mirror of https://github.com/CISOfy/lynis.git
Code style improvement: quote argument
This commit is contained in:
parent
94ba30e765
commit
09f29a5e64
|
@ -42,7 +42,7 @@
|
|||
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
LogText "Result: No accounting information available"
|
||||
LogText "Remark: Possibly there is another location where the accounting data is stored"
|
||||
ReportSuggestion ${TEST_NO} "Enable process accounting"
|
||||
ReportSuggestion "${TEST_NO}" "Enable process accounting"
|
||||
AddHP 2 3
|
||||
fi
|
||||
fi
|
||||
|
@ -61,7 +61,7 @@
|
|||
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
LogText "Result: No accounting information available"
|
||||
LogText "Remark: Possibly there is another location where the accounting data is stored"
|
||||
ReportSuggestion ${TEST_NO} "Enable process accounting"
|
||||
ReportSuggestion "${TEST_NO}" "Enable process accounting"
|
||||
AddHP 2 3
|
||||
fi
|
||||
fi
|
||||
|
@ -90,7 +90,7 @@
|
|||
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
LogText "Result: No accounting information available (${ROOTDIR}var/account/pacct, ${ROOTDIR}var/log/account/pact nor ${ROOTDIR}var/log/pact exist)"
|
||||
LogText "Remark: Possibly there is another location where the accounting data is stored"
|
||||
ReportSuggestion ${TEST_NO} "Enable process accounting"
|
||||
ReportSuggestion "${TEST_NO}" "Enable process accounting"
|
||||
AddHP 2 3
|
||||
fi
|
||||
fi
|
||||
|
@ -111,7 +111,7 @@
|
|||
else
|
||||
LogText "Result: sysstat disabled via ${ROOTDIR}etc/default/sysstat"
|
||||
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
|
||||
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
|
||||
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (disabled)"
|
||||
fi
|
||||
elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
|
||||
FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat)
|
||||
|
@ -121,12 +121,12 @@
|
|||
else
|
||||
LogText "Result: sysstat disabled via ${ROOTDIR}etc/cron.d/sysstat"
|
||||
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
|
||||
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
|
||||
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)"
|
||||
fi
|
||||
else
|
||||
LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
|
||||
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
|
||||
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -151,7 +151,7 @@
|
|||
LogText "Result: auditd not active"
|
||||
Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
if [ ! "${VMTYPE}" = "openvz" ]; then
|
||||
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
|
||||
ReportSuggestion "${TEST_NO}" "Enable auditd to collect audit information"
|
||||
fi
|
||||
AddHP 0 1
|
||||
Report "linux_auditd_running=0"
|
||||
|
@ -171,7 +171,7 @@
|
|||
LogText "Result: auditd rules empty"
|
||||
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
AddHP 0 2
|
||||
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
|
||||
ReportSuggestion "${TEST_NO}" "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
|
||||
else
|
||||
LogText "Result: found auditd rules"
|
||||
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -206,7 +206,7 @@
|
|||
else
|
||||
LogText "Result: could not find auditd configuration file"
|
||||
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_FOUND}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
|
||||
ReportSuggestion "${TEST_NO}" "Determine the location of auditd configuration file"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -229,12 +229,12 @@
|
|||
else
|
||||
LogText "Result: can't find log file ${FIND} on disk"
|
||||
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check auditd log file location"
|
||||
ReportSuggestion "${TEST_NO}" "Check auditd log file location"
|
||||
fi
|
||||
else
|
||||
LogText "Result: no log file found"
|
||||
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Auditd log file is defined but can not be found on disk"
|
||||
ReportWarning "${TEST_NO}" "Auditd log file is defined but can not be found on disk"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -258,7 +258,7 @@
|
|||
Report "audit_trail_tool[]=snoopy"
|
||||
else
|
||||
Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
|
||||
ReportSuggestion "${TEST_NO}" "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
|
||||
AddHP 3 3
|
||||
fi
|
||||
else
|
||||
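Review bot: The hunk at `@ -111,7 +111,7 @@` quotes `${TEST_NO}` but leaves `${ROOTDIR}` unquoted on the two lines right below it, `elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then` and the `FIND=$(${GREPBINARY} ... ${ROOTDIR}etc/cron.d/sysstat)` assignment. For the same reason the commit gives, those should read `elif [ -f "${ROOTDIR}etc/cron.d/sysstat" ]; then` and `FIND=$(${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' "${ROOTDIR}etc/cron.d/sysstat")`. Unquoted, a ROOTDIR containing whitespace or glob characters would be split before the `-f` test and the grep run, so the presence check and the cron-file parse would look at the wrong path; I cannot see from here whether ROOTDIR is ever set to such a value. The if/elif chain these lines belong to starts and ends outside the hunk.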
|
|
|
@ -56,7 +56,7 @@
|
|||
if [ "${USER}" = "toor" ]; then
|
||||
LogText "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
|
||||
LogText "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
|
||||
ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
|
||||
ReportSuggestion "${TEST_NO}" "Use vipw to delete the 'toor' user if not used."
|
||||
fi
|
||||
done
|
||||
else
|
||||
|
@ -87,7 +87,7 @@
|
|||
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: found multiple accounts with same UID"
|
||||
LogText "Output (non-unique UIDs): ${FIND}"
|
||||
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
|
||||
ReportWarning "${TEST_NO}" "Multiple accounts found with same UID"
|
||||
fi
|
||||
else
|
||||
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_SKIPPED}" --color WHITE
|
||||
|
@ -115,7 +115,7 @@
|
|||
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: chkgrp found some errors. Run the tool manually to see details."
|
||||
LogText "chkgrp output: ${FIND}"
|
||||
ReportWarning ${TEST_NO} "chkgrp reported inconsistencies in /etc/group file"
|
||||
ReportWarning "${TEST_NO}" "chkgrp reported inconsistencies in /etc/group file"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -147,7 +147,7 @@
|
|||
LogText "Result: grpck binary didn't find any errors in the group files"
|
||||
else
|
||||
Display --indent 2 --text "- Consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "grpck binary found errors in one or more group files"
|
||||
ReportWarning "${TEST_NO}" "grpck binary found errors in one or more group files"
|
||||
fi
|
||||
unset FIND
|
||||
fi
|
||||
|
@ -181,12 +181,12 @@
|
|||
FOUND=1
|
||||
else
|
||||
LogText "Result: shell ${SHELL} does not exist"
|
||||
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
|
||||
ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
|
||||
ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
@ -225,12 +225,12 @@
|
|||
FOUND=1
|
||||
else
|
||||
LogText "Result: shell ${SHELL} does not exist"
|
||||
ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${SHELL} does not exist"
|
||||
ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
ReportWarning ${TEST_NO} "Possible harmful shell found (for passwordless account!)"
|
||||
ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
@ -259,7 +259,7 @@
|
|||
Report "auth_groups_nonunique[]=${I}"
|
||||
LogText "Non-unique group: ${I}"
|
||||
done
|
||||
ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct any inconsistencies"
|
||||
ReportSuggestion "${TEST_NO}" "Check your /etc/group file and correct any inconsistencies"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -283,7 +283,7 @@
|
|||
Report "auth_groups_nonunique[]=${I}"
|
||||
LogText "Non-unique group: ${I}"
|
||||
done
|
||||
ReportSuggestion ${TEST_NO} "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
|
||||
ReportSuggestion "${TEST_NO}" "Check your ${ROOTDIR}etc/group file and correct any inconsistencies"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -319,7 +319,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Password file consistency" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: pwck found one or more errors/warnings in the password file."
|
||||
ReportSuggestion ${TEST_NO} "Run pwck manually and correct any errors in the password file"
|
||||
ReportSuggestion "${TEST_NO}" "Run pwck manually and correct any errors in the password file"
|
||||
AddHP 0 2
|
||||
fi
|
||||
fi
|
||||
|
@ -563,7 +563,7 @@
|
|||
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
ReportWarning ${TEST_NO} "Found passwordless account (${I})"
|
||||
ReportWarning "${TEST_NO}" "Found passwordless account (${I})"
|
||||
done
|
||||
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
|
@ -630,7 +630,7 @@
|
|||
if [ ${FOUND} -eq 0 ]; then
|
||||
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: no PAM modules for password strength testing found"
|
||||
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
|
||||
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
|
||||
AddHP 0 3
|
||||
else
|
||||
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -851,7 +851,7 @@
|
|||
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
|
||||
LogText "Result: password minimum age is not configured"
|
||||
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs"
|
||||
ReportSuggestion "${TEST_NO}" "Configure minimum password age in /etc/login.defs"
|
||||
AddHP 0 1
|
||||
else
|
||||
LogText "Result: password needs to be at least ${FIND} days old"
|
||||
|
@ -865,7 +865,7 @@
|
|||
if [ -z "${FIND}" -o "${FIND}" = "99999" ]; then
|
||||
LogText "Result: password aging limits are not configured"
|
||||
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
|
||||
ReportSuggestion "${TEST_NO}" "Configure maximum password age in /etc/login.defs"
|
||||
AddHP 0 1
|
||||
else
|
||||
LogText "Result: max password age is ${FIND} days"
|
||||
|
@ -933,7 +933,7 @@
|
|||
else
|
||||
LogText "Result: option present, no password needed at single user mode login"
|
||||
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "No password needed for single user mode login"
|
||||
ReportWarning "${TEST_NO}" "No password needed for single user mode login"
|
||||
AddHP 0 1
|
||||
fi
|
||||
else
|
||||
|
@ -963,7 +963,7 @@
|
|||
else
|
||||
LogText "Result: option present, no password needed at single user mode login"
|
||||
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Set password for system boot"
|
||||
ReportSuggestion "${TEST_NO}" "Set password for system boot"
|
||||
AddHP 0 1
|
||||
fi
|
||||
else
|
||||
|
@ -1042,8 +1042,8 @@
|
|||
if [ ${FOUND} -eq 0 ]; then
|
||||
LogText "Result: option not set, no password needed at single user mode boot"
|
||||
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "No password set for single mode"
|
||||
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
|
||||
ReportWarning "${TEST_NO}" "No password set for single mode"
|
||||
ReportSuggestion "${TEST_NO}" "Set password for single user mode to minimize physical access attack surface"
|
||||
AddHP 0 2
|
||||
else
|
||||
LogText "Result: option set, password is needed at single user mode boot"
|
||||
|
@ -1136,11 +1136,11 @@
|
|||
AddHP 2 2
|
||||
elif [ ${GOOD_UMASK} -eq 1 -a ${WEAK_UMASK} -eq 1 ]; then
|
||||
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Some umasks found could be more strict (e.g. 027)"
|
||||
ReportSuggestion "${TEST_NO}" "Some umasks found could be more strict (e.g. 027)"
|
||||
AddHP 1 2
|
||||
else
|
||||
Display --indent 4 --text "- umask (/etc/profile and /etc/profile.d)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
|
||||
ReportSuggestion "${TEST_NO}" "Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)"
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
|
@ -1174,7 +1174,7 @@
|
|||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
|
||||
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
|
||||
ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
|
||||
AddHP 1 2
|
||||
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
|
||||
LogText "Result: umask is ${FIND}, which is fine"
|
||||
|
@ -1183,7 +1183,7 @@
|
|||
else
|
||||
LogText "Result: found umask ${FIND}, which could be improved"
|
||||
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
|
||||
ReportSuggestion "${TEST_NO}" "Default umask in /etc/login.defs could be more strict like 027"
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
|
@ -1221,7 +1221,7 @@
|
|||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
|
||||
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
|
||||
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
|
||||
AddHP 1 2
|
||||
elif [ "${FIND}" = "077" -o "${FIND}" = "027" -o "${FIND}" = "0077" -o "${FIND}" = "0027" ]; then
|
||||
LogText "Result: umask is ${FIND}, which is fine"
|
||||
|
@ -1230,7 +1230,7 @@
|
|||
else
|
||||
LogText "Result: found umask ${FIND}, which could be improved"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
|
||||
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rc could be more strict like 027"
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
|
@ -1265,7 +1265,7 @@
|
|||
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_WEAK}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
|
||||
ReportSuggestion "${TEST_NO}" "Umask in /etc/login.conf could be more strict like 027"
|
||||
fi
|
||||
else
|
||||
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
|
||||
|
@ -1284,7 +1284,7 @@
|
|||
if [ "${FIND2}" = "" ]; then
|
||||
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
|
||||
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
|
||||
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
|
||||
AddHP 1 2
|
||||
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
|
||||
LogText "Result: umask is ${FIND2}, which is fine"
|
||||
|
@ -1293,7 +1293,7 @@
|
|||
else
|
||||
LogText "Result: found umask ${FIND2}, which could be improved"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
|
||||
ReportSuggestion "${TEST_NO}" "Default umask in /etc/init.d/rcS could be more strict like 027"
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
|
@ -1458,7 +1458,7 @@
|
|||
AddHP 3 3
|
||||
else
|
||||
AddHP 0 1
|
||||
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged using pam_tally2 or /etc/login.defs"
|
||||
#ReportSuggestion "${TEST_NO}" "Configure failed login attempts to be logged using pam_tally2 or /etc/login.defs"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
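Review bot: The `if [ ${FOUND} -eq 1 ]; then` tests in the hunks at `@ -181,12` and `@ -225,12` (and the `[ ${FOUND} -eq 0 ]` form in `@ -630,7` and `@ -1042,8`) keep the unquoted style that this commit removes from the ReportWarning lines beside them; with FOUND unset the test degrades to `[ -eq 1 ]`, which `[` rejects with an error, and the `if` then silently skips the warning branch. Quoting alone still leaves the unset case as an error, so `if [ "${FOUND:-0}" -eq 1 ]; then` is the deterministic spelling, provided each test initialises FOUND before the loop as it appears to. The `elif [ ${GOOD_UMASK} -eq 1 -a ${WEAK_UMASK} -eq 1 ]; then` line in `@ -1136,11` additionally relies on the `-a` operator, which POSIX marks obsolescent; `elif [ "${GOOD_UMASK}" -eq 1 ] && [ "${WEAK_UMASK}" -eq 1 ]; then` is the portable form. The enclosing if/for blocks of each of these hunks begin outside the hunk.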
|
|
|
@ -108,7 +108,7 @@
|
|||
else
|
||||
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_WEAK}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
|
||||
ReportSuggestion "${TEST_NO}" "Add a legal banner to ${FILE}, to warn unauthorized users"
|
||||
AddHP 0 1
|
||||
Report "weak_banner_file[]=${FILE}"
|
||||
fi
|
||||
|
@ -161,7 +161,7 @@
|
|||
else
|
||||
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_WEAK}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
|
||||
ReportSuggestion "${TEST_NO}" "Add legal banner to /etc/issue.net, to warn unauthorized users"
|
||||
AddHP 0 1
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -338,7 +338,7 @@
|
|||
else
|
||||
Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
|
||||
LogText "Result: Didn't find hashed password line in GRUB boot file!"
|
||||
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
|
||||
ReportSuggestion "${TEST_NO}" "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
|
@ -420,13 +420,13 @@
|
|||
if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
|
||||
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
|
||||
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
|
||||
ReportWarning ${TEST_NO} "No password set on LILO bootloader"
|
||||
ReportSuggestion "${TEST_NO}" "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
|
||||
ReportWarning "${TEST_NO}" "No password set on LILO bootloader"
|
||||
AddHP 0 2
|
||||
elif [ "${MACHINE_ROLE}" = "personal" ]; then
|
||||
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color yellow
|
||||
LogText "Result: no password set for LILO. Bootloader is unprotected to dropping to single user mode or unauthorized access to devices/data."
|
||||
ReportSuggestion ${TEST_NO} "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
|
||||
ReportSuggestion "${TEST_NO}" "No password set on LILO bootloader. Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
|
||||
AddHP 1 2
|
||||
else
|
||||
LogText "Result: no password set for LILO, with unknown machine role"
|
||||
|
@ -501,8 +501,8 @@
|
|||
FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf)
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
|
||||
#ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
|
||||
ReportWarning ${TEST_NO} "System can be booted into single user mode without password"
|
||||
#ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
|
||||
ReportWarning "${TEST_NO}" "System can be booted into single user mode without password"
|
||||
else
|
||||
Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Ok, boot option is enabled."
|
||||
|
@ -511,7 +511,7 @@
|
|||
Display --indent 2 --text "- Checking ${ROOTDIR}etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
LogText "Result: no ${ROOTDIR}etc/boot.conf found. When using the default boot loader, physical"
|
||||
LogText "access to the server can be used to possibly enter single user mode."
|
||||
ReportSuggestion ${TEST_NO} "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
|
||||
ReportSuggestion "${TEST_NO}" "Add 'boot' to the ${ROOTDIR}etc/boot.conf file to disable the default 5 seconds waiting time."
|
||||
fi
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: found OpenBSD boot loader"
|
||||
|
@ -645,7 +645,7 @@
|
|||
LogText "Result: found ${COUNT} services"
|
||||
fi
|
||||
elif [ -z "${sRUNLEVEL}" ]; then
|
||||
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
|
||||
ReportSuggestion "${TEST_NO}" "Determine runlevel and services at startup"
|
||||
else
|
||||
LogText "Result: skipping further actions"
|
||||
fi
|
||||
|
@ -716,7 +716,7 @@
|
|||
LogText "Test: Checking ${CHECKFILE} file for writable bit"
|
||||
if IsWorldWritable ${CHECKFILE}; then
|
||||
FOUND=1
|
||||
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
|
||||
ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
|
||||
LogText "Result: warning, file ${CHECKFILE} is world writable"
|
||||
else
|
||||
LogText "Result: good, file ${CHECKFILE} not world writable"
|
||||
|
@ -727,7 +727,7 @@
|
|||
# Check results
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
|
||||
ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
|
||||
LogText "Result: found one or more scripts which are possibly writable by other users"
|
||||
AddHP 0 3
|
||||
else
|
||||
|
@ -938,7 +938,7 @@
|
|||
LogText "Test: Checking ${CHECKFILE} file for writable bit"
|
||||
if IsWorldWritable ${CHECKFILE}; then
|
||||
FOUND=1
|
||||
ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}"
|
||||
ReportWarning "${TEST_NO}" "Found writable startup script ${CHECKFILE}"
|
||||
LogText "Result: warning, file ${CHECKFILE} is world writable"
|
||||
else
|
||||
LogText "Result: good, file ${CHECKFILE} not world writable"
|
||||
|
@ -949,7 +949,7 @@
|
|||
# Check results
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
|
||||
ReportWarning "${TEST_NO}" "Found world writable startup scripts" "-" "-"
|
||||
LogText "Result: found one or more scripts which are possibly writable by other users"
|
||||
AddHP 0 3
|
||||
else
|
||||
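Review bot: `if IsWorldWritable ${CHECKFILE}; then` in the hunks at `@ -716,7` and `@ -938,7` passes the script path unquoted while the ReportWarning line directly under it now quotes `${TEST_NO}`; a startup-script path containing whitespace would be split into several arguments, so the helper would test a different or non-existent path and a world-writable script could go unreported. Both lines should read `if IsWorldWritable "${CHECKFILE}"; then`. The same applies to `FIND=$(${GREPBINARY} '^boot' ${ROOTDIR}etc/boot.conf)` in `@ -501,8`, which should quote `"${ROOTDIR}etc/boot.conf"`. The loop that sets CHECKFILE begins outside the hunk, so I cannot confirm how those paths are produced.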
|
|
|
@ -123,7 +123,7 @@
|
|||
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
|
||||
ReportSuggestion "${TEST_NO}" "Check available certificates for expiration"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
|
@ -134,7 +134,7 @@
|
|||
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "This is a suggestion"
|
||||
ReportSuggestion "${TEST_NO}" "This is a suggestion"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
|
|
@ -89,7 +89,7 @@
|
|||
FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?)
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
LogText "Result: Login succeeded, no MySQL root password set!"
|
||||
ReportWarning ${TEST_NO} "No MySQL root password set"
|
||||
ReportWarning "${TEST_NO}" "No MySQL root password set"
|
||||
Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
|
||||
AddHP 0 5
|
||||
else
|
||||
|
@ -160,7 +160,7 @@
|
|||
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
|
||||
LogText "Result: no authorization enabled via parameter or configuration file"
|
||||
Report "mongodb_authorization_disabled=1"
|
||||
ReportWarning ${TEST_NO} "MongoDB instance allows any user to access databases"
|
||||
ReportWarning "${TEST_NO}" "MongoDB instance allows any user to access databases"
|
||||
Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_DISABLED}" --color RED
|
||||
else
|
||||
if IsVerbose; then Display --indent 4 --text "- Checking MongoDB authorization" --result "${STATUS_ENABLED}" --color GREEN; fi
|
||||
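Review bot: On the `FIND=$(${MYSQLCLIENTBINARY} ... mysql 2>/dev/null; echo $?)` line in `@ -89,7`, only stderr is discarded, so the command substitution captures the client's stdout together with the status printed by `echo $?`; if the login succeeds and the SELECT prints its count row, FIND becomes the count followed by a newline and `0` rather than `0`, and the `[ "${FIND}" = "0" ]` comparison on the next line would fail in exactly the case the test is meant to flag. Redirecting stdout as well, `FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT ..." mysql >/dev/null 2>&1; echo $?)`, keeps only the exit status, which is what the "Login succeeded" log message treats FIND as. I have not run the client, so whether the query row is printed in this mode should be confirmed before changing it. The if/else that consumes FIND continues outside the hunk.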
|
|
|
@ -307,7 +307,7 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: No SHA256 or SHA512 found for creating checksums"
|
||||
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
|
||||
ReportSuggestion "${TEST_NO}" "Use SHA256 or SHA512 to create checksums in AIDE"
|
||||
AddHP 1 3
|
||||
else
|
||||
LogText "Result: Found SHA256 or SHA512 found for creating checksums"
|
||||
|
@ -330,7 +330,7 @@
|
|||
else
|
||||
LogText "Result: No file integrity tools found"
|
||||
Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
|
||||
ReportSuggestion "${TEST_NO}" "Install a file integrity tool to monitor changes to critical and sensitive files"
|
||||
AddHP 0 5
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -44,7 +44,7 @@
|
|||
if [ -L ${I} ]; then
|
||||
ShowSymlinkPath ${I}
|
||||
LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
|
||||
ReportSuggestion ${TEST_NO} "Symlinked mount point needs to be checked manually" "${I}" ""
|
||||
ReportSuggestion "${TEST_NO}" "Symlinked mount point needs to be checked manually" "${I}" ""
|
||||
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
|
||||
elif [ -d ${I} ]; then
|
||||
LogText "Result: directory ${I} exists"
|
||||
|
@ -56,7 +56,7 @@
|
|||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
|
||||
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
|
||||
ReportSuggestion "${TEST_NO}" "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
|
||||
AddHP 9 10
|
||||
else
|
||||
LogText "Result: found ${I} as a separated mount point"
|
||||
|
@ -327,8 +327,8 @@
|
|||
else
|
||||
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
|
||||
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
|
||||
#ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap partition (${FIND})"
|
||||
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
|
||||
#ReportWarning "${TEST_NO}" "Possible incorrect mount options used for swap partition (${FIND})"
|
||||
ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap partition mount options"
|
||||
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
|
||||
fi
|
||||
fi
|
||||
|
@ -396,7 +396,7 @@
|
|||
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
|
||||
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
|
||||
LogText "directories by setting a boot option."
|
||||
ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
ReportSuggestion "${TEST_NO}" "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -415,7 +415,7 @@
|
|||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
|
||||
ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
|
||||
AddHP 0 3
|
||||
fi
|
||||
unset FIND
|
||||
|
@ -438,7 +438,7 @@
|
|||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking ${ROOTDIR}var/tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
|
||||
ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
|
||||
AddHP 0 3
|
||||
fi
|
||||
unset FIND
|
||||
|
@ -716,7 +716,7 @@
|
|||
else
|
||||
LogText "Result: database not found"
|
||||
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
|
||||
ReportSuggestion "${TEST_NO}" "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -782,7 +782,7 @@
|
|||
AddHP 2 3
|
||||
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
|
||||
# Tip to disable a particular module if it is not loaded TODO
|
||||
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
|
||||
#ReportSuggestion "${TEST_NO}" "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
|
||||
FOUND=1
|
||||
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
|
||||
else
|
||||
|
|
|
@ -128,7 +128,7 @@
|
|||
"ACCEPT")
|
||||
LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
|
||||
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
|
||||
#ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
|
||||
AddHP 1 3
|
||||
;;
|
||||
"DROP")
|
||||
|
@ -139,7 +139,7 @@
|
|||
*)
|
||||
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
|
||||
LogText "Result: Unknown policy: ${policy}"
|
||||
#ReportSuggestion ${TEST_NO} "Check iptables ${chainname} (table: ${table}) chain policy"
|
||||
#ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
@ -162,7 +162,7 @@
|
|||
FIREWALL_EMPTY_RULESET=1
|
||||
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
|
||||
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
|
||||
ReportWarning "${TEST_NO}" "iptables module(s) loaded, but no rules active"
|
||||
else
|
||||
LogText "Result: one or more rules are available (${FIND} rules)"
|
||||
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -187,7 +187,7 @@
|
|||
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
|
||||
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
|
||||
LogText "Output: iptables rule numbers: ${FIND}"
|
||||
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
|
||||
ReportSuggestion "${TEST_NO}" "Check iptables rules to see which rules are currently not used"
|
||||
LogText "Tip: iptables --list --numeric --line-numbers --verbose"
|
||||
fi
|
||||
fi
|
||||
|
@ -282,7 +282,7 @@
|
|||
else
|
||||
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: found one or more warnings in the pf filter rules"
|
||||
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
|
||||
ReportWarning "${TEST_NO}" "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
|
||||
fi
|
||||
else
|
||||
LogText "Result: /etc/pf.conf does NOT exist"
|
||||
|
@ -548,7 +548,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
|
||||
LogText "Result: no host based firewall/packet filter found or configured"
|
||||
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
|
||||
ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic"
|
||||
AddHP 0 5
|
||||
fi
|
||||
fi
|
||||
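Review bot: The ACCEPT and `*)` policy arms quote `${TEST_NO}` inside lines that are commented out (`#ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"`), so the edit has no runtime effect and keeps dead code current instead of retiring it. Either drop those lines or state the intent in a comment such as `# TODO: decide whether an ACCEPT default policy should raise a suggestion`. The same applies to the commented-out `#ReportSuggestion` lines in the swap-options, modprobe, inetd, tcp_wrappers and telnet-client hunks of the other files. The `case` statement these arms belong to starts outside the hunk.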
|
|
|
@ -76,7 +76,7 @@
|
|||
# Report suggestion is one or more compilers can be better hardened
|
||||
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
|
||||
LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
|
||||
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
|
||||
ReportSuggestion "${TEST_NO}" "Harden compilers like restricting access to root user only"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -99,7 +99,7 @@
|
|||
else
|
||||
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
|
||||
fi
|
||||
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
|
||||
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
|
||||
AddHP 1 3
|
||||
LogText "Result: no malware scanner found"
|
||||
fi
|
||||
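Review bot: The quoting pass stops at `${TEST_NO}`: in the same hunk `if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then` still expands unquoted, and if that variable is ever unset or empty the test becomes `[ -eq 1 ]`, which `[` reports as an error rather than evaluating to false. The consistent form is `if [ "${HARDEN_COMPILERS_NEEDED}" -eq 1 ]; then` (or `"${HARDEN_COMPILERS_NEEDED:-0}"` if an unset value is possible). The same pattern remains in the `[ ${FOUND} -eq 1 ]` tests of the rsh-client, rsh-server, telnet-server and sysctl hunks, in `[ ${HAS_VMLINUZ} -eq 1 ]`, the `SYSD_CORED_*` comparisons and `[ ${REBOOT_NEEDED} -eq 1 ]` of the kernel section, `[ ${REMOTE_LOGGING_ENABLED} -eq 0 ]` in the logging section, `[ ${SHOWWARNING} -eq 1 ]` in the Postfix section and `[ ${COUNT} -gt 6 ]` in the DNS section. The enclosing `if` blocks start outside their hunks.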
|
|
|
@ -141,7 +141,7 @@ EOF
|
|||
LogText "Result: the following files seem to be of the wrong file type:"
|
||||
LogText "Output: ${FIND}"
|
||||
LogText "Info: above files could be redirected files to avoid logging and should be investigated"
|
||||
ReportWarning ${TEST_NO} "Incorrect file type found for shell history file"
|
||||
ReportWarning "${TEST_NO}" "Incorrect file type found for shell history file"
|
||||
fi
|
||||
LogText "Remark: History files are normally of the type 'file'. Symbolic links and other types are suspicious."
|
||||
else
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
INETD_PACKAGE_INSTALLED=1
|
||||
LogText "Result: inetd is installed"
|
||||
Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed"
|
||||
#ReportSuggestion "${TEST_NO}" "If there are no inetd services required, it is recommended that the daemon be removed"
|
||||
else
|
||||
LogText "Result: inetd is NOT installed"
|
||||
Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN
|
||||
|
@ -105,7 +105,7 @@
|
|||
else
|
||||
LogText "Result: found services in inetd, even though inetd is not running"
|
||||
Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
|
||||
ReportSuggestion "${TEST_NO}" "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -141,7 +141,7 @@
|
|||
if PackageIsInstalled "xinetd"; then
|
||||
LogText "Result: xinetd is installed"
|
||||
Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed"
|
||||
ReportSuggestion "${TEST_NO}" "If there are no xinetd services required, it is recommended that the daemon be removed"
|
||||
else
|
||||
LogText "Result: xinetd is NOT installed"
|
||||
Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -200,7 +200,7 @@
|
|||
else
|
||||
LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running"
|
||||
Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
|
||||
ReportSuggestion "${TEST_NO}" "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -264,7 +264,7 @@
|
|||
else
|
||||
LogText "Result: tcp_wrappers is NOT installed"
|
||||
Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
|
||||
#ReportSuggestion "${TEST_NO}" "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -283,7 +283,7 @@
|
|||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: rsh client is installed"
|
||||
Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package"
|
||||
ReportSuggestion "${TEST_NO}" "Remove rsh client when it is not in use or replace with the more secure SSH package"
|
||||
else
|
||||
LogText "Result: rsh client is NOT installed"
|
||||
Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -317,7 +317,7 @@
|
|||
# if [ ${FOUND} -eq 1 ]; then
|
||||
# LogText "Result: found one or more Rsh Trust Files"
|
||||
# Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
# ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system"
|
||||
# ReportSuggestion "${TEST_NO}" "Remove every Rsh Trust Files as they can allow unauthenticated access to a system"
|
||||
# else
|
||||
# LogText "Result: no Rsh Trust Files found"
|
||||
# Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -340,7 +340,7 @@
|
|||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: rsh server is installed"
|
||||
Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH"
|
||||
ReportSuggestion "${TEST_NO}" "Remove the rsh-server package and replace with a more secure alternative like SSH"
|
||||
Report "insecure_service[]=rsh-server"
|
||||
else
|
||||
LogText "Result: rsh server is NOT installed"
|
||||
|
@ -362,7 +362,7 @@
|
|||
LogText "Result: telnet client is installed"
|
||||
Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW
|
||||
# Telnet client usage might be used for troubleshooting instead of system administration
|
||||
#ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package"
|
||||
#ReportSuggestion "${TEST_NO}" "telnet client contain numerous security exposures and have been replaced with the more secure SSH package"
|
||||
else
|
||||
LogText "Result: telnet client is NOT installed"
|
||||
Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -385,7 +385,7 @@
|
|||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: telnet server is installed"
|
||||
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible"
|
||||
ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and replace with SSH when possible"
|
||||
Report "insecure_service[]=telnet-server"
|
||||
else
|
||||
LogText "Result: telnet server is NOT installed"
|
||||
|
@ -411,7 +411,7 @@
|
|||
if [ -n "${FOUND}" ]; then
|
||||
LogText "Result: NIS client is installed"
|
||||
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "NIS client should be removed if not required. Use a more secure alternative or a protocol that can use encrypted communications."
|
||||
ReportSuggestion "${TEST_NO}" "NIS client should be removed if not required. Use a more secure alternative or a protocol that can use encrypted communications."
|
||||
else
|
||||
LogText "Result: NIS client is NOT installed"
|
||||
Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -435,7 +435,7 @@
|
|||
if [ -n "${FOUND}" ]; then
|
||||
LogText "Result: NIS server is installed"
|
||||
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services"
|
||||
ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services"
|
||||
else
|
||||
LogText "Result: NIS server is NOT installed"
|
||||
Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -459,7 +459,7 @@
|
|||
if [ -n "${FOUND}" ]; then
|
||||
LogText "Result: TFTP client is installed"
|
||||
Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server)"
|
||||
ReportSuggestion "${TEST_NO}" "It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server)"
|
||||
else
|
||||
LogText "Result: TFTP client is NOT installed"
|
||||
Display --indent 2 --text "- Checking TFTP client installation" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -483,7 +483,7 @@
|
|||
if [ -n "${FOUND}" ]; then
|
||||
LogText "Result: TFTP server is installed"
|
||||
Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of tftp services"
|
||||
ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of tftp services"
|
||||
else
|
||||
LogText "Result: TFTP server is NOT installed"
|
||||
Display --indent 2 --text "- Checking TFTP server installation" --result "${STATUS_OK}" --color GREEN
|
||||
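Review bot: In the telnet-server hunk the branch is entered on `if [ ${FOUND} -eq 1 ]; then`, yet the new line interpolates the same variable as a package name, `ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and replace with SSH when possible"`, which would render as "the 1 package" unless FOUND is reassigned in between (the hunk shows no reassignment). The NIS and TFTP hunks test `[ -n "${FOUND}" ]` and then interpolate a name, which is the consistent pattern; either test for a non-empty name here as well or name the package literally, e.g. `"Remove the telnet-server package and replace it with SSH when possible"`. The enclosing `if` block starts outside the hunk.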
|
|
|
@ -144,7 +144,7 @@
|
|||
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
|
||||
ReportSuggestion "${TEST_NO}" "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
|
||||
fi
|
||||
else
|
||||
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||
|
@ -394,7 +394,7 @@
|
|||
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
|
||||
else
|
||||
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
|
||||
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
|
||||
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
|
||||
fi
|
||||
LogText "Test: Using apt-cache policy to determine if there is an update available"
|
||||
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
|
@ -406,7 +406,7 @@
|
|||
LogText "Result: Exception occurred, no output from apt-cache policy"
|
||||
if [ ${HAS_VMLINUZ} -eq 1 ]; then
|
||||
ReportException "${TEST_NO}:01"
|
||||
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy to determine why its output is empty"
|
||||
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
|
||||
fi
|
||||
LogText "Result: apt-cache policy did not return an installed kernel version"
|
||||
else
|
||||
|
@ -422,7 +422,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
|
||||
LogText "Result: kernel update available according 'apt-cache policy'."
|
||||
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
|
||||
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
@ -465,13 +465,13 @@
|
|||
TMP_COLOR="GREEN"
|
||||
if [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -gt 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -gt 1 ]; then
|
||||
LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set multiple times in systemd configuration files. Check config!"
|
||||
ReportSuggestion ${TEST_NO} "Check systemd configuration for duplicate entries of core dump settings"
|
||||
ReportSuggestion "${TEST_NO}" "Check systemd configuration for duplicate entries of core dump settings"
|
||||
TMP_COLOR="YELLOW"
|
||||
fi
|
||||
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DISABLED}" --color "${TMP_COLOR}"
|
||||
elif [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] || [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
|
||||
LogText "Result: 'ProcessSizeMax=0' and 'Storage=none' are set in ${ROOTDIR}etc/systemd/coredump.conf but overwritten in subdir config files"
|
||||
ReportSuggestion ${TEST_NO} "Check systemd configuration for overwriting core dump settings"
|
||||
ReportSuggestion "${TEST_NO}" "Check systemd configuration for overwriting core dump settings"
|
||||
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color YELLOW
|
||||
AddHP 0 1
|
||||
elif ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] ) || \
|
||||
|
@ -479,7 +479,7 @@
|
|||
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
|
||||
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
|
||||
LogText "Result: core dumps are explicitely enabled in systemd configuration files"
|
||||
ReportSuggestion ${TEST_NO} "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
|
||||
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
|
||||
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
|
||||
AddHP 0 1
|
||||
else
|
||||
|
@ -755,7 +755,7 @@
|
|||
AddHP 5 5
|
||||
elif [ ${REBOOT_NEEDED} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED
|
||||
ReportWarning ${TEST_NO} "Reboot of system is most likely needed" "" "text:reboot"
|
||||
ReportWarning "${TEST_NO}" "Reboot of system is most likely needed" "" "text:reboot"
|
||||
AddHP 0 5
|
||||
else
|
||||
Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
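Review bot: `FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')` in the vmlinuz hunk leaves `${FINDKERNEL}` unquoted two lines below the argument the commit quotes; an empty or space-containing value changes what `apt-cache policy` receives, so `apt-cache policy "${FINDKERNEL}"` is the consistent form, with an explicit guard if an empty value is possible rather than relying on word splitting to drop the argument. Separately, the core-dump hunk's log line `LogText "Result: core dumps are explicitely enabled in systemd configuration files"` misspells "explicitly" and sits directly above a line this commit touches. The enclosing `if`/`elif` chains start and end outside these hunks.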
|
|
|
@ -106,7 +106,7 @@
|
|||
# Add suggestion if one or more sysctls have a different value than scan profile
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: found ${N} keys that can use tuning, according scan profile"
|
||||
ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"
|
||||
ReportSuggestion "${TEST_NO}" "One or more sysctl values differ from the scan profile and could be tweaked" "" "Change sysctl value or disable test (skip-test=${TEST_NO}:<sysctl-key>)"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
|
|
@ -47,7 +47,7 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
|
||||
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
|
||||
ReportSuggestion "${TEST_NO}" "Check if any syslog daemon is running and correctly configured."
|
||||
AddHP 0 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -92,7 +92,7 @@
|
|||
else
|
||||
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
|
||||
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
|
||||
ReportSuggestion "${TEST_NO}" "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -191,7 +191,7 @@
|
|||
else
|
||||
LogText "Result: No klogd found"
|
||||
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
|
||||
ReportWarning "${TEST_NO}" "klogd is not running, which could lead to missing kernel messages in log files"
|
||||
fi
|
||||
else
|
||||
LogText "Result: test skipped, because other facility is being used to log kernel messages"
|
||||
|
@ -210,7 +210,7 @@
|
|||
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: minilogd found in process list"
|
||||
# minilogd daemon seems to be running
|
||||
ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running"
|
||||
ReportWarning "${TEST_NO}" "minilogd is running, which should normally not be running"
|
||||
else
|
||||
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: No minilogd is running"
|
||||
|
@ -247,7 +247,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: No logrotate configuration found"
|
||||
ReportSuggestion ${TEST_NO} "Check if log files are properly rotated"
|
||||
ReportSuggestion "${TEST_NO}" "Check if log files are properly rotated"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -328,8 +328,8 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: No loghost entry found"
|
||||
ReportWarning ${TEST_NO} "No loghost entry found"
|
||||
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
|
||||
ReportWarning "${TEST_NO}" "No loghost entry found"
|
||||
ReportSuggestion "${TEST_NO}" "Add a loghost entry to /etc/inet/hosts or other name services"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -421,7 +421,7 @@
|
|||
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
|
||||
Report "remote_syslog_configured=0"
|
||||
LogText "Result: no remote logging found"
|
||||
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
|
||||
ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
|
||||
AddHP 1 3
|
||||
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
|
||||
else
|
||||
|
@ -556,7 +556,7 @@
|
|||
Report "deleted_file[]=${I}"
|
||||
done
|
||||
Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
|
||||
ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
|
||||
else
|
||||
LogText "Result: no deleted files found"
|
||||
Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
|
||||
|
|
|
@ -83,7 +83,7 @@
|
|||
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
|
||||
elif [ $? -eq 2 ]; then
|
||||
LogText "Result: AppArmor is enabled, but no policy is loaded"
|
||||
ReportSuggestion ${TEST_NO} "Load AppArmor policies"
|
||||
ReportSuggestion "${TEST_NO}" "Load AppArmor policies"
|
||||
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
|
||||
Report "apparmor_enabled=1"
|
||||
Report "apparmor_policy_loaded=0"
|
||||
|
@ -148,7 +148,7 @@
|
|||
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
|
||||
ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
|
||||
ReportWarning "${TEST_NO}" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
|
||||
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
Display --indent 8 --text "Current SELinux mode: ${FIND}"
|
||||
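Review bot: `elif [ $? -eq 2 ]; then` reads the exit status of whatever command ran last, which at that point appears to be the preceding `elif` test rather than the AppArmor status command this chain classifies, so the comparison with 2 may never be reached with the intended value. Capturing the status once right after the command, e.g. `aa_status=$?`, and testing `[ "${aa_status}" -eq 2 ]` in each branch makes the intent explicit and robust to later edits. The `if` chain starts outside the hunk, so confirm how the earlier branches obtain their status before changing this one.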
|
|
|
@ -286,7 +286,7 @@
|
|||
Report "postfix_config_error=1"
|
||||
Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
|
||||
ReportSuggestion ${TEST_NO} "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
|
||||
ReportSuggestion "${TEST_NO}" "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
|
||||
else
|
||||
LogText "Result: all looks to be fine with Postfix configuration"
|
||||
if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi
|
||||
|
@ -327,8 +327,8 @@
|
|||
if [ ${SHOWWARNING} -eq 1 ]; then
|
||||
Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
|
||||
ReportWarning ${TEST_NO} "Found some information disclosure in SMTP banner (OS or software name)"
|
||||
ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
|
||||
ReportWarning "${TEST_NO}" "Found some information disclosure in SMTP banner (OS or software name)"
|
||||
ReportSuggestion "${TEST_NO}" "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
|
||||
else
|
||||
if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi
|
||||
fi
|
||||
|
|
|
@ -297,7 +297,7 @@
|
|||
else
|
||||
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: freshclam is not running"
|
||||
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
|
||||
ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
|
|
@ -85,7 +85,7 @@
|
|||
LogText "Result: found one or more dead or zombie processes"
|
||||
LogText "Output: PIDs ${FIND}"
|
||||
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_FOUND}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
|
||||
ReportSuggestion "${TEST_NO}" "Check the output of ps for dead or zombie processes"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -110,7 +110,7 @@
|
|||
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
|
||||
LogText "Output: PIDs ${FIND}"
|
||||
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_FOUND}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
|
||||
ReportSuggestion "${TEST_NO}" "Check process listing for processes waiting for IO requests"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
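Review bot: The IO-wait hunk's context line `LogText "More info: processes which show up with the status flag 'D' ... where the connection or protocol settings are not logtext well configured."` carries a stray word; "logtext" looks like a paste artifact and the sentence presumably means `... settings are not well configured.` Since the commit already edits the `ReportSuggestion` line three lines below it, the wording fix belongs in the same change. The enclosing `if` block starts outside the hunk.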
|
|
|
@ -84,7 +84,7 @@
|
|||
if [ ${COUNT} -gt 6 ]; then
|
||||
LogText "Result: Found ${COUNT} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
|
||||
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
|
||||
ReportWarning "${TEST_NO}" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
|
||||
else
|
||||
LogText "Result: Found ${COUNT} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
@ -95,7 +95,7 @@
|
|||
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
|
||||
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
|
||||
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
|
||||
ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
|
||||
ReportWarning "${TEST_NO}" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
|
||||
else
|
||||
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
|
||||
fi
|
||||
|
@ -204,7 +204,7 @@
|
|||
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
|
||||
else
|
||||
Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
|
||||
ReportSuggestion "${TEST_NO}" "Check DNS configuration for the dns domain name"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -324,7 +324,7 @@
|
|||
else
|
||||
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
|
||||
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
|
||||
ReportWarning "${TEST_NO}" "Errors discovered in BIND configuration file"
|
||||
fi
|
||||
else
|
||||
LogText "Result: named-checkconf not found, skipping test"
|
||||
|
@ -347,8 +347,8 @@
|
|||
else
|
||||
LogText "Result: possible BIND version available in version banner"
|
||||
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found BIND version in banner"
|
||||
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
|
||||
ReportWarning "${TEST_NO}" "Found BIND version in banner"
|
||||
ReportSuggestion "${TEST_NO}" "The version in BIND can be masked by defining 'version none' in the configuration file"
|
||||
AddHP 0 2
|
||||
fi
|
||||
fi
|
||||
|
@ -599,7 +599,7 @@
|
|||
else
|
||||
LogText "Result: No entry found for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
|
||||
Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
|
||||
ReportSuggestion "${TEST_NO}" "Add the IP name and FQDN to /etc/hosts for proper name resolving"
|
||||
LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
|
||||
fi
|
||||
else
|
||||
|
@ -621,7 +621,7 @@
|
|||
LogText "Output: ${DATA}"
|
||||
Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_FOUND}" --color YELLOW
|
||||
LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
|
||||
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
|
||||
ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system"
|
||||
else
|
||||
LogText "Result: this server hostname is not mapped to a local address"
|
||||
Display --indent 4 --text "- Hostname mapped to localhost" --result "${STATUS_NOT_FOUND}" --color GREEN
|
||||
|
@ -654,7 +654,7 @@
|
|||
LogText "Result: this server hostname is not mapped to a local address"
|
||||
Display --indent 4 --text "- Localhost mapping to IP address" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Information: Ensure that localhost resolves back to 127.0.0.1 (and/or ::1)."
|
||||
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
|
||||
ReportSuggestion "${TEST_NO}" "Split resolving between localhost and the hostname of the system" "/etc/hosts" "text:Check your localhost line"
|
||||
fi
|
||||
fi
|
||||
#
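Review bot: The test in hunk `@ -95,7 +95,7 @@`, `[ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]`, relies on the obsolescent `-a` operator with nine arguments, which POSIX leaves unspecified and which older `/bin/sh` implementations parse differently; the commit quotes `${TEST_NO}` on the next line but keeps this form. A portable equivalent is `if [ "${FIND}" != "0" ] && [ "${FIND}" != "1" ]; then`. In the same spirit as this commit, `[ ${COUNT} -gt 6 ]` in hunk `@ -84,7 +84,7 @@` is still unquoted; `[ "${COUNT}" -gt 6 ]` keeps the quoting consistent. Both enclosing if blocks start outside their hunks.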
|
||||
|
|
|
@ -147,8 +147,8 @@
|
|||
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
|
||||
LogText "Result: nameserver ${I} does NOT respond"
|
||||
LogText "Exit-code from dig: ${DNSRESPONSE}"
|
||||
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
|
||||
ReportWarning ${TEST_NO} "Nameserver ${I} does not respond"
|
||||
ReportSuggestion "${TEST_NO}" "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
|
||||
ReportWarning "${TEST_NO}" "Nameserver ${I} does not respond"
|
||||
fi
|
||||
else
|
||||
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
|
||||
|
@ -171,9 +171,9 @@
|
|||
if [ ${NUMBERACTIVENS} -lt 2 ]; then
|
||||
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: less than 2 responsive nameservers found"
|
||||
ReportWarning ${TEST_NO} "Couldn't find 2 responsive nameservers"
|
||||
ReportWarning "${TEST_NO}" "Couldn't find 2 responsive nameservers"
|
||||
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
|
||||
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
|
||||
ReportSuggestion "${TEST_NO}" "Check your resolv.conf file and fill in a backup nameserver if possible"
|
||||
AddHP 1 2
|
||||
else
|
||||
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -489,7 +489,7 @@
|
|||
# Check if this interface was whitelisted
|
||||
if [ ${WHITELISTED} -eq 0 ]; then
|
||||
FOUNDPROMISC=1
|
||||
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
|
||||
ReportWarning "${TEST_NO}" "Found promiscuous interface (${I})"
|
||||
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
|
||||
else
|
||||
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
|
||||
|
@ -539,7 +539,7 @@
|
|||
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
|
||||
if [ -z "${ISWHITELISTED}" ]; then
|
||||
FOUNDPROMISC=1
|
||||
ReportWarning ${TEST_NO} "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
|
||||
ReportWarning "${TEST_NO}" "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
|
||||
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
|
||||
else
|
||||
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
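Review bot: In hunk `@ -539,7 +539,7 @@` the file operand `${PROFILE}` in `ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})` is still unquoted, so a profile path containing whitespace is split into several operands and the whitelist lookup fails silently; the same quoting the commit applies to `${TEST_NO}` belongs here: `ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" "${PROFILE}")`. The integer tests `[ ${NUMBERACTIVENS} -lt 2 ]` (hunk `@ -171,9 +171,9 @@`) and `[ ${WHITELISTED} -eq 0 ]` (hunk `@ -489,7 +489,7 @@`) are also unquoted; if either variable were ever empty, `test` would error out and the if would fall through to the else branch, which for the promiscuous-interface check means the warning is skipped. Presumably both are always initialised before this point (outside the hunk), but a defaulted form such as `[ "${WHITELISTED:-0}" -eq 0 ]` would fail closed. All three enclosing blocks start outside their hunks.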
|
||||
|
|
|
@ -230,7 +230,7 @@
|
|||
if [ ${FOUND} -eq 0 ]; then
|
||||
LogText "Result: all PHP functions can be executed"
|
||||
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
|
||||
ReportSuggestion "${TEST_NO}" "Harden PHP by disabling risky functions"
|
||||
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
|
||||
AddHP 0 1
|
||||
else
|
||||
|
@ -268,8 +268,8 @@
|
|||
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
if [ -n "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
|
||||
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
|
||||
ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
|
||||
ReportSuggestion "${TEST_NO}" "Change the register_globals line to: register_globals = Off"
|
||||
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
|
||||
AddHP 1 2
|
||||
else
|
||||
|
@ -302,7 +302,7 @@
|
|||
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Turn off PHP information exposure" "expose_php = Off" "-"
|
||||
ReportSuggestion "${TEST_NO}" "Turn off PHP information exposure" "expose_php = Off" "-"
|
||||
Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
|
||||
AddHP 1 3
|
||||
else
|
||||
|
@ -325,7 +325,7 @@
|
|||
if [ -n "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
|
||||
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
|
||||
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
|
||||
ReportSuggestion "${TEST_NO}" "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
|
||||
AddHP 0 1
|
||||
else
|
||||
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
|
||||
|
@ -347,7 +347,7 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
|
||||
LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
|
||||
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
|
||||
ReportSuggestion "${TEST_NO}" "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
|
||||
AddHP 0 1
|
||||
else
|
||||
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
|
||||
|
@ -370,7 +370,7 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
|
||||
Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
|
||||
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
|
||||
ReportSuggestion "${TEST_NO}" "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
|
||||
AddHP 0 1
|
||||
else
|
||||
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
|
||||
|
@ -419,7 +419,7 @@
|
|||
# if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
|
||||
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
|
||||
# LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
|
||||
# ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
|
||||
# ReportSuggestion "${TEST_NO}" "Disable Suhosin for PHP 7"
|
||||
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
|
||||
# Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
|
||||
# AddHP 0 1
|
||||
|
@ -433,7 +433,7 @@
|
|||
# if [ ${FOUND} -eq 0 ]; then
|
||||
# LogText "Result: Suhosin extension is not enabled"
|
||||
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
|
||||
# ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin extension"
|
||||
# ReportSuggestion "${TEST_NO}" "Harden PHP by enabling suhosin extension"
|
||||
# LogText "suhosin extension is not enabled"
|
||||
# AddHP 0 1
|
||||
# else
|
||||
|
@ -449,7 +449,7 @@
|
|||
# else
|
||||
# LogText "Result: Suhosin simulation mode is active"
|
||||
# Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED
|
||||
# ReportSuggestion ${TEST_NO} "Harden PHP by deactivating suhosin simulation mode"
|
||||
# ReportSuggestion "${TEST_NO}" "Harden PHP by deactivating suhosin simulation mode"
|
||||
# LogText "suhosin simulation mode is active"
|
||||
# AddHP 0 1
|
||||
# fi
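Review bot: In hunk `@ -268,8 +268,8 @@` the php.ini path `${PHPINIFILE}` is passed unquoted to `${EGREPBINARY}`, so the register_globals check silently matches nothing when the path contains spaces; the commit's quoting should extend to it: `FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' "${PHPINIFILE}" | ${GREPBINARY} -v '^;')`. The "Result: ..." lines in hunks `@ -302,7`, `@ -325,7` and `@ -370,7` go through `Report`, whereas the equivalent line in hunk `@ -347,7` uses `LogText`; if `Report` writes to the report file rather than the log, as the name suggests, those three look like they should be `LogText` as well, but please confirm against the helper definitions. Hunks `@ -419,7`, `@ -433,7` and `@ -449,7` edit commented-out Suhosin code; maintaining dead code is a style concern, and either removing it or leaving it untouched would be cleaner. All enclosing if blocks start outside their hunks.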
|
||||
|
|
|
@ -372,7 +372,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Zypper found one or more installed packages which are vulnerable."
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
|
||||
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages installed"
|
||||
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
|
||||
FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||
LogText "List of vulnerable packages/version:"
|
||||
|
@ -487,7 +487,7 @@
|
|||
COUNT=$((COUNT + 1))
|
||||
LogText "Found unpurged package: ${J}"
|
||||
done
|
||||
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
|
||||
ReportSuggestion "${TEST_NO}" "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
|
||||
fi
|
||||
else
|
||||
LogText "Result: dpkg can NOT be found on this system, test skipped"
|
||||
|
@ -510,7 +510,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
|
||||
LogText "Result: found ${FIND} unused distfiles"
|
||||
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
|
||||
ReportSuggestion "${TEST_NO}" "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -561,7 +561,7 @@
|
|||
# Decrease hardening points for every found vulnerable package
|
||||
AddHP 1 2
|
||||
done
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
|
||||
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages. Run: dnf upgrade"
|
||||
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
else
|
||||
LogText "Result: no security updates found"
|
||||
|
@ -618,13 +618,13 @@
|
|||
LogText "Result: no cron job is configured for debsecan"
|
||||
Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
AddHP 1 3
|
||||
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
|
||||
ReportSuggestion "${TEST_NO}" "Check debsecan cron job and ensure it is enabled"
|
||||
fi
|
||||
else
|
||||
LogText "Result: debsecan is not installed."
|
||||
Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
AddHP 0 2
|
||||
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
|
||||
ReportSuggestion "${TEST_NO}" "Install debsecan to check for vulnerabilities on installed packages."
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -655,7 +655,7 @@
|
|||
else
|
||||
LogText "Result: debsums utility is not installed."
|
||||
AddHP 0 2
|
||||
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
|
||||
ReportSuggestion "${TEST_NO}" "Install debsums utility for the verification of packages with known good database."
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -702,7 +702,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
|
||||
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
|
@ -755,7 +755,7 @@
|
|||
LogText "Vulnerable package: ${ITEM}"
|
||||
AddHP 1 2
|
||||
done
|
||||
ReportWarning ${TEST_NO} "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
|
||||
ReportWarning "${TEST_NO}" "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
|
||||
else
|
||||
LogText "Result: found an exit code greater than zero, yet no output"
|
||||
fi
|
||||
|
@ -786,8 +786,8 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Portaudit found one or more installed packages which are vulnerable."
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
|
||||
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
|
||||
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
|
||||
ReportSuggestion "${TEST_NO}" "Update your system with portupgrade or other tools"
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
|
@ -812,7 +812,7 @@
|
|||
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
|
||||
LogText "Result: YUM package update management failed"
|
||||
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "YUM is not properly configured or registered for this platform (no repolist found)"
|
||||
ReportWarning "${TEST_NO}" "YUM is not properly configured or registered for this platform (no repolist found)"
|
||||
else
|
||||
LogText "Result: YUM repository available (${FIND})"
|
||||
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -838,8 +838,8 @@
|
|||
else
|
||||
LogText "Result: One or more duplicate packages found"
|
||||
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found one or more duplicate packages installed"
|
||||
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
|
||||
ReportWarning "${TEST_NO}" "Found one or more duplicate packages installed"
|
||||
ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve duplicate package problems"
|
||||
fi
|
||||
|
||||
# Check for package database problems
|
||||
|
@ -851,13 +851,13 @@
|
|||
else
|
||||
LogText "Result: One or more problems found in package database"
|
||||
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found one or more problems in the package database"
|
||||
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
|
||||
ReportWarning "${TEST_NO}" "Found one or more problems in the package database"
|
||||
ReportSuggestion "${TEST_NO}" "Run package-cleanup to solve package problems"
|
||||
fi
|
||||
else
|
||||
Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: YUM utils package not found"
|
||||
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
|
||||
ReportSuggestion "${TEST_NO}" "Install package 'yum-utils' for better consistency checking of the package database"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -927,12 +927,12 @@
|
|||
LogText "Vulnerable package: ${I}"
|
||||
AddHP 1 2
|
||||
done
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
|
||||
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
|
||||
fi
|
||||
else
|
||||
LogText "Result: yum-security package not found"
|
||||
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
|
||||
ReportSuggestion "${TEST_NO}" "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -973,7 +973,7 @@
|
|||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
|
||||
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
|
||||
ReportWarning "${TEST_NO}" "No GPG signing option found in yum.conf"
|
||||
AddHP 2 3
|
||||
fi
|
||||
fi
|
||||
|
@ -1019,7 +1019,7 @@
|
|||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
|
||||
ReportWarning "${TEST_NO}" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
|
||||
AddHP 0 3
|
||||
fi
|
||||
else
|
||||
|
@ -1043,8 +1043,8 @@
|
|||
else
|
||||
LogText "Result: package database is most likely NOT consistent"
|
||||
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "apt-get check returned a non successful exit code."
|
||||
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
|
||||
ReportWarning "${TEST_NO}" "apt-get check returned a non successful exit code."
|
||||
ReportSuggestion "${TEST_NO}" "Run apt-get to perform a manual package database consistency check."
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -1080,7 +1080,7 @@
|
|||
# Check if we get the proper line back and amount of security patches available
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: did not find security updates line"
|
||||
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
|
||||
ReportSuggestion "${TEST_NO}" "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
|
||||
ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
|
||||
else
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
|
@ -1113,8 +1113,8 @@
|
|||
fi
|
||||
if [ ${SCAN_PERFORMED} -eq 1 ]; then
|
||||
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
|
||||
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
|
||||
ReportWarning "${TEST_NO}" "Found one or more vulnerable packages."
|
||||
ReportSuggestion "${TEST_NO}" "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
|
||||
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
else
|
||||
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -1173,7 +1173,7 @@
|
|||
fi
|
||||
else
|
||||
LogText "Result: glsa-check tool not found"
|
||||
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
|
||||
ReportSuggestion "${TEST_NO}" "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -1205,7 +1205,7 @@
|
|||
else
|
||||
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
|
||||
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
|
||||
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
|
||||
ReportSuggestion "${TEST_NO}" "Install package apt-show-versions for patch management purposes"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -1219,7 +1219,7 @@
|
|||
LogText "Test: checking for package audit tool"
|
||||
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
|
||||
ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages"
|
||||
LogText "Result: no package audit tool found"
|
||||
else
|
||||
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
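Review bot: The test in hunk `@ -812,7 +812,7 @@`, `[ -z "${FIND}" -o "${FIND}" = "0" ]`, uses the obsolescent `-o` operator, whose result POSIX leaves unspecified with this many arguments; the commit quotes `${TEST_NO}` on the next line but keeps this form. The portable equivalent is `if [ -z "${FIND}" ] || [ "${FIND}" = "0" ]; then`. The integer tests `[ ${SCAN_PERFORMED} -eq 1 ]` and `[ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]` in hunk `@ -1113,8 +1113,8 @@` are still unquoted, which is inconsistent with the quoting this commit introduces two lines later; if either variable were empty, `test` would error and the vulnerable-packages warning would be skipped rather than reported. Both enclosing blocks start outside their hunks.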
|
||||
|
|
|
@ -55,7 +55,7 @@
|
|||
LogText "Result: chkprintcap did NOT gave any warnings"
|
||||
else
|
||||
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
|
||||
ReportSuggestion "${TEST_NO}" "Run chkprintcap manually to test printcap file"
|
||||
LogText "Output from chkprintcap: ${FIND}"
|
||||
LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file"
|
||||
fi
|
||||
|
@ -124,7 +124,7 @@
|
|||
;;
|
||||
* )
|
||||
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
|
||||
ReportSuggestion "${TEST_NO}" "Access to CUPS configuration could be more strict."
|
||||
AddHP 1 2
|
||||
;;
|
||||
esac
|
||||
|
@ -157,12 +157,12 @@
|
|||
AddHP 2 2
|
||||
else
|
||||
LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
|
||||
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
|
||||
ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to listen on the network"
|
||||
AddHP 1 2
|
||||
fi
|
||||
else
|
||||
LogText "Result: CUPS daemon is running on several network addresses"
|
||||
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
|
||||
ReportSuggestion "${TEST_NO}" "Check CUPS configuration if it really needs to run on several network addresses"
|
||||
AddHP 1 2
|
||||
fi
|
||||
|
||||
|
@ -240,7 +240,7 @@
|
|||
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
|
||||
LogText "Result: qdaemon daemon not running"
|
||||
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
|
||||
ReportSuggestion "${TEST_NO}" "Activate print spooler daemon (qdaemon) in order to process print jobs"
|
||||
else
|
||||
LogText "Result: qdaemon daemon not running"
|
||||
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
|
||||
|
@ -267,7 +267,7 @@
|
|||
done
|
||||
LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
|
||||
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
|
||||
ReportSuggestion "${TEST_NO}" "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
|
||||
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
|
||||
else
|
||||
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
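Review bot: The log string in hunk `@ -55,7 +55,7 @@`, "chkprintcap did NOT gave any warnings", is ungrammatical and ends up verbatim in the log file; it should read `LogText "Result: chkprintcap did NOT give any warnings"`. In hunk `@ -240,7 +240,7 @@` the test `[ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]` is still unquoted while the `${TEST_NO}` argument two lines below is now quoted; `[ "${QDAEMON_CONFIG_ENABLED}" -eq 1 ]` keeps the style consistent. Both enclosing if blocks start outside their hunks.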
|
||||
|
|
|
@ -61,7 +61,7 @@
|
|||
LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
|
||||
LogText "Output ${ROOTDIR}etc/ttys:"
|
||||
LogText "${FIND}"
|
||||
ReportWarning ${TEST_NO} "Found unprotected console in ${ROOTDIR}etc/ttys"
|
||||
ReportWarning "${TEST_NO}" "Found unprotected console in ${ROOTDIR}etc/ttys"
|
||||
LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -93,7 +93,7 @@
|
|||
AddHP 2 2
|
||||
else
|
||||
Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found easy guessable SNMP community string"
|
||||
ReportWarning "${TEST_NO}" "Found easy guessable SNMP community string"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
|
|
@ -135,8 +135,8 @@
|
|||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
|
||||
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
|
||||
ReportWarning ${TEST_NO} "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
|
||||
ReportSuggestion "${TEST_NO}" "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
|
||||
ReportWarning "${TEST_NO}" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
|
||||
AddHP 0 2
|
||||
else
|
||||
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
|
||||
|
@ -231,13 +231,13 @@
|
|||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no Safe_ports found"
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
|
||||
ReportSuggestion "${TEST_NO}" "Check if Squid has been configured to restrict access to all safe ports"
|
||||
else
|
||||
LogText "Result: checking ACL safe ports"
|
||||
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
|
||||
if IsEmpty "${FIND2}"; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
|
||||
ReportSuggestion "${TEST_NO}" "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
|
||||
AddHP 0 1
|
||||
else
|
||||
LogText "Result: Safe_ports found"
|
||||
|
@ -256,7 +256,7 @@
|
|||
AddHP 1 1
|
||||
else
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
|
||||
ReportWarning "${TEST_NO}" "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
|
||||
AddHP 0 1
|
||||
fi
|
||||
done
|
||||
|
@ -282,7 +282,7 @@
|
|||
LogText "Result: option reply_body_max_size not configured"
|
||||
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
|
||||
AddHP 1 2
|
||||
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
|
||||
ReportSuggestion "${TEST_NO}" "Configure Squid option reply_body_max_size to limit the upper size of requests."
|
||||
else
|
||||
LogText "Result: option reply_body_max_size configured"
|
||||
LogText "Output: ${FIND}"
|
||||
|
@ -309,7 +309,7 @@
|
|||
LogText "Result: option httpd_suppress_version_string not configured"
|
||||
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
AddHP 1 2
|
||||
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
|
||||
ReportSuggestion "${TEST_NO}" "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
|
||||
else
|
||||
LogText "Result: option httpd_suppress_version_string configured"
|
||||
LogText "Output: ${FIND}"
|
||||
|
|
|
@ -267,13 +267,13 @@
|
|||
AddHP 3 3
|
||||
elif [ "${RESULT}" = "MIDSCORED" ]; then
|
||||
LogText "Result: OpenSSH option ${OPTIONNAME} is configured reasonably"
|
||||
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
|
||||
ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
|
||||
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
|
||||
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
AddHP 1 3
|
||||
elif [ "${RESULT}" = "WEAK" ]; then
|
||||
LogText "Result: OpenSSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
|
||||
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
|
||||
ReportSuggestion "${TEST_NO}" "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-"
|
||||
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
|
||||
Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
AddHP 0 3
|
||||
|
|
|
@ -149,7 +149,7 @@
|
|||
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
|
||||
Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
|
||||
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
|
||||
ReportSuggestion "${TEST_NO}" "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -164,7 +164,7 @@
|
|||
if [ -n "${sFIND}" ]; then
|
||||
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
|
||||
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
|
||||
ReportSuggestion "${TEST_NO}" "Specify clients that are allowed to access a NFS share /etc/exports"
|
||||
AddHP 2 3
|
||||
else
|
||||
LogText "Result: only some clients are allowed to access a NFS share"
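Review bot: The condition on the first line of the hunk at -149, `if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then`, still expands the variable unquoted, so an unset or empty NFS_EXPORTS_EMPTY collapses the test to `[ -eq 1 ]` and `[` reports a "unary operator expected" error rather than taking either branch; since this commit is quoting arguments anyway, `if [ "${NFS_EXPORTS_EMPTY}" -eq 1 ]; then` belongs in the same pass. The identical pattern sits on context lines of later hunks in this commit: `${NTP_DAEMON_RUNNING}` in the ntpdate hunk, `${FOUND}` in the step-tickers hunk, and `${NGINX_SSL_SUGGESTION}` / `${NGINX_LOG_SUGGESTION}` in the nginx hunks. The enclosing if/fi for the NFS daemon check starts before this hunk, so whether the variable is always initialised on that path cannot be confirmed from here.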
|
||||
|
|
|
@ -189,7 +189,7 @@
|
|||
NTP_CONFIG_TYPE_STARTUP=1
|
||||
# Only show suggestion when ntpdate is enabled, however ntpd is not running
|
||||
if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then
|
||||
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon"
|
||||
ReportSuggestion "${TEST_NO}" "Although ntpdate is enabled in rc.conf, it is advised to run it at least daily or use a NTP daemon"
|
||||
fi
|
||||
else
|
||||
LogText "Result: ntpdate is not enabled in rc.conf"
|
||||
|
@ -202,7 +202,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Could not find a NTP daemon or client"
|
||||
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
|
||||
ReportSuggestion "${TEST_NO}" "Use NTP daemon or NTP client to prevent time issues."
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
|
@ -241,7 +241,7 @@
|
|||
LogText "Result: Found one or more association ID's"
|
||||
else
|
||||
Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
|
||||
ReportSuggestion "${TEST_NO}" "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -276,7 +276,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found ${COUNT} high stratum (16) peers)"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
|
||||
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for stratum 16 peers"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -302,7 +302,7 @@
|
|||
LogText "Unreliable peer: ${I}"
|
||||
Report "ntp_unreliable_peer[]=${I}"
|
||||
done
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them"
|
||||
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for unreliable ntp peers and correct/replace them"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -324,7 +324,7 @@
|
|||
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
|
||||
LogText "Local source: ${FIND}"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
|
||||
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for selected time source"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -340,7 +340,7 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
|
||||
LogText "Result: No other time source candidates found"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
|
||||
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for time source candidates"
|
||||
else
|
||||
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: Found one or more candidates to synchronize time with."
|
||||
|
@ -371,7 +371,7 @@
|
|||
LogText "Falseticker found: ${I}"
|
||||
Report "ntp_falseticker[]=${I}"
|
||||
done
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers"
|
||||
ReportSuggestion "${TEST_NO}" "Check ntpq peers output for falsetickers"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -387,7 +387,7 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
LogText "Result: No NTP version found"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
|
||||
ReportSuggestion "${TEST_NO}" "Check ntpq output for NTP protocol version"
|
||||
else
|
||||
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found NTP version ${FIND}"
|
||||
|
@ -438,7 +438,7 @@
|
|||
else
|
||||
LogText "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
|
||||
Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Use step-tickers file for quicker time synchronization"
|
||||
ReportSuggestion "${TEST_NO}" "Use step-tickers file for quicker time synchronization"
|
||||
fi
|
||||
else
|
||||
LogText "Result: ${FILE} is not empty, which is fine"
|
||||
|
@ -455,7 +455,7 @@
|
|||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file"
|
||||
ReportSuggestion "${TEST_NO}" "Some time servers missing in step-tickers file"
|
||||
AddHP 3 4
|
||||
else
|
||||
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN
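Review bot: The log line in the high-stratum hunk (-276), `LogText "Result: Found ${COUNT} high stratum (16) peers)"`, carries a stray closing parenthesis after `peers`, which lands in the log file every time that branch is taken; `LogText "Result: Found ${COUNT} high stratum (16) peers"` reads cleanly. COUNT is computed outside the hunk, so its origin and quoting could not be checked here.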
|
||||
|
|
|
@ -182,7 +182,7 @@
|
|||
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
|
||||
ReportSuggestion "${TEST_NO}" "Determine if automation tools are present for system management"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -412,7 +412,7 @@
|
|||
AddHP 2 2
|
||||
else
|
||||
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools"
|
||||
#ReportSuggestion "${TEST_NO}" "Install and configure automated intrusion detection/prevention tools"
|
||||
AddHP 0 2
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -75,7 +75,7 @@
|
|||
LogText "Result: usb-storage driver is not explicitly disabled"
|
||||
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
|
||||
if [ "${USBGUARD_FOUND}" -eq "0" ]; then
|
||||
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
|
||||
ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
|
||||
fi
|
||||
AddHP 2 3
|
||||
else
|
||||
|
@ -117,7 +117,7 @@
|
|||
Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
|
||||
# To-Be-Added: create documentation and enable the suggestion
|
||||
#if [ ${USBGUARD_FOUND} -eq 0 ]; then
|
||||
# ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
|
||||
# ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft"
|
||||
#fi
|
||||
AddHP 0 3
|
||||
else
|
||||
|
@ -160,7 +160,7 @@
|
|||
Display --indent 6 --text "- Restore controller device state" --result "${USBGUARD_RESTORE_POLICY}" --color YELLOW
|
||||
LogText " Consider changing RestoreControllerDeviceState to \"false\""
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)"
|
||||
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "RestoreControllerDeviceState (${USBGUARD_RESTORE_POLICY} --> false)"
|
||||
AddHP 0 1
|
||||
;;
|
||||
"false")
|
||||
|
@ -171,7 +171,7 @@
|
|||
LogText "Result: Invalid configuration for RestoreControllerDeviceState"
|
||||
Display --indent 6 --text "- Restore controller device state" --result "Invalid" --color RED
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\""
|
||||
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "RestoreControllerDeviceState invalid \"${USBGUARD_RESTORE_POLICY}\""
|
||||
AddHP 0 1
|
||||
;;
|
||||
esac
|
||||
|
@ -191,7 +191,7 @@
|
|||
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "${USBGUARD_CONTROLLER_POLICY}" --color YELLOW
|
||||
LogText " Consider changing PresentControllerPolicy to \"apply-policy\", \"block\" or \"reject\""
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)"
|
||||
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentControllerPolicy (${USBGUARD_CONTROLLER_POLICY} --> (apply-policy|block|reject)"
|
||||
AddHP 0 1
|
||||
;;
|
||||
"apply-policy" | "block" | "reject")
|
||||
|
@ -202,7 +202,7 @@
|
|||
LogText "Result: Invalid configuration for PresentControllerPolicy"
|
||||
Display --indent 6 --text "- Rule for controllers connected before daemon starts" --result "Invalid" --color RED
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\""
|
||||
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentControllerPolicy invalid \"${USBGUARD_CONTROLLER_POLICY}\""
|
||||
AddHP 0 1
|
||||
;;
|
||||
esac
|
||||
|
@ -221,7 +221,7 @@
|
|||
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "${USBGUARD_DEVICE_POLICY}" --color YELLOW
|
||||
LogText " Consider changing PresentDevicePolicy to \"apply-policy\", \"block\" or \"reject\""
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)"
|
||||
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "PresentDevicePolicy (${USBGUARD_DEVICE_POLICY} --> (apply-policy|block|reject)"
|
||||
AddHP 0 1
|
||||
;;
|
||||
"apply-policy" | "block" | "reject")
|
||||
|
@ -232,7 +232,7 @@
|
|||
LogText "Result: Invalid configuration for PresentDevicePolicy"
|
||||
Display --indent 6 --text "- Rule for devices connected before daemon starts" --result "Invalid" --color RED
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\""
|
||||
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "PresentDevicePolicy invalid \"${USBGUARD_DEVICE_POLICY}\""
|
||||
AddHP 0 1
|
||||
;;
|
||||
esac
|
||||
|
@ -251,7 +251,7 @@
|
|||
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "${USBGUARD_INSERTED_POLICY}" --color YELLOW
|
||||
LogText " Consider changing InsertedDevicePolicy to \"apply-policy\", \"block\" or \"reject\""
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)"
|
||||
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "InsertedDevicePolicy (${USBGUARD_INSERTED_POLICY} --> (apply-policy|block|reject)"
|
||||
AddHP 0 1
|
||||
;;
|
||||
"apply-policy" | "block" | "reject")
|
||||
|
@ -262,7 +262,7 @@
|
|||
LogText "Result: Invalid configuration for InsertedDevicePolicy"
|
||||
Display --indent 6 --text "- Rule for devices inserted after daemon starts" --result "Invalid" --color RED
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\""
|
||||
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "InsertedDevicePolicy invalid \"${USBGUARD_INSERTED_POLICY}\""
|
||||
AddHP 0 1
|
||||
;;
|
||||
esac
|
||||
|
@ -281,7 +281,7 @@
|
|||
Display --indent 6 --text "- Rule for devices not in RuleFile" --result "${USBGUARD_DEFAULT_POLICY}" --color YELLOW
|
||||
LogText " Consider changing ImplicitPolicyTarget to \"block\" or \"reject\""
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)"
|
||||
# ReportSuggestion "${TEST_NO}" "Consider hardening USBGuard configuration" "ImplicitPolicyTarget (${USBGUARD_DEFAULT_POLICY} --> (block|reject)"
|
||||
AddHP 0 1
|
||||
;;
|
||||
"block"|"reject")
|
||||
|
@ -292,7 +292,7 @@
|
|||
LogText "Result: Invalid configuration for ImplicitPolicyTarget"
|
||||
Display --indent 6 --text "- Rule for devices not in RuleFile" --result "Invalid" --color RED
|
||||
# TODO: assign TEST_NO, create documentation, and enable the suggestion
|
||||
# ReportSuggestion ${TEST_NO} "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\""
|
||||
# ReportSuggestion "${TEST_NO}" "Fix USBGuard configuration" "ImplicitPolicyTarget invalid \"${USBGUARD_DEFAULT_POLICY}\""
|
||||
AddHP 0 1
|
||||
;;
|
||||
esac
|
||||
|
@ -319,7 +319,7 @@
|
|||
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"
|
||||
Display --indent 4 --text "- RuleFile" --result "${STATUS_NOT_FOUND}" --color RED
|
||||
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
|
||||
#ReportSuggestion ${TEST_NO} "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
|
||||
#ReportSuggestion "${TEST_NO}" "Install USBGuard RuleFile" "\"man usbguard\" for instructions to install initial policies"
|
||||
AddHP 0 1
|
||||
fi
|
||||
|
||||
|
@ -327,14 +327,14 @@
|
|||
Display --indent 4 --text "- Configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: Configuration not found"
|
||||
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
|
||||
#ReportSuggestion ${TEST_NO} "USBGuard configuration file not found, consider reinstalling"
|
||||
#ReportSuggestion "${TEST_NO}" "USBGuard configuration file not found, consider reinstalling"
|
||||
AddHP 0 7
|
||||
fi
|
||||
else
|
||||
LogText "Result: USBGuard not found"
|
||||
Display --indent 2 --text "- Checking USBGuard" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
# To-Be-Added: assign TEST_NO, create documentation, and enable the suggestion
|
||||
#ReportSuggestion ${TEST_NO} "Install USBGuard to allow for fine-grained control of USB authorization"
|
||||
#ReportSuggestion "${TEST_NO}" "Install USBGuard to allow for fine-grained control of USB authorization"
|
||||
AddHP 0 8
|
||||
fi
|
||||
|
||||
|
|
|
@ -257,7 +257,7 @@
|
|||
else
|
||||
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
AddHP 2 3
|
||||
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
|
||||
ReportSuggestion "${TEST_NO}" "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -276,7 +276,7 @@
|
|||
else
|
||||
Display --indent 10 --text "mod_reqtimeout/mod_qos" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
AddHP 2 3
|
||||
ReportSuggestion ${TEST_NO} "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks"
|
||||
ReportSuggestion "${TEST_NO}" "Install Apache mod_reqtimeout or mod_qos to guard webserver against Slowloris attacks"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -294,7 +294,7 @@
|
|||
else
|
||||
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
AddHP 2 3
|
||||
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
|
||||
ReportSuggestion "${TEST_NO}" "Install Apache modsecurity to guard webserver against web application attacks"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -480,7 +480,7 @@
|
|||
else
|
||||
LogText "Result: No SSL configuration found"
|
||||
Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
|
||||
ReportSuggestion "${TEST_NO}" "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
|
||||
AddHP 1 5
|
||||
fi
|
||||
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
|
||||
|
@ -520,7 +520,7 @@
|
|||
fi
|
||||
# Report suggestion
|
||||
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
|
||||
ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning"
|
||||
ReportSuggestion "${TEST_NO}" "Check your nginx access log for proper functioning"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -541,7 +541,7 @@
|
|||
fi
|
||||
# Report suggestion
|
||||
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
|
||||
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
|
||||
ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -566,7 +566,7 @@
|
|||
fi
|
||||
# Report suggestion
|
||||
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
|
||||
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements and disable debug mode"
|
||||
ReportSuggestion "${TEST_NO}" "Check your nginx error_log statements and disable debug mode"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
|
|
@ -72,7 +72,7 @@
|
|||
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED
|
||||
ReportSuggestion ${TEST_NO} "This is a suggestion"
|
||||
ReportSuggestion "${TEST_NO}" "This is a suggestion"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
|