2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2019-01-31 14:47:35 +01:00
# Copyright 2007-2019, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# User, Group and authentication tests
#
#################################################################################
#
LDAP_AUTH_ENABLED=0
LDAP_PAM_ENABLED=0
2017-04-23 20:06:54 +02:00
LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf"
2017-10-19 11:33:09 +02:00
PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security"
2017-04-23 20:06:54 +02:00
SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers"
2014-08-26 17:33:55 +02:00
SUDOERS_FILE=""
#
#################################################################################
#
InsertSection "Users, Groups and Authentication"
# Test : AUTH-9204
# Description : Check users with UID zero (0)
2015-09-01 13:37:55 +02:00
# Notes : Ignores :0: in file if match is in NIS related line
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9204 --weight L --network NO --category security --description "Check users with an UID of zero"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0
2015-12-21 21:17:15 +01:00
LogText "Test: Searching accounts with UID 0"
2019-04-29 11:47:11 +02:00
# Check if device is a QNAP, as the root user is called admin, and not root
if [ ${QNAP_DEVICE} -eq 1 ]; then
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
else
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
fi
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: Found more than one administrator accounts"
2016-07-31 13:53:26 +02:00
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
2016-08-25 15:18:44 +02:00
for USER in ${FIND}; do
LogText "Administrator account: ${USER}"
Report "user_with_uid_zero[]=${USER}"
if [ "${USER}" = "toor" ]; then
2015-12-21 21:17:15 +01:00
LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
fi
done
2016-07-31 13:53:26 +02:00
else
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: No accounts found with UID 0 other than root."
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : AUTH-9208
# Description : Check non-unique accounts
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9208 --weight L --network NO --category security --description "Check non-unique accounts in passwd file"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for non-unique accounts"
2015-10-16 11:24:23 +02:00
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" -o "${OS}" = "OpenBSD" ]; then
2017-04-23 20:06:54 +02:00
PASSWD_FILE="${ROOTDIR}etc/master.passwd"
2014-08-26 17:33:55 +02:00
else
2017-04-23 20:06:54 +02:00
PASSWD_FILE="${ROOTDIR}etc/passwd"
2014-08-26 17:33:55 +02:00
fi
# Check password file
if [ -f ${PASSWD_FILE} ]; then
2016-09-08 21:04:17 +02:00
FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | ${CUTBINARY} -d ':' -f3 | ${SORTBINARY} | uniq -d)
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "" ]; then
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
2016-07-31 13:53:26 +02:00
else
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_WARNING}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: found multiple accounts with same UID"
LogText "Output (non-unique UIDs): ${FIND}"
2014-08-26 17:33:55 +02:00
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi
else
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_SKIPPED}" --color WHITE
2015-12-21 21:17:15 +01:00
LogText "Result: test skipped, ${PASSWD_FILE} file not available"
2014-08-26 17:33:55 +02:00
fi
2016-10-27 08:46:23 +02:00
LogText "Remarks: Non unique UIDs can be a risk for the system or part of a configuration mistake"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9212
# Description : Test group file with chkgrp tool (ie FreeBSD)
2016-07-31 21:15:31 +02:00
LogText "Prerequisite test: /usr/sbin/chkgrp"
2017-04-23 20:06:54 +02:00
if [ -x ${ROOTDIR}usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test group file"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
LogText "Test: Testing consistency of /etc/group file"
2017-04-23 20:06:54 +02:00
FIND=$(${ROOTDIR}usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine')
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: chkgrp test performed, Group file seems to be ok."
2014-08-26 17:33:55 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: chkgrp found some errors. Run the tool manually to see details."
LogText "chkgrp output: ${FIND}"
2016-08-10 07:12:22 +02:00
ReportWarning ${TEST_NO} "chkgrp reported inconsistencies in /etc/group file"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : AUTH-9216
# Description : Check /etc/group and shadow group files
2016-07-31 13:45:21 +02:00
# Notes : Run grpck to test group files (most likely /etc/group and shadow group files)
2019-07-16 13:20:30 +02:00
if [ -n "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-07-31 13:45:21 +02:00
LogText "Test: Checking for grpck binary output"
2014-08-26 17:33:55 +02:00
2016-07-31 13:45:21 +02:00
case ${OS} in
"AIX") FIND=$(${GRPCKBINARY} -n ALL 2> /dev/null ; echo $?) ;;
"Linux")
if [ "${LINUX_VERSION}" = "SuSE" ]; then
FIND=$(${GRPCKBINARY} -q -r > /dev/null ; echo $?)
2016-08-10 07:12:22 +02:00
else
2016-07-31 13:45:21 +02:00
FIND=$(${GRPCKBINARY} -r 2> /dev/null ; echo $?)
fi
;;
*) FIND=$(${GRPCKBINARY} 2> /dev/null ; echo $?) ;;
2016-08-10 07:12:22 +02:00
esac
2014-08-26 17:33:55 +02:00
# Check exit-code
if [ "${FIND}" = "0" ]; then
2016-07-31 13:45:21 +02:00
Display --indent 2 --text "- Consistency of group files (grpck)" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: grpck binary didn't find any errors in the group files"
2016-07-31 13:45:21 +02:00
else
Display --indent 2 --text "- Consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:12:22 +02:00
ReportWarning ${TEST_NO} "grpck binary found errors in one or more group files"
2014-08-26 17:33:55 +02:00
fi
2016-07-31 13:45:21 +02:00
unset FIND
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9218
# Description : Check login shells for passwordless accounts
# Notes : Results should be checked
2016-07-31 13:34:17 +02:00
Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --category security --description "Check login shells for passwordless accounts"
2016-11-19 13:39:57 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking login shells"
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/master.passwd ]; then
2016-11-19 13:39:57 +01:00
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
2016-11-19 13:39:57 +01:00
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
for LINE in ${FIND}; do
LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g')
SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }')
LogText "Output: ${LINE}"
if [ -z "${SHELL}" ]; then
LogText "Result: found no shell on line"
else
LogText "Result: found possible harmful shell ${SHELL}"
if [ -f ${SHELL} ]; then
LogText "Result: shell ${SHELL} does exist"
FOUND=1
else
LogText "Result: shell ${SHELL} does not exist"
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
fi
fi
else
Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: No /etc/master.passwd file found"
fi
unset LINE SHELL
fi
#
#################################################################################
#
# Test : AUTH-9489
# Description : Check login shells for passwordless accounts
# Notes : Results should be checked
Register --test-no AUTH-9489 --os DragonFly --weight L --network NO --category security --description "Check login shells for passwordless accounts"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
2015-12-21 21:17:15 +01:00
LogText "Test: Checking login shells"
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/master.passwd ]; then
2014-08-26 17:33:55 +02:00
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
2017-04-23 20:06:54 +02:00
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
2016-07-31 13:34:17 +02:00
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
for LINE in ${FIND}; do
2016-09-08 21:04:17 +02:00
LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g')
2016-08-25 15:31:33 +02:00
SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }')
2016-07-31 13:34:17 +02:00
LogText "Output: ${LINE}"
if [ -z "${SHELL}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found no shell on line"
2016-07-31 13:34:17 +02:00
else
LogText "Result: found possible harmful shell ${SHELL}"
if [ -f ${SHELL} ]; then
LogText "Result: shell ${SHELL} does exist"
2014-08-26 17:33:55 +02:00
FOUND=1
2016-07-31 13:34:17 +02:00
else
LogText "Result: shell ${SHELL} does not exist"
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
2014-08-26 17:33:55 +02:00
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
2016-07-31 13:34:17 +02:00
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
2014-08-26 17:33:55 +02:00
fi
2016-07-31 13:34:17 +02:00
fi
2014-08-26 17:33:55 +02:00
else
2016-07-31 13:34:17 +02:00
Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE
2017-04-23 20:06:54 +02:00
LogText "Result: No ${ROOTDIR}etc/master.passwd file found"
2014-08-26 17:33:55 +02:00
fi
2016-07-31 13:34:17 +02:00
unset LINE SHELL
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9222
2016-07-31 13:29:23 +02:00
# Description : Check unique group IDs
Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check unique groups (IDs)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for non unique group ID's in /etc/group"
2017-04-23 20:06:54 +02:00
FIND=$(${GREPBINARY} -v '^#' ${ROOTDIR}etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $3 }' | ${SORTBINARY} | uniq -d)
2017-02-11 21:25:25 +01:00
if [ -z "${FIND}" ]; then
2016-07-31 13:29:23 +02:00
Display --indent 2 --text "- Unique group IDs" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: All group ID's are unique"
2017-02-11 21:25:25 +01:00
Report "auth_group_ids_unique=1"
2016-07-31 13:29:23 +02:00
else
Display --indent 2 --text "- Unique group IDs" --result "${STATUS_WARNING}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: Found the same group ID multiple times"
2017-02-11 21:25:25 +01:00
for I in ${FIND}; do
Report "auth_groups_nonunique[]=${I}"
LogText "Non-unique group: ${I}"
done
2016-07-31 13:29:23 +02:00
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct any inconsistencies"
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9226
2016-07-31 13:29:23 +02:00
# Description : Check unique group names
2017-02-11 21:25:25 +01:00
if [ -f ${ROOTDIR}etc/group ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-31 13:29:23 +02:00
Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unique group names"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-02-11 21:25:25 +01:00
LogText "Test: Checking for non unique group names in ${ROOTDIR}etc/group"
FIND=$(${GREPBINARY} -v '^#' ${ROOTDIR}etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $1 }' | ${SORTBINARY} | uniq -d)
2016-07-31 13:25:35 +02:00
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Unique group names" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: All group names are unique"
2017-02-11 21:25:25 +01:00
Report "auth_group_names_unique=1"
2016-07-31 13:25:35 +02:00
else
2017-02-11 21:25:25 +01:00
Display --indent 2 --text "- Unique group names" --result "${STATUS_WARNING}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: Found the same group name multiple times"
2017-02-11 21:25:25 +01:00
for I in ${FIND}; do
Report "auth_groups_nonunique[]=${I}"
LogText "Non-unique group: ${I}"
done
ReportSuggestion ${TEST_NO} "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : AUTH-9228
2015-09-24 20:24:46 +02:00
# Description : Check password file consistency with pwck
# Notes : Operating systems include Linux, Solaris
2017-04-23 20:06:54 +02:00
if [ -x ${ROOTDIR}usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9228 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check password file consistency with pwck"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking password file consistency (pwck)"
2015-09-24 20:24:46 +02:00
TESTED=0
2015-09-24 21:26:55 +02:00
case ${OS} in
2015-09-24 20:24:46 +02:00
"Linux")
2017-04-23 20:06:54 +02:00
FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?)
2015-09-24 20:24:46 +02:00
TESTED=1
;;
"Solaris")
2017-04-23 20:06:54 +02:00
FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?)
2015-09-24 20:24:46 +02:00
TESTED=1
;;
*)
2017-04-23 20:06:54 +02:00
LogText "Dev: found ${ROOTDIR}usr/sbin/pwck, but unsure how to call it on this operating system"
ReportException "${TEST_NO}:1" "Found ${ROOTDIR}usr/sbin/pwck, but unsure how to call it on this operating system"
2015-09-24 20:24:46 +02:00
;;
esac
# Only display if this test has been executed
if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then
2016-07-31 13:25:35 +02:00
Display --indent 2 --text "- Password file consistency" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: pwck check didn't find any problems"
2015-09-24 20:24:46 +02:00
AddHP 2 2
2016-07-31 13:23:09 +02:00
else
2016-07-31 13:25:35 +02:00
Display --indent 2 --text "- Password file consistency" --result "${STATUS_SUGGESTION}" --color YELLOW
2015-12-21 21:17:15 +01:00
LogText "Result: pwck found one or more errors/warnings in the password file."
2016-07-31 13:23:09 +02:00
ReportSuggestion ${TEST_NO} "Run pwck manually and correct any errors in the password file"
2015-09-24 20:24:46 +02:00
AddHP 0 2
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9234
2014-09-18 23:56:16 +02:00
# Description : Query user accounts
2016-01-11 01:31:08 +01:00
# Notes : AIX: 100+
# HPUX: 100+
2016-10-27 08:56:52 +02:00
# macOS doesn't have any user info in /etc/passwd, users are managed with opendirectoryd)
2014-08-26 17:33:55 +02:00
# OpenBSD/NetBSD: unknown
2014-12-05 20:08:10 +01:00
# Arch Linux / CentOS / Ubuntu: 1000+
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9234 --weight L --network NO --category security --description "Query user accounts"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-10-27 09:21:56 +02:00
LogText "Test: Read system users (including root user) from password database (e.g. /etc/passwd)"
2014-08-26 17:33:55 +02:00
FIND=""
2014-09-09 14:49:37 +02:00
2014-09-18 23:56:16 +02:00
case ${OS} in
2016-01-11 01:31:08 +01:00
"AIX")
LogText "AIX real users output (ID = 0, or 100+):"
2016-10-27 08:56:52 +02:00
FIND=$(${AWKBINARY} -F: '($3 >= 100 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd)
2016-01-11 01:31:08 +01:00
;;
2014-09-18 23:56:16 +02:00
"FreeBSD")
2015-12-21 21:17:15 +01:00
LogText "FreeBSD real users output (ID = 0, or 1000+, but not 65534):"
2016-10-27 08:56:52 +02:00
FIND=$(${AWKBINARY} -F: '($3 >= 1000 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd)
2014-09-18 23:56:16 +02:00
;;
2014-08-26 17:33:55 +02:00
2014-09-18 23:56:16 +02:00
"Linux")
2016-06-30 11:30:58 +02:00
UID_MIN=""
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/login.defs ]; then
2016-08-25 15:31:33 +02:00
UID_MIN=$(${GREPBINARY} "^UID_MIN" /etc/login.defs | ${AWKBINARY} '{print $2}')
2016-06-30 11:30:58 +02:00
LogText "Result: found minimal user id specified: ${UID_MIN}"
fi
if [ "${UID_MIN}" = "" ]; then UID_MIN="1000"; fi
LogText "Linux real users output (ID = 0, or ${UID_MIN}+, but not 65534):"
2016-10-27 08:56:52 +02:00
FIND=$(${AWKBINARY} -v UID_MIN="${UID_MIN}" -F: '($3 >= UID_MIN && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd)
;;
2016-11-05 11:53:22 +01:00
"macOS")
2016-10-27 09:21:56 +02:00
LogText "macOS real users output (ID = 0, or 500-599) using dscacheutil"
2016-10-27 09:13:57 +02:00
FIND_USERS=$(dscacheutil -q user | ${GREPBINARY} -A 3 -B 2 -e "^uid: 5[0-9][0-9]" | ${GREPBINARY} "^name: " | ${AWKBINARY} '{print $2}')
2019-07-16 13:20:30 +02:00
if [ -n "${FIND_USERS}" ]; then
2016-10-27 09:13:57 +02:00
for FUSERNAME in ${FIND_USERS}; do
FDETAILS=$(dscacheutil -q user -a name ${FUSERNAME} | ${GREPBINARY} "^uid: " | ${AWKBINARY} '{print $2}')
2016-10-27 09:40:13 +02:00
FIND="${FUSERNAME},${FDETAILS} ${FIND}"
2016-10-27 09:13:57 +02:00
done
else
FIND=""
fi
2014-09-18 23:56:16 +02:00
;;
2014-08-26 17:33:55 +02:00
2015-10-16 11:24:23 +02:00
"OpenBSD")
2015-12-21 21:17:15 +01:00
LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
2016-10-27 08:56:52 +02:00
FIND=$(${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd)
2015-10-16 11:24:23 +02:00
;;
2014-09-18 23:56:16 +02:00
"Solaris")
2015-12-21 21:17:15 +01:00
LogText "Solaris real users output (ID =0, or 100+, but not 60001/65534):"
2016-10-27 08:56:52 +02:00
FIND=$(${AWKBINARY} -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd)
2014-09-18 23:56:16 +02:00
;;
2016-10-27 08:56:52 +02:00
2014-09-18 23:56:16 +02:00
*)
# Want to help improving Lynis? Determine what user IDs belong to normal user accounts
ReportException "${TEST_NO}:1" "Can not determine user accounts"
;;
esac
2014-08-26 17:33:55 +02:00
# Check if we got any output
2016-10-27 09:13:57 +02:00
if [ -z "${FIND}" ]; then
2014-08-26 17:33:55 +02:00
Display --indent 4 --text "Result: No users found/unknown result"
2015-12-21 21:17:15 +01:00
LogText "Result: Querying of system users skipped"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_UNKNOWN}" --color YELLOW
2016-10-27 08:56:52 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN
2014-08-26 17:33:55 +02:00
for I in ${FIND}; do
2019-07-16 13:20:30 +02:00
if [ -n "${I}" ]; then
2016-10-27 09:13:57 +02:00
LogText "Real user: ${I}"
Report "real_user[]=${I}"
fi
2014-08-26 17:33:55 +02:00
done
fi
fi
#
#################################################################################
#
# Test : AUTH-9240
# Description : Query NIS+ authentication support
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-09 14:49:37 +02:00
if [ -f /etc/nsswitch.conf ]; then
2016-08-25 15:31:33 +02:00
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: NIS+ authentication not enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
2017-04-23 20:06:54 +02:00
else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: NIS+ authentication enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: NIS+ authentication not enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
2014-09-09 14:49:37 +02:00
fi
fi
else
2015-12-21 21:17:15 +01:00
LogText "Result: /etc/nsswitch.conf not found"
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9242
# Description : Query NIS authentication support
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-09 14:49:37 +02:00
if [ -f /etc/nsswitch.conf ]; then
2016-08-25 15:31:33 +02:00
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: NIS authentication not enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
2017-04-23 20:06:54 +02:00
else
2016-08-25 15:25:51 +02:00
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: NIS authentication enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: NIS authentication not enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
2014-09-09 14:49:37 +02:00
fi
fi
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: /etc/nsswitch.conf not found"
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9250
# Description : Check for sudoers file
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9250 --weight L --network NO --category security --description "Checking sudoers file"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${SUDOERS_LOCATIONS}; do
2015-12-21 21:17:15 +01:00
LogText "Test: checking presence ${I}"
2014-09-09 14:49:37 +02:00
if [ -f ${I} ]; then
FOUND=1
SUDOERS_FILE="${I}"
2015-12-21 21:17:15 +01:00
LogText "Result: found file (${SUDOERS_FILE})"
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: file ${I} not found"
2014-09-09 14:49:37 +02:00
fi
done
if [ ${FOUND} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: sudoers file found (${SUDOERS_FILE})"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: sudoers file NOT found"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : AUTH-9252
2019-02-28 10:15:57 +01:00
# Description : Check ownership and permissions for sudo configuration files
2019-07-16 13:20:30 +02:00
if [ -n "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2019-02-28 10:15:57 +01:00
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-02-28 10:19:09 +01:00
SUDO_CONFIG_FILES="${SUDOERS_FILE}"
SUDOERS_D="${SUDOERS_FILE}.d"
if [ -d "${SUDOERS_D}" ]; then
LogText "Test: checking drop-in directory (${SUDOERS_D})"
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND2}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: directory has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
fi
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
2014-09-09 14:49:37 +02:00
fi
2019-02-28 10:19:09 +01:00
for f in ${SUDO_CONFIG_FILES}; do
LogText "Test: checking file (${f})"
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} permissions/ownership OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
done
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9254
# Description : Solaris test to check passwordless accounts
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9254 --os Solaris --weight L --network NO --root-only YES --category security --description "Solaris passwordless accounts"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-08-25 15:31:33 +02:00
FIND=$(logins -p | ${AWKBINARY} '{ print $1 }')
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: no passwordless accounts found"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
else
2014-09-09 14:49:37 +02:00
for I in ${FIND}; do
2016-07-31 13:53:26 +02:00
ReportWarning ${TEST_NO} "Found passwordless account (${I})"
2014-09-09 14:49:37 +02:00
done
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9262
# Description : Search for PAM password strength testing libraries
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9262 --weight L --network NO --category security --description "Checking presence password strength testing tools (PAM)"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
FOUND_CRACKLIB=0
FOUND_PASSWDQC=0
2016-03-22 04:30:47 +01:00
FOUND_PWQUALITY=0
2014-08-26 17:33:55 +02:00
# Cracklib
2016-03-22 04:30:47 +01:00
LogText "Searching PAM password testing modules (cracklib, passwdqc, pwquality)"
2014-08-26 17:33:55 +02:00
for I in ${PAM_FILE_LOCATIONS}; do
2016-03-22 04:30:47 +01:00
2014-08-26 17:33:55 +02:00
if [ -f ${I}/pam_cracklib.so ]; then
FOUND_CRACKLIB=1
2016-03-22 04:30:47 +01:00
FOUND=1
2015-12-21 21:17:15 +01:00
LogText "Result: found pam_cracklib.so (crack library PAM) in ${I}"
2014-08-26 17:33:55 +02:00
fi
2016-03-22 04:30:47 +01:00
if [ -f ${I}/pam_passwdqc.so ]; then
FOUND_PASSWDQC=1
FOUND=1
LogText "Result: found pam_passwdqc.so (passwd quality control PAM) in ${I}"
fi
if [ -f ${I}/pam_pwquality.so ]; then
FOUND_PWQUALITY=1
FOUND=1
LogText "Result: found pam_pwquality.so (password quality control PAM) in ${I}"
fi
2014-08-26 17:33:55 +02:00
done
2016-03-24 11:11:40 +01:00
2016-03-22 04:30:47 +01:00
# Cracklib
2014-08-26 17:33:55 +02:00
if [ ${FOUND_CRACKLIB} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: pam_cracklib.so found"
Report "pam_cracklib=1"
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: pam_cracklib.so NOT found (crack library PAM)"
2014-08-26 17:33:55 +02:00
fi
2016-03-24 11:11:40 +01:00
# Password quality control
2014-08-26 17:33:55 +02:00
if [ ${FOUND_PASSWDQC} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: pam_passwdqc.so found"
Report "pam_passwdqc=1"
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
2016-03-22 04:30:47 +01:00
fi
2016-03-24 11:11:40 +01:00
# pwquality module
2016-03-22 04:30:47 +01:00
if [ ${FOUND_PWQUALITY} -eq 1 ]; then
LogText "Result: pam_pwquality.so found"
Report "pam_pwquality=1"
2017-04-23 20:06:54 +02:00
else
2016-03-22 04:30:47 +01:00
LogText "Result: pam_pwquality.so NOT found (pwquality control PAM)"
2014-08-26 17:33:55 +02:00
fi
if [ ${FOUND} -eq 0 ]; then
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
2015-12-21 21:17:15 +01:00
LogText "Result: no PAM modules for password strength testing found"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
2016-03-22 04:30:47 +01:00
AddHP 0 3
2017-04-23 20:06:54 +02:00
else
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: found at least one PAM module for password strength testing"
2016-03-22 04:30:47 +01:00
AddHP 3 3
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : AUTH-9264
# Description : Scan /etc/pam.conf file
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9264 --weight L --network NO --category security --description "Checking presence pam.conf"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking file /etc/pam.conf"
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/pam.conf ]; then
LogText "Result: file ${ROOTDIR}etc/pam.conf exists"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Test: searching PAM configuration files"
2017-04-23 20:06:54 +02:00
FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
2016-08-25 15:25:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found one or more configuration lines"
2016-08-25 15:25:51 +02:00
for LINE in ${FIND}; do
2016-09-08 21:04:17 +02:00
LINE=$(echo ${LINE} | ${SEDBINARY} 's/:space:/ /g')
2016-08-25 15:25:51 +02:00
LogText "Found line: ${LINE}"
2014-09-09 14:49:37 +02:00
done
fi
2016-08-25 15:25:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/pam.conf could not be found"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM configuration file (pam.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9266
# Description : Searching available PAM configurations (/etc/pam.d)
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9266 --weight L --network NO --category security --description "Checking presence pam.d files"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-07-26 10:57:44 +02:00
LogText "Test: Checking directory ${ROOTDIR}etc/pam.d"
2017-04-23 20:06:54 +02:00
if [ -d ${ROOTDIR}etc/pam.d ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: directory /etc/pam.d exists"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Test: searching PAM configuration files"
2019-07-26 10:57:44 +02:00
FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d -not -name "*.pam-old" -type f -print | sort)
2016-08-25 15:25:51 +02:00
for FILE in ${FIND}; do
LogText "Found file: ${FILE}"
2014-09-09 14:49:37 +02:00
done
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: directory /etc/pam.d could not be found"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9268
# Description : Searching available PAM files
2016-03-03 12:48:42 +01:00
# Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, Solaris
2014-08-26 17:33:55 +02:00
if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking presence pam.d files"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
2015-12-21 21:17:15 +01:00
LogText "Test: Searching pam modules"
2016-07-30 13:54:04 +02:00
for DIR in ${PAM_FILE_LOCATIONS}; do
LogText "Test: Checking ${DIR}"
if [ -d ${DIR} -a ! -L ${DIR} ]; then
LogText "Result: directory ${DIR} exists"
2016-03-03 12:48:42 +01:00
# Search in the specified directory
2019-06-06 14:13:05 +02:00
if [ "${OS}" = "AIX" -o "${OS}" = "Solaris" ]; then
# AIX/Solaris does not support -maxdepth
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
FIND=$(find ${DIR} -type f -name "pam_*.so" -print | sort)
2017-04-23 20:06:54 +02:00
else
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
fi
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then FOUND=1; fi
2016-07-30 13:54:04 +02:00
for FILE in ${FIND}; do
LogText "Found file: ${FILE}"
Report "pam_module[]=${FILE}"
2014-08-26 17:33:55 +02:00
done
2016-07-30 13:54:04 +02:00
else
LogText "Result: directory ${DIR} could not be found or is a symlink to another directory"
2014-08-26 17:33:55 +02:00
fi
done
# Check if we found at least one module
if [ ${FOUND} -eq 0 ]; then
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM modules" --result "${STATUS_NOT_FOUND}" --color WHITE
2015-12-21 21:17:15 +01:00
LogText "Result: no PAM modules found"
2016-07-30 13:54:04 +02:00
else
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- PAM modules" --result "${STATUS_FOUND}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
2019-08-26 08:01:43 +02:00
unset DIR FILE FIND
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9278
# Description : Search LDAP support in PAM files
2019-03-29 12:30:12 +01:00
Register --test-no AUTH-9278 --weight L --network NO --category security --description "Determine LDAP support in PAM files"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-03-29 12:30:12 +01:00
AUTH_FILES="${ROOTDIR}etc/pam.d/common-auth ${ROOTDIR}etc/pam.d/system-auth"
2019-03-29 12:26:12 +01:00
for FILE in ${AUTH_FILES}; do
LogText "Test: checking presence ${FILE}"
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
LogText "Test: checking presence LDAP module"
FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE})
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2019-03-29 12:26:12 +01:00
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
2019-03-29 12:30:12 +01:00
else
2019-03-29 12:26:12 +01:00
LogText "Result: LDAP module not found"
fi
2017-04-23 20:06:54 +02:00
else
2019-03-29 12:26:12 +01:00
LogText "Result: file ${FILE} not found, skipping test"
2014-09-09 14:49:37 +02:00
fi
2019-03-29 12:26:12 +01:00
done
2019-03-29 12:30:12 +01:00
2019-03-29 12:26:12 +01:00
if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
2017-04-23 20:06:54 +02:00
else
2019-03-29 12:26:12 +01:00
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9282 and AUTH-9283
# Note : Every Linux based operating system seem to have different passwd
# options, so we have to check the version first.
if [ "${OS}" = "Linux" ]; then
if [ ${OS_REDHAT_OR_CLONE} -eq 0 ]; then
case ${LINUX_VERSION} in
"SuSE")
PREQS_MET="YES"
2018-12-17 09:58:57 +01:00
FIND=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
2016-08-25 15:31:33 +02:00
FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
2014-08-26 17:33:55 +02:00
;;
*)
PREQS_MET="YES"
2018-12-17 09:58:57 +01:00
FIND=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
2016-08-25 15:31:33 +02:00
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
2014-08-26 17:33:55 +02:00
;;
esac
2018-12-17 09:58:57 +01:00
elif [ ${OS_REDHAT_OR_CLONE} -eq 1 ]; then
2018-12-17 09:55:41 +01:00
PREQS_MET="YES"
2018-12-17 09:58:57 +01:00
FIND=$(for I in $(${AWKBINARY} -F: '{print $1}' ${ROOTDIR}etc/passwd) ; do passwd -S $I | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
2018-12-17 09:55:41 +01:00
FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' ${ROOTDIR}etc/passwd) ; do passwd -S $I | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
2018-12-17 09:58:57 +01:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: skipping test for this Linux version"
2014-08-26 17:33:55 +02:00
ReportManual "AUTH-9282:01"
PREQS_MET="NO"
2018-12-17 09:58:57 +01:00
FIND=""
2014-08-26 17:33:55 +02:00
FIND2=""
fi
else
PREQS_MET="NO"
fi
# Test : AUTH-9282
# Description : Search password protected accounts without expire (Linux)
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking password protected account without expire date"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking Linux version and password expire date status"
2018-12-17 09:58:57 +01:00
if [ -z "${FIND}" ]; then
2017-04-23 20:06:54 +02:00
LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more accounts with expire date set"
2018-12-17 09:58:57 +01:00
for I in ${FIND}; do
2017-04-23 20:06:54 +02:00
LogText "Account without expire date: ${I}"
done
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
fi
2014-08-26 17:33:55 +02:00
fi
2017-04-23 20:06:54 +02:00
#
#################################################################################
#
2014-08-26 17:33:55 +02:00
# Test : AUTH-9283
# Description : Search passwordless accounts
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking passwordless accounts"
2018-12-17 09:58:57 +01:00
if [ -z "${FIND2}" ]; then
2017-04-23 20:06:54 +02:00
LogText "Result: all accounts seem to have a password"
Display --indent 2 --text "- Accounts without password" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more accounts without password"
for I in ${FIND2}; do
LogText "Account without password: ${I}"
Report "account_without_password=${I}"
done
Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found accounts without password"
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9286
# Description : Check user password aging
2015-10-27 12:42:41 +01:00
# Notes : MIN = minimum age, avoid rotation of passwords too quickly
# : MAX = maximum age, ensure regular change of passwords
2018-01-24 19:41:15 +01:00
PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/login.defs ]; then
PREQS_MET="YES"
# Future TODO: check if PAM overrule these settings
fi
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking user password aging"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
LogText "Test: Checking PASS_MIN_DAYS option in ${ROOTDIR}etc/login.defs"
FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
2019-07-16 19:05:28 +02:00
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: password minimum age is not configured"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
2015-10-27 12:42:41 +01:00
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
AddHP 0 1
2016-08-25 15:25:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: password needs to be at least ${FIND} days old"
2015-10-27 12:42:41 +01:00
PASSWORD_MINIMUM_DAYS=${FIND}
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- User password aging (minimum)" --result CONFIGURED --color GREEN
2015-10-27 12:42:41 +01:00
AddHP 3 3
fi
2017-04-23 20:06:54 +02:00
LogText "Test: Checking PASS_MAX_DAYS option in ${ROOTDIR}etc/login.defs "
FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MAX_DAYS") { print $2 } }')
if [ -z "${FIND}" -o "${FIND}" = "99999" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: password aging limits are not configured"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
2015-10-27 12:42:41 +01:00
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
2014-09-09 14:49:37 +02:00
AddHP 0 1
2016-08-25 15:25:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: max password age is ${FIND} days"
2015-10-27 12:42:41 +01:00
PASSWORD_MAXIMUM_DAYS=${FIND}
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- User password aging (maximum)" --result CONFIGURED --color GREEN
2014-09-09 14:49:37 +02:00
AddHP 3 3
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
2015-12-22 16:00:51 +01:00
#
# Test : AUTH-9288
# Description : Determine which accounts have an expired password
2016-03-08 12:01:11 +01:00
# Notes : This test might not work (yet) on all platforms
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/shadow ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Checking for expired passwords"
2015-12-22 16:00:51 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
if FileIsReadable ${ROOTDIR}etc/shadow; then
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
2017-04-23 20:06:54 +02:00
if [ "${OS}" = "Solaris" ]; then
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
NOW=$(nawk 'BEGIN{print srand()}')
2017-04-23 20:06:54 +02:00
else
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
NOW=$(date "+%s")
fi
DAYS_SINCE_EPOCH=$((${NOW}/86400))
2016-04-28 09:15:54 +02:00
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
2015-12-22 16:00:51 +01:00
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
2016-03-08 12:01:11 +01:00
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
2017-03-27 09:19:55 +02:00
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2015-12-22 16:00:51 +01:00
for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired"
Report "account_password_expired[]=${ACCOUNT}"
done
AddHP 0 10
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_FOUND}" --color RED
2015-12-22 16:00:51 +01:00
ReportSuggestion "${TEST_NO}" "Delete accounts which are no longer used"
2016-08-25 15:25:51 +02:00
else
2015-12-22 16:00:51 +01:00
LogText "Result: good, no passwords have been expired"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_OK}" --color GREEN
2015-12-22 16:00:51 +01:00
AddHP 10 10
fi
2017-04-23 20:06:54 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_SKIPPED}" --color YELLOW
2015-12-22 16:00:51 +01:00
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : AUTH-9304
# Description : Check if single user mode login is properly configured in Solaris
2015-07-22 16:28:11 +02:00
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --category security --description "Check single user login configuration"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-09 14:49:37 +02:00
# Check if file exists (Solaris 10 does not have this file by default)
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/default/sulogin ]; then
LogText "Result: file ${ROOTDIR}etc/default/sulogin exists"
2015-12-21 21:17:15 +01:00
LogText "Test: checking presence PASSREQ=NO"
2017-04-23 20:06:54 +02:00
FIND=$(${GREPBINARY} "^PASSREQ=NO" ${ROOTDIR}etc/default/sulogin)
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: option not present or configured to request a password at single user mode login"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN
2014-09-09 14:49:37 +02:00
AddHP 1 1
2016-08-25 15:25:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: option present, no password needed at single user mode login"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "No password needed for single user mode login"
2014-09-09 14:49:37 +02:00
AddHP 0 1
fi
2016-08-25 15:25:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/default/sulogin does not exist"
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9306
# Description : Check if authentication is needed to boot the system
# Notes : :d_boot_authenticate: is a good option for production machines to
# avoid unauthorized booting of systems. Option :d_boot_autentication@:
# disabled a required login.
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-09 14:49:37 +02:00
# Check if file exists
2015-12-21 21:17:15 +01:00
LogText "Test: Searching /tcb/files/auth/system/default"
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}tcb/files/auth/system/default ]; then
LogText "Result: file ${ROOTDIR}tcb/files/auth/system/default exists"
2015-12-21 21:17:15 +01:00
LogText "Test: checking presence :d_boot_authenticate@:"
2016-08-25 15:31:33 +02:00
FIND=$(${GREPBINARY} "^:d_boot_authenticate@" /tcb/files/auth/system/default)
2016-08-25 15:25:51 +02:00
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: option not set, password is needed at boot"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN
2014-09-09 14:49:37 +02:00
AddHP 1 1
2016-08-25 15:25:51 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: option present, no password needed at single user mode login"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-09-09 14:49:37 +02:00
ReportSuggestion ${TEST_NO} "Set password for system boot"
AddHP 0 1
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: file ${ROOTDIR}tcb/files/auth/system/default does not exist"
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9308
# Description : Check single user mode login for Linux
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9308 --os Linux --weight L --network NO --category security --description "Check single user login configuration"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
2016-03-24 16:46:54 +01:00
TEST_PERFORMED=0
2016-03-24 17:16:14 +01:00
if [ ${HAS_SYSTEMD} -eq 0 ]; then
# Check inittab
2017-04-23 20:06:54 +02:00
LogText "Test: Searching ${ROOTDIR}etc/inittab"
if [ -f ${ROOTDIR}etc/inittab ]; then
2016-03-24 17:16:14 +01:00
TEST_PERFORMED=1
2017-04-23 20:06:54 +02:00
LogText "Result: file ${ROOTDIR}etc/inittab exists"
2016-03-24 17:16:14 +01:00
LogText "Test: checking presence sulogin for single user mode"
2017-02-28 20:18:47 +01:00
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
2016-08-25 15:25:51 +02:00
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
2016-03-24 17:16:14 +01:00
FOUND=1
LogText "Result: found sulogin, so single user is protected"
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: file ${ROOTDIR}etc/inittab does not exist"
2014-08-26 17:33:55 +02:00
fi
2016-03-24 17:16:14 +01:00
# Check init
2017-04-23 20:06:54 +02:00
LogText "Test: Searching ${ROOTDIR}etc/sysconfig/init"
if [ -f ${ROOTDIR}etc/sysconfig/init ]; then
2016-03-24 17:16:14 +01:00
TEST_PERFORMED=1
2017-04-23 20:06:54 +02:00
LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists"
2016-03-24 17:16:14 +01:00
LogText "Test: checking presence sulogin for single user mode"
2017-04-23 20:06:54 +02:00
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-03-24 17:16:14 +01:00
FOUND=1
LogText "Result: found sulogin, so single user is protected"
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: file ${ROOTDIR}etc/sysconfig/init does not exist"
2014-08-26 17:33:55 +02:00
fi
fi
2016-03-24 16:46:54 +01:00
# Systemd support
2016-03-24 17:28:53 +01:00
SYSTEMD_DIRECTORY="/lib/systemd/system"
2016-03-24 16:46:54 +01:00
if [ -d ${SYSTEMD_DIRECTORY} ]; then
FILES="console-shell.service emergency.service rescue.service"
LogText "Test: going to check several systemd targets now"
for I in ${FILES}; do
2016-03-24 17:28:53 +01:00
FILE="${SYSTEMD_DIRECTORY}/${I}"
LogText "Test: checking if target ${I} is available (${FILE})"
2016-03-24 16:46:54 +01:00
if [ -f ${FILE} ]; then
# Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
TEST_PERFORMED=1
LogText "Result: found target ${I}"
2018-04-23 11:01:18 +02:00
FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
2016-03-24 16:46:54 +01:00
if [ "${FIND}" = "" ]; then
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
2017-04-23 20:06:54 +02:00
else
2016-03-24 16:46:54 +01:00
LogText "Result: sulogin was found, which is a good measure to protect single user mode"
FOUND=1
fi
2017-04-23 20:06:54 +02:00
else
2016-03-24 16:46:54 +01:00
LogText "Result: target ${I} not found"
fi
done
fi
if [ ${TEST_PERFORMED} -eq 1 ]; then
2014-08-26 17:33:55 +02:00
if [ ${FOUND} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: option not set, no password needed at single user mode boot"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "No password set for single mode"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
AddHP 0 2
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: option set, password is needed at single user mode boot"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_OK}" --color GREEN
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: no tests performed"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : AUTH-9328
# Description : Check default umask in common files
# Notes: This test should be moved later to shells section
# /etc/login.defs
# pam_umask
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9328 --weight L --network NO --category security --description "Default umask values"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Determining default umask"
2016-08-06 10:13:33 +02:00
GOOD_UMASK=0
WEAK_UMASK=0
2014-08-26 17:33:55 +02:00
2016-08-06 10:13:33 +02:00
# /etc/profile.d
2017-04-23 20:06:54 +02:00
LogText "Test: Checking ${ROOTDIR}etc/profile.d directory"
if [ -d ${ROOTDIR}etc/profile.d ]; then
2016-08-06 10:13:33 +02:00
FOUND=0
2017-04-23 20:06:54 +02:00
FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-08-06 10:13:33 +02:00
LogText "Result: found /etc/profile.d, with one or more files in it"
for FILE in ${FIND}; do
2016-09-08 21:04:17 +02:00
HAS_MASK=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
2016-08-06 10:13:33 +02:00
for MASK in ${HAS_MASK}; do
2017-03-07 20:23:08 +01:00
if [ "${MASK}" = "077" -o "${MASK}" = "027" -o "${MASK}" = "0077" -o "${MASK}" = "0027" ]; then
2016-08-06 10:13:33 +02:00
LogText "Result: found a strong umask '${MASK}' set in ${FILE}"
GOOD_UMASK=1
else
LogText "Result: found a weak umask '${MASK}' set in ${FILE}"
WEAK_UMASK=1
fi
done
done
else
LogText "Result: found /etc/profile.d, but it does not contain any files"
fi
else
LogText "Result: /etc/profile.d not found"
fi
# Test /etc/profile (only if we didn't find a good umask in profile.d)
2015-12-21 21:17:15 +01:00
LogText "Test: Checking /etc/profile"
2016-08-06 10:13:33 +02:00
if [ -f /etc/profile -a ${GOOD_UMASK} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/profile exists"
LogText "Test: Checking umask value in /etc/profile"
2016-09-08 21:04:17 +02:00
FIND=$(${GREPBINARY} "umask" /etc/profile | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
FIND2=$(${GREPBINARY} "umask" /etc/profile | ${SEDBINARY} 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }' | wc -l)
2014-08-26 17:33:55 +02:00
FOUND_UMASK=0
2015-08-20 18:46:06 +02:00
if [ "${FIND2}" = "0" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: did not find umask in /etc/profile"
2015-08-20 18:46:06 +02:00
elif [ "${FIND2}" = "1" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found umask (prefixed with spaces)"
2014-08-26 17:33:55 +02:00
FOUND_UMASK=1
2017-03-07 20:23:08 +01:00
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" -a ! "${FIND}" = "0077" -a ! "${FIND}" = "0027" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found umask ${FIND}, which could be more strict"
2014-08-26 17:33:55 +02:00
WEAK_UMASK=1
2016-08-06 10:13:33 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found umask ${FIND}, which is fine"
2016-08-06 10:13:33 +02:00
GOOD_UMASK=1
2014-08-26 17:33:55 +02:00
fi
# Found more than 1 umask value in profile
2016-08-06 10:13:33 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found multiple umask values configured in /etc/profile"
2014-08-26 17:33:55 +02:00
FOUND_UMASK=1
for I in ${FIND}; do
2017-03-07 20:23:08 +01:00
if [ ! "${I}" = "077" -a ! "${I}" = "027" -a ! "${I}" = "0077" -a ! "${I}" = "0027" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: umask ${I} could be more strict"
2014-08-26 17:33:55 +02:00
WEAK_UMASK=1
2015-09-16 17:01:17 +02:00
AddHP 1 2
2016-08-06 10:13:33 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: Found umask ${I}, which is fine"
2015-09-16 17:01:17 +02:00
AddHP 2 2
2014-08-26 17:33:55 +02:00
fi
done
fi
if [ ${FOUND_UMASK} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
2016-08-06 10:13:33 +02:00
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_OK}" --color GREEN
2014-08-26 17:33:55 +02:00
AddHP 2 2
2016-08-06 10:13:33 +02:00
elif [ ${GOOD_UMASK} -eq 1 -a ${WEAK_UMASK} -eq 1 ]; then
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Some umasks found could be more strict (e.g. 027)"
AddHP 1 2
else
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
2014-08-26 17:33:55 +02:00
AddHP 0 2
fi
else
2016-03-17 20:54:28 +01:00
# Some operating systems don't have a default umask defined in /etc/profile (Debian)
LogText "Result: found no umask. Please check if this is correct"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/profile does not exist"
2014-08-26 17:33:55 +02:00
fi
# /etc/passwd
2015-12-21 21:17:15 +01:00
LogText "Test: Checking umask entries in /etc/passwd (pam_umask)"
2014-08-26 17:33:55 +02:00
if [ -f /etc/passwd ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/passwd exists"
LogText "Test: Checking umask value in /etc/passwd"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "umask=" /etc/passwd)
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03"
fi
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/passwd does not exist"
2014-08-26 17:33:55 +02:00
fi
# /etc/login.defs
2015-12-21 21:17:15 +01:00
LogText "Test: Checking /etc/login.defs"
2014-08-26 17:33:55 +02:00
if [ -f /etc/login.defs ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/login.defs exists"
LogText "Test: Checking umask value in /etc/login.defs"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }')
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
2014-09-19 00:35:24 +02:00
AddHP 1 2
2017-03-07 20:23:08 +01:00
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: umask is ${FIND}, which is fine"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN
2014-09-19 00:35:24 +02:00
AddHP 2 2
2016-07-31 13:53:26 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found umask ${FIND}, which could be improved"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-09-19 00:35:24 +02:00
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2
fi
2016-07-31 13:53:26 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/login.defs does not exist"
2014-09-19 00:35:24 +02:00
fi
2014-08-26 17:33:55 +02:00
2014-09-19 00:35:24 +02:00
# Red Hat /etc/init.d/functions
2015-12-21 21:17:15 +01:00
LogText "Test: Checking /etc/init.d/functions"
2014-09-19 00:35:24 +02:00
if [ -f /etc/init.d/functions ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/init.d/functions exists"
LogText "Test: Checking umask value in /etc/init.d/functions"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }')
2014-09-19 00:35:24 +02:00
if [ "${FIND}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: umask is not configured"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
2017-03-07 20:23:08 +01:00
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: umask is ${FIND}, which is fine"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
2014-09-19 00:35:24 +02:00
AddHP 2 2
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found umask ${FIND}, which could be improved"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-09-19 00:35:24 +02:00
AddHP 0 2
fi
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/init.d/functions does not exist"
2014-09-19 00:35:24 +02:00
fi
2014-08-26 17:33:55 +02:00
2015-07-16 17:02:15 +02:00
# /etc/init.d/rc
2015-12-21 21:17:15 +01:00
LogText "Test: Checking /etc/init.d/rc"
2014-09-19 00:35:24 +02:00
if [ -f /etc/init.d/rc ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/init.d/rc exists"
LogText "Test: Checking UMASK value in /etc/init.d/rc"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }')
2014-09-19 00:35:24 +02:00
if [ "${FIND}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-09-19 00:35:24 +02:00
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
2017-03-07 20:23:08 +01:00
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: umask is ${FIND}, which is fine"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
2014-09-19 00:35:24 +02:00
AddHP 2 2
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found umask ${FIND}, which could be improved"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-09-19 00:35:24 +02:00
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2
fi
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/init.d/rc does not exist"
2014-09-19 00:35:24 +02:00
fi
2014-08-26 17:33:55 +02:00
2015-09-10 21:07:06 +02:00
# FreeBSD
if [ -f /etc/login.conf ]; then
FOUND=0
WEAK_UMASK=0
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/login.conf exists"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "umask" /etc/login.conf | ${SEDBINARY} 's/#.*//' | ${SEDBINARY} -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}')
2015-09-10 21:07:06 +02:00
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
2015-09-10 21:42:30 +02:00
case ${UMASK_VALUE} in
2015-09-10 21:07:06 +02:00
027|0027|077|0077)
2015-12-21 21:17:15 +01:00
LogText "Result: found umask value ${UMASK_VALUE}, which is fine"
2015-09-10 21:07:06 +02:00
AddHP 2 2
FOUND=1
;;
*)
AddHP 0 2
FOUND=1
WEAK_UMASK=1
2015-12-21 21:17:15 +01:00
LogText "Result: found umask value ${UMASK_VALUE}, which can be more strict"
2015-09-10 21:07:06 +02:00
;;
esac
done
fi
if [ ${FOUND} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
2019-01-14 18:49:49 +01:00
else
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_WEAK}" --color YELLOW
2015-09-10 21:07:06 +02:00
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW
2015-09-10 21:07:06 +02:00
fi
fi
2015-07-16 17:02:15 +02:00
# /etc/init.d/rcS
2015-12-21 21:17:15 +01:00
LogText "Test: Checking /etc/init.d/rcS"
2014-09-19 00:35:24 +02:00
if [ -f /etc/init.d/rcS ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/init.d/rcS exists"
LogText "Test: Checking if script runs another script."
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }')
2014-09-19 00:35:24 +02:00
if [ "${FIND}" = "" ]; then
2017-03-06 08:41:21 +01:00
FIND2=$(${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }')
2014-09-19 00:35:24 +02:00
if [ "${FIND2}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-09-19 00:35:24 +02:00
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
2017-04-23 20:06:54 +02:00
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: umask is ${FIND2}, which is fine"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN
2014-09-19 00:35:24 +02:00
AddHP 2 2
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found umask ${FIND2}, which could be improved"
2016-07-31 13:53:26 +02:00
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
2014-09-19 00:35:24 +02:00
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2
fi
2017-04-23 20:06:54 +02:00
else
2014-09-19 00:35:24 +02:00
# Improve check
2015-12-21 21:17:15 +01:00
LogText "Result: exec line present in file, setting of umask not needed in this script"
LogText "Output: ${FIND}"
2014-09-19 00:35:24 +02:00
fi
else
2015-12-21 21:17:15 +01:00
LogText "Result: file /etc/init.d/rcS does not exist"
2014-09-19 00:35:24 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9340
# Description : Solaris account locking
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9340 --os Solaris --weight L --network NO --category security --description "Solaris account locking"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2014-09-19 00:35:24 +02:00
FOUND=0
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/security/policy.conf ]; then
LogText "Result: found ${ROOTDIR}etc/security/policy.conf"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf)
2014-09-19 00:35:24 +02:00
if [ ! "${FIND}" = "" ]; then
FOUND=1
2015-12-21 21:17:15 +01:00
LogText "Result: account locking option set"
LogText "Output: ${FIND}"
2014-09-19 00:35:24 +02:00
AddHP 2 2
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: option LOCK_AFTER_RETRIES not set"
2014-09-19 00:35:24 +02:00
AddHP 1 2
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: ${ROOTDIR}etc/security/policy.conf does not exist"
2014-09-19 00:35:24 +02:00
fi
# If policy.conf does not exist, we most likely deal with a Solaris version below 10
# and we proceed with checking the softer option RETRIES in /etc/default/login
# which does not lock account, but discourages brute force password attacks.
if [ ${FOUND} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
LogText "Test: checking ${ROOTDIR}etc/default/login"
if [ -f ${ROOTDIR}etc/default/login ]; then
LogText "Result: file ${ROOTDIR}etc/default/login exists"
FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2014-09-19 00:35:24 +02:00
FOUND=1
2015-12-21 21:17:15 +01:00
LogText "Result: retries option configured"
LogText "Output: ${FIND}"
2014-09-19 00:35:24 +02:00
AddHP 2 2
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: retries option not configured"
2014-09-19 00:35:24 +02:00
AddHP 1 2
fi
2017-04-23 20:06:54 +02:00
else
LogText "Result: file ${ROOTDIR}etc/default/login does not exist"
2014-09-19 00:35:24 +02:00
fi
fi
if [ ${FOUND} -eq 1 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN
2017-04-23 20:06:54 +02:00
else
2014-09-19 00:35:24 +02:00
Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9402
# Description : Query LDAP authentication support
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
2014-09-19 00:35:24 +02:00
if [ "${FIND}" = "" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: LDAP authentication not enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE
else
2015-12-21 21:17:15 +01:00
LogText "Result: LDAP authentication enabled"
2016-07-31 13:53:26 +02:00
Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN
2014-09-19 00:35:24 +02:00
LDAP_AUTH_ENABLED=1
fi
2016-07-31 13:53:26 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: /etc/nsswitch.conf not found"
2014-09-19 00:35:24 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : AUTH-9406
# Description : Check LDAP servers in client configuration
if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query LDAP servers in client configuration"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: checking ldap.conf options"
2016-07-30 16:08:45 +02:00
for FILE in ${LDAP_CONF_LOCATIONS}; do
LogText "Test: checking ${FILE}"
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${FILE}"
LogText "Test: checking LDAP servers in file ${FILE}"
2016-08-25 15:31:33 +02:00
FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
2016-07-30 16:08:45 +02:00
for SERVER in ${FIND}; do
Display --indent 6 --text "LDAP server: ${SERVER}"
LogText "Result: found LDAP server ${SERVER}"
Report "ldap_server[]=${SERVER}"
2014-09-19 00:35:24 +02:00
done
2016-07-30 16:08:45 +02:00
else
LogText "Result: ${FILE} does NOT exist"
2014-09-19 00:35:24 +02:00
fi
done
2016-07-30 16:08:45 +02:00
unset FILE FIND SERVER
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
2015-09-07 04:12:58 +02:00
#
2015-09-07 11:26:09 +02:00
# Test : AUTH-9408
# Description : Logging of failed login attempts
2019-08-08 13:28:17 +02:00
Register --test-no AUTH-9408 --weight L --network NO --category security --description "Logging of failed login attempts"
2015-09-07 04:12:58 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-07-18 11:33:28 +02:00
if [ -f "${ROOTDIR}etc/pam.conf" ]; then
FOUND_PAM_TALLY2=0
FOUND_TALLYLOG=0
if [ -s "${ROOTDIR}var/log/tallylog" ]; then
FOUND_TALLYLOG=1
LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero"
else
LogText "Result: did not find ${ROOTDIR}var/log/tallylog on disk or its file size is zero bytes"
fi
# Determine if pam_tally2 is available
2019-08-08 15:05:23 +02:00
for D in $(GetReportData --key "pam_module\\\[\\\]"); do
2019-07-18 11:33:28 +02:00
if ContainsString "pam_tally2" "${D}"; then
LogText "Result: found pam_tally2 module on disk"
FOUND_PAM_TALLY2=1
fi
done
if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
LogText "Outcome: authentication failures are logged using pam_tally2"
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=pam_tally2"
else
LogText "Outcome: it looks like pam_tally2 is not configured to log failed login attempts"
fi
unset FOUND_PAM_TALLY2 FOUND_TALLYLOG
fi
# Also check /etc/logins.defs, although its usage decreased over the years
if [ -f ${ROOTDIR}etc/login.defs ]; then
LogText "Test: Checking FAILLOG_ENAB option in ${ROOTDIR}etc/login.defs "
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=/etc/login.defs"
LogText "Result: FAILLOG_ENAB is set to 'yes'"
LogText "Outcome: failed login attempts are logged in ${ROOTDIR}var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: failed login attempts may not logged"
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
if [ ${AUTH_FAILED_LOGINS_LOGGED} -eq 1 ]; then
2015-09-07 11:26:09 +02:00
AddHP 3 3
2017-04-23 20:06:54 +02:00
else
2015-09-07 04:12:58 +02:00
AddHP 0 1
2019-07-18 11:33:28 +02:00
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged using pam_tally2 or /etc/login.defs"
2015-09-07 04:12:58 +02:00
fi
fi
#
#################################################################################
2019-03-05 19:03:44 +01:00
#
# Test : AUTH-9409
# Description : Check for doas file
DOAS_FILE=""
Register --test-no AUTH-9409 --os OpenBSD --weight L --network NO --category security --description "Checking /etc/doas.conf file"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: checking presence /etc/doas.conf"
if [ -f /etc/doas.conf ]; then
DOAS_FILE=/etc/doas.conf
FOUND=1
LogText "Result: file /etc/doas.conf found"
else
LogText "Result: file /etc/doas.conf not found"
fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: /etc/doas.conf file found"
Display --indent 2 --text "- doas file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: doas file NOT found"
Display --indent 2 --text "- doas file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : AUTH-9410
# Description : Check for doas file permissions
2019-07-16 13:20:30 +02:00
if [ -n "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2019-03-05 19:03:44 +01:00
Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking /etc/doas.conf permissions"
FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
LogText "Result: file /etc/doas.conf has correct permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2015-12-21 21:17:15 +01:00
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
2019-07-16 13:20:30 +02:00
if [ -n "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
2015-12-21 21:17:15 +01:00
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
2014-08-26 17:33:55 +02:00
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com