lynis/include/tests_printers_spools

303 lines
14 KiB
Plaintext
Raw Normal View History

2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Printers and spools
#
#################################################################################
#
2015-03-23 21:38:37 +01:00
CUPSD_CONFIG_LOCS="/etc/cups /usr/local/etc/cups /private/etc/cups"
2014-08-26 17:33:55 +02:00
CUPSD_CONFIG_FILE=""
CUPSD_RUNNING=0
CUPSD_FOUND=0
LPD_RUNNING=0
PRINTING_DAEMON=""
2014-10-14 10:03:54 +02:00
QDAEMON_CONFIG_ENABLED=0
QDAEMON_CONFIG_FILE=""
QDAEMON_RUNNING=0
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
InsertSection "Printers and Spools"
#
#################################################################################
#
# Test : PRNT-2302
# Description : Check printcap file consistency
Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --description "Check for printcap consistency"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/chkprintcap"
2014-08-26 17:33:55 +02:00
if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
2014-08-26 17:33:55 +02:00
else
LogText "Result: /usr/sbin/chkprintcap found"
2014-08-26 17:33:55 +02:00
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkprintcap did NOT gave any warnings"
2014-08-26 17:33:55 +02:00
else
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
LogText "Output from chkprintcap: ${FIND}"
LogText "Run chkprintcap and check the /etc/printcap file."
2014-08-26 17:33:55 +02:00
fi
fi
fi
#
#################################################################################
#
# Test : PRNT-2304
# Description : Check cupsd status
Register --test-no PRNT-2304 --weight L --network NO --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking cupsd status"
2014-09-19 01:19:07 +02:00
#FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: cups daemon running"
2014-08-26 17:33:55 +02:00
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: cups daemon not running, cups daemon tests skipped"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PRNT-2306
# Description : Check CUPSd configuration file
if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching cupsd configuration file"
2014-08-26 17:33:55 +02:00
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
if FileIsReadable ${I}/cupsd.conf; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
LogText "Result: found ${CUPSD_CONFIG_FILE}"
fi
2014-08-26 17:33:55 +02:00
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
2014-08-26 17:33:55 +02:00
CUPSD_FOUND=1
else
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: configuration file not found"
LogText "Development: no CUPS configuration file found"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PRNT-2307
# Description : Check CUPSd configuration file permissions
2014-09-19 11:44:43 +02:00
# To Do : Add function
2014-08-26 17:33:55 +02:00
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking CUPS configuration file permissions"
2014-08-26 17:33:55 +02:00
FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
LogText "Result: found ${FIND}"
2014-09-19 11:44:43 +02:00
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
2014-08-26 17:33:55 +02:00
AddHP 1 1
else
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
fi
fi
#
#################################################################################
#
# Test : PRNT-2308
# Description : Check CUPS daemon network configuration
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd network configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
2014-08-26 17:33:55 +02:00
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'`
N=0
for I in ${FIND}; do
LogText "Found network address: ${I}"
N=$((N + 1))
2014-08-26 17:33:55 +02:00
FOUND=1
done
if [ ${FOUND} -eq 0 ]; then
ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file"
fi
# Check if daemon is only running on localhost
if [ ${N} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost"
2014-08-26 17:33:55 +02:00
AddHP 2 2
else
LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
AddHP 1 2
fi
else
LogText "Result: CUPS daemon is running on several network addresses"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
AddHP 1 2
fi
# Checking sockets
LogText "Test: Checking cups daemon listening sockets"
2014-08-26 17:33:55 +02:00
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
for I in ${FIND}; do
LogText "Found socket address: ${I}"
N=$((N + 1))
2014-08-26 17:33:55 +02:00
done
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
LogText "Result: no addresses found on which CUPS daemon is listening"
2014-08-26 17:33:55 +02:00
else
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: CUPS daemon is listening on network/socket"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PRNT-2314
# Description : Check lpd status
Register --test-no PRNT-2314 --weight L --network NO --description "Check lpd status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking lpd status"
2014-08-26 17:33:55 +02:00
IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: lp daemon running"
2014-08-26 17:33:55 +02:00
LPD_RUNNING=1; PRINTING_DAEMON="lp"
else
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
LogText "Result: lp daemon not running"
2014-08-26 17:33:55 +02:00
AddHP 4 4
fi
fi
#
#################################################################################
#
# Test : PRNT-23xx
# Description : Test Linux printcap file
#if [ ${CUPSD_RUNNING} -eq 1 -a ! "${CUPSD_CONFIG_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#if [ "${OS}" = "Linux" ]; then
2014-09-15 12:01:09 +02:00
# echo " - Testing printcap file [Test not implemented yet]"
2014-08-26 17:33:55 +02:00
# # Check printcap with checkpc command
#fi
#
#################################################################################
2014-10-14 10:03:54 +02:00
#
# Test : PRNT-2416
# Description : Check /etc/qconfig file
Register --test-no PRNT-2316 --os AIX --weight L --network NO --description "Checking /etc/qconfig file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking /etc/qconfig"
2014-10-14 10:03:54 +02:00
QDAEMON_CONFIG_FILE="/etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
2014-10-21 00:03:42 +02:00
FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"`
2014-10-19 12:43:15 +02:00
if [ ! "${FIND}" = "" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
2014-10-14 10:03:54 +02:00
QDAEMON_CONFIG_ENABLED=1
else
LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
2014-10-14 10:03:54 +02:00
Display --indent 2 --text "- Checking /etc/qconfig file" --result EMPTY --color WHITE
fi
else
LogText "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
2014-10-14 10:03:54 +02:00
fi
fi
#
#################################################################################
#
# Test : PRNT-2418
# Description : Check qdaemon printer spooler status
Register --test-no PRNT-2418 --os AIX --weight L --network NO --description "Checking qdaemon printer spooler status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking qdaemon status"
2014-10-14 10:03:54 +02:00
IsRunning qdaemon
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
2014-10-14 10:03:54 +02:00
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
2014-10-14 10:03:54 +02:00
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
2014-10-14 10:03:54 +02:00
fi
fi
fi
#
#################################################################################
#
# Test : PRNT-2420
# Description : Checking old print jobs
Register --test-no PRNT-2420 --os AIX --weight L --network NO --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking old print jobs"
2014-10-14 10:03:54 +02:00
DirectoryExists /var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
LogText "Found old print job: ${FILE}"
N=$((N + 1))
2014-10-14 10:03:54 +02:00
done
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
2014-10-14 10:03:54 +02:00
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
2014-10-14 10:03:54 +02:00
else
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_NONE}" --color GREEN
2014-10-14 10:03:54 +02:00
fi
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
Report "printing_daemon=${PRINTING_DAEMON}"
2014-08-26 17:33:55 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com