2014-08-26 17:33:55 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Lynis
|
|
|
|
# ------------------
|
|
|
|
#
|
2016-03-13 16:00:39 +01:00
|
|
|
# Copyright 2007-2013, Michael Boelen
|
|
|
|
# Copyright 2013-2016, CISOfy
|
|
|
|
#
|
|
|
|
# Website : https://cisofy.com
|
|
|
|
# Blog : http://linux-audit.com
|
|
|
|
# GitHub : https://github.com/CISOfy/lynis
|
2014-08-26 17:33:55 +02:00
|
|
|
#
|
|
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
|
|
# See LICENSE file for usage of this software.
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# User, Group and authentication tests
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
LDAP_AUTH_ENABLED=0
|
|
|
|
LDAP_PAM_ENABLED=0
|
|
|
|
LDAP_CONF_LOCATIONS="/etc/ldap.conf /etc/ldap/ldap.conf /etc/openldap/ldap.conf /usr/local/etc/ldap.conf /usr/local/etc/openldap/ldap.conf"
|
2016-03-03 12:48:42 +01:00
|
|
|
PAM_FILE_LOCATIONS="/lib/i386-linux-gnu/security /lib/security /lib/x86_64-linux-gnu/security /lib64/security /usr/lib /usr/lib/security"
|
2014-08-26 17:33:55 +02:00
|
|
|
SUDOERS_LOCATIONS="/etc/sudoers /usr/local/etc/sudoers /usr/pkg/etc/sudoers"
|
|
|
|
SUDOERS_FILE=""
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
InsertSection "Users, Groups and Authentication"
|
|
|
|
|
|
|
|
# Test : AUTH-9204
|
|
|
|
# Description : Check users with UID zero (0)
|
2015-09-01 13:37:55 +02:00
|
|
|
# Notes : Ignores :0: in file if match is in NIS related line
|
2014-08-26 17:33:55 +02:00
|
|
|
Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
# Search accounts with UID 0
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Searching accounts with UID 0"
|
2015-09-01 13:37:55 +02:00
|
|
|
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ! "${FIND}" = "" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: Found more than one administrator accounts"
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
|
|
|
|
for I in ${FIND}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Administrator account: ${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ "${I}" = "toor" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
|
|
|
|
LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: No accounts found with UID 0 other than root."
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9208
|
|
|
|
# Description : Check non-unique accounts
|
2015-07-22 12:21:36 +02:00
|
|
|
Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking for non-unique accounts"
|
2015-10-16 11:24:23 +02:00
|
|
|
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" -o "${OS}" = "OpenBSD" ]; then
|
2014-08-26 17:33:55 +02:00
|
|
|
PASSWD_FILE="/etc/master.passwd"
|
|
|
|
else
|
|
|
|
PASSWD_FILE="/etc/passwd"
|
|
|
|
fi
|
|
|
|
# Check password file
|
|
|
|
if [ -f ${PASSWD_FILE} ]; then
|
2015-10-10 13:25:14 +02:00
|
|
|
FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d`
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ "${FIND}" = "" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found multiple accounts with same UID"
|
|
|
|
LogText "Output (non-unique UIDs): ${FIND}"
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
|
|
|
|
fi
|
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: test skipped, ${PASSWD_FILE} file not available"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9212
|
|
|
|
# Description : Test group file with chkgrp tool (ie FreeBSD)
|
|
|
|
if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
|
|
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
|
|
|
|
LogText "Test: Testing consistency of /etc/group file"
|
2014-08-26 17:33:55 +02:00
|
|
|
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: chkgrp test performed, Group file seems to be ok."
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: chkgrp found some errors. Run the tool manually to see details."
|
|
|
|
LogText "chkgrp output: ${FIND}"
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9216
|
|
|
|
# Description : Check /etc/group and shadow group files
|
|
|
|
if [ ! "${GRPCKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
2014-09-08 23:51:27 +02:00
|
|
|
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check group and shadow group files"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
# Test : run grpck to test group files (most likely /etc/group and shadow group files)
|
|
|
|
# Expected result : 0 (exit code)
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking for grpck binary"
|
2014-08-26 17:33:55 +02:00
|
|
|
|
|
|
|
if [ "${OS}" = "Linux" ]; then
|
|
|
|
# Read only mode
|
|
|
|
FIND=`${GRPCKBINARY} -r 2> /dev/null ; echo $?`
|
|
|
|
elif [ "${OS}" = "AIX" ]; then
|
2015-04-16 19:00:03 +02:00
|
|
|
FIND=`${GRPCKBINARY} -n ALL 2> /dev/null ; echo $?`
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
|
|
|
FIND=`${GRPCKBINARY} 2> /dev/null ; echo $?`
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Overrule for SuSE
|
|
|
|
if [ "${LINUX_VERSION}" = "SuSE" ]; then
|
2014-09-08 23:51:27 +02:00
|
|
|
FIND=`${GRPCKBINARY} -q -r > /dev/null ; echo $?`
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
|
|
|
|
# Check exit-code
|
|
|
|
if [ "${FIND}" = "0" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: grpck binary didn't find any errors in the group files"
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
|
|
|
|
ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9218
|
|
|
|
# Description : Check login shells for passwordless accounts
|
|
|
|
# Notes : Results should be checked
|
|
|
|
Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --description "Check harmful login shells"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
FOUND=0
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking login shells"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f /etc/master.passwd ]; then
|
|
|
|
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
|
2015-10-10 13:25:14 +02:00
|
|
|
FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ "${FIND}" = "" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking login shells" --result OK --color GREEN
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking login shells" --result WARNING --color RED
|
2014-08-26 17:33:55 +02:00
|
|
|
for I in ${FIND}; do
|
|
|
|
I=`echo ${I} | sed 's/!space!/ /g'`
|
|
|
|
J=`echo ${I} | awk -F: '{ print $10 }'`
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Output: ${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ "${J}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found no shell on line"
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found possible harmful shell ${J}"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f ${J} ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: shell ${J} does exist"
|
2014-08-26 17:33:55 +02:00
|
|
|
FOUND=1
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: shell ${J} does not exist"
|
2015-01-15 23:21:17 +01:00
|
|
|
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${J} does not exist"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
|
|
ReportWarning ${TEST_NO} "H" "Possible harmful shell found (for passwordless account!)"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: No /etc/master.passwd file found"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9222
|
|
|
|
# Description : Check for non unique groups
|
|
|
|
Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking for non unique group ID's in /etc/group"
|
2015-10-10 13:25:14 +02:00
|
|
|
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ "${FIND}" = "" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: All group ID's are unique"
|
2014-09-09 14:49:37 +02:00
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: Found the same group ID multiple times"
|
|
|
|
LogText "Output: ${FIND}"
|
2014-09-09 14:49:37 +02:00
|
|
|
ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
|
2015-02-25 20:33:21 +01:00
|
|
|
#ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9226
|
|
|
|
# Description : Check non unique group names
|
|
|
|
if [ -f /etc/group ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
|
|
Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check non unique group names"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking for non unique group names in /etc/group"
|
2015-10-10 13:25:14 +02:00
|
|
|
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ "${FIND}" = "" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: All group names are unique"
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: Found the same group name multiple times"
|
|
|
|
LogText "Output: ${FIND}"
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
|
|
|
|
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9228
|
2015-09-24 20:24:46 +02:00
|
|
|
# Description : Check password file consistency with pwck
|
|
|
|
# Notes : Operating systems include Linux, Solaris
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
2015-09-24 20:24:46 +02:00
|
|
|
Register --test-no AUTH-9228 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency with pwck"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking password file consistency (pwck)"
|
2015-09-24 20:24:46 +02:00
|
|
|
TESTED=0
|
2015-09-24 21:26:55 +02:00
|
|
|
case ${OS} in
|
2015-09-24 20:24:46 +02:00
|
|
|
"Linux")
|
|
|
|
FIND=`/usr/sbin/pwck -q -r 2> /dev/null; echo $?`
|
|
|
|
TESTED=1
|
|
|
|
;;
|
|
|
|
"Solaris")
|
|
|
|
FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
|
|
|
|
TESTED=1
|
|
|
|
;;
|
|
|
|
*)
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Dev: found /usr/sbin/pwck, but unsure how to call it on this operating system"
|
2015-09-24 20:24:46 +02:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
# Only display if this test has been executed
|
|
|
|
if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: pwck check didn't find any problems"
|
2015-09-24 20:24:46 +02:00
|
|
|
AddHP 2 2
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2014-09-15 12:01:09 +02:00
|
|
|
Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: pwck found one or more errors/warnings in the password file."
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
|
|
|
|
ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
|
2015-09-24 20:24:46 +02:00
|
|
|
AddHP 0 2
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9234
|
2014-09-18 23:56:16 +02:00
|
|
|
# Description : Query user accounts
|
2016-01-11 01:31:08 +01:00
|
|
|
# Notes : AIX: 100+
|
|
|
|
# HPUX: 100+
|
|
|
|
# Mac OS X: needs to be improved (just reading passwd file is not enough)
|
2014-08-26 17:33:55 +02:00
|
|
|
# OpenBSD/NetBSD: unknown
|
2014-12-05 20:08:10 +01:00
|
|
|
# Arch Linux / CentOS / Ubuntu: 1000+
|
2015-10-16 11:24:23 +02:00
|
|
|
Register --test-no AUTH-9234 --weight L --network NO --description "Query user accounts"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Read system users (including root user) from /etc/passwd"
|
2014-08-26 17:33:55 +02:00
|
|
|
FIND=""
|
2014-09-09 14:49:37 +02:00
|
|
|
|
2014-09-18 23:56:16 +02:00
|
|
|
case ${OS} in
|
2016-01-11 01:31:08 +01:00
|
|
|
"AIX")
|
|
|
|
LogText "AIX real users output (ID = 0, or 100+):"
|
|
|
|
FIND=`awk -F: '($3 >= 100 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
|
|
|
|
;;
|
|
|
|
|
2014-09-18 23:56:16 +02:00
|
|
|
"FreeBSD")
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "FreeBSD real users output (ID = 0, or 1000+, but not 65534):"
|
2016-01-11 01:31:08 +01:00
|
|
|
FIND=`awk -F: '($3 >= 1000 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
|
2014-09-18 23:56:16 +02:00
|
|
|
;;
|
2014-08-26 17:33:55 +02:00
|
|
|
|
2014-09-18 23:56:16 +02:00
|
|
|
"Linux")
|
2016-01-11 01:31:08 +01:00
|
|
|
LogText "Linux real users output (ID = 0, or 1000+, but not 65534):"
|
|
|
|
FIND=`awk -F: '($3 >= 1000 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
|
2014-09-18 23:56:16 +02:00
|
|
|
;;
|
2014-08-26 17:33:55 +02:00
|
|
|
|
2015-10-16 11:24:23 +02:00
|
|
|
"OpenBSD")
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
|
2016-01-11 01:31:08 +01:00
|
|
|
FIND=`awk -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd`
|
2015-10-16 11:24:23 +02:00
|
|
|
;;
|
|
|
|
|
2014-09-18 23:56:16 +02:00
|
|
|
"Solaris")
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Solaris real users output (ID =0, or 100+, but not 60001/65534):"
|
2014-09-18 23:56:16 +02:00
|
|
|
FIND=`awk -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
# Want to help improving Lynis? Determine what user IDs belong to normal user accounts
|
|
|
|
ReportException "${TEST_NO}:1" "Can not determine user accounts"
|
|
|
|
;;
|
|
|
|
esac
|
2014-08-26 17:33:55 +02:00
|
|
|
|
|
|
|
# Check if we got any output
|
|
|
|
if [ "${FIND}" = "" ]; then
|
|
|
|
Display --indent 4 --text "Result: No users found/unknown result"
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: Querying of system users skipped"
|
2014-09-18 23:56:16 +02:00
|
|
|
Display --indent 2 --text "- Query system users (non daemons)" --result UNKNOWN --color YELLOW
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2014-09-18 23:56:16 +02:00
|
|
|
Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN
|
2014-08-26 17:33:55 +02:00
|
|
|
for I in ${FIND}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Real user: ${I}"
|
|
|
|
Report "real_user[]=${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9240
|
|
|
|
# Description : Query NIS+ authentication support
|
|
|
|
Register --test-no AUTH-9240 --weight L --network NO --description "Query NIS+ authentication support"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ -f /etc/nsswitch.conf ]; then
|
|
|
|
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: NIS+ authentication not enabled"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
|
|
|
|
else
|
|
|
|
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
|
|
|
|
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
|
|
|
|
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: NIS+ authentication enabled"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: NIS+ authentication not enabled"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: /etc/nsswitch.conf not found"
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9242
|
|
|
|
# Description : Query NIS authentication support
|
|
|
|
Register --test-no AUTH-9242 --weight L --network NO --description "Query NIS authentication support"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ -f /etc/nsswitch.conf ]; then
|
|
|
|
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: NIS authentication not enabled"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
|
|
|
|
else
|
|
|
|
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
|
|
|
|
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
|
|
|
|
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: NIS authentication enabled"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: NIS authentication not enabled"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: /etc/nsswitch.conf not found"
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9250
|
|
|
|
# Description : Check for sudoers file
|
|
|
|
Register --test-no AUTH-9250 --weight L --network NO --description "Checking sudoers file"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
FOUND=0
|
|
|
|
for I in ${SUDOERS_LOCATIONS}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: checking presence ${I}"
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ -f ${I} ]; then
|
|
|
|
FOUND=1
|
|
|
|
SUDOERS_FILE="${I}"
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found file (${SUDOERS_FILE})"
|
2014-09-09 14:49:37 +02:00
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file ${I} not found"
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: sudoers file found (${SUDOERS_FILE})"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: sudoers file NOT found"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9252
|
|
|
|
# Description : Check for sudoers file permissions
|
|
|
|
if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
|
|
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10`
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: Found file permissions: ${FIND}"
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file ${SUDOERS_FILE} has correct permissions"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file has possibly unsafe file permissions"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9254
|
|
|
|
# Description : Solaris test to check passwordless accounts
|
|
|
|
Register --test-no AUTH-9254 --os Solaris --weight L --network NO --description "Solaris passwordless accounts"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`logins -p | awk '{ print $1 }'`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: no passwordless accounts found"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
|
|
|
|
else
|
|
|
|
for I in ${FIND}; do
|
|
|
|
ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
|
|
|
|
done
|
|
|
|
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9262
|
|
|
|
# Description : Search for PAM password strength testing libraries
|
|
|
|
Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
FOUND=0
|
|
|
|
FOUND_CRACKLIB=0
|
|
|
|
FOUND_PASSWDQC=0
|
|
|
|
|
|
|
|
# Cracklib
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Searching cracklib PAM module"
|
2014-08-26 17:33:55 +02:00
|
|
|
for I in ${PAM_FILE_LOCATIONS}; do
|
|
|
|
if [ -f ${I}/pam_cracklib.so ]; then
|
|
|
|
FOUND_CRACKLIB=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found pam_cracklib.so (crack library PAM) in ${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
if [ ${FOUND_CRACKLIB} -eq 1 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: pam_cracklib.so found"
|
|
|
|
Report "pam_cracklib=1"
|
2014-08-26 17:33:55 +02:00
|
|
|
AddHP 3 3
|
|
|
|
FOUND=1
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: pam_cracklib.so NOT found (crack library PAM)"
|
2014-08-26 17:33:55 +02:00
|
|
|
AddHP 1 3
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Passwd quality control
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Searching passwdqc PAM module"
|
2014-08-26 17:33:55 +02:00
|
|
|
for I in ${PAM_FILE_LOCATIONS}; do
|
|
|
|
if [ -f ${I}/pam_passwdqc.so ]; then
|
|
|
|
FOUND_PASSWDQC=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found pam_passwdqc.so (passwd quality control PAM) in ${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
if [ ${FOUND_PASSWDQC} -eq 1 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: pam_passwdqc.so found"
|
|
|
|
Report "pam_passwdqc=1"
|
2014-08-26 17:33:55 +02:00
|
|
|
AddHP 3 3
|
|
|
|
FOUND=1
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
|
2014-08-26 17:33:55 +02:00
|
|
|
AddHP 1 3
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ${FOUND} -eq 0 ]; then
|
|
|
|
Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: no PAM modules for password strength testing found"
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
|
|
|
|
else
|
|
|
|
Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found at least one PAM module for password strength testing"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9264
|
|
|
|
# Description : Scan /etc/pam.conf file
|
|
|
|
Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking file /etc/pam.conf"
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ -f /etc/pam.conf ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/pam.conf exists"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: searching PAM configuration files"
|
2015-10-10 13:25:14 +02:00
|
|
|
FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
|
2014-09-09 14:49:37 +02:00
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found one or more configuration lines"
|
2014-09-09 14:49:37 +02:00
|
|
|
for I in ${FIND}; do
|
2014-11-04 00:42:37 +01:00
|
|
|
I=`echo ${I} | sed 's/:space:/ /g'`
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Found line: ${I}"
|
2014-09-09 14:49:37 +02:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/pam.conf could not be found"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9266
|
|
|
|
# Description : Searching available PAM configurations (/etc/pam.d)
|
|
|
|
Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking directory /etc/pam.d"
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ -d /etc/pam.d ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: directory /etc/pam.d exists"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: searching PAM configuration files"
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`find /etc/pam.d -type f -print | sort`
|
|
|
|
for I in ${FIND}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Found file: ${I}"
|
2014-09-09 14:49:37 +02:00
|
|
|
done
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: directory /etc/pam.d could not be found"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9268
|
|
|
|
# Description : Searching available PAM files
|
2016-03-03 12:48:42 +01:00
|
|
|
# Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, Solaris
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
|
|
Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking presence pam.d files"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
FOUND=0
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Searching pam modules"
|
2014-08-26 17:33:55 +02:00
|
|
|
for I in ${PAM_FILE_LOCATIONS}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking ${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -d ${I} -a ! -L ${I} ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: directory ${I} exists"
|
2016-03-03 12:48:42 +01:00
|
|
|
# Search in the specified directory
|
|
|
|
FIND=`find ${I} -maxdepth 1 -type f -name "pam_*.so" -print | sort`
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ! "${FIND}" = "" ]; then FOUND=1; fi
|
|
|
|
for I in ${FIND}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Found file: ${I}"
|
|
|
|
Report "pam_module[]=${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
done
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: directory ${I} could not be found or is a symlink to another directory"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
# Check if we found at least one module
|
|
|
|
if [ ${FOUND} -eq 0 ]; then
|
|
|
|
Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: no PAM modules found"
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
|
|
|
Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9278
|
|
|
|
# Description : Search LDAP support in PAM files
|
|
|
|
Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: checking presence /etc/pam.d/common-auth"
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ -f /etc/pam.d/common-auth ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/pam.d/common-auth exists"
|
|
|
|
LogText "Test: checking presence LDAP module"
|
2015-10-10 13:25:14 +02:00
|
|
|
FIND=`grep "^auth.*ldap" /etc/pam.d/common-auth`
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ ! "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: LDAP module present"
|
|
|
|
LogText "Output: ${FIND}"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
|
2014-08-26 17:33:55 +02:00
|
|
|
LDAP_AUTH_ENABLED=1
|
|
|
|
LDAP_PAM_ENABLED=1
|
2014-09-09 14:49:37 +02:00
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: LDAP module not found"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9282 and AUTH-9283
|
|
|
|
# Note : Every Linux based operating system seem to have different passwd
|
|
|
|
# options, so we have to check the version first.
|
|
|
|
if [ "${OS}" = "Linux" ]; then
|
|
|
|
if [ ${OS_REDHAT_OR_CLONE} -eq 0 ]; then
|
|
|
|
case ${LINUX_VERSION} in
|
|
|
|
"SuSE")
|
|
|
|
PREQS_MET="YES"
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
|
|
|
|
FIND2=`passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
|
2014-08-26 17:33:55 +02:00
|
|
|
;;
|
|
|
|
*)
|
|
|
|
PREQS_MET="YES"
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
|
|
|
|
FIND2=`passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
|
2014-08-26 17:33:55 +02:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: skipping test for this Linux version"
|
2014-08-26 17:33:55 +02:00
|
|
|
ReportManual "AUTH-9282:01"
|
|
|
|
PREQS_MET="NO"
|
|
|
|
FIND=""
|
|
|
|
FIND2=""
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
PREQS_MET="NO"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Test : AUTH-9282
|
|
|
|
# Description : Search password protected accounts without expire (Linux)
|
|
|
|
Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking password protected account without expire date"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking Linux version and password expire date status"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: all accounts seem to have an expire date"
|
2014-08-26 17:33:55 +02:00
|
|
|
Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found one or more accounts with expire date set"
|
2014-08-26 17:33:55 +02:00
|
|
|
for I in ${FIND}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Account without expire date: ${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
done
|
|
|
|
Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
# Test : AUTH-9283
|
|
|
|
# Description : Search passwordless accounts
|
|
|
|
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking accounts without password"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking passwordless accounts"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ "${FIND2}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: all accounts seem to have a password"
|
2014-08-26 17:33:55 +02:00
|
|
|
Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found one or more accounts without password"
|
2014-08-26 17:33:55 +02:00
|
|
|
for I in ${FIND2}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Account without password: ${I}"
|
|
|
|
Report "account_without_password=${I}"
|
2014-08-26 17:33:55 +02:00
|
|
|
done
|
|
|
|
Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED
|
|
|
|
ReportWarning ${TEST_NO} "Found accounts without password"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9286
|
|
|
|
# Description : Check user password aging
|
2015-10-27 12:42:41 +01:00
|
|
|
# Notes : MIN = minimum age, avoid rotation of passwords too quickly
|
|
|
|
# : MAX = maximum age, ensure regular change of passwords
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
|
|
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
|
2015-10-27 12:42:41 +01:00
|
|
|
FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'`
|
|
|
|
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: password minimum age is not configured"
|
2015-10-27 12:42:41 +01:00
|
|
|
Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
|
|
|
|
AddHP 0 1
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: password needs to be at least ${FIND} days old"
|
2015-10-27 12:42:41 +01:00
|
|
|
PASSWORD_MINIMUM_DAYS=${FIND}
|
|
|
|
Display --indent 2 --text "- Checking user password aging (minimum)" --result CONFIGURED --color GREEN
|
|
|
|
AddHP 3 3
|
|
|
|
fi
|
|
|
|
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
|
|
|
|
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: password aging limits are not configured"
|
2015-10-27 12:42:41 +01:00
|
|
|
Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
|
2014-09-09 14:49:37 +02:00
|
|
|
AddHP 0 1
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: max password age is ${FIND} days"
|
2015-10-27 12:42:41 +01:00
|
|
|
PASSWORD_MAXIMUM_DAYS=${FIND}
|
|
|
|
Display --indent 2 --text "- Checking user password aging (maximum)" --result CONFIGURED --color GREEN
|
2014-09-09 14:49:37 +02:00
|
|
|
AddHP 3 3
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
2015-12-22 16:00:51 +01:00
|
|
|
#
|
|
|
|
# Test : AUTH-9288
|
|
|
|
# Description : Determine which accounts have an expired password
|
2016-03-08 12:01:11 +01:00
|
|
|
# Notes : This test might not work (yet) on all platforms
|
2015-12-22 16:00:51 +01:00
|
|
|
if [ -f /etc/shadow ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
|
|
Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for expired passwords"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
if FileIsReadable /etc/shadow; then
|
|
|
|
DAYS_SINCE_EPOCH=$((`date --utc +%s`/86400))
|
|
|
|
logtext "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
|
|
|
|
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
|
2016-03-08 12:01:11 +01:00
|
|
|
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
|
|
|
|
FIND=`egrep -v ":[\!\*x](\*)?:" /etc/shadow | awk -v today=${DAYS_SINCE_EPOCH} -F: '{ if (today>$3+$5) { print $1 }}'`
|
2015-12-22 16:00:51 +01:00
|
|
|
if [ ! "${FIND}" = "" ]; then
|
|
|
|
for ACCOUNT in ${FIND}; do
|
|
|
|
LogText "Result: password of user ${ACCOUNT} has been expired"
|
|
|
|
Report "account_password_expired[]=${ACCOUNT}"
|
|
|
|
done
|
|
|
|
AddHP 0 10
|
|
|
|
Display --indent 2 --text "- Checking expired passwords" --result FOUND --color RED
|
|
|
|
ReportSuggestion "${TEST_NO}" "Delete accounts which are no longer used"
|
|
|
|
else
|
|
|
|
LogText "Result: good, no passwords have been expired"
|
|
|
|
Display --indent 2 --text "- Checking expired passwords" --result OK --color GREEN
|
|
|
|
AddHP 10 10
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
Display --indent 2 --text "- Checking expired passwords" --result SKIPPED --color YELLOW
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
2014-08-26 17:33:55 +02:00
|
|
|
#
|
|
|
|
# Test : AUTH-9304
|
|
|
|
# Description : Check if single user mode login is properly configured in Solaris
|
2015-07-22 16:28:11 +02:00
|
|
|
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
|
2014-08-26 17:33:55 +02:00
|
|
|
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-09 14:49:37 +02:00
|
|
|
# Check if file exists (Solaris 10 does not have this file by default)
|
|
|
|
if [ -f /etc/default/sulogin ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/default/sulogin exists"
|
|
|
|
LogText "Test: checking presence PASSREQ=NO"
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: option not present or configured to request a password at single user mode login"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
|
|
|
|
AddHP 1 1
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: option present, no password needed at single user mode login"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
|
|
|
|
ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
|
|
|
|
AddHP 0 1
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/default/sulogin does not exist"
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9306
|
|
|
|
# Description : Check if authentication is needed to boot the system
|
|
|
|
# Notes : :d_boot_authenticate: is a good option for production machines to
|
|
|
|
# avoid unauthorized booting of systems. Option :d_boot_autentication@:
|
|
|
|
# disabled a required login.
|
|
|
|
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-09 14:49:37 +02:00
|
|
|
# Check if file exists
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Searching /tcb/files/auth/system/default"
|
2014-09-09 14:49:37 +02:00
|
|
|
if [ -f /tcb/files/auth/system/default ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /tcb/files/auth/system/default exists"
|
|
|
|
LogText "Test: checking presence :d_boot_authenticate@:"
|
2014-09-09 14:49:37 +02:00
|
|
|
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: option not set, password is needed at boot"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
|
|
|
|
AddHP 1 1
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: option present, no password needed at single user mode login"
|
2014-09-09 14:49:37 +02:00
|
|
|
Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Set password for system boot"
|
|
|
|
AddHP 0 1
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /tcb/files/auth/system/default does not exist"
|
2014-09-09 14:49:37 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9308
|
|
|
|
# Description : Check single user mode login for Linux
|
|
|
|
Register --test-no AUTH-9308 --os Linux --weight L --network NO --description "Check single user login configuration"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
FOUND=0
|
|
|
|
# Check if file exists
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Searching /etc/inittab"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f /etc/inittab ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/inittab exists"
|
|
|
|
LogText "Test: checking presence sulogin for single user mode"
|
2015-12-21 15:17:25 +01:00
|
|
|
FIND=`egrep "^~~:S:(respawn|wait):/sbin/sulogin" /etc/inittab`
|
|
|
|
FIND2=`egrep "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab`
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
|
|
|
|
FOUND=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found sulogin, so single user is protected"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/inittab does not exist"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
|
|
|
|
# Check if file exists
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Searching /etc/sysconfig/init"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f /etc/sysconfig/init ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/sysconfig/init exists"
|
|
|
|
LogText "Test: checking presence sulogin for single user mode"
|
2014-08-26 17:33:55 +02:00
|
|
|
FIND=`grep "^SINGLE=/sbin/sulogin" /etc/sysconfig/init`
|
|
|
|
if [ ! "${FIND}" = "" ]; then
|
|
|
|
FOUND=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found sulogin, so single user is protected"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
else
|
2016-01-16 20:14:38 +01:00
|
|
|
LogText "Result: file /etc/sysconfig/init does not exist"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
if [ -f /etc/inittab -o -f /etc/sysconfig/init ]; then
|
|
|
|
if [ ${FOUND} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: option not set, no password needed at single user mode boot"
|
2014-08-26 17:33:55 +02:00
|
|
|
Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED
|
|
|
|
ReportWarning ${TEST_NO} "L" "No password set for single mode"
|
|
|
|
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
|
|
|
|
AddHP 0 2
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: option set, password is needed at single user mode boot"
|
2014-08-26 17:33:55 +02:00
|
|
|
Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN
|
|
|
|
AddHP 2 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: No inittab or init file found, unsure if system is protected"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9328
|
|
|
|
# Description : Check default umask in common files
|
|
|
|
# Notes: This test should be moved later to shells section
|
|
|
|
# /etc/login.defs
|
|
|
|
# pam_umask
|
|
|
|
Register --test-no AUTH-9328 --weight L --network NO --description "Default umask values"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
Display --indent 2 --text "- Determining default umask"
|
|
|
|
|
|
|
|
# /etc/profile
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking /etc/profile"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f /etc/profile ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/profile exists"
|
|
|
|
LogText "Test: Checking umask value in /etc/profile"
|
2014-08-26 17:33:55 +02:00
|
|
|
FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
|
|
|
|
FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
|
|
|
|
WEAK_UMASK=0
|
|
|
|
FOUND_UMASK=0
|
2015-08-20 18:46:06 +02:00
|
|
|
if [ "${FIND2}" = "0" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: did not find umask in /etc/profile"
|
2015-09-12 15:19:21 +02:00
|
|
|
#YYY possibly weak umask
|
2015-08-20 18:46:06 +02:00
|
|
|
elif [ "${FIND2}" = "1" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask (prefixed with spaces)"
|
2014-08-26 17:33:55 +02:00
|
|
|
FOUND_UMASK=1
|
|
|
|
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask ${FIND}, which could be more strict"
|
2014-08-26 17:33:55 +02:00
|
|
|
WEAK_UMASK=1
|
2015-09-16 17:01:17 +02:00
|
|
|
AddHP 1 2
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask ${FIND}, which is fine"
|
2015-09-16 17:01:17 +02:00
|
|
|
AddHP 2 2
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
# Found more than 1 umask value in profile
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found multiple umask values configured in /etc/profile"
|
2014-08-26 17:33:55 +02:00
|
|
|
FOUND_UMASK=1
|
|
|
|
for I in ${FIND}; do
|
|
|
|
if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: umask ${I} could be more strict"
|
2014-08-26 17:33:55 +02:00
|
|
|
WEAK_UMASK=1
|
2015-09-16 17:01:17 +02:00
|
|
|
AddHP 1 2
|
2014-08-26 17:33:55 +02:00
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: Found umask ${I}, which is fine"
|
2015-09-16 17:01:17 +02:00
|
|
|
AddHP 2 2
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ${FOUND_UMASK} -eq 1 ]; then
|
|
|
|
if [ ${WEAK_UMASK} -eq 0 ]; then
|
|
|
|
Display --indent 4 --text "- Checking umask (/etc/profile)" --result OK --color GREEN
|
|
|
|
AddHP 2 2
|
|
|
|
else
|
|
|
|
Display --indent 4 --text "- Checking umask (/etc/profile)" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027"
|
|
|
|
AddHP 0 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found no umask. Please check if this is correct"
|
2014-08-26 17:33:55 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW
|
|
|
|
ReportException "${TEST_NO}:01"
|
|
|
|
ReportManual "AUTH-9328:01"
|
|
|
|
AddHP 0 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/profile does not exist"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
|
|
|
|
# /etc/passwd
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking umask entries in /etc/passwd (pam_umask)"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f /etc/passwd ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/passwd exists"
|
|
|
|
LogText "Test: Checking umask value in /etc/passwd"
|
2014-08-26 17:33:55 +02:00
|
|
|
FIND=`grep "umask=" /etc/passwd`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
|
|
|
ReportManual "AUTH-9328:03"
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/passwd does not exist"
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
|
|
|
|
# /etc/login.defs
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking /etc/login.defs"
|
2014-08-26 17:33:55 +02:00
|
|
|
if [ -f /etc/login.defs ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/login.defs exists"
|
|
|
|
LogText "Test: Checking umask value in /etc/login.defs"
|
2014-08-26 17:33:55 +02:00
|
|
|
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
|
2014-08-26 17:33:55 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
|
2014-09-19 00:35:24 +02:00
|
|
|
AddHP 1 2
|
|
|
|
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: umask is ${FIND}, which is fine"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN
|
|
|
|
AddHP 2 2
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask ${FIND}, which could be improved"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
|
|
|
|
AddHP 0 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/login.defs does not exist"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
|
2014-09-19 00:35:24 +02:00
|
|
|
# Red Hat /etc/init.d/functions
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking /etc/init.d/functions"
|
2014-09-19 00:35:24 +02:00
|
|
|
if [ -f /etc/init.d/functions ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/init.d/functions exists"
|
|
|
|
LogText "Test: Checking umask value in /etc/init.d/functions"
|
2014-09-19 00:35:24 +02:00
|
|
|
FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: umask is not configured"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE
|
|
|
|
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: umask is ${FIND}, which is fine"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN
|
|
|
|
AddHP 2 2
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask ${FIND}, which could be improved"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW
|
|
|
|
AddHP 0 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/init.d/functions does not exist"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
|
2015-07-16 17:02:15 +02:00
|
|
|
# /etc/init.d/rc
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking /etc/init.d/rc"
|
2014-09-19 00:35:24 +02:00
|
|
|
if [ -f /etc/init.d/rc ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/init.d/rc exists"
|
|
|
|
LogText "Test: Checking UMASK value in /etc/init.d/rc"
|
2014-09-19 00:35:24 +02:00
|
|
|
FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
|
|
|
|
AddHP 1 2
|
|
|
|
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: umask is ${FIND}, which is fine"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN
|
|
|
|
AddHP 2 2
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask ${FIND}, which could be improved"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
|
|
|
|
AddHP 0 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/init.d/rc does not exist"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
|
2015-09-10 21:07:06 +02:00
|
|
|
# FreeBSD
|
|
|
|
if [ -f /etc/login.conf ]; then
|
|
|
|
FOUND=0
|
|
|
|
WEAK_UMASK=0
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/login.conf exists"
|
2015-10-10 13:25:14 +02:00
|
|
|
FIND=`grep "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
|
2015-09-10 21:07:06 +02:00
|
|
|
if [ ! "${FIND}" = "" ]; then
|
|
|
|
for UMASK_VALUE in ${FIND}; do
|
2015-09-10 21:42:30 +02:00
|
|
|
case ${UMASK_VALUE} in
|
2015-09-10 21:07:06 +02:00
|
|
|
027|0027|077|0077)
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask value ${UMASK_VALUE}, which is fine"
|
2015-09-10 21:07:06 +02:00
|
|
|
AddHP 2 2
|
|
|
|
FOUND=1
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
AddHP 0 2
|
|
|
|
FOUND=1
|
|
|
|
WEAK_UMASK=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask value ${UMASK_VALUE}, which can be more strict"
|
2015-09-10 21:07:06 +02:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
|
|
if [ ${WEAK_UMASK} -eq 0 ]; then
|
|
|
|
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
|
|
|
|
else
|
2015-09-10 21:46:23 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
|
2015-09-10 21:07:06 +02:00
|
|
|
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
|
2015-09-10 21:46:23 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
|
2015-09-10 21:07:06 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2015-07-16 17:02:15 +02:00
|
|
|
# /etc/init.d/rcS
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking /etc/init.d/rcS"
|
2014-09-19 00:35:24 +02:00
|
|
|
if [ -f /etc/init.d/rcS ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/init.d/rcS exists"
|
|
|
|
LogText "Test: Checking if script runs another script."
|
2014-09-19 00:35:24 +02:00
|
|
|
FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
|
|
|
FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'`
|
|
|
|
if [ "${FIND2}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
|
|
|
|
AddHP 1 2
|
|
|
|
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: umask is ${FIND2}, which is fine"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN
|
|
|
|
AddHP 2 2
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found umask ${FIND2}, which could be improved"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
|
|
|
|
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
|
|
|
|
AddHP 0 2
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
# Improve check
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: exec line present in file, setting of umask not needed in this script"
|
|
|
|
LogText "Output: ${FIND}"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/init.d/rcS does not exist"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9340
|
|
|
|
# Description : Solaris account locking
|
|
|
|
Register --test-no AUTH-9340 --os Solaris --weight L --network NO --description "Solaris account locking"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-19 00:35:24 +02:00
|
|
|
FOUND=0
|
|
|
|
if [ -f /etc/security/policy.conf ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found /etc/security/policy.conf"
|
2014-09-19 00:35:24 +02:00
|
|
|
FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`
|
|
|
|
if [ ! "${FIND}" = "" ]; then
|
|
|
|
FOUND=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: account locking option set"
|
|
|
|
LogText "Output: ${FIND}"
|
2014-09-19 00:35:24 +02:00
|
|
|
AddHP 2 2
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: option LOCK_AFTER_RETRIES not set"
|
2014-09-19 00:35:24 +02:00
|
|
|
AddHP 1 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: /etc/security/policy.conf does not exist"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
|
|
|
# If policy.conf does not exist, we most likely deal with a Solaris version below 10
|
|
|
|
# and we proceed with checking the softer option RETRIES in /etc/default/login
|
|
|
|
# which does not lock account, but discourages brute force password attacks.
|
|
|
|
if [ ${FOUND} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: checking /etc/default/login"
|
2014-09-19 00:35:24 +02:00
|
|
|
if [ -f /etc/default/login ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/default/login exists"
|
2014-09-19 00:35:24 +02:00
|
|
|
FIND=`grep "^RETRIES" /etc/default/login`
|
|
|
|
if [ ! "${FIND}" = "" ]; then
|
|
|
|
FOUND=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: retries option configured"
|
|
|
|
LogText "Output: ${FIND}"
|
2014-09-19 00:35:24 +02:00
|
|
|
AddHP 2 2
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: retries option not configured"
|
2014-09-19 00:35:24 +02:00
|
|
|
AddHP 1 2
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file /etc/default/login does not exist"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
|
|
Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN
|
|
|
|
else
|
|
|
|
Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
|
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9402
|
|
|
|
# Description : Query LDAP authentication support
|
|
|
|
Register --test-no AUTH-9402 --weight L --network NO --description "Query LDAP authentication support"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2014-09-19 00:35:24 +02:00
|
|
|
if [ -f /etc/nsswitch.conf ]; then
|
|
|
|
FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"`
|
|
|
|
if [ "${FIND}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: LDAP authentication not enabled"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: LDAP authentication enabled"
|
2014-09-19 00:35:24 +02:00
|
|
|
Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN
|
|
|
|
LDAP_AUTH_ENABLED=1
|
|
|
|
fi
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: /etc/nsswitch.conf not found"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
|
|
|
#
|
|
|
|
# Test : AUTH-9406
|
|
|
|
# Description : Check LDAP servers in client configuration
|
|
|
|
if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
|
|
Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
|
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: checking ldap.conf options"
|
2014-09-19 00:35:24 +02:00
|
|
|
for I in ${LDAP_CONF_LOCATIONS}; do
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: checking ${I}"
|
2014-09-19 00:35:24 +02:00
|
|
|
if [ -f ${I} ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: file ${I} exists, LDAP being used"
|
2015-07-16 17:02:15 +02:00
|
|
|
LDAP_CLIENT_CONFIG_FILE="${I}"
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: checking LDAP servers in file ${I}"
|
2014-09-19 00:35:24 +02:00
|
|
|
FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
|
|
|
|
for I in ${FIND2}; do
|
|
|
|
Display --indent 6 --text "LDAP server: ${I}"
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: found LDAP server ${I}"
|
|
|
|
Report "ldap_server[]=${I}"
|
2014-09-19 00:35:24 +02:00
|
|
|
done
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: ${I} does NOT exist"
|
2014-09-19 00:35:24 +02:00
|
|
|
fi
|
|
|
|
done
|
2014-08-26 17:33:55 +02:00
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
2015-09-07 04:12:58 +02:00
|
|
|
#
|
2015-09-07 11:26:09 +02:00
|
|
|
# Test : AUTH-9408
|
|
|
|
# Description : Logging of failed login attempts
|
2015-09-07 04:12:58 +02:00
|
|
|
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
2015-09-07 11:26:09 +02:00
|
|
|
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs"
|
2015-09-07 04:12:58 +02:00
|
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
|
2015-09-07 04:12:58 +02:00
|
|
|
FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
|
2015-09-07 11:26:09 +02:00
|
|
|
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
|
|
|
|
if [ "${FIND}" = "yes" ]; then
|
|
|
|
AUTH_FAILED_LOGINS_LOGGED=1
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: failed login attempts are logged in /var/log/faillog"
|
2015-09-07 11:26:09 +02:00
|
|
|
Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN
|
|
|
|
AddHP 3 3
|
|
|
|
else
|
2015-12-21 21:17:15 +01:00
|
|
|
LogText "Result: failed login attempts are not logged"
|
2015-09-07 04:12:58 +02:00
|
|
|
Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW
|
2015-09-07 11:26:09 +02:00
|
|
|
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
|
2015-09-07 04:12:58 +02:00
|
|
|
AddHP 0 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#
|
|
|
|
#################################################################################
|
2014-08-26 17:33:55 +02:00
|
|
|
#
|
|
|
|
|
2015-12-21 21:17:15 +01:00
|
|
|
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
|
|
|
|
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
|
|
|
|
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
|
2015-07-16 17:02:15 +02:00
|
|
|
if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
|
2015-12-21 21:17:15 +01:00
|
|
|
Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
|
2015-07-16 17:02:15 +02:00
|
|
|
fi
|
2015-12-21 21:17:15 +01:00
|
|
|
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
|
|
|
|
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
|
2014-08-26 17:33:55 +02:00
|
|
|
|
|
|
|
wait_for_keypress
|
|
|
|
|
|
|
|
#
|
|
|
|
#================================================================================
|
2015-12-21 21:17:15 +01:00
|
|
|
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com
|