diff --git a/include/tests_accounting b/include/tests_accounting
index 93cd2162..4d05f4d6 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -42,7 +42,7 @@
 Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
 LogText "Result: No accounting information available"
 LogText "Remark: Possibly there is another location where the accounting data is stored"
- ReportSuggestion ${TEST_NO} "Enable process accounting"
+ ReportSuggestion "${TEST_NO}" "Enable process accounting"
 AddHP 2 3
 fi
 fi
@@ -61,7 +61,7 @@
 Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
 LogText "Result: No accounting information available"
 LogText "Remark: Possibly there is another location where the accounting data is stored"
- ReportSuggestion ${TEST_NO} "Enable process accounting"
+ ReportSuggestion "${TEST_NO}" "Enable process accounting"
 AddHP 2 3
 fi
 fi
@@ -90,7 +90,7 @@
 Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
 LogText "Result: No accounting information available (${ROOTDIR}var/account/pacct, ${ROOTDIR}var/log/account/pact nor ${ROOTDIR}var/log/pact exist)"
 LogText "Remark: Possibly there is another location where the accounting data is stored"
- ReportSuggestion ${TEST_NO} "Enable process accounting"
+ ReportSuggestion "${TEST_NO}" "Enable process accounting"
 AddHP 2 3
 fi
 fi
@@ -111,7 +111,7 @@
 else
 LogText "Result: sysstat disabled via ${ROOTDIR}etc/default/sysstat"
 Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
- ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
+ ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (disabled)"
 fi
 elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
 FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat)
@@ -121,12 +121,12 @@
 else
 LogText "Result: sysstat disabled via ${ROOTDIR}etc/cron.d/sysstat"
 Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
- ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
+ ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)"
 fi
 else
 LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
 Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
+ ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)"
 fi
 fi
 #
@@ -151,7 +151,7 @@
 LogText "Result: auditd not active"
 Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE
 if [ ! "${VMTYPE}" = "openvz" ]; then
- ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
+ ReportSuggestion "${TEST_NO}" "Enable auditd to collect audit information"
 fi
 AddHP 0 1
 Report "linux_auditd_running=0"
@@ -171,7 +171,7 @@
 LogText "Result: auditd rules empty"
 Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
 AddHP 0 2
- ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
+ ReportSuggestion "${TEST_NO}" "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
 else
 LogText "Result: found auditd rules"
 Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN
@@ -206,7 +206,7 @@
 else
 LogText "Result: could not find auditd configuration file"
 Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_FOUND}" --color RED
- ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
+ ReportSuggestion "${TEST_NO}" "Determine the location of auditd configuration file"
 fi
 fi
 #
@@ -229,12 +229,12 @@
 else
 LogText "Result: can't find log file ${FIND} on disk"
 Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check auditd log file location"
+ ReportSuggestion "${TEST_NO}" "Check auditd log file location"
 fi
 else
 LogText "Result: no log file found"
 Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk"
+ ReportWarning "${TEST_NO}" "Auditd log file is defined but can not be found on disk"
 fi
 fi
 #
@@ -258,7 +258,7 @@
 Report "audit_trail_tool[]=snoopy"
 else
 Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
+ ReportSuggestion "${TEST_NO}" "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
 AddHP 3 3
 fi
 else
diff --git a/include/tests_authentication b/include/tests_authentication
index b29ff65d..786bec64 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -56,7 +56,7 @@
 if [ "${USER}" = "toor" ]; then
 LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
 LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
- ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
+ ReportSuggestion "${TEST_NO}" "Use vipw to delete the 'toor' user if not used."
 fi
 done
 else
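Review bot: In the `@@ -206` hunk of include/tests_accounting the branch that logs "could not find auditd configuration file" still calls `Display` with `--result "${STATUS_FOUND}"`, so the on-screen result contradicts the log line and the suggestion filed right after it. The other not-found branches on this page use `${STATUS_NOT_FOUND}`, so the line should probably read `Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_NOT_FOUND}" --color RED`. The enclosing `if` starts outside the hunk, so the intended status could not be confirmed from the test as a whole.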
@@ -87,7 +87,7 @@
 Display --indent 2 --text "- Unique UIDs" --result "${STATUS_WARNING}" --color RED
 LogText "Result: found multiple accounts with same UID"
 LogText "Output (non-unique UIDs): ${FIND}"
- ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
+ ReportWarning "${TEST_NO}" "Multiple accounts found with same UID"
 fi
 else
 Display --indent 2 --text "- Unique UIDs" --result "${STATUS_SKIPPED}" --color WHITE
@@ -115,7 +115,7 @@
 Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED
 LogText "Result: chkgrp found some errors. Run the tool manually to see details."
 LogText "chkgrp output: ${FIND}"
- ReportWarning ${TEST_NO} "chkgrp reported inconsistencies in /etc/group file"
+ ReportWarning "${TEST_NO}" "chkgrp reported inconsistencies in /etc/group file"
 fi
 fi
 #
@@ -147,7 +147,7 @@
 LogText "Result: grpck binary didn't find any errors in the group files"
 else
 Display --indent 2 --text "- Consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "grpck binary found errors in one or more group files"
+ ReportWarning "${TEST_NO}" "grpck binary found errors in one or more group files"
 fi
 unset FIND
 fi
@@ -181,12 +181,12 @@
 FOUND=1
 else
 LogText "Result: shell ${SHELL} does not exist"
- ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
+ ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
 fi
 fi
 done
 if [ ${FOUND} -eq 1 ]; then
- ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
+ ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
 fi
 fi
 else
@@ -225,12 +225,12 @@
 FOUND=1
 else
 LogText "Result: shell ${SHELL} does not exist"
- ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
+ ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
 fi
 fi
 done
 if [ ${FOUND} -eq 1 ]; then
- ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
+ ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
 fi
 fi
 else
@@ -259,7 +259,7 @@
 Report "auth_groups_nonunique[]=${I}"
 LogText "Non-unique group: ${I}"
 done
- ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct any inconsistencies"
+ ReportSuggestion "${TEST_NO}" "Check your /etc/group file and correct any inconsistencies"
 fi
 fi
 #
@@ -283,7 +283,7 @@
 Report "auth_groups_nonunique[]=${I}"
 LogText "Non-unique group: ${I}"
 done
- ReportSuggestion ${TEST_NO} "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
+ ReportSuggestion "${TEST_NO}" "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
 fi
 fi
 #
@@ -319,7 +319,7 @@
 else
 Display --indent 2 --text "- Password file consistency" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Result: pwck found one or more errors/warnings in the password file."
- ReportSuggestion ${TEST_NO} "Run pwck manually and correct any errors in the password file"
+ ReportSuggestion "${TEST_NO}" "Run pwck manually and correct any errors in the password file"
 AddHP 0 2
 fi
 fi
@@ -563,7 +563,7 @@
 Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
 else
 for I in ${FIND}; do
- ReportWarning ${TEST_NO} "Found passwordless account (${I})"
+ ReportWarning "${TEST_NO}" "Found passwordless account (${I})"
 done
 Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
 fi
@@ -630,7 +630,7 @@
 if [ ${FOUND} -eq 0 ]; then
 Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Result: no PAM modules for password strength testing found"
- ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
+ ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
 AddHP 0 3
 else
 Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
@@ -851,7 +851,7 @@
 if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
 LogText "Result: password minimum age is not configured"
 Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
+ ReportSuggestion "${TEST_NO}" "Configure minimum password age in /etc/login.defs"
 AddHP 0 1
 else
 LogText "Result: password needs to be at least ${FIND} days old"
@@ -865,7 +865,7 @@
 if [ -z "${FIND}" -o "${FIND}" = "99999" ]; then
 LogText "Result: password aging limits are not configured"
 Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
+ ReportSuggestion "${TEST_NO}" "Configure maximum password age in /etc/login.defs"
 AddHP 0 1
 else
 LogText "Result: max password age is ${FIND} days"
@@ -933,7 +933,7 @@
 else
 LogText "Result: option present, no password needed at single user mode login"
 Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "No password needed for single user mode login"
+ ReportWarning "${TEST_NO}" "No password needed for single user mode login"
 AddHP 0 1
 fi
 else
@@ -963,7 +963,7 @@
 else
 LogText "Result: option present, no password needed at single user mode login"
 Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Set password for system boot"
+ ReportSuggestion "${TEST_NO}" "Set password for system boot"
 AddHP 0 1
 fi
 else
@@ -1042,8 +1042,8 @@
 if [ ${FOUND} -eq 0 ]; then
 LogText "Result: option not set, no password needed at single user mode boot"
 Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "No password set for single mode"
- ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
+ ReportWarning "${TEST_NO}" "No password set for single mode"
+ ReportSuggestion "${TEST_NO}" "Set password for single user mode to minimize physical access attack surface"
 AddHP 0 2
 else
 LogText "Result: option set, password is needed at single user mode boot"
@@ -1136,11 +1136,11 @@
 AddHP 2 2
 elif [ ${GOOD_UMASK} -eq 1 -a ${WEAK_UMASK} -eq 1 ]; then
 Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Some umasks found could be more strict (e.g. 027)"
+ ReportSuggestion "${TEST_NO}" "Some umasks found could be more strict (e.g. 027)"
 AddHP 1 2
 else
 Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
+ ReportSuggestion "${TEST_NO}" "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
 AddHP 0 2
 fi
 else
@@ -1174,7 +1174,7 @@
 if [ "${FIND}" = "" ]; then
 LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
 Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
+ ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
 AddHP 1 2
 elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
 LogText "Result: umask is ${FIND}, which is fine"
@@ -1183,7 +1183,7 @@
 else
 LogText "Result: found umask ${FIND}, which could be improved"
 Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
+ ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could be more strict like 027"
 AddHP 0 2
 fi
 else
@@ -1221,7 +1221,7 @@
 if [ "${FIND}" = "" ]; then
 LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
 Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
+ ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
 AddHP 1 2
 elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
 LogText "Result: umask is ${FIND}, which is fine"
@@ -1230,7 +1230,7 @@
 else
 LogText "Result: found umask ${FIND}, which could be improved"
 Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
+ ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could be more strict like 027"
 AddHP 0 2
 fi
 else
@@ -1265,7 +1265,7 @@
 Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
 else
 Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_WEAK}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
+ ReportSuggestion "${TEST_NO}" "Umask in /etc/login.conf could be more strict like 027"
 fi
 else
 LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
@@ -1284,7 +1284,7 @@
 if [ "${FIND2}" = "" ]; then
 LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
 Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
+ ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
 AddHP 1 2
 elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
 LogText "Result: umask is ${FIND2}, which is fine"
@@ -1293,7 +1293,7 @@
 else
 LogText "Result: found umask ${FIND2}, which could be improved"
 Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
+ ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could be more strict like 027"
 AddHP 0 2
 fi
 else
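Review bot: The `elif` in the `@@ -1284` hunk accepts only `077` and `027` for `${FIND2}`, while the /etc/login.defs and /etc/init.d/rc checks (`@@ -1174`, `@@ -1221`) also accept the four-digit forms `0077` and `0027`. A strict four-digit umask in /etc/init.d/rcS would therefore fall through to the "could be improved" suggestion in the `@@ -1293` hunk and lose hardening points. Suggest aligning the condition: `elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" -o "${FIND2}" = "0077" -o "${FIND2}" = "0027" ]; then`. How `${FIND2}` is extracted is outside the hunk.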
@@ -1458,7 +1458,7 @@
 AddHP 3 3
 else
 AddHP 0 1
- #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged using pam_tally2 or /etc/login.defs"
+ #ReportSuggestion "${TEST_NO}" "Configure failed login attempts to be logged using pam_tally2 or /etc/login.defs"
 fi
 fi
 #
diff --git a/include/tests_banners b/include/tests_banners
index f9f26104..7fa94da6 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -108,7 +108,7 @@
 else
 LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
 Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_WEAK}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
+ ReportSuggestion "${TEST_NO}" "Add a legal banner to ${FILE}, to warn unauthorized users"
 AddHP 0 1
 Report "weak_banner_file[]=${FILE}"
 fi
@@ -161,7 +161,7 @@
 else
 LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
 Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_WEAK}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
+ ReportSuggestion "${TEST_NO}" "Add legal banner to /etc/issue.net, to warn unauthorized users"
 AddHP 0 1
 fi
 fi
diff --git a/include/tests_boot_services b/include/tests_boot_services
index fe6e316e..2c239b64 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -338,7 +338,7 @@
 else
 Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
 LogText "Result: Didn't find hashed password line in GRUB boot file!"
- ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
+ ReportSuggestion "${TEST_NO}" "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
 AddHP 0 2
 fi
 else
@@ -420,13 +420,13 @@
 if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
 Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
 LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
- ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password="
- ReportWarning ${TEST_NO} "No password set on LILO bootloader"
+ ReportSuggestion "${TEST_NO}" "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password="
+ ReportWarning "${TEST_NO}" "No password set on LILO bootloader"
 AddHP 0 2
 elif [ "${MACHINE_ROLE}" = "personal" ]; then
 Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow
 LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
- ReportSuggestion ${TEST_NO} "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password="
+ ReportSuggestion "${TEST_NO}" "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password="
 AddHP 1 2
 else
 LogText "Result: no password set for LILO, with unknown machine role"
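Review bot: The `personal` branch of this hunk passes `--color yellow` in lower case, whereas every other `Display` call on this page spells the colour in upper case. `Display` is defined outside this diff; if it matches the colour name case-sensitively, this finding is printed without its colour. Suggest `--color YELLOW` on that line. The same branch shows `${STATUS_WARNING}` but files only a suggestion, which may be deliberate for personal machines and would be worth a short comment saying so.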
@@ -501,8 +501,8 @@
 FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf)
 if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
- #ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
- ReportWarning ${TEST_NO} "System can be booted into single user mode without password"
+ #ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
+ ReportWarning "${TEST_NO}" "System can be booted into single user mode without password"
 else
 Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN
 LogText "Ok, boot option is enabled."
@@ -511,7 +511,7 @@
 Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
 LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical"
 LogText "access to the server can be used to possibly enter single user mode."
- ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
+ ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
 fi
 if [ ${FOUND} -eq 1 ]; then
 LogText "Result: found OpenBSD boot loader"
@@ -645,7 +645,7 @@
 LogText "Result: found ${COUNT} services"
 fi
 elif [ -z "${sRUNLEVEL}" ]; then
- ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
+ ReportSuggestion "${TEST_NO}" "Determine runlevel and services at startup"
 else
 LogText "Result: skipping further actions"
 fi
@@ -716,7 +716,7 @@
 LogText "Test: Checking ${CHECKFILE} file for writable bit"
 if IsWorldWritable ${CHECKFILE}; then
 FOUND=1
- ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
+ ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
 LogText "Result: warning, file ${CHECKFILE} is world writable"
 else
 LogText "Result: good, file ${CHECKFILE} not world writable"
@@ -727,7 +727,7 @@
 # Check results
 if [ ${FOUND} -eq 1 ]; then
 Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
+ ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
 LogText "Result: found one or more scripts which are possibly writable by other users"
 AddHP 0 3
 else
@@ -938,7 +938,7 @@
 LogText "Test: Checking ${CHECKFILE} file for writable bit"
 if IsWorldWritable ${CHECKFILE}; then
 FOUND=1
- ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
+ ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
 LogText "Result: warning, file ${CHECKFILE} is world writable"
 else
 LogText "Result: good, file ${CHECKFILE} not world writable"
@@ -949,7 +949,7 @@
 # Check results
 if [ ${FOUND} -eq 1 ]; then
 Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
+ ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
 LogText "Result: found one or more scripts which are possibly writable by other users"
 AddHP 0 3
 else
diff --git a/include/tests_crypto b/include/tests_crypto
index 96dc067a..44f19cdc 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
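Review bot: `if IsWorldWritable ${CHECKFILE}; then` in the `@@ -716` hunk still expands a file path unquoted, one line above the `${TEST_NO}` argument this commit quotes. A startup script path containing whitespace or glob characters would be word-split before it reaches the permission check, so the check could run against the wrong path and miss a world-writable script. Suggest `if IsWorldWritable "${CHECKFILE}"; then` here and in the identical `@@ -938` hunk; `[ -L ${I} ]` and `ShowSymlinkPath ${I}` in the `@@ -44` hunk of include/tests_filesystems have the same pattern. The loop that sets `${CHECKFILE}` is outside the hunk, so how the path list is built could not be checked.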
@@ -123,7 +123,7 @@
 Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN
 else
 Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED
- ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
+ ReportSuggestion "${TEST_NO}" "Check available certificates for expiration"
 fi
 fi
diff --git a/include/tests_custom.template b/include/tests_custom.template
index e8de448f..38dfaf0a 100644
--- a/include/tests_custom.template
+++ b/include/tests_custom.template
@@ -134,7 +134,7 @@
 Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
 else
 Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "This is a suggestion"
+ ReportSuggestion "${TEST_NO}" "This is a suggestion"
 fi
 fi
 #
diff --git a/include/tests_databases b/include/tests_databases
index 5778dd1c..f950fa9c 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -89,7 +89,7 @@
 FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?)
 if [ "${FIND}" = "0" ]; then
 LogText "Result: Login succeeded, no MySQL root password set!"
- ReportWarning ${TEST_NO} "No MySQL root password set"
+ ReportWarning "${TEST_NO}" "No MySQL root password set"
 Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
 AddHP 0 5
 else
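Review bot: In the `@@ -89` hunk of include/tests_databases the command substitution that fills `${FIND}` discards only stderr, so the client's stdout is captured together with the output of `echo $?`. After a successful passwordless login `${FIND}` would then appear to hold the query result followed by the exit status, `[ "${FIND}" = "0" ]` would not match, and the "No MySQL root password set" warning would be skipped. If only the exit status is meant to be tested, discard stdout as well, e.g. `... mysql >/dev/null 2>&1; echo $?)`. This was read from the hunk only and not run against a client; the surrounding test starts outside the hunk.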
@@ -160,7 +160,7 @@
 if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
 LogText "Result: no authorization enabled via parameter or configuration file"
 Report "mongodb_authorization_disabled=1"
- ReportWarning ${TEST_NO} "MongoDB instance allows any user to access databases"
+ ReportWarning "${TEST_NO}" "MongoDB instance allows any user to access databases"
 Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_DISABLED}" --color RED
 else
 if IsVerbose; then Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_ENABLED}" --color GREEN; fi
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 8f97d8c2..36201fcf 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -307,7 +307,7 @@
 if [ -z "${FIND}" ]; then
 LogText "Result: No SHA256 or SHA512 found for creating checksums"
 Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
- ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
+ ReportSuggestion "${TEST_NO}" "Use SHA256 or SHA512 to create checksums in AIDE"
 AddHP 1 3
 else
 LogText "Result: Found SHA256 or SHA512 found for creating checksums"
@@ -330,7 +330,7 @@
 else
 LogText "Result: No file integrity tools found"
 Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
+ ReportSuggestion "${TEST_NO}" "Install a file integrity tool to monitor changes to critical and sensitive files"
 AddHP 0 5
 fi
 fi
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 398b2530..96087094 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -44,7 +44,7 @@
 if [ -L ${I} ]; then
 ShowSymlinkPath ${I}
 LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
- ReportSuggestion ${TEST_NO} "Symlinked mount point needs to be checked manually"
+ ReportSuggestion "${TEST_NO}" "Symlinked mount point needs to be checked manually" "${I}" ""
 Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
 elif [ -d ${I} ]; then
 LogText "Result: directory ${I} exists"
@@ -56,7 +56,7 @@
 if IsEmpty "${FIND}"; then
 LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
 Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
+ ReportSuggestion "${TEST_NO}" "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
 AddHP 9 10
 else
 LogText "Result: found ${I} as a separated mount point"
@@ -327,8 +327,8 @@
 else
 Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
 LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
- #ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})"
- ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
+ #ReportWarning "${TEST_NO}" "Possible incorrect mount options used for swap partition (${FIND})"
+ ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap partition mount options"
 LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
 fi
 fi
@@ -396,7 +396,7 @@
 LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
 LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
 LogText "directories by setting a boot option."
- ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
+ ReportSuggestion "${TEST_NO}" "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
 fi
 fi
 #
@@ -415,7 +415,7 @@
 AddHP 3 3
 else
 Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
+ ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
 AddHP 0 3
 fi
 unset FIND
@@ -438,7 +438,7 @@
 AddHP 3 3
 else
 Display --indent 2 --text "- Checking ${ROOTDIR}var/tmp sticky bit" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
+ ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
 AddHP 0 3
 fi
 unset FIND
@@ -716,7 +716,7 @@
 else
 LogText "Result: database not found"
 Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
+ ReportSuggestion "${TEST_NO}" "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
 fi
 fi
 #
@@ -782,7 +782,7 @@
 AddHP 2 3
 if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
 # Tip to disable a particular module if it is not loaded TODO
- #ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
+ #ReportSuggestion "${TEST_NO}" "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
 FOUND=1
 AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
 else
diff --git a/include/tests_firewalls b/include/tests_firewalls
index dabb7a97..67f21020 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -128,7 +128,7 @@
 "ACCEPT")
 LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
 Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
- #ReportSuggestion ${TEST_NO} "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
+ #ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
 AddHP 1 3
 ;;
 "DROP")
@@ -139,7 +139,7 @@
 *)
 Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
 LogText "Result: Unknown policy: ${policy}"
- #ReportSuggestion ${TEST_NO} "Check iptables ${chainname} (table: ${table}) chain policy"
+ #ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
 ;;
 esac
 fi
@@ -162,7 +162,7 @@
 FIREWALL_EMPTY_RULESET=1
 LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
+ ReportWarning "${TEST_NO}" "iptables module(s) loaded, but no rules active"
 else
 LogText "Result: one or more rules are available (${FIND} rules)"
 Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
@@ -187,7 +187,7 @@
 LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
 LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
 LogText "Output: iptables rule numbers: ${FIND}"
- ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
+ ReportSuggestion "${TEST_NO}" "Check iptables rules to see which rules are currently not used"
 LogText "Tip: iptables --list --numeric --line-numbers --verbose"
 fi
 fi
@@ -282,7 +282,7 @@
 else
 Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
 LogText "Result: found one or more warnings in the pf filter rules"
- ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
+ ReportWarning "${TEST_NO}" "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
 fi
 else
 LogText "Result: /etc/pf.conf does NOT exist"
@@ -548,7 +548,7 @@
 else
 Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
 LogText "Result: no host based firewall/packet filter found or configured"
- ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
+ ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic"
 AddHP 0 5
 fi
 fi
diff --git a/include/tests_hardening b/include/tests_hardening
index 12af3c9b..8b8ae452 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -76,7 +76,7 @@
 # Report suggestion is one or more compilers can be better hardened
 if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
 LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
- ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
+ ReportSuggestion "${TEST_NO}" "Harden compilers like restricting access to root user only"
 fi
 fi
 fi
@@ -99,7 +99,7 @@
 else
 Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
 fi
- ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
+ ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
 AddHP 1 3
 LogText "Result: no malware scanner found"
 fi
diff --git a/include/tests_homedirs b/include/tests_homedirs
index e8226bed..13a91d86 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -141,7 +141,7 @@ EOF
 LogText "Result: the following files seem to be of the wrong file type:"
 LogText "Output: ${FIND}"
 LogText "Info: above files could be redirected files to avoid logging and should be investigated"
- ReportWarning ${TEST_NO} "Incorrect file type found for shell history file"
+ ReportWarning "${TEST_NO}" "Incorrect file type found for shell history file"
 fi
 LogText "Remark: History files are normally of the type 'file'. Symbolic links and other types are suspicious."
 else
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 40cd9cf0..61a66066 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -45,7 +45,7 @@
 INETD_PACKAGE_INSTALLED=1
 LogText "Result: inetd is installed"
 Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
- #ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed"
+ #ReportSuggestion "${TEST_NO}" "If there are no inetd services required, it is recommended that the daemon be removed"
 else
 LogText "Result: inetd is NOT installed"
 Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN
@@ -105,7 +105,7 @@
 else
 LogText "Result: found services in inetd, even though inetd is not running"
 Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
+ ReportSuggestion "${TEST_NO}" "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
 fi
 fi
 #
@@ -141,7 +141,7 @@
 if PackageIsInstalled "xinetd"; then
 LogText "Result: xinetd is installed"
 Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed"
+ ReportSuggestion "${TEST_NO}" "If there are no xinetd services required, it is recommended that the daemon be removed"
 else
 LogText "Result: xinetd is NOT installed"
 Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN
@@ -200,7 +200,7 @@
 else
 LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running"
 Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
+ ReportSuggestion "${TEST_NO}" "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
 fi
 fi
 #
@@ -264,7 +264,7 @@
 else
 LogText "Result: tcp_wrappers is NOT installed"
 Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- #ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
+ #ReportSuggestion "${TEST_NO}" "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
 fi
 fi
 #
@@ -283,7 +283,7 @@
 if [ ${FOUND} -eq 1 ]; then
 LogText "Result: rsh client is installed"
 Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package"
+ ReportSuggestion "${TEST_NO}" "Remove rsh client when it is not in use or replace with the more secure SSH package"
 else
 LogText "Result: rsh client is NOT installed"
 Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN
@@ -317,7 +317,7 @@
 # if [ ${FOUND} -eq 1 ]; then
 # LogText "Result: found one or more Rsh Trust Files"
 # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW
- # ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system"
+ # ReportSuggestion "${TEST_NO}" "Remove every Rsh Trust Files as they can allow unauthenticated access to a system"
 # else
 # LogText "Result: no Rsh Trust Files found"
 # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN
@@ -340,7 +340,7 @@
 if [ ${FOUND} -eq 1 ]; then
 LogText "Result: rsh server is installed"
 Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH"
+ ReportSuggestion "${TEST_NO}" "Remove the rsh-server package and replace with a more secure alternative like SSH"
 Report "insecure_service[]=rsh-server"
 else
 LogText "Result: rsh server is NOT installed"
@@ -362,7 +362,7 @@
 LogText "Result: telnet client is installed"
 Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW
 # Telnet client usage might be used for troubleshooting instead of system administration
- #ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package"
+ #ReportSuggestion "${TEST_NO}" "telnet client contain numerous security exposures and have been replaced with the more secure SSH package"
 else
 LogText "Result: telnet client is NOT installed"
 Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN
@@ -385,7 +385,7 @@
 if [ ${FOUND} -eq 1 ]; then
 LogText "Result: telnet server is installed"
 Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible"
+ ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and replace with SSH when possible"
 Report "insecure_service[]=telnet-server"
 else
 LogText "Result: telnet server is NOT installed"
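Review bot: In the telnet server hunk (-385) the suggestion text interpolates `${FOUND}`, but the branch is entered through `[ ${FOUND} -eq 1 ]`, so the report would read "Removing the 1 package" instead of naming a package. The NIS and TFTP server checks later in this file test `[ -n "${FOUND}" ]`, which suggests the sentence was copied from a branch where FOUND holds a package name. Naming the package literally fixes the message: `ReportSuggestion "${TEST_NO}" "Remove the telnet server package and replace with SSH when possible"`. The code that assigns FOUND is above the hunk, so confirm how it is set before changing it.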
@@ -411,7 +411,7 @@
 if [ -n "${FOUND}" ]; then
 LogText "Result: NIS client is installed"
 Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "NIS client should be removed if not required. Use a more secure alternative or a protocol that can use encrypted communications."
+ ReportSuggestion "${TEST_NO}" "NIS client should be removed if not required. Use a more secure alternative or a protocol that can use encrypted communications."
 else
 LogText "Result: NIS client is NOT installed"
 Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_OK}" --color GREEN
@@ -435,7 +435,7 @@
 if [ -n "${FOUND}" ]; then
 LogText "Result: NIS server is installed"
 Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services"
+ ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services"
 else
 LogText "Result: NIS server is NOT installed"
 Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_OK}" --color GREEN
@@ -459,7 +459,7 @@
 if [ -n "${FOUND}" ]; then
 LogText "Result: TFTP client is installed"
 Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server)"
+ ReportSuggestion "${TEST_NO}" "It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server)"
 else
 LogText "Result: TFTP client is NOT installed"
 Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_OK}" --color GREEN
@@ -483,7 +483,7 @@
 if [ -n "${FOUND}" ]; then
 LogText "Result: TFTP server is installed"
 Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of tftp services"
+ ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of tftp services"
 else
 LogText "Result: TFTP server is NOT installed"
 Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_OK}" --color GREEN
diff --git a/include/tests_kernel b/include/tests_kernel
index 1a78bfcc..a77ac69a 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -144,7 +144,7 @@
 Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
 else
 Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
+ ReportSuggestion "${TEST_NO}" "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
 fi
 else
 Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
@@ -394,7 +394,7 @@
 LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
 else
 LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
- ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
+ ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
 fi
 LogText "Test: Using apt-cache policy to determine if there is an update available"
 FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
@@ -406,7 +406,7 @@
 LogText "Result: Exception occurred, no output from apt-cache policy"
 if [ ${HAS_VMLINUZ} -eq 1 ]; then
 ReportException "${TEST_NO}:01"
- ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy to determine why its output is empty"
+ ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
 fi
 LogText "Result: apt-cache policy did not return an installed kernel version"
 else
@@ -422,7 +422,7 @@
 else
 Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
 LogText "Result: kernel update available according 'apt-cache policy'."
- ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
+ ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
 fi
 fi
 else
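Review bot: The `FINDINST=$(apt-cache policy ${FINDKERNEL} | ...)` line at the end of the first hunk (-394) calls `apt-cache` by bare name, while the rest of the pipeline uses resolved `${EGREPBINARY}`, `${CUTBINARY}` and `${TRBINARY}` variables. An audit tool that normally runs as root should not depend on the caller's PATH for one command in a pipeline. If the project resolves binaries at startup, as the variable names suggest, apt-cache should be called the same way. `${FINDKERNEL}` is also left unquoted there, which this quoting pass does not cover; `"${FINDKERNEL}"` would be consistent with the change. The test block starts above the hunk.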
@@ -465,13 +465,13 @@
 TMP_COLOR="GREEN"
 if [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -gt 1 ]; then
 LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set multiple times in systemd configuration files. Check config!"
- ReportSuggestion ${TEST_NO} "Check systemd configuration for duplicate entries of core dump settings"
+ ReportSuggestion "${TEST_NO}" "Check systemd configuration for duplicate entries of core dump settings"
 TMP_COLOR="YELLOW"
 fi
 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DISABLED}" --color "${TMP_COLOR}"
 elif [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
 LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set in ${ROOTDIR}etc/systemd/coredump.conf but overwritten in subdir config files"
- ReportSuggestion ${TEST_NO} "Check systemd configuration for overwriting core dump settings"
+ ReportSuggestion "${TEST_NO}" "Check systemd configuration for overwriting core dump settings"
 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color YELLOW
 AddHP 0 1
 elif ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] ) || \
@@ -479,7 +479,7 @@
 ( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
 ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
 LogText "Result: core dumps are explicitely enabled in systemd configuration files"
- ReportSuggestion ${TEST_NO} "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
+ ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
 AddHP 0 1
 else
@@ -755,7 +755,7 @@
 AddHP 5 5
 elif [ ${REBOOT_NEEDED} -eq 1 ]; then
 Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
- ReportWarning ${TEST_NO} "Reboot of system is most likely needed" "" "text:reboot"
+ ReportWarning "${TEST_NO}" "Reboot of system is most likely needed" "" "text:reboot"
 AddHP 0 5
 else
 Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index eba7504d..9599a708 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -106,7 +106,7 @@
 # Add suggestion if one or more sysctls have a different value than scan profile
 if [ ${FOUND} -eq 1 ]; then
 LogText "Result: found ${N} keys that can use tuning, according scan profile"
- ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:)"
+ ReportSuggestion "${TEST_NO}" "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:)"
 fi
 fi
 #
diff --git a/include/tests_logging b/include/tests_logging
index 7e595049..9c2ae9a6 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -47,7 +47,7 @@
 if [ -z "${FIND}" ]; then
 Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
 LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
- ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
+ ReportSuggestion "${TEST_NO}" "Check if any syslog daemon is running and correctly configured."
 AddHP 0 3
 else
 Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
@@ -92,7 +92,7 @@
 else
 LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
 Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
+ ReportSuggestion "${TEST_NO}" "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
 fi
 fi
 #
@@ -191,7 +191,7 @@
 else
 LogText "Result: No klogd found"
 Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
- ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
+ ReportWarning "${TEST_NO}" "klogd is not running, which could lead to missing kernel messages in log files"
 fi
 else
 LogText "Result: test skipped, because other facility is being used to log kernel messages"
@@ -210,7 +210,7 @@
 Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
 LogText "Result: minilogd found in process list"
 # minilogd daemon seems to be running
- ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running"
+ ReportWarning "${TEST_NO}" "minilogd is running, which should normally not be running"
 else
 Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
 LogText "Result: No minilogd is running"
@@ -247,7 +247,7 @@
 else
 Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
 LogText "Result: No logrotate configuration found"
- ReportSuggestion ${TEST_NO} "Check if log files are properly rotated"
+ ReportSuggestion "${TEST_NO}" "Check if log files are properly rotated"
 fi
 fi
 #
@@ -328,8 +328,8 @@
 else
 Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
 LogText "Result: No loghost entry found"
- ReportWarning ${TEST_NO} "No loghost entry found"
- ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
+ ReportWarning "${TEST_NO}" "No loghost entry found"
+ ReportSuggestion "${TEST_NO}" "Add a loghost entry to /etc/inet/hosts or other name services"
 fi
 fi
 #
@@ -421,7 +421,7 @@
 if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
 Report "remote_syslog_configured=0"
 LogText "Result: no remote logging found"
- ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
+ ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
 AddHP 1 3
 Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
 else
@@ -556,7 +556,7 @@
 Report "deleted_file[]=${I}"
 done
 Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
+ ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
 else
 LogText "Result: no deleted files found"
 Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 15d675a3..972bbb8a 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -83,7 +83,7 @@
 Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
 elif [ $? -eq 2 ]; then
 LogText "Result: AppArmor is enabled, but no policy is loaded"
- ReportSuggestion ${TEST_NO} "Load AppArmor policies"
+ ReportSuggestion "${TEST_NO}" "Load AppArmor policies"
 Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
 Report "apparmor_enabled=1"
 Report "apparmor_policy_loaded=0"
@@ -148,7 +148,7 @@
 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
 else
 LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
- ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
+ ReportWarning "${TEST_NO}" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
 fi
 Display --indent 8 --text "Current SELinux mode: ${FIND}"
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index a5d116fc..63b43804 100644
--- a/include/tests_mail_messaging
+++ b/include/tests_mail_messaging
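Review bot: The `elif [ $? -eq 2 ]; then` in the AppArmor hunk (-83) reads `$?` after at least one earlier condition of the same if-chain has already run. If those earlier branches are also `[ $? -eq N ]` tests, `$?` holds the status of the previous `[` command by this point, not that of the AppArmor status command, and the "enabled, but no policy is loaded" branch can never be taken. The head of the chain is above the hunk, so this needs confirming there. Saving the status once right after the command, `AA_STATUS=$?` (the variable name is only an example), and testing `[ "${AA_STATUS}" -eq 2 ]` in every branch keeps the MAC framework state from being misreported.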
@@ -286,7 +286,7 @@
 Report "postfix_config_error=1"
 Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
 LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
- ReportSuggestion ${TEST_NO} "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
+ ReportSuggestion "${TEST_NO}" "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
 else
 LogText "Result: all looks to be fine with Postfix configuration"
 if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi
@@ -327,8 +327,8 @@
 if [ ${SHOWWARNING} -eq 1 ]; then
 Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED
 LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
- ReportWarning ${TEST_NO} "Found some information disclosure in SMTP banner (OS or software name)"
- ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
+ ReportWarning "${TEST_NO}" "Found some information disclosure in SMTP banner (OS or software name)"
+ ReportSuggestion "${TEST_NO}" "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
 else
 if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi
 fi
diff --git a/include/tests_malware b/include/tests_malware
index e8d680c1..6718a10b 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -297,7 +297,7 @@
 else
 Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Result: freshclam is not running"
- ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
+ ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
 fi
 fi
 #
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
index fc1789dc..6c1bf558 100644
--- a/include/tests_memory_processes
+++ b/include/tests_memory_processes
@@ -85,7 +85,7 @@
 LogText "Result: found one or more dead or zombie processes"
 LogText "Output: PIDs ${FIND}"
 Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_FOUND}" --color RED
- ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
+ ReportSuggestion "${TEST_NO}" "Check the output of ps for dead or zombie processes"
 fi
 fi
 #
@@ -110,7 +110,7 @@
 LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
 LogText "Output: PIDs ${FIND}"
 Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_FOUND}" --color RED
- ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
+ ReportSuggestion "${TEST_NO}" "Check process listing for processes waiting for IO requests"
 fi
 fi
 #
diff --git a/include/tests_nameservices b/include/tests_nameservices
index aa60885b..59983cac 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -84,7 +84,7 @@
 if [ ${COUNT} -gt 6 ]; then
 LogText "Result: Found ${COUNT} search domains"
 Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
- ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
+ ReportWarning "${TEST_NO}" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
 else
 LogText "Result: Found ${COUNT} search domains"
 Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
@@ -95,7 +95,7 @@
 if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
 LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
 Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
- ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
+ ReportWarning "${TEST_NO}" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
 else
 LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
 fi
@@ -204,7 +204,7 @@
 Display --indent 6 --text "Domain name: ${DOMAINNAME}"
 else
 Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
+ ReportSuggestion "${TEST_NO}" "Check DNS configuration for the dns domain name"
 fi
 fi
 #
@@ -324,7 +324,7 @@
 else
 LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
 Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
+ ReportWarning "${TEST_NO}" "Errors discovered in BIND configuration file"
 fi
 else
 LogText "Result: named-checkconf not found, skipping test"
@@ -347,8 +347,8 @@
 else
 LogText "Result: possible BIND version available in version banner"
 Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Found BIND version in banner"
- ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
+ ReportWarning "${TEST_NO}" "Found BIND version in banner"
+ ReportSuggestion "${TEST_NO}" "The version in BIND can be masked by defining 'version none' in the configuration file"
 AddHP 0 2
 fi
 fi
@@ -599,7 +599,7 @@
 else
 LogText "Result: No entry found for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
 Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_NOT_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
+ ReportSuggestion "${TEST_NO}" "Add the IP name and FQDN to /etc/hosts for proper name resolving"
 LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
 fi
 else
@@ -621,7 +621,7 @@
 LogText "Output: ${DATA}"
 Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_FOUND}" --color YELLOW
 LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
- ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
+ ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system"
 else
 LogText "Result: this server hostname is not mapped to a local address"
 Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_NOT_FOUND}" --color GREEN
@@ -654,7 +654,7 @@
 LogText "Result: this server hostname is not mapped to a local address"
 Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Information: Ensure that localhost resolves back to 127.0.0.1 (and/or ::1)."
- ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
+ ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
 fi
 fi
 #
diff --git a/include/tests_networking b/include/tests_networking
index 36b86671..22dbcb53 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -147,8 +147,8 @@
 Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
 LogText "Result: nameserver ${I} does NOT respond"
 LogText "Exit-code from dig: ${DNSRESPONSE}"
- ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
- ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
+ ReportSuggestion "${TEST_NO}" "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
+ ReportWarning "${TEST_NO}" "Nameserver ${I} does not respond"
 fi
 else
 LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
@@ -171,9 +171,9 @@
 if [ ${NUMBERACTIVENS} -lt 2 ]; then
 Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
 LogText "Result: less than 2 responsive nameservers found"
- ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
+ ReportWarning "${TEST_NO}" "Couldn't find 2 responsive nameservers"
 LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
- ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
+ ReportSuggestion "${TEST_NO}" "Check your resolv.conf file and fill in a backup nameserver if possible"
 AddHP 1 2
 else
 Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
@@ -489,7 +489,7 @@
 # Check if this interface was whitelisted
 if [ ${WHITELISTED} -eq 0 ]; then
 FOUNDPROMISC=1
- ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
+ ReportWarning "${TEST_NO}" "Found promiscuous interface (${I})"
 LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
 else
 LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
@@ -539,7 +539,7 @@
 ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
 if [ -z "${ISWHITELISTED}" ]; then
 FOUNDPROMISC=1
- ReportWarning ${TEST_NO} "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
+ ReportWarning "${TEST_NO}" "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
 LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
 else
 LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
diff --git a/include/tests_php b/include/tests_php
index b58d1758..d84b181a 100644
--- a/include/tests_php
+++ b/include/tests_php
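Review bot: In the `@@ -539,7` hunk of include/tests_networking the whitelist lookup on the first context line still expands `${PROFILE}` unquoted, so the quoting this commit applies to `${TEST_NO}` stops one line short of the expansion that is more likely to contain whitespace. The same line also places `${I}` into the grep pattern as a regular expression, so an interface name containing `.` is matched loosely and could presumably be treated as whitelisted by an entry written for a different interface. I would at least change the line to `ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" "${PROFILE}")` and consider escaping regex metacharacters in `${I}` before the match. The loop and test block around this lookup start and end outside the hunk.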
@@ -230,7 +230,7 @@
 if [ ${FOUND} -eq 0 ]; then
 LogText "Result: all PHP functions can be executed"
 Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
+ ReportSuggestion "${TEST_NO}" "Harden PHP by disabling risky functions"
 LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
 AddHP 0 1
 else
@@ -268,8 +268,8 @@
 FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
 if [ -n "${FIND}" ]; then
 Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
- ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
+ ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
+ ReportSuggestion "${TEST_NO}" "Change the register_globals line to: register_globals = Off"
 LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
 AddHP 1 2
 else
@@ -302,7 +302,7 @@
 if [ ${FOUND} -eq 1 ]; then
 Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
- ReportSuggestion ${TEST_NO} "Turn off PHP information exposure" "expose_php = Off" "-"
+ ReportSuggestion "${TEST_NO}" "Turn off PHP information exposure" "expose_php = Off" "-"
 Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
 AddHP 1 3
 else
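Review bot: In the `@@ -302,7` hunk of include/tests_php the line after the changed ReportSuggestion writes a free-text result with `Report "Result: expose_php option is turned on, …"`, whereas the register_globals and allow_url_fopen checks send their "Result:" text through LogText and Report is used elsewhere in this diff for `key=value` entries. As far as the visible calls show, this puts a line without a key into the report output, which anything parsing that output is unlikely to expect. I would change it to `LogText "Result: expose_php option is turned on, which can expose useful information for an attacker"`; the same applies to the `Report "Result: …"` lines in the enable_dl (`@@ -325,7`) and allow_url_include (`@@ -370,7`) hunks. The test blocks around these lines start and end outside the hunks.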
@@ -325,7 +325,7 @@
 if [ -n "${FIND}" ]; then
 Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
 Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
- ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
+ ReportSuggestion "${TEST_NO}" "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
 AddHP 0 1
 else
 Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
@@ -347,7 +347,7 @@
 if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
 LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
- ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
+ ReportSuggestion "${TEST_NO}" "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
 AddHP 0 1
 else
 Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
@@ -370,7 +370,7 @@
 if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
 Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
- ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
+ ReportSuggestion "${TEST_NO}" "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
 AddHP 0 1
 else
 Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
@@ -419,7 +419,7 @@
 # if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
 # LogText "Test: Check Suhosin for PHP 7 is not enabled"
 # LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
- # ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
+ # ReportSuggestion "${TEST_NO}" "Disable Suhosin for PHP 7"
 # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
 # Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
 # AddHP 0 1
@@ -433,7 +433,7 @@
 # if [ ${FOUND} -eq 0 ]; then
 # LogText "Result: Suhosin extension is not enabled"
 # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
- # ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin extension"
+ # ReportSuggestion "${TEST_NO}" "Harden PHP by enabling suhosin extension"
 # LogText "suhosin extension is not enabled"
 # AddHP 0 1
 # else
@@ -449,7 +449,7 @@
 # else
 # LogText "Result: Suhosin simulation mode is active"
 # Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED
- # ReportSuggestion ${TEST_NO} "Harden PHP by deactivating suhosin simulation mode"
+ # ReportSuggestion "${TEST_NO}" "Harden PHP by deactivating suhosin simulation mode"
 # LogText "suhosin simulation mode is active"
 # AddHP 0 1
 # fi
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 12329cc8..4d037bf7 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -372,7 +372,7 @@
 else
 Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
 LogText "Result: Zypper found one or more installed packages which are vulnerable."
- ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
+ ReportWarning "${TEST_NO}" "Found one or more vulnerable packages installed"
 # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
 FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
 LogText "List of vulnerable packages/version:"
@@ -487,7 +487,7 @@
 COUNT=$((COUNT + 1))
 LogText "Found unpurged package: ${J}"
 done
- ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
+ ReportSuggestion "${TEST_NO}" "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
 fi
 else
 LogText "Result: dpkg can NOT be found on this system, test skipped"
@@ -510,7 +510,7 @@
 else
 Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
 LogText "Result: found ${FIND} unused distfiles"
- ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
+ ReportSuggestion "${TEST_NO}" "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
 fi
 fi
 fi
@@ -561,7 +561,7 @@
 # Decrease hardening points for every found vulnerable package
 AddHP 1 2
 done
- ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
+ ReportWarning "${TEST_NO}" "Found one or more vulnerable packages. Run: dnf upgrade"
 Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
 else
 LogText "Result: no security updates found"
@@ -618,13 +618,13 @@
 LogText "Result: no cron job is configured for debsecan"
 Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
 AddHP 1 3
- ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
+ ReportSuggestion "${TEST_NO}" "Check debsecan cron job and ensure it is enabled"
 fi
 else
 LogText "Result: debsecan is not installed."
 Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
 AddHP 0 2
- ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
+ ReportSuggestion "${TEST_NO}" "Install debsecan to check for vulnerabilities on installed packages."
 fi
 fi
 #
@@ -655,7 +655,7 @@
 else
 LogText "Result: debsums utility is not installed."
 AddHP 0 2
- ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
+ ReportSuggestion "${TEST_NO}" "Install debsums utility for the verification of packages with known good database."
 fi
 fi
 #
@@ -702,7 +702,7 @@
 else
 Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
 LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
- ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
+ ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
 LogText "List of vulnerable packages/version:"
 for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
 VULNERABLE_PACKAGES_FOUND=1
@@ -755,7 +755,7 @@
 LogText "Vulnerable package: ${ITEM}"
 AddHP 1 2
 done
- ReportWarning ${TEST_NO} "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
+ ReportWarning "${TEST_NO}" "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
 else
 LogText "Result: found an exit code greater than zero, yet no output"
 fi
@@ -786,8 +786,8 @@
 else
 Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
 LogText "Result: Portaudit found one or more installed packages which are vulnerable."
- ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
- ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
+ ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
+ ReportSuggestion "${TEST_NO}" "Update your system with portupgrade or other tools"
 LogText "List of vulnerable packages/version:"
 for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
 VULNERABLE_PACKAGES_FOUND=1
@@ -812,7 +812,7 @@
 if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
 LogText "Result: YUM package update management failed"
 Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "YUM is not properly configured or registered for this platform (no repolist found)"
+ ReportWarning "${TEST_NO}" "YUM is not properly configured or registered for this platform (no repolist found)"
 else
 LogText "Result: YUM repository available (${FIND})"
 Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_OK}" --color GREEN
@@ -838,8 +838,8 @@
 else
 LogText "Result: One or more duplicate packages found"
 Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Found one or more duplicate packages installed"
- ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
+ ReportWarning "${TEST_NO}" "Found one or more duplicate packages installed"
+ ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve duplicate package problems"
 fi
 # Check for package database problems
@@ -851,13 +851,13 @@
 else
 LogText "Result: One or more problems found in package database"
 Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Found one or more problems in the package database"
- ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
+ ReportWarning "${TEST_NO}" "Found one or more problems in the package database"
+ ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve package problems"
 fi
 else
 Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Result: YUM utils package not found"
- ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
+ ReportSuggestion "${TEST_NO}" "Install package 'yum-utils' for better consistency checking of the package database"
 fi
 fi
 #
@@ -927,12 +927,12 @@
 LogText "Vulnerable package: ${I}"
 AddHP 1 2
 done
- ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
+ ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
 fi
 else
 LogText "Result: yum-security package not found"
 Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
+ ReportSuggestion "${TEST_NO}" "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
 fi
 fi
 #
@@ -973,7 +973,7 @@
 AddHP 3 3
 else
 Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
- ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
+ ReportWarning "${TEST_NO}" "No GPG signing option found in yum.conf"
 AddHP 2 3
 fi
 fi
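Review bot: In the `@@ -973,7` hunk of include/tests_ports_packages the branch that warns "No GPG signing option found in yum.conf" still calls `AddHP 2 3`, so a system that does not verify package signatures appears to keep two of three hardening points while the result is displayed as RED. The failing branch of the security-repository check in the `@@ -1019,7` hunk uses `AddHP 0 3`, so the score here looks inconsistent with the severity; if it is deliberate, a comment saying why would help. The branch also raises a warning without saying what to change, and a line such as `ReportSuggestion "${TEST_NO}" "Enable package signature checking (gpgcheck=1) in yum.conf"` would bring it in line with the other package tests. The enclosing if starts outside the hunk.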
@@ -1019,7 +1019,7 @@
 AddHP 3 3
 else
 Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
+ ReportWarning "${TEST_NO}" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
 AddHP 0 3
 fi
 else
@@ -1043,8 +1043,8 @@
 else
 LogText "Result: package database is most likely NOT consistent"
 Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "apt-get check returned a non successful exit code."
- ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
+ ReportWarning "${TEST_NO}" "apt-get check returned a non successful exit code."
+ ReportSuggestion "${TEST_NO}" "Run apt-get to perform a manual package database consistency check."
 fi
 fi
 #
@@ -1080,7 +1080,7 @@
 # Check if we get the proper line back and amount of security patches available
 if [ -z "${FIND}" ]; then
 LogText "Result: did not find security updates line"
- ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
+ ReportSuggestion "${TEST_NO}" "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
 ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
 else
 if [ "${FIND}" = "0" ]; then
@@ -1113,8 +1113,8 @@
 fi
 if [ ${SCAN_PERFORMED} -eq 1 ]; then
 if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
- ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
- ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
+ ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
+ ReportSuggestion "${TEST_NO}" "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
 Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
 else
 Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
@@ -1173,7 +1173,7 @@
 fi
 else
 LogText "Result: glsa-check tool not found"
- ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
+ ReportSuggestion "${TEST_NO}" "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
 fi
 fi
 #
@@ -1205,7 +1205,7 @@
 else
 LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
 Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
- ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
+ ReportSuggestion "${TEST_NO}" "Install package apt-show-versions for patch management purposes"
 fi
 fi
@@ -1219,7 +1219,7 @@
 LogText "Test: checking for package audit tool"
 if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
 Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
- ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
+ ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages"
 LogText "Result: no package audit tool found"
 else
 Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index d7483d63..148bc007 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -55,7 +55,7 @@
 LogText "Result: chkprintcap did NOT gave any warnings"
 else
 Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
+ ReportSuggestion "${TEST_NO}" "Run chkprintcap manually to test printcap file"
 LogText "Output from chkprintcap: ${FIND}"
 LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file"
 fi
@@ -124,7 +124,7 @@
 ;;
 * )
 Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
+ ReportSuggestion "${TEST_NO}" "Access to CUPS configuration could be more strict."
 AddHP 1 2
 ;;
 esac
@@ -157,12 +157,12 @@
 AddHP 2 2
 else
 LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
- ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
+ ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to listen on the network"
 AddHP 1 2
 fi
 else
 LogText "Result: CUPS daemon is running on several network addresses"
- ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
+ ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to run on several network addresses"
 AddHP 1 2
 fi
@@ -240,7 +240,7 @@
 if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
 LogText "Result: qdaemon daemon not running"
 Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
- ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
+ ReportSuggestion "${TEST_NO}" "Activate print spooler daemon (qdaemon) in order to process print jobs"
 else
 LogText "Result: qdaemon daemon not running"
 Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
@@ -267,7 +267,7 @@
 done
 LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
 Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
+ ReportSuggestion "${TEST_NO}" "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
 LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
 else
 LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
diff --git a/include/tests_shells b/include/tests_shells
index 480166be..f440da5a 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -61,7 +61,7 @@
 LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
 LogText "Output ${ROOTDIR}etc/ttys:"
 LogText "${FIND}"
- ReportWarning ${TEST_NO} "Found unprotected console in ${ROOTDIR}etc/ttys"
+ ReportWarning "${TEST_NO}" "Found unprotected console in ${ROOTDIR}etc/ttys"
 LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
 fi
 fi
diff --git a/include/tests_snmp b/include/tests_snmp
index 20c61f3b..6253f542 100644
--- a/include/tests_snmp
+++ b/include/tests_snmp
@@ -93,7 +93,7 @@
 AddHP 2 2
 else
 Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
- ReportWarning ${TEST_NO} "Found easy guessable SNMP community string"
+ ReportWarning "${TEST_NO}" "Found easy guessable SNMP community string"
 fi
 fi
 #
diff --git a/include/tests_squid b/include/tests_squid
index f6070507..075ecbb4 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -135,8 +135,8 @@
 if [ -n "${FIND}" ]; then
 LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
 Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
- ReportWarning ${TEST_NO} "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
+ ReportSuggestion "${TEST_NO}" "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
+ ReportWarning "${TEST_NO}" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
 AddHP 0 2
 else
 LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
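Review bot: In the `@@ -61,7` hunk of include/tests_shells the remediation for the unprotected console is written only to the log by the LogText line after the changed ReportWarning, so a reader of the report sees the warning without the fix. Other warnings in this diff pass details and a `text:` solution as third and fourth arguments, for example the promiscuous-interface warning in include/tests_networking. I would change the call to `ReportWarning "${TEST_NO}" "Found unprotected console in ${ROOTDIR}etc/ttys" "${ROOTDIR}etc/ttys" "text:Change the console line from 'secure' to 'insecure'"`. The enclosing if starts outside the hunk.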
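Review bot: In the `@@ -93,7` hunk of include/tests_snmp the else branch that warns about an easily guessable SNMP community string has no AddHP call, while the passing branch directly above it ends with `AddHP 2 2`. If AddHP takes earned and maximum points, as the paired calls in the other test files suggest, a weak community string leaves the hardening totals untouched instead of lowering the score. I would add `AddHP 0 2` after the ReportWarning line. The surrounding if starts outside the hunk.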
@@ -231,13 +231,13 @@
 if IsEmpty "${FIND}"; then
 LogText "Result: no Safe_ports found"
 Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
+ ReportSuggestion "${TEST_NO}" "Check if Squid has been configured to restrict access to all safe ports"
 else
 LogText "Result: checking ACL safe ports"
 FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
 if IsEmpty "${FIND2}"; then
 Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
- ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
+ ReportSuggestion "${TEST_NO}" "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
 AddHP 0 1
 else
 LogText "Result: Safe_ports found"
@@ -256,7 +256,7 @@
 AddHP 1 1
 else
 Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
- ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
+ ReportWarning "${TEST_NO}" "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
 AddHP 0 1
 fi
 done
@@ -282,7 +282,7 @@
 LogText "Result: option reply_body_max_size not configured"
 Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
 AddHP 1 2
- ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
+ ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the upper size of requests."
 else
 LogText "Result: option reply_body_max_size configured"
 LogText "Output: ${FIND}"
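Review bot: The suggestion text on the changed line of the `@@ -282,7` hunk in include/tests_squid says reply_body_max_size limits "the upper size of requests", but that directive caps the size of reply bodies Squid will pass back to clients; request bodies are governed by request_body_max_size. An administrator following the advice as written would expect an upload limit and get a download limit. I would reword the line to `ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the maximum size of reply bodies."`. The enclosing if starts outside the hunk.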
@@ -309,7 +309,7 @@
 LogText "Result: option httpd_suppress_version_string not configured"
 Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
 AddHP 1 2
- ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
+ ReportSuggestion "${TEST_NO}" "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
 else
 LogText "Result: option httpd_suppress_version_string configured"
 LogText "Output: ${FIND}"
diff --git a/include/tests_ssh b/include/tests_ssh
index eb3b9134..5c8b3775 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -267,13 +267,13 @@
 AddHP 3 3
 elif [ "${RESULT}" = "MIDSCORED" ]; then
 LogText "Result: OpenSSH option ${OPTIONNAME} is configured reasonably"
- ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
+ ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
 ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
 Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
 AddHP 1 3
 elif [ "${RESULT}" = "WEAK" ]; then
 LogText "Result: OpenSSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
- ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
+ ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
 ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
 Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
 AddHP 0 3
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs
index bfc5192d..3d3ceab5 100644
--- a/include/tests_storage_nfs
+++ b/include/tests_storage_nfs
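Review bot: The MIDSCORED and WEAK branches in the `@@ -267,13` hunk of include/tests_ssh differ only in the LogText wording and the AddHP value: both emit the same "Consider hardening SSH configuration" suggestion and the same YELLOW `${STATUS_SUGGESTION}` result, although the WEAK log line says the option "should be fixed". On screen and in the report a weak sshd setting is therefore indistinguishable from a merely sub-optimal one. As a matter of style I would either share the three duplicated lines between the branches or give the WEAK branch its own result, for example `Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_WARNING}" --color RED`. The if/elif chain starts and ends outside the hunk.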
@@ -149,7 +149,7 @@
 if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
 Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
- ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
+ ReportSuggestion "${TEST_NO}" "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
 fi
 fi
 #
@@ -164,7 +164,7 @@
 if [ -n "${sFIND}" ]; then
 LogText "Result: all client are allowed to access a NFS share in /etc/exports"
 Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
- ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
+ ReportSuggestion "${TEST_NO}" "Specify clients that are allowed to access a NFS share /etc/exports"
 AddHP 2 3
 else
 LogText "Result: only some clients are allowed to access a NFS share"
diff --git a/include/tests_time b/include/tests_time
index 4513cb9a..d3bda505 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -189,7 +189,7 @@
 NTP_CONFIG_TYPE_STARTUP=1
 # Only show suggestion when ntpdate is enabled, however ntpd is not running
 if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then
- ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon"
+ ReportSuggestion "${TEST_NO}" "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon"
 fi
 else
 LogText "Result: ntpdate is not enabled in rc.conf"
@@ -202,7 +202,7 @@
 else
 Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED
 LogText "Result: Could not find a NTP daemon or client"
- ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
+ ReportSuggestion "${TEST_NO}" "Use NTP daemon or NTP client to prevent time issues."
 AddHP 0 2
 fi
 else
@@ -241,7 +241,7 @@
 LogText "Result: Found one or more association ID's"
 else
 Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
+ ReportSuggestion "${TEST_NO}" "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
 fi
 fi
 #
@@ -276,7 +276,7 @@
 else
 Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
 LogText "Result: Found ${COUNT} high stratum (16) peers)"
- ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
+ ReportSuggestion "${TEST_NO}" "Check ntpq peers output for stratum 16 peers"
 fi
 fi
 fi
@@ -302,7 +302,7 @@
 LogText "Unreliable peer: ${I}"
 Report "ntp_unreliable_peer[]=${I}"
 done
- ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them"
+ ReportSuggestion "${TEST_NO}" "Check ntpq peers output for unreliable ntp peers and correct/replace them"
 fi
 fi
 #
@@ -324,7 +324,7 @@
 Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
 LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
 LogText "Local source: ${FIND}"
- ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
+ ReportSuggestion "${TEST_NO}" "Check ntpq peers output for selected time source"
 fi
 fi
 #
@@ -340,7 +340,7 @@
 if [ -z "${FIND}" ]; then
 Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
 LogText "Result: No other time source candidates found"
- ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
+ ReportSuggestion "${TEST_NO}" "Check ntpq peers output for time source candidates"
 else
 Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN
 LogText "Result: Found one or more candidates to synchronize time with."
@@ -371,7 +371,7 @@
 LogText "Falseticker found: ${I}"
 Report "ntp_falseticker[]=${I}"
 done
- ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers"
+ ReportSuggestion "${TEST_NO}" "Check ntpq peers output for falsetickers"
 fi
 fi
 #
@@ -387,7 +387,7 @@
 if [ -z "${FIND}" ]; then
 Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
 LogText "Result: No NTP version found"
- ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
+ ReportSuggestion "${TEST_NO}" "Check ntpq output for NTP protocol version"
 else
 Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: Found NTP version ${FIND}"
@@ -438,7 +438,7 @@
 else
 LogText "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
 Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
- ReportSuggestion ${TEST_NO} "Use step-tickers file for quicker time synchronization"
+ ReportSuggestion "${TEST_NO}" "Use step-tickers file for quicker time synchronization"
 fi
 else
 LogText "Result: ${FILE} is not empty, which is fine"
@@ -455,7 +455,7 @@ done if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW - ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file" + ReportSuggestion "${TEST_NO}" "Some time servers missing in step-tickers file" AddHP 3 4 else Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN diff --git a/include/tests_tooling b/include/tests_tooling index 328a48fa..00c37369 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -182,7 +182,7 @@ Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN else Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW - ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management" + ReportSuggestion "${TEST_NO}" "Determine if automation tools are present for system management" fi fi # @@ -412,7 +412,7 @@ AddHP 2 2 else Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW - #ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools" + #ReportSuggestion "${TEST_NO}" "Install and configure automated intrusion detection/prevention tools" AddHP 0 2 fi fi diff --git a/include/tests_usb b/include/tests_usb index 36058490..24c74982 100644 --- a/include/tests_usb +++ b/include/tests_usb 
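Review bot: The test guarding the changed call in the `@@ -455,7 +455,7 @@` hunk still expands its variable unquoted, `if [ ${FOUND} -eq 1 ]; then`, which is the same class of problem this commit fixes for `${TEST_NO}`. I would write `if [ "${FOUND}" -eq 1 ]; then`, matching the `[ "${USBGUARD_FOUND}" -eq "0" ]` form already used in the tests_usb hunk at `@@ -75,7 +75,7 @@`. The same applies to the commented `#if [ ${USBGUARD_FOUND} -eq 0 ]; then` in the tests_usb hunk at `@@ -117,7 +117,7 @@`, and to `[ ${NGINX_SSL_SUGGESTION} -eq 1 ]` and `[ ${NGINX_LOG_SUGGESTION} -eq 1 ]` in the tests_webservers hunks at `@@ -480`, `@@ -520`, `@@ -541` and `@@ -566`. Where these flags are initialised is outside the hunks, so I cannot tell whether they can ever be empty or contain whitespace. Quoting keeps the test well-formed either way.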
@@ -75,7 +75,7 @@ LogText "Result: usb-storage driver is not explicitly disabled" Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE if [ "${USBGUARD_FOUND}" -eq "0" ]; then - ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" + ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft" fi AddHP 2 3 else @@ -117,7 +117,7 @@ Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW # To-Be-Added: create documentation and enable the suggestion #if [ ${USBGUARD_FOUND} -eq 0 ]; then - # ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" + # ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft" #fi AddHP 0 3 else @@ -160,7 +160,7 @@ Display --indent 6 --text "- Restore controller device state" --result "${USBGUARD_RESTORE_POLICY}" --color YELLOW LogText " Consider changing RestoreControllerDeviceState to \"false\"" # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)" + # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)" AddHP 0 1 ;; "false") 
@@ -171,7 +171,7 @@ LogText "Result: Invalid configuration for RestoreControllerDeviceState" Display --indent 6 --text "- Restore controller device state" --result "Invalid" --color RED # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\"" + # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\"" AddHP 0 1 ;; esac @@ -191,7 +191,7 @@ Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color YELLOW LogText " Consider changing PresentControllerPolicy to \"apply-policy\", \"block\" or \"reject\"" # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)" + # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)" AddHP 0 1 ;; "apply-policy" | "block" | "reject") @@ -202,7 +202,7 @@ LogText "Result: Invalid configuration for PresentControllerPolicy" Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "Invalid" --color RED # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\"" + # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\"" AddHP 0 1 ;; esac 
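Review bot: The detail string on the new side of the `@@ -191,7 +191,7 @@` hunk has an unclosed parenthesis: `"PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)"`. The line is commented out, so nothing is affected today, but the text would presumably reach the report once the TODO is resolved. I would close it as `"PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject))"`, in line with the balanced `(${USBGUARD_RESTORE_POLICY} --> false)` in the `@@ -160,7 +160,7 @@` hunk. The same missing `)` appears in the PresentDevicePolicy (`@@ -221`), InsertedDevicePolicy (`@@ -251`) and ImplicitPolicyTarget (`@@ -281`) hunks.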
@@ -221,7 +221,7 @@ Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color YELLOW LogText " Consider changing PresentDevicePolicy to \"apply-policy\", \"block\" or \"reject\"" # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)" + # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)" AddHP 0 1 ;; "apply-policy" | "block" | "reject") @@ -232,7 +232,7 @@ LogText "Result: Invalid configuration for PresentDevicePolicy" Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "Invalid" --color RED # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\"" + # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\"" AddHP 0 1 ;; esac @@ -251,7 +251,7 @@ Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color YELLOW LogText " Consider changing InsertedDevicePolicy to \"apply-policy\", \"block\" or \"reject\"" # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)" + # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)" AddHP 0 1 ;; "apply-policy" | "block" | "reject") 
@@ -262,7 +262,7 @@ LogText "Result: Invalid configuration for InsertedDevicePolicy" Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "Invalid" --color RED # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\"" + # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\"" AddHP 0 1 ;; esac @@ -281,7 +281,7 @@ Display --indent 6 --text "- Rule for devices not in RuleFile" --result "${USBGUARD_DEFAULT_POLICY}" --color YELLOW LogText " Consider changing ImplicitPolicyTarget to \"block\" or \"reject\"" # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)" + # ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)" AddHP 0 1 ;; "block"|"reject") @@ -292,7 +292,7 @@ LogText "Result: Invalid configuration for ImplicitPolicyTarget" Display --indent 6 --text "- Rule for devices not in RuleFile" --result "Invalid" --color RED # TODO: assign TEST_NO, create documentation, and enable the suggestion - # ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\"" + # ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\"" AddHP 0 1 ;; esac 
@@ -319,7 +319,7 @@ LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)" Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion - #ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies" + #ReportSuggestion "${TEST_NO}" "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies" AddHP 0 1 fi @@ -327,14 +327,14 @@ Display --indent 4 --text "- Configuration" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: Configuration not found" # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion - #ReportSuggestion ${TEST_NO} "USBGuard configuration file not found, consider reinstalling" + #ReportSuggestion "${TEST_NO}" "USBGuard configuration file not found, consider reinstalling" AddHP 0 7 fi else LogText "Result: USBGuard not found" Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_NOT_FOUND}" --color WHITE # To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion - #ReportSuggestion ${TEST_NO} "Install USBGuard to allow for fine-grained control of USB authorization" + #ReportSuggestion "${TEST_NO}" "Install USBGuard to allow for fine-grained control of USB authorization" AddHP 0 8 fi diff --git a/include/tests_webservers b/include/tests_webservers index 01bb3f93..54db20d7 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -257,7 +257,7 @@ else Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 - ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts" + ReportSuggestion "${TEST_NO}" "Install Apache mod_evasive to guard webserver against DoS/brute force attempts" fi fi # 
@@ -276,7 +276,7 @@ else Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 - ReportSuggestion ${TEST_NO} "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks" + ReportSuggestion "${TEST_NO}" "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks" fi fi # @@ -294,7 +294,7 @@ else Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 - ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks" + ReportSuggestion "${TEST_NO}" "Install Apache modsecurity to guard webserver against web application attacks" fi fi # @@ -480,7 +480,7 @@ else LogText "Result: No SSL configuration found" Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED - ReportSuggestion ${TEST_NO} "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy" + ReportSuggestion "${TEST_NO}" "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy" AddHP 1 5 fi if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then @@ -520,7 +520,7 @@ fi # Report suggestion if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then - ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning" + ReportSuggestion "${TEST_NO}" "Check your nginx access log for proper functioning" fi fi # @@ -541,7 +541,7 @@ fi # Report suggestion if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then - ReportSuggestion ${TEST_NO} "Check your nginx error_log statements" + ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements" fi fi # @@ -566,7 +566,7 @@ fi # Report suggestion if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then - ReportSuggestion ${TEST_NO} "Check your nginx error_log statements and disable debug mode" + ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements and disable debug mode" fi fi # 
diff --git a/plugins/custom_plugin.template b/plugins/custom_plugin.template index 17dada3a..3841ce00 100644 --- a/plugins/custom_plugin.template +++ b/plugins/custom_plugin.template @@ -72,7 +72,7 @@ Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN else Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED - ReportSuggestion ${TEST_NO} "This is a suggestion" + ReportSuggestion "${TEST_NO}" "This is a suggestion" fi fi #
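Review bot: Plugin authors copy this template, and nothing next to the call in the `@@ -72,7 +72,7 @@` hunk explains why the test ID is quoted, so the quotes are easy to drop again in a derived plugin. I would add a comment above the call, for example `# Keep ${TEST_NO} quoted: an empty ID must remain its own argument instead of letting the text shift into its place`. The enclosing test block starts and ends outside the hunk.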