a matching process exists)
    IsRunning named
    if [ ${RUNNING} -ne 1 ]; then
        LogText "Result: BIND not running"
        if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
    else
        # BIND_RUNNING gates the BIND configuration and banner tests that follow
        BIND_RUNNING=1
        LogText "Result: found BIND process"
        Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
# Test : NAME-4204
# Description : Check configuration file of BIND
if [ ${BIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Search BIND configuration file"
    # Walk the candidate directories; there is no break, so when several
    # named.conf files exist the last one in BIND_CONFIG_LOCS wins
    for I in ${BIND_CONFIG_LOCS}; do
        if [ -f "${I}/named.conf" ]; then
            BIND_CONFIG_LOCATION="${I}/named.conf"
            LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
        fi
    done
    if [ -z "${BIND_CONFIG_LOCATION}" ]; then
        Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
    else
        Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
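# Test : NAME-4206
# Description : Check BIND configuration file consistency
if [ ${BIND_RUNNING} -eq 1 ] && [ -n "${BIND_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BIND configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: searching for named-checkconf binary"
    if [ -n "${NAMEDCHECKCONFBINARY}" ]; then
        LogText "Result: named-checkconf is installed"
        # Judge by exit status only. Capturing stdout together with "echo $?" made any
        # informational output from named-checkconf look like a non-zero result.
        if ${NAMEDCHECKCONFBINARY} "${BIND_CONFIG_LOCATION}" > /dev/null 2>&1; then
            LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
            Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
        else
            LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
            Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
            ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
        fi
    else
        LogText "Result: named-checkconf not found, skipping test"
    fi
fi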
#
#################################################################################
#
# Test : NAME-4208
# Description : Check DNS server type (master, slave, caching, forwarding)
#Register --test-no NAME-4050 --weight L --network NO --category security --description "Check nscd status"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
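# Test : NAME-4210
# Description : Check if we can determine useful information from banner
if [ ${BIND_RUNNING} -eq 1 ] && [ -n "${BIND_CONFIG_LOCATION}" ] && [ -n "${DIGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Trying to determine version from banner"
    # Ask the local server (@localhost only) for its CHAOS-class version.bind TXT record.
    # A "digits.digits" token in the answer means the version is exposed. The dots are
    # escaped on purpose: the earlier unescaped pattern matched any character, so a
    # TXT value such as "2019" was reported as a version.
    FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9]+\.[0-9]+")
    if [ -z "${FIND}" ]; then
        LogText "Result: no useful information in banner found"
        Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
        AddHP 2 2
    else
        LogText "Result: possible BIND version available in version banner"
        Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
        ReportWarning ${TEST_NO} "Found BIND version in banner"
        ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
        AddHP 0 2
    fi
fi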
#
#################################################################################
#
# Test : NAME-4212
# Description : Check version option in BIND configuration
#if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration"
#
#################################################################################
#
# Test : NAME-4220
# Description : Check if we can perform a zone transfer of primary domain
#Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4222
# Description : Check if we can perform a zone transfer of PTR (of primary domain)
#Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4230
# Description : Check if PowerDNS is running
Register --test-no NAME-4230 --weight L --network NO --category security --description "Check PowerDNS status"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Checking for running PowerDNS instance"
    # IsRunning reports through RUNNING (1 = a matching process exists)
    IsRunning pdns_server
    if [ ${RUNNING} -ne 1 ]; then
        LogText "Result: PowerDNS not running"
        if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
    else
        # POWERDNS_RUNNING gates the PowerDNS configuration tests that follow
        POWERDNS_RUNNING=1
        LogText "Result: found PowerDNS process"
        Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
    fi
fi
#
#################################################################################
#
# Test : NAME-4232
# Description : Check PowerDNS configuration file
if [ ${POWERDNS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Search PowerDNS configuration file"
    # Walk the candidate directories; there is no break, so when several
    # pdns.conf files exist the last one in POWERDNS_CONFIG_LOCS wins
    for I in ${POWERDNS_CONFIG_LOCS}; do
        if [ -f "${I}/pdns.conf" ]; then
            POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
            LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
        fi
    done
    if [ -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then
        Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
    else
        Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
    fi
fi
#
#################################################################################
#
# # Test : NAME-4234
# # Description : Check PowerDNS configuration file consistency
# if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no NAME-4234 --weight L --network NO --category security --description "Check PowerDNS configuration consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
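# Test : NAME-4236
# Description : Check PowerDNS server backends
if [ ${POWERDNS_RUNNING} -eq 1 ] && [ -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Checking for PowerDNS backends"
    # "launch=" takes a comma-separated list (launch=gmysql,bind). Turn the commas
    # into spaces so the loop below logs one backend per iteration instead of the
    # whole list as a single entry.
    FIND=$(${AWKBINARY} -F= '/^launch/ { gsub(",", " ", $2); print $2 }' "${POWERDNS_AUTH_CONFIG_LOCATION}")
    if [ -n "${FIND}" ]; then
        # Unquoted on purpose: word splitting yields one backend per iteration
        for I in ${FIND}; do
            LogText "Found backend: ${I}"
        done
        Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
    else
        LogText "Result: no PowerDNS backends found"
        Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_NOT_FOUND}" --color YELLOW
    fi
fi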
#
#################################################################################
#
# Test : NAME-4238
# Description : Check PowerDNS authoritative status
if [ ${POWERDNS_RUNNING} -eq 1 ] && [ -n "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritative status"
if [ ${SKIPTEST} -eq 0 ]; then
    # Master role: a line that starts with exactly "master=yes"
    LogText "Test: Checking for PowerDNS master status"
    FIND=$(${GREPBINARY} "^master=yes" "${POWERDNS_AUTH_CONFIG_LOCATION}")
    if [ -z "${FIND}" ]; then
        LogText "Result: most likely not master (no master=yes)"
        Display --indent 4 --text "- PowerDNS authoritative master: NO"
    else
        LogText "Found master=yes in configuration file"
        Display --indent 4 --text "- PowerDNS authoritative master: YES"
        POWERDNS_AUTH_MASTER=1
    fi
    # Slave role: a line that starts with exactly "slave=yes"
    LogText "Test: Checking for PowerDNS slave status"
    FIND=$(${GREPBINARY} "^slave=yes" "${POWERDNS_AUTH_CONFIG_LOCATION}")
    if [ -z "${FIND}" ]; then
        LogText "Result: most likely not slave (no slave=yes)"
        Display --indent 4 --text "- PowerDNS authoritative slave: NO"
    else
        LogText "Found slave=yes in configuration file"
        Display --indent 4 --text "- PowerDNS authoritative slave: YES"
        POWERDNS_AUTH_SLAVE=1
    fi
fi
#
#################################################################################
#
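# Test : NAME-4302
# Description : Check NIS ypbind daemon status
# NOTE(review): this header says NAME-4302 but the test registers as NAME-4304 - confirm which id is intended
Register --test-no NAME-4304 --weight L --network NO --category security --description "Check NIS ypbind status"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Checking status of ypbind daemon"
    # IsRunning reports through RUNNING (1 = a matching process exists)
    IsRunning ypbind
    if [ ${RUNNING} -eq 1 ]; then
        LogText "Result: ypbind is running"
        Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN
        # YPBIND_RUNNING is the prerequisite for the NIS domain test (NAME-4306)
        YPBIND_RUNNING=1
        # The suggestion to move away from NIS is only raised when ypldap is not running
        IsRunning ypldap
        if [ ${RUNNING} -eq 1 ]; then
            LogText "Result: ypldap is running"
            Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
        else
            # TEST_NO is passed like every other ReportSuggestion call in this file,
            # so the suggestion is attributed to this test in the report
            ReportSuggestion ${TEST_NO} "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
        fi
    else
        LogText "Result: ypbind is not active"
        if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
    fi
fi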
#
#################################################################################
#
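# Test : NAME-4306
# Description : Check NIS domain
# Notes : FreeBSD: sysctl kern.domainname
#         Sources are consulted in this order: domainname output, /etc/defaultdomain
#         (Solaris/Linux style), NISDOMAIN= in /etc/sysconfig/network (Red Hat style)
#         and sysctl kern.domainname. Each later hit overwrites NISDOMAIN, so the
#         last source that yields a value is the one reported.
if [ "${YPBIND_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4306 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check NIS domain"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Start from an empty value so only what this test finds is reported
    NISDOMAIN=""
    # Use the detected binary rather than a bare 'domainname' in the log line,
    # which previously ran a second, unconfigured copy of the command
    LogText "Test: Checking domainname output for NIS domain value"
    # The -v filter drops the "(none)" placeholder printed when no domain is set
    FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
    if [ -n "${FIND}" ]; then
        LogText "Value: ${FIND}"
        NISDOMAIN="${FIND}"
    else
        LogText "Result: no NIS domain found in command output"
    fi
    # Solaris / Linux style
    LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain"
    if [ -f "${ROOTDIR}etc/defaultdomain" ]; then
        LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
        FIND2=$(cat "${ROOTDIR}etc/defaultdomain")
        if [ -n "${FIND2}" ]; then
            LogText "Output: ${FIND2}"
            NISDOMAIN="${FIND2}"
        else
            LogText "Result: no NIS domain found in file"
        fi
    fi
    # Red Hat style
    LogText "Test: checking ${ROOTDIR}etc/sysconfig/network"
    if [ -f "${ROOTDIR}etc/sysconfig/network" ]; then
        LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
        LogText "Test: checking NISDOMAIN value in file"
        # Take the value after '=' on the NISDOMAIN line and strip surrounding double quotes
        FIND3=$(${GREPBINARY} "^NISDOMAIN" "${ROOTDIR}etc/sysconfig/network" | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
        if [ -n "${FIND3}" ]; then
            LogText "Found NIS domain: ${FIND3}"
            NISDOMAIN="${FIND3}"
        else
            LogText "Result: No NIS domain found in file"
        fi
    else
        LogText "Result: file ${ROOTDIR}etc/sysconfig/network does not exist"
    fi
    if [ -n "${SYSCTLBINARY}" ]; then
        # Check sysctl (e.g. FreeBSD)
        LogText "Test: checking sysctl for kern.domainname"
        # Value after the first ':' with blanks removed; empty results are filtered out
        FIND=$(${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$")
        if [ -n "${FIND}" ]; then
            LogText "Result: found NIS domain via sysctl"
            NISDOMAIN="${FIND}"
        fi
    fi
    # Check if we found any NIS domain
    if [ -n "${NISDOMAIN}" ]; then
        LogText "Found NIS domain: ${NISDOMAIN}"
        Report "nisdomain=${NISDOMAIN}"
        Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
    else
        LogText "Result: No NIS domain found"
        Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_UNKNOWN}" --color YELLOW
    fi
fi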
#
#################################################################################
#
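# Section header for the /etc/hosts tests below; only shown when the file exists
if [ -f "${ROOTDIR}etc/hosts" ]; then Display --indent 2 --text "- Checking ${ROOTDIR}etc/hosts"; fi
# Test : NAME-4402
# Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
    if [ -f "${ROOTDIR}etc/hosts" ]; then
        # Drop comments and empty lines, reduce each entry to "address first-name"
        # and keep only the pairs that occur more than once
        sFIND=$(${EGREPBINARY} -v '^(#|$)' "${ROOTDIR}etc/hosts" | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | ${UNIQBINARY} -d)
        if [ -z "${sFIND}" ]; then
            LogText "Result: OK, no duplicate lines found"
            Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
        else
            LogText "Found duplicate line: ${sFIND}"
            LogText "Result: found duplicate line"
            Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
        fi
    else
        LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
        Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW
    fi
fi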
#
#################################################################################
#
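# Test : NAME-4404
# Description : Check /etc/hosts contains an entry for this server name
# Notes : HOSTNAME is set elsewhere; the test is registered as skipped when it is empty.
if [ -n "${HOSTNAME}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4404 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check /etc/hosts contains an entry for this server name"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check /etc/hosts contains an entry for this server name"
    # Same ${ROOTDIR} prefix as NAME-4402, so an alternative root is honoured here too
    if [ -f "${ROOTDIR}etc/hosts" ]; then
        # Ignore comments, empty lines, the ::1 line and any line mentioning localhost before
        # matching the hostname. '\s' is a GNU ERE extension; EGREPBINARY presumably supports it.
        # HOSTNAME is quoted and preceded by '--' so it can only ever be the pattern, never an option.
        sFIND=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' "${ROOTDIR}etc/hosts" | ${GREPBINARY} -i -- "${HOSTNAME}")
        if [ -n "${sFIND}" ]; then
            LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
            Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
        else
            LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
            Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Add the IP name and FQDN to /etc/hosts for proper name resolving"
            LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
        fi
    else
        # Previously a missing file produced no log line at all
        LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
    fi
fi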
#
#################################################################################
#
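# Test : NAME-4406
# Description : Check server hostname mapping
# Notes : Flags the hostname appearing on a localhost/::1 line. HOSTNAME is set elsewhere.
if [ -n "${HOSTNAME}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check server hostname mapping"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Check server hostname not locally mapped in /etc/hosts"
    # Guard the file like the other /etc/hosts tests; without it a missing file was
    # silently reported as OK because the pipeline produced no output
    if [ -f "${ROOTDIR}etc/hosts" ]; then
        # Keep only lines starting with localhost or ::1, then look for the hostname as a whole word.
        # '\s' is a GNU ERE extension; EGREPBINARY presumably supports it.
        # HOSTNAME is quoted and preceded by '--' so it is always treated as the pattern.
        sFIND=$(${EGREPBINARY} -v '^(#|$)' "${ROOTDIR}etc/hosts" | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w -- "${HOSTNAME}")
        if [ -n "${sFIND}" ]; then
            LogText "Result: Found this server hostname mapped to a local address"
            LogText "Output: ${sFIND}"
            Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
            LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
            ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system"
        else
            LogText "Result: this server hostname is not mapped to a local address"
            Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
        fi
    else
        LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
        Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SKIPPED}" --color YELLOW
    fi
fi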
#
#################################################################################
#
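# Test : NAME-4408
# Description : Check localhost entry
# Notes : Resolves 'localhost' through getent, so the answer follows the system's
#         resolver configuration rather than a single file.
# The skip reason belongs to the "not met" branch; it used to be attached to the
# "met" branch, so a missing getent was registered without any reason
if [ -n "${GETENT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No getent binary"; fi
Register --test-no NAME-4408 --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check localhost entry"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Log line corrected: the old text was copied from NAME-4406 and described the wrong test
    LogText "Test: Check that localhost resolves to a loopback address"
    # One address per line from getent; sort places 127.0.0.1 before ::1 and removing the
    # newlines joins them, so a host with both becomes "127.0.0.1::1"
    FIND=$(${GETENT_BINARY} hosts localhost | ${AWKBINARY} '{print $1}' | ${SORTBINARY} | ${TRBINARY} -d '\n')
    # Report (capital R) is the reporting function used elsewhere in this file;
    # the lowercase 'report' previously used here is not defined
    if [ "${FIND}" = "127.0.0.1" ]; then
        LogText "Result: localhost mapped to 127.0.0.1"
        Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN
        Report "localhost-mapped-to=${FIND}"
    elif [ "${FIND}" = "::1" ]; then
        LogText "Result: localhost mapped to ::1"
        Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN
        Report "localhost-mapped-to=${FIND}"
    elif [ "${FIND}" = "127.0.0.1::1" ]; then
        LogText "Result: localhost mapped to 127.0.0.1 and ::1"
        Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_OK}" --color GREEN
        Report "localhost-mapped-to=${FIND}"
    else
        LogText "Output: ${FIND}"
        # Corrected message: this branch is about localhost, not the server hostname
        LogText "Result: localhost is not mapped to 127.0.0.1 and/or ::1"
        Display --indent 4 --text "- Checking /etc/hosts (localhost to IP)" --result "${STATUS_SUGGESTION}" --color YELLOW
        LogText "Information: Ensure that localhost resolves back to 127.0.0.1 (and/or ::1)."
        ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
    fi
fi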
#
#################################################################################
#
# Record whether a name cache was detected; NAME_CACHE_USED is presumably set by an
# earlier test in this file -- confirm before relying on it here
Report "name_cache_used=${NAME_CACHE_USED}"
# End of section: pause (in interactive runs) before the next test group
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com