#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 15:48:03 +01:00
# Copyright 2007-2013, Michael Boelen
2021-01-07 15:22:19 +01:00
# Copyright 2007-2021, CISOfy
2016-03-13 15:48:03 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Databases
#
#################################################################################
#
# Per-engine "running" flags (0/1). DATABASE_ENGINE_RUNNING becomes 1 as soon as
# any engine below is detected and drives the closing "No database engines found"
# message of this section.
DATABASE_ENGINE_RUNNING=0
MYSQL_RUNNING=0
POSTGRESQL_RUNNING=0
MONGODB_RUNNING=0
ORACLE_RUNNING=0
DB2_RUNNING=0
REDIS_RUNNING=0
# Redis configuration files discovered by DBS-1882 (space separated list) and
# whether at least one was found; consumed by DBS-1884, DBS-1886 and DBS-1888.
REDIS_CONFIGURATION_FILES=""
REDIS_CONFIGURATION_FOUND=0
# MySQL locations: DATADIR and candidate my.cnf files. Not referenced by any
# test in this file.
sMYSQLDBPATHS="${ROOTDIR}var/lib/mysql"
sMYCNFLOCS="${ROOTDIR}etc/mysql/my.cnf ${ROOTDIR}usr/etc/my.cnf"
#
#################################################################################
#
# Section header for the database tests (screen and report output)
InsertSection "$SECTION_DATABASES"
# Test : DBS-1804
# Description : Check if MySQL is being used
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Look for MariaDB/MySQL server processes; the last stage drops our own grep from the match
    FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
    if [ -n "${FIND}" ]; then
        Display --indent 2 --text "- MySQL process status" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: MySQL is active"
        MYSQL_RUNNING=1
        DATABASE_ENGINE_RUNNING=1
        Report "mysql_running=${MYSQL_RUNNING}"
    else
        # A negative result is only shown on screen in debug mode
        if [ "${DEBUG}" -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
        LogText "Result: MySQL process not active"
    fi
fi
#
#################################################################################
#
# Test : DBS-1808
# Description : Check MySQL data directory
#Register --test-no DBS-1808 --weight L --network NO --category security --description "Checking MySQL data directory"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : DBS-1812
# Description : Check data directory permissions
#Register --test-no DBS-1812 --weight L --network NO --category security --description "Checking MySQL data directory permissions"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : DBS-1816
# Description : Check empty MySQL root password
# Notes : Only perform test when MySQL is running and client is available
if [ -n "${MYSQLCLIENTBINARY}" ] && [ "${MYSQL_RUNNING}" -eq 1 ]; then
    PREQS_MET="YES"
    SKIPREASON=""
else
    PREQS_MET="NO"
    SKIPREASON="MySQL not installed, or not running"
fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
if [ "${SKIPTEST}" -eq 0 ]; then
    LogText "Test: Trying to login to local MySQL server without password"
    # --no-defaults together with an explicit "-u root --password=" keeps credentials stored in
    # ~/.my.cnf out of the attempt, so only a genuinely empty password can make the login succeed.
    # The query is meant to restrict the check to root entries using mysql_native_password with an
    # empty authentication_string (to avoid false positives when another plugin secures root).
    # NOTE(review): the query output is discarded and only the client's exit status is evaluated,
    # so the WHERE clause does not influence the outcome: a successful login with any plugin is
    # reported as "no root password", and any non-zero exit (cannot reach the socket, query error)
    # is reported as "password set". Confirm the intended check before relying on this result.
    if ${MYSQLCLIENTBINARY} --default-auth=mysql_native_password --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; then
        LogText "Result: Login succeeded, no MySQL root password set!"
        ReportWarning "${TEST_NO}" "No MySQL root password set"
        Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
        AddHP 0 5
    else
        LogText "Result: Login did not succeed, so a MySQL root password is set"
        if IsVerbose; then Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN; fi
        AddHP 2 2
    fi
else
    LogText "Test skipped, MySQL daemon not running or no MySQL client available"
fi
#
#################################################################################
#
# Test : DBS-1818
# Description : Check MongoDB status
Register --test-no DBS-1818 --weight L --network NO --category security --description "Check status of MongoDB server"
# Nothing is displayed or logged when mongod is not running
if [ "${SKIPTEST}" -eq 0 ] && IsRunning "mongod"; then
    MONGODB_RUNNING=1
    DATABASE_ENGINE_RUNNING=1
    Report "mongodb_running=1"
    Display --indent 2 --text "- MongoDB status" --result "${STATUS_FOUND}" --color GREEN
fi
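# Test : DBS-1820
# Description : Check empty MongoDB authorization
# Notes : Authentication can be set via command line or configuration file
Register --test-no DBS-1820 --weight L --network NO --category security --description "Check for authorization in MongoDB"
if [ ${SKIPTEST} -eq 0 ]; then
    MONGODB_AUTHORIZATION_ENABLED=0
    if [ ${MONGODB_RUNNING} -eq 1 ]; then
        # Three configuration styles are checked in order; the first match wins.
        # Commented-out settings must not count as enabled: the filter (^[[:space:]]*#|#auth) drops
        # every line whose first non-blank character is '#'. The earlier filter (^#|#auth) only matched
        # a '#' in column 0, so an indented "  # authorization: enabled" was reported as enabled.
        MONGO_CONF_FILES="${ROOTDIR}etc/mongod.conf ${ROOTDIR}etc/mongodb.conf"
        for FILE in ${MONGO_CONF_FILES}; do
            if [ -f "${FILE}" ]; then
                LogText "Result: found MongoDB configuration file (${FILE})"
                # YAML with quotes
                if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
                    LogText "Test: determine authorization setting in new style YAML format"
                    AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: \"enabled\"" "${FILE}" | ${GREPBINARY} -E -v "(^[[:space:]]*#|#auth)")
                    if HasData "${AUTH_IN_CONFIG}"; then
                        LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format with quotes)"
                        MONGODB_AUTHORIZATION_ENABLED=1
                    fi
                fi
                # YAML without quotes
                if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
                    AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" "${FILE}" | ${GREPBINARY} -E -v "(^[[:space:]]*#|#auth)")
                    if HasData "${AUTH_IN_CONFIG}"; then
                        LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format without quotes)"
                        MONGODB_AUTHORIZATION_ENABLED=1
                    fi
                fi
                # Old style (auth = true); lines mentioning noauth are excluded first
                if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
                    LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
                    LogText "Test: now searching for old style configuration (auth = true) in configuration file"
                    AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" "${FILE}" | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^[[:space:]]*#|#auth)")
                    if IsEmpty "${AUTH_IN_CONFIG}"; then
                        LogText "Result: did NOT find auth = true in configuration file"
                    else
                        LogText "Result: GOOD, found authorization option enabled in configuration file (old format)"
                        MONGODB_AUTHORIZATION_ENABLED=1
                    fi
                fi
            else
                LogText "Result: configuration file ${FILE} not found"
            fi
        done
        # Now check authorization on the command line, only when no configuration file enabled it
        if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
            if HasData "${PGREPBINARY}"; then
                # /proc/<pid>/cmdline is NUL separated; "xargs -0 echo" joins it into one space separated line,
                # then a standalone "--auth" argument is searched for
                AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
                if [ -n "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
            else
                LogText "Result: skipped this part of the test, as pgrep is not available"
            fi
        fi
        if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
            LogText "Result: no authorization enabled via parameter or configuration file"
            Report "mongodb_authorization_disabled=1"
            ReportWarning "${TEST_NO}" "MongoDB instance allows any user to access databases"
            Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_DISABLED}" --color RED
        else
            if IsVerbose; then Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_ENABLED}" --color GREEN; fi
        fi
    fi
fi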
#
#################################################################################
#
# Test : DBS-1826
# Description : Check if PostgreSQL is being used
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
if [ "${SKIPTEST}" -eq 0 ]; then
    if ! IsRunning "postgres"; then
        # A negative result is only shown on screen in debug mode
        if [ "${DEBUG}" -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
        LogText "Result: PostgreSQL process not active"
    else
        Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: PostgreSQL is active"
        POSTGRESQL_RUNNING=1
        DATABASE_ENGINE_RUNNING=1
        Report "postgresql_running=${POSTGRESQL_RUNNING}"
    fi
fi
#
#################################################################################
#
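# Test : DBS-1828
# Description : Test PostgreSQL configuration file(s)
#
# Authentication:
# /var/lib/pgsql/data/pg_hba.conf
#
# Configuration
# Arch /var/lib/postgres/data/postgresql.conf
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
if [ ${SKIPTEST} -eq 0 ]; then
    # Candidate locations: versioned usr/local/pgsql/data* directories plus the fixed distribution paths
    FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
    FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
    # Collect the readable *.conf files below those paths. The NUL-delimited find output is reduced to
    # printable characters and one path per line, and each path is tested for readability. The path is
    # handed to 'sh -c' as a positional parameter ($1) instead of being substituted into the command
    # string, so quotes, semicolons or other shell syntax in a file name are never interpreted as code
    # (a data directory is normally writable by the database user, while this audit runs as root).
    # 'xargs -I' is the POSIX spelling of the GNU-only '-i'. Spaces are finally encoded as ':space:' so
    # the for-loop below can split on whitespace; such a path is not decoded again, so the permission
    # check below will not find a file whose name contains a space.
    CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I '{}' sh -c 'test -r "$1" && printf "%s\n" "$1"' _ '{}' | ${SEDBINARY} "s/ /:space:/g")
    for CF in ${CONFIG_FILES}; do
        Report "postgresql_config_file[]=${CF}"
        LogText "Found configuration file (${CF})"
        # pg_hba.conf / postgresql.conf may contain credentials or network details, hence the world-readable check
        if IsWorldReadable ${CF}; then
            LogText "Result: configuration file ${CF} is world readable, this might leak sensitive information!"
            ReportWarning "${TEST_NO}" "PostgreSQL configuration file ${CF} is world readable and might leak sensitive details" "${CF}" "Use chmod 600 to change file permissions"
        else
            LogText "Result: great, configuration file ${CF} is not world readable"
        fi
    done
fi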
#
#################################################################################
#
# Test : DBS-1840
# Description : Check if Oracle is being used
# Notes : tnslsnr: Oracle listener
# pmon: process monitor
# smon: system monitor
# dbwr: database writer
# lgwr: log writer
# arch: archiver (optional)
# ckpt: checkpoint (optional)
# reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
if [ "${SKIPTEST}" -eq 0 ]; then
    # Only the process monitor, system monitor and listener are matched; the last stage drops our own grep
    FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
    if [ -n "${FIND}" ]; then
        Display --indent 2 --text "- Oracle processes status" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Oracle is active"
        ORACLE_RUNNING=1
        DATABASE_ENGINE_RUNNING=1
        Report "oracle_running=${ORACLE_RUNNING}"
    else
        # A negative result is only shown on screen in debug mode
        if [ "${DEBUG}" -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
        LogText "Result: Oracle process(es) not active"
    fi
fi
#
#################################################################################
#
# Test : DBS-1842
# Description : Check Oracle home paths from oratab
#Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/oratab ]; then
# FIND=$(${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }")
# fi
#fi
#
#################################################################################
#
# Test : DBS-1860
# Description : Checks if a DB2 instance is currently running
Register --test-no DBS-1860 --weight L --network NO --category security --description "Checking active DB2 instances"
if [ "${SKIPTEST}" -eq 0 ]; then
    # db2sysc is the DB2 system controller process
    if ! IsRunning db2sysc; then
        if [ "${DEBUG}" -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
        LogText "Result: No DB2 instances are running"
    else
        Display --indent 2 --text "- DB2 instance running" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: At least one DB2 instance is running"
        DB2_RUNNING=1
        DATABASE_ENGINE_RUNNING=1
        Report "db2_running=${DB2_RUNNING}"
    fi
fi
#
#################################################################################
#
# Test : DBS-1880
# Description : Determine if redis is running
Register --test-no DBS-1880 --weight L --network NO --category security --description "Check for active Redis server"
if [ "${SKIPTEST}" -eq 0 ]; then
    if ! IsRunning redis-server; then
        # A negative result is only shown on screen in debug mode
        if [ "${DEBUG}" -eq 1 ]; then Display --indent 2 --text "- Redis (server) status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
        LogText "Result: No Redis processes are running"
    else
        Display --indent 2 --text "- Redis (server) status" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Redis is running"
        REDIS_RUNNING=1
        DATABASE_ENGINE_RUNNING=1
        Report "redis_server_running=${REDIS_RUNNING}"
    fi
fi
#
#################################################################################
#
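# Test : DBS-1882
# Description : Determine Redis configuration
# Prerequisite: Redis must be running. Both variables are assigned on each branch. The earlier version
# assigned PREQS_METS (typo) on the positive branch, which left PREQS_MET and SKIPREASON at the values
# set by DBS-1828 (PostgreSQL), so this test was skipped on hosts running Redis without PostgreSQL.
if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Redis not running"; fi
Register --test-no DBS-1882 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
    # Directories that are scanned for *.conf files
    PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
    if [ ${QNAP_DEVICE} -eq 1 ]; then
        # Directory of the QNAP QKVM package's redis.conf. The earlier code appended the file itself to this
        # list of directories, and the "ls DIR/*.conf" scan below never matched it.
        PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc"
    fi
    if [ -d "${ROOTDIR}snap" ]; then
        # snap packages keep redis.conf below ${ROOTDIR}snap; add the parent directory of each hit
        for SNAP_PATH in $(${FINDBINARY} ${ROOTDIR}snap -name 'redis.conf' -type f | ${SEDBINARY} 's/redis.conf$//g'); do
            PATHS="${PATHS} ${SNAP_PATH}"
        done
    fi
    # ${ROOTDIR}etc/redis.conf is the classic single-file location and is checked directly
    ALLFILES=$(${LSBINARY} ${ROOTDIR}etc/redis.conf 2> /dev/null)
    FOUND=0
    for DIR in ${PATHS}; do
        LogText "Action: scanning directory (${DIR}) for Redis configuration files"
        FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
        if [ -n "${FILES}" ]; then
            ALLFILES="${ALLFILES} ${FILES}"
        else
            LogText "Result: no configuration files found in this directory"
        fi
    done
    # Keep only files that look like a Redis server configuration (not Sentinel, mentions "Redis")
    for CONFFILE in ${ALLFILES}; do
        if FileIsReadable ${CONFFILE}; then
            LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file"
            # Exclude Sentinel configuration file
            FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE})
            if [ -n "${FIND}" ]; then
                LogText "Result: file is a Sentinel configuration file, skipping it"
            else
                LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file"
                FIND=$(${GREPBINARY} "Redis" ${CONFFILE})
                if [ -n "${FIND}" ]; then
                    REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
                    REDIS_CONFIGURATION_FOUND=1
                    LogText "Result: found a Redis configuration file (${CONFFILE})"
                else
                    LogText "Result: this file does not look like a Redis file (${CONFFILE})"
                fi
            fi
        else
            LogText "Could not read this file, so skipping it"
        fi
    done
    # Sort the list of discovered configuration files so we can make them unique
    REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
    # A Redis configuration may hold requirepass and bind settings, hence the world-readable check
    for FILE in ${REDIS_CONFIGURATION_FILES}; do
        if IsWorldReadable ${FILE}; then
            LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!"
            ReportWarning "${TEST_NO}" "Redis configuration file ${FILE} is world readable and might leak sensitive details" "${FILE}" "Use chmod 640 to change file permissions"
        else
            LogText "Result: great, configuration file ${FILE} is not world readable"
        fi
    done
    if [ ${REDIS_CONFIGURATION_FOUND} -eq 0 ]; then ReportException "${TEST_NO}" "Found Redis, but no configuration file. Report this if you know where it is located on your system."; fi
fi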
#
#################################################################################
#
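# Test : DBS-1884
# Description : Determine Redis configuration option: requirepass
# Prerequisites: Redis running and at least one configuration file found by DBS-1882. Both variables are
# assigned on each branch; the earlier version assigned PREQS_METS (typo) on the positive branch, so
# PREQS_MET and SKIPREASON kept whatever a previous test left in them.
if [ ${REDIS_RUNNING} -eq 1 ] && [ ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration file found"; fi
Register --test-no DBS-1884 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: requirepass option configured"
if [ ${SKIPTEST} -eq 0 ]; then
    # Every discovered configuration file is scored individually
    for FILE in ${REDIS_CONFIGURATION_FILES}; do
        if FileIsReadable ${FILE}; then
            # requirepass at the start of a line means client authentication is configured
            if SearchItem "^requirepass" "${FILE}" "--sensitive"; then
                LogText "Result: found 'requirepass' configured"
                AddHP 3 3
                Display --indent 4 --text "- Redis (requirepass configured)" --result "${STATUS_FOUND}" --color GREEN
                Report "redis_requirepass=1"
            else
                AddHP 0 3
                Display --indent 4 --text "- Redis (requirepass configured)" --result "${STATUS_NOT_FOUND}" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Configure the 'requirepass' setting for Redis" "${FILE}" "text:configure 'requirepass' setting in ${FILE}"
                Report "redis_requirepass=0"
            fi
        else
            LogText "Result: test skipped, as we can't read configuration file"
        fi
    done
fi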
#
#################################################################################
#
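# Test : DBS-1886
# Description : Determine Redis configuration option: rename-command CONFIG
# Prerequisites: Redis running and at least one configuration file found by DBS-1882. Both variables are
# assigned on each branch; the earlier version assigned PREQS_METS (typo) on the positive branch, so
# PREQS_MET and SKIPREASON kept whatever a previous test left in them.
if [ ${REDIS_RUNNING} -eq 1 ] && [ ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration found"; fi
Register --test-no DBS-1886 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: rename-command CONFIG used"
if [ ${SKIPTEST} -eq 0 ]; then
    # Every discovered configuration file is scored individually
    for FILE in ${REDIS_CONFIGURATION_FILES}; do
        if FileIsReadable ${FILE}; then
            # Renaming CONFIG limits what an authenticated-but-unprivileged client can change at runtime
            if SearchItem "^rename-command CONFIG" "${FILE}" "--sensitive"; then
                LogText "Result: found 'rename-command CONFIG' configured"
                AddHP 3 3
                Display --indent 4 --text "- Redis (rename of CONFIG command)" --result "${STATUS_FOUND}" --color GREEN
                Report "redis_rename_command_config=1"
            else
                AddHP 0 3
                Display --indent 4 --text "- Redis (rename of CONFIG command)" --result "${STATUS_NOT_FOUND}" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Use the 'rename-command CONFIG' setting for Redis" "${FILE}" "text:configure 'rename-command CONFIG' in ${FILE}"
                Report "redis_rename_command_config=0"
            fi
        else
            LogText "Result: test skipped, as we can't read configuration file"
        fi
    done
fi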
#
#################################################################################
#
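# Test : DBS-1888
# Description : Determine Redis configuration option: bind on localhost
# Prerequisites: Redis running and at least one configuration file found by DBS-1882. Both variables are
# assigned on each branch; the earlier version assigned PREQS_METS (typo) on the positive branch, so
# PREQS_MET and SKIPREASON kept whatever a previous test left in them.
if [ ${REDIS_RUNNING} -eq 1 ] && [ ${REDIS_CONFIGURATION_FOUND} -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Redis not running, or no configuration found"; fi
Register --test-no DBS-1888 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis: bind on localhost"
if [ ${SKIPTEST} -eq 0 ]; then
    # Every discovered configuration file is scored individually
    for FILE in ${REDIS_CONFIGURATION_FILES}; do
        if FileIsReadable ${FILE}; then
            # Accepts "bind localhost" and any "bind 127.*" address at the start of a line
            if SearchItem "^bind (localhost|127\.)" "${FILE}" "--sensitive"; then
                LogText "Result: found 'bind on localhost' configured"
                AddHP 3 3
                Display --indent 4 --text "- Redis (bind on localhost)" --result "${STATUS_FOUND}" --color GREEN
                Report "redis_bind_localhost=1"
            else
                AddHP 0 3
                Display --indent 4 --text "- Redis (bind on localhost)" --result "${STATUS_NOT_FOUND}" --color YELLOW
                ReportSuggestion "${TEST_NO}" "Use 'bind' setting to listen on localhost for Redis instance" "${FILE}" "text:configure 'bind localhost' in ${FILE}"
                Report "redis_bind_localhost=0"
            fi
        else
            LogText "Result: test skipped, as we can't read configuration file"
        fi
    done
fi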
#
#################################################################################
#
# Closing message for this section when none of the engines above was detected
[ "${DATABASE_ENGINE_RUNNING}" -ne 0 ] || Display --indent 4 --text "No database engines found"
#
#################################################################################
#
# Pause for the user before the next section (no-op in non-interactive runs is up to the helper)
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com