tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
lynis/include/tests_squid

329 lines
17 KiB
Plaintext
Raw Normal View History

Initial import
2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
Added link to website, blog, github
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
Preparation for release 3.0.3
2021-01-07 15:22:19 +01:00
# Copyright 2007-2021, CISOfy
Added link to website, blog, github
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
Initial import
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Squid
#
#################################################################################
#
Code enhancements
2017-04-23 20:06:54 +02:00
SQUID_DAEMON_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/squid ${ROOTDIR}etc/squid3 ${ROOTDIR}usr/local/etc/squid ${ROOTDIR}usr/local/squid/etc"
Initial import
2014-08-26 17:33:55 +02:00
SQUID_DAEMON_CONFIG=""
SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25"
SQUID_DAEMON_RUNNING=0
#
#################################################################################
#
Add translate function for all sections + add EN and FR up to date languages files
2020-10-22 00:13:42 +02:00
InsertSection "${SECTION_SQUID_SUPPORT}"
Initial import
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : SQD-3602
# Description : Check for a running Squid daemon
# Notes : Search for squid(3) with a space, to avoid SquidGuard and other
# programs.
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3602 --weight L --network NO --category security --description "Check for running Squid daemon"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: Searching for a Squid daemon"
Initial import
2014-08-26 17:33:55 +02:00
FOUND=0
# Check running processes
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
Initial import
2014-08-26 17:33:55 +02:00
SQUID_DAEMON_RUNNING=1
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: Squid daemon is running"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: No running Squid daemon found"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
Initial import
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : SQD-3604
# Description : Determine Squid daemon configuration file location
if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid daemon file location"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: searching for squid.conf or squid3.conf file"
Initial import
2014-08-26 17:33:55 +02:00
for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
# Checking squid.conf
if [ -f "${I}/squid.conf" ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
LogText "Result: ${I}/squid.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid.conf"
Initial import
2014-08-26 17:33:55 +02:00
fi
# Checking squid3.conf
if [ -f "${I}/squid3.conf" ]; then
Lots of cleanups (#366) * Description fix: SafePerms works on files not dirs. All uses of SafePerms are on files (and indeed, it would reject directories which would have +x set). * Lots of whitespace cleanups. Enforce everywhere(?) the same indentations for if/fi blocks. The standard for the Lynis codebase is 4 spaces. But sometimes it's 1, sometimes 3, sometimes 8. These patches standardize all(?) if blocks but _not_ else's (which are usually indented 2, but sometimes zero); I was too lazy to identify those (see below). This diff is giant, but should not change code behavior at all; diff -w shows no changes apart from whitespace. FWIW I identified instances to check by using: perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1) Which produced output like: ./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then ./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated" ./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then ./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists" ...There's probably formal shellscript-beautification tools that I'm oblivious about. * More whitespace standardization. * Fix a syntax error. This looks like an if [ foo -o bar ]; was converted to if .. elif, but incompletely. * Add whitespace before closing ]. Without it, the shell thinks the ] is part of the last string, and emits warnings like: .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 20:23:08 +01:00
LogText "Result: ${I}/squid3.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
Initial import
2014-08-26 17:33:55 +02:00
fi
done
Code enhancements
2017-04-23 20:06:54 +02:00
if [ -z "${SQUID_DAEMON_CONFIG}" ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: No Squid configuration file found"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN
Initial import
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : SQD-3606
# Description : Check Squid version
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ -n "${SQUIDBINARY}" ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: Squid binary found (${SQUIDBINARY})"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
# Skip check if a setuid/setgid bit is found
Code enhancements
2017-04-23 20:06:54 +02:00
FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
if [ -z "${FIND}" ]; then
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND2=$(${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }')
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
SQUID_VERSION="${FIND2}"
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: test skipped for security reasons, setuid/setgid bit set"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
fi
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: no Squid binary found"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
fi
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SQD-3610
# Description : Check Squid configuration options
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Adjusted descriptions
2019-03-15 13:52:55 +01:00
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
for I in ${FIND}; do
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Found Squid option: ${I}"
Report "squid_option=${I}"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
done
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking defined Squid options" --result "${STATUS_DONE}" --color GREEN
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SQD-3613
Adjusted descriptions
2019-03-15 13:52:55 +01:00
# Description : Check Squid configuration file permissions
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
Code style improvement: quote argument
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning "${TEST_NO}" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
Initial import
2014-08-26 17:33:55 +02:00
AddHP 0 2
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN
Initial import
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
fi
#
#################################################################################
#
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Checking Squid access control"
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SQD-3614
# Description : Check Squid authentication
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: check auth_param option for authentication methods"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }')
Code enhancements
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
Code enhancements
2017-04-23 20:06:54 +02:00
else
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
for I in ${FIND}; do
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: found authentication method ${I}"
Report "squid_auth_method=${I}"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
done
fi
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SQD-3616
# Description : Check external Squid authentication
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: check external_acl_type option for external authentication helpers"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG})
Code enhancements
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "No external_acl_type found"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
Code enhancements
2017-04-23 20:06:54 +02:00
else
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
for I in ${FIND}; do
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: found external authentication method helper"
LogText "Output: ${FIND}"
#Report "squid_external_acl_type=TRUE"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
done
fi
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SQD-3620
# Description : Check ACLs
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
COUNT=0
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: checking ACLs"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
if [ "${FIND}" = "" ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: No ACLs found"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
Code enhancements
2017-04-23 20:06:54 +02:00
else
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found ACL: ${ITEM}"
#Report "squid_acl=${ITEM}" # TODO
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
done
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
LogText "Result: Found ${COUNT} ACLs"
Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
fi
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
# Test : SQD-3624
Fixed a typo
2019-09-21 16:31:06 +02:00
# Description : Check insecure ports in Safe_ports list
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: checking ACL Safe_ports http_access option"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
if IsEmpty "${FIND}"; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: no Safe_ports found"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
Code style improvement: quote argument
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check if Squid has been configured to restrict access to all safe ports"
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: checking ACL safe ports"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
if IsEmpty "${FIND2}"; then
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
Code style improvement: quote argument
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
AddHP 0 1
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: Safe_ports found"
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
for ITEM in ${FIND}; do
LogText "Found safe port: ${ITEM}"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
done
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
AddHP 1 1
fi
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${ITEM} in Safe_ports list"
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" ${SQUID_DAEMON_CONFIG})
if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
AddHP 1 1
Code enhancements
2017-04-23 20:06:54 +02:00
else
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
Code style improvement: quote argument
2019-12-18 12:17:46 +01:00
ReportWarning "${TEST_NO}" "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
AddHP 0 1
fi
done
fi
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SQD-3630 [T]
# Description : Check reply_body_max_size value
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Rename of categories, introduction of groups
2016-07-24 17:22:00 +02:00
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Test: checking option reply_body_max_size"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
2017-04-30 17:59:35 +02:00
if IsEmpty "${FIND}"; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: option reply_body_max_size not configured"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
Initial import
2014-08-26 17:33:55 +02:00
AddHP 1 2
Code style improvement: quote argument
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the upper size of requests."
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: option reply_body_max_size configured"
LogText "Output: ${FIND}"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN
Initial import
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
fi
#
#################################################################################
#
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then
Code cleanup and small enhancements
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Checking Squid general options"
Initial import
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : SQD-3680
# Description : Check httpd_suppress_version_string
Use -n instead of ! -z
2019-07-16 13:20:30 +02:00
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a -n "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Propose fix some typos (#538)
2018-04-23 10:54:44 +02:00
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression"
Initial import
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
Code enhancements
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: option httpd_suppress_version_string not configured"
Various cleanups (#363) * Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
2017-03-06 08:41:21 +01:00
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
Initial import
2014-08-26 17:33:55 +02:00
AddHP 1 2
Code style improvement: quote argument
2019-12-18 12:17:46 +01:00
ReportSuggestion "${TEST_NO}" "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
Code enhancements
2017-04-23 20:06:54 +02:00
else
Rename of logtext and report functions, upcoming year change
2015-12-21 21:17:15 +01:00
LogText "Result: option httpd_suppress_version_string configured"
LogText "Output: ${FIND}"
Replaced text strings to allow translations
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN
Initial import
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
fi
#
#################################################################################
#
Replaced old function names with new ones
2016-04-28 12:31:57 +02:00
WaitForKeyPress
Initial import
2014-08-26 17:33:55 +02:00
#
#================================================================================
Preparation for release 3.0.3
2021-01-07 15:22:19 +01:00
# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com