mirror of
https://github.com/CISOfy/lynis.git
synced 2025-07-23 05:44:45 +02:00
Style changes
parent
4e139f4d71
commit
08036358ea
@ -43,7 +43,7 @@
|
||||
# Description : Check for a running NTP daemon
|
||||
if [ -f /sys/hypervisor/type ]; then
|
||||
# Skip NTP tests if we are in a DomU xen instance YYY
|
||||
FIND=`cat /sys/hypervisor/type`
|
||||
FIND=$(cat /sys/hypervisor/type)
|
||||
if [ "${FIND}" = "xen" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi
|
||||
else
|
||||
PREQS_MET="YES"
|
||||
@ -106,7 +106,7 @@
|
||||
for I in ${CRONTAB_FILES}; do
|
||||
if [ -f ${I} ]; then
|
||||
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
|
||||
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#'`
|
||||
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
|
||||
@ -127,11 +127,11 @@
|
||||
# Check cron jobs
|
||||
for I in ${CRON_DIRS}; do
|
||||
if [ -d ${I} ]; then
|
||||
FIND=`ls ${I} | ${GREPBINARY} -v FIFO`
|
||||
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
for J in ${FIND}; do
|
||||
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
|
||||
FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#"`
|
||||
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
LogText "Positive match found: ${FIND2}"
|
||||
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||
@ -165,7 +165,7 @@
|
||||
# Configuration file for *BSD
|
||||
if [ -f /etc/rc.conf ]; then
|
||||
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
|
||||
FIND=`${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf`
|
||||
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: ntpdate is enabled in rc.conf"
|
||||
FOUND=1
|
||||
@ -203,8 +203,8 @@
|
||||
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check the status of time synchronization via timedatectl"
|
||||
FIND=`${TIMEDATECTL} status | ${GREPBINARY} "NTP synchronized: yes"`
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${TIMEDATECTL} status | ${GREPBINARY} "NTP synchronized: yes")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: time not synchronized via NTP"
|
||||
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
|
||||
fi
|
||||
@ -218,8 +218,8 @@
|
||||
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking for NTP association ID's from ntpq peers list"
|
||||
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} "No association ID's returned"`
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} "No association ID's returned")
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found one or more association ID's"
|
||||
else
|
||||
@ -237,16 +237,17 @@
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: Checking stratum 16 sources from ntpq peers list"
|
||||
FIND=`${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($3=="16") { print $1 } }'`
|
||||
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($3=="16") { print $1 }}')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: All peers are lower than stratum 16"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Found stratum 16 peer: ${I}"
|
||||
FIND2=`${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
|
||||
if [ "${FIND2}" = "" ]; then
|
||||
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE})
|
||||
if [ -z "${FIND2}" ]; then
|
||||
N=$((N + 1))
|
||||
Report "ntp_stratum_16_peer[]=${I}"
|
||||
else
|
||||
LogText "Output: host ${I} ignored by profile"
|
||||
fi
|
||||
@ -258,8 +259,7 @@
|
||||
else
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found one or more high stratum (16) peers)"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
|
||||
ReportWarning ${TEST_NO} "Found one or more stratum 16 peers"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for startum 16 peers"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
@ -297,9 +297,9 @@
|
||||
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking selected time source"
|
||||
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }'`
|
||||
FIND2=`${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }'`
|
||||
if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
|
||||
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }')
|
||||
FIND2=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }')
|
||||
if [ -z "${FIND}" -a ! -z "${FIND2}" ]; then
|
||||
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
|
||||
FIND2=`echo ${FIND2} | sed 's/*//g'`
|
||||
LogText "Result: Found selected time source (value: ${FIND2})"
|
||||
@ -319,8 +319,8 @@
|
||||
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preffered time source"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking preferred time source"
|
||||
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^+' | ${AWKBINARY} '{ print $1 }'`
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} '^+' | ${AWKBINARY} '{ print $1 }')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
|
||||
LogText "Result: No other time source candidates found"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
|
||||
@ -328,7 +328,7 @@
|
||||
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: Found one or more candidates to synchronize time with."
|
||||
for I in ${FIND}; do
|
||||
I=`echo ${I} | sed 's/+//g'`
|
||||
I=$(echo ${I} | sed 's/+//g')
|
||||
LogText "Candidate found: ${I}"
|
||||
done
|
||||
fi
|
||||
@ -342,15 +342,15 @@
|
||||
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking preferred time source"
|
||||
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^x'`
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: No falsetickers found (items preceeding with an 'x')"
|
||||
else
|
||||
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_NONE}" --color YELLOW
|
||||
LogText "Result: Found one or more falsetickers (items preceeding with an 'x')"
|
||||
for I in ${FIND}; do
|
||||
I=`echo ${I} | sed 's/x//g'`
|
||||
I=$(echo ${I} | sed 's/x//g')
|
||||
LogText "Falseticker found: ${I}"
|
||||
Report "ntp_falseticker[]=${I}"
|
||||
done
|
||||
@ -366,8 +366,8 @@
|
||||
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
|
||||
FIND=`${NTPQBINARY} -c ntpversion | ${AWKBINARY} '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${NTPQBINARY} -c ntpversion | ${AWKBINARY} '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
LogText "Result: No NTP version found"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
|
||||
@ -405,7 +405,7 @@
|
||||
else
|
||||
LogText "Result: /etc/ntp/step-tickers is not empty, which is fine"
|
||||
Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
|
||||
sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'`
|
||||
sFIND=$(${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0')
|
||||
for I in ${sFIND}; do
|
||||
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
|
||||
if [ ${FIND} -gt 0 ]; then
|
||||
@ -455,7 +455,7 @@ WaitForKeyPress
|
||||
if [ -f ${FILE} ]; then
|
||||
LogText "Result: found ${FILE}"
|
||||
if IsWorldWritable ${FILE}; then
|
||||
ReportWarning "${TEST_NO}" "Found world writable configuration file"
|
||||
ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" ""
|
||||
fi
|
||||
Report "ntp_config_file[]=${FILE}"
|
||||
fi
|
||||
|
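Review bot: In the TIME-3132 hunk, `FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x')` captures whole ntpq rows, so the unquoted `for I in ${FIND}` loop walks every whitespace-separated column of a falseticker line and writes each one to the report as an `ntp_falseticker[]` entry, not just the peer address. The candidate check in TIME-3128 already narrows to the first field with awk; doing the same here, `FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '/^x/ { print $1 }')`, keeps the report limited to peers. The `sed 's/x//g'` that follows removes every `x` in the word rather than only the leading tally character, so `sed 's/^x//'` is the safer form. The LogText in this test still reads "Checking preferred time source", which looks copied from TIME-3128, and the test body continues outside the hunk.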