From 5dbe4f20fcbe0591396d996d748454ab5278770d Mon Sep 17 00:00:00 2001 From: Capashenn Date: Thu, 21 Mar 2019 18:24:06 +0100 Subject: [PATCH 001/132] Add some default permfile/permdir --- default.prf | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/default.prf b/default.prf index ef474b1f..d7c35e66 100644 --- a/default.prf +++ b/default.prf @@ -332,7 +332,28 @@ openldap:slapd.conf:owner:ldap-root: #permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile:/etc/fstab:rw-r--r--:root:-:WARN: permfile:/etc/lilo.conf:rw-------:root:-:WARN: - +permfile:/boot/grub2/grub.cfg:rw-------:root:root:WARN: +permfile:/boot/grub/grub.cfg:rw-------:root:root:WARN: +permfile:/boot/grub2/user.cfg:rw-------:root:root:WARN: +permfile:/etc/motd:rw-r--r--:root:root:WARN: +permfile:/etc/issue:rw-r--r--:root:root:WARN: +permfile:/etc/issue.net:rw-r--r--:root:root:WARN: +permfile:/etc/hosts.allow:rw-r--r--:root:root:WARN: +permfile:/etc/hosts.deny:rw-r--r--:root:root:WARN: +permfile:/etc/crontab:rw-------:root:-:WARN: +permfile:/etc/cron.allow:rw-------:root:-:WARN: +permfile:/etc/cron.deny:rw-------:root:-:WARN: +permfile:/etc/at.allow:rw-------:root:-:WARN: +permfile:/etc/at.deny:rw-------:root:-:WARN: +permfile:/etc/ssh/sshd_config:rw-------:root:-:WARN: +permfile:/etc/passwd:rw-r--r--:root:-:WARN: +permfile:/etc/shadow:---------:root:-:WARN: +permfile:/etc/group:rw-r--r--:root:-:WARN: +permfile:/etc/gshadow:---------:root:-:WARN: +permfile:/etc/passwd-:rw-r--r--:root:-:WARN: +permfile:/etc/shadow-:---------:root:-:WARN: +permfile:/etc/group-:rw-r--r--:root:-:WARN: +permfile:/etc/gshadow-:---------:root:-:WARN: ################################################################################# # 
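Review bot: The new `permfile` lines for `/etc/shadow`, `/etc/gshadow` and their `-` backup copies expect `---------` with any group (`-`), which will raise WARN on Debian-family systems where the packaged default is typically `rw-r-----` with group `shadow`, and the `permdir` entries for `/etc/cron.hourly`/`cron.daily`/`cron.weekly`/`cron.monthly`/`cron.d` in the next hunk expect `rwx------` where distributions commonly ship `rwxr-xr-x`, so both hunks will fire on unmodified installs rather than only on drift. If the stricter modes are the intended hardening baseline, say so above the block, e.g. `# Modes below are a hardened baseline, not distribution defaults; adjust per platform.`; otherwise relax the cron directory entries to what the packages ship. The group column is also inconsistent within the hunk: the grub, motd, issue and hosts.* entries require `root` while the cron/at/ssh/passwd entries accept any group, so decide on one policy and apply it uniformly.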
@@ -343,6 +364,11 @@ permfile:/etc/lilo.conf:rw-------:root:-:WARN: ################################################################################# permdir:/root/.ssh:rwx------:root:-:WARN: +permdir:/etc/cron.hourly:rwx------:root:root:WARN: +permdir:/etc/cron.daily:rwx------:root:root:WARN: +permdir:/etc/cron.weekly:rwx------:root:root:WARN: +permdir:/etc/cron.monthly:rwx------:root:root:WARN: +permdir:/etc/cron.d:rwx------:root:root:WARN: # Scan for a program/binary in BINPATHs #scanbinary:Rootkit Hunter:rkhunter: From 605c381eb6063435b5da13ca2f8b3a91fe9b0aa9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:22:20 +0100 Subject: [PATCH 002/132] [PKGS-7410] add support for DPKG-based systems to gather installed kernel packages --- include/tests_ports_packages | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 1426a068..ff28678f 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1247,8 +1247,20 @@ Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages" if [ ${SKIPTEST} -eq 0 ]; then KERNELS=0 - if [ ! -z "${RPMBINARY}" ]; then - LogText "Test: Checking how many kernel packages are installed" + LogText "Test: Checking how many kernel packages are installed" + + if [ ! -z "${DPKGBINARY}" ]; then + KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l) + if [ ${KERNELS} -eq 0 ]; then + LogText "Result: found no kernels from dpkg -l output, which is unexpected" + ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output" + elif [ ${KERNELS} -gt 5 ]; then + LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" + ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove" + else + LogText "Result: found ${KERNELS} kernel packages on the system, which is fine" + fi + elif [ ! -z "${RPMBINARY}" ]; then KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from rpm -q kernel output, which is unexpected" @@ -1256,12 +1268,12 @@ elif [ ${KERNELS} -gt 5 ]; then LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)" - AddHP 4 5 else - LogText "Result: found ${KERNELS} on the system, which is fine" - AddHP 1 1 + LogText "Result: found ${KERNELS} kernel packages on the system, which is fine" fi fi + + Report "installed_kernel_packages=${KERNELS}" fi # ################################################################################# From de2ef2c3e718ac22a11a98808b1a1795c559b487 Mon Sep 17 00:00:00 2001 
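Review bot: The new dpkg count, `${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l`, also matches packages that `dpkg -l` lists in state `rc` (removed, configuration files left behind), so a host that has already cleaned up old kernels can still be told it has more than 5 and be asked to run autoremove again; anchor the pattern on the installed state with `${GREPBINARY} "^ii.*linux-image-[0-9]"`. The exception in the zero-kernel branch is tagged `KRNL-5840:2` although this test is registered as PKGS-7410, which looks like a leftover from the rpm branch; use an identifier derived from this test, e.g. `ReportException "${TEST_NO}:1" "Could not find any kernel packages from DPKG output"`, so the exception is attributable. The rpm branch's own exception call sits between the two hunks and is not visible here, so check it carries the same id scheme.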
From: Michael Boelen Date: Fri, 29 Mar 2019 12:23:45 +0100 Subject: [PATCH 003/132] Add apt and dpkg binaries --- include/binaries | 1 + include/consts | 2 ++ 2 files changed, 3 insertions(+) diff --git a/include/binaries b/include/binaries index 18b54b2a..ec9a634f 100644 --- a/include/binaries +++ b/include/binaries @@ -99,6 +99,7 @@ afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;; aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;; apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; + apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;; arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;; auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;; awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index 671ed1ca..1abe26f9 100644 --- a/include/consts +++ b/include/consts @@ -46,6 +46,7 @@ unset LANG # # == Variable initializing == # + APTBINARY="" ARCH_AUDIT_BINARY="" AUDITORNAME="" AUDITCTLBINARY="" @@ -99,6 +100,7 @@ unset LANG DNFBINARY="" DOCKERBINARY="" DOCKER_DAEMON_RUNNING=0 + DPKGBINARY="" ECHOCMD="" ERROR_ON_WARNINGS=0 FAIL2BANBINARY="" From 20da48bdfeaaf5405e695ae10bff80c45d9c1de4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:24:01 +0100 Subject: [PATCH 004/132] Switch to development version --- CHANGELOG.md | 7 +++++++ lynis | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3522551..2a41b2eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
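Review bot: The consts hunk initialises `DPKGBINARY=""` but the binaries hunk only adds an `apt)` arm, so unless a `dpkg)` arm already exists outside the visible part of the `case` statement, `DPKGBINARY` stays empty and the new dpkg branch in PKGS-7410 is never reached. If it is missing, the matching arm would be `dpkg) DPKGBINARY=${BINARY}; LogText " Found known binary: dpkg (package manager) - ${BINARY}" ;;`, kept in alphabetical order with its neighbours. The `case` statement starts and ends outside the hunk.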
@@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 2.7.4 (not released yet) + +### Changed +- PKGS-7410 - add support for DPKG-based systems to gather installed kernel packages + +--------------------------------------------------------------------------------- + ## Lynis 2.7.3 (2019-03-21) ### Added diff --git a/lynis b/lynis index 15d509ea..e6263074 100755 --- a/lynis +++ b/lynis @@ -35,10 +35,10 @@ PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2019-03-21" + PROGRAM_RELEASE_DATE="2019-03-29" PROGRAM_RELEASE_TIMESTAMP=1553157295 - PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.7.3" + PROGRAM_RELEASE_TYPE="dev" # dev or final + PROGRAM_VERSION="2.7.4" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From f9bcf26f25e2bd07c05e840362530abfda438a79 Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Fri, 29 Mar 2019 12:26:12 +0100 Subject: [PATCH 005/132] fix issue #612 (#677) LDAP support for Red Hat and others (fix issue #612) --- include/tests_authentication | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index fe8ece41..9fe8af43 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -700,23 +700,29 @@ # Description : Search LDAP support in PAM files Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking presence /etc/pam.d/common-auth" - if [ -f /etc/pam.d/common-auth ]; then - LogText "Result: file /etc/pam.d/common-auth exists" - LogText "Test: checking presence LDAP module" - FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth) - if [ ! "${FIND}" = "" ]; then - LogText "Result: LDAP module present" - LogText "Output: ${FIND}" - Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN - LDAP_AUTH_ENABLED=1 - LDAP_PAM_ENABLED=1 + AUTH_FILES="/etc/pam.d/common-auth /etc/pam.d/system-auth" + for FILE in ${AUTH_FILES}; do + LogText "Test: checking presence ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} exists" + LogText "Test: checking presence LDAP module" + FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE}) + if [ ! "${FIND}" = "" ]; then + LogText "Result: LDAP module present" + LogText "Output: ${FIND}" + LDAP_AUTH_ENABLED=1 + LDAP_PAM_ENABLED=1 + else + LogText "Result: LDAP module not found" + fi else - LogText "Result: LDAP module not found" - Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE + LogText "Result: file ${FILE} not found, skipping test" fi + done + if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then + Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN else - LogText "Result: file /etc/pam.d/common-auth not found, skipping test" + Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # From 8a9edeb40b018dec05f9dc0418971e50f55026db Mon Sep 17 00:00:00 2001 
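Review bot: The summary check added after the loop, `if [ ${LDAP_PAM_ENABLED} -eq 1 ]`, assumes `LDAP_PAM_ENABLED` already holds a number; the hunk only ever assigns 1 to it, so if it is not initialised elsewhere (presumably the constants file, not visible here) the comparison is malformed on hosts without LDAP and `[` prints an error before falling into the NOT_FOUND branch. A defensive default at the top of the block, `LDAP_PAM_ENABLED=${LDAP_PAM_ENABLED:-0}`, keeps any earlier result while guaranteeing the test is well-formed. The per-file checks `[ -f ${FILE} ]` and `${GREPBINARY} "^auth.*ldap" ${FILE}` should quote `"${FILE}"` like the rest of the file does for paths, even though the two fixed entries in `AUTH_FILES` contain no whitespace today.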
From: Michael Boelen Date: Fri, 29 Mar 2019 12:30:12 +0100 Subject: [PATCH 006/132] [AUTH-9278] style change, description, allow different root directory --- include/tests_authentication | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 9fe8af43..2ede2b7d 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -698,27 +698,28 @@ # # Test : AUTH-9278 # Description : Search LDAP support in PAM files - Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status" + Register --test-no AUTH-9278 --weight L --network NO --category security --description "Determine LDAP support in PAM files" if [ ${SKIPTEST} -eq 0 ]; then - AUTH_FILES="/etc/pam.d/common-auth /etc/pam.d/system-auth" + AUTH_FILES="${ROOTDIR}etc/pam.d/common-auth ${ROOTDIR}etc/pam.d/system-auth" for FILE in ${AUTH_FILES}; do LogText "Test: checking presence ${FILE}" if [ -f ${FILE} ]; then LogText "Result: file ${FILE} exists" LogText "Test: checking presence LDAP module" FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE}) - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then LogText "Result: LDAP module present" LogText "Output: ${FIND}" LDAP_AUTH_ENABLED=1 LDAP_PAM_ENABLED=1 - else + else LogText "Result: LDAP module not found" fi else LogText "Result: file ${FILE} not found, skipping test" fi done + if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN else From c36917ae83ca1cbab8b2ba88fa680361190286df Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:32:08 +0100 Subject: [PATCH 007/132] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a41b2eb..caf75ed3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
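Review bot: Prefixing `${ROOTDIR}` onto a space-separated `AUTH_FILES` list means a root directory containing whitespace is split into bogus entries by `for FILE in ${AUTH_FILES}`, and the still-unquoted `[ -f ${FILE} ]` and `${GREPBINARY} "^auth.*ldap" ${FILE}` would then test the wrong paths; quote both uses, `[ -f "${FILE}" ]` and `FIND=$(${GREPBINARY} "^auth.*ldap" "${FILE}")`, and document the limitation above the list, e.g. `# ROOTDIR must not contain whitespace: entries are word-split below`. Given the commit's aim of covering Red Hat-style PAM layouts, `${ROOTDIR}etc/pam.d/password-auth` is commonly the stack consulted by network services such as sshd and may carry the ldap module independently of `system-auth` — confirm and consider adding it to `AUTH_FILES`. The loop body continues outside the hunk.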
@@ -3,6 +3,7 @@ ## Lynis 2.7.4 (not released yet) ### Changed +- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - add support for DPKG-based systems to gather installed kernel packages --------------------------------------------------------------------------------- From 3702ae67b5ddb71df60701fabe691cf114db8670 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:53:13 +0100 Subject: [PATCH 008/132] [PKGS-7420] Detect toolkit to automatically download and apply upgrades --- include/tests_ports_packages | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index ff28678f..05f150a6 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1278,6 +1278,46 @@ # ################################################################################# # + # Test : PKGS-7420 + # Description : Detect toolkit to automatically download and apply upgrades + Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades" + if [ ${SKIPTEST} -eq 0 ]; then + UNATTENDED_UPGRADES_TOOLKIT=0 + UNATTENDED_UPGRADES_TOOL="" + if [ -f "${ROOTDIR}bin/auter" ]; then + UNATTENDED_UPGRADES_TOOL="auter" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=auter" + fi + if [ -f "${ROOTDIR}sbin/yum-cron" ]; then + UNATTENDED_UPGRADES_TOOL="yum-cron" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=yum-cron" + fi + if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then + UNATTENDED_UPGRADES_TOOL="unattended-upgrade" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=unattended-upgrade" + fi + if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then + AddHP 5 5 + Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN + else + # TODO - Add logic to only display this when it is applicable as not all operating systems might support such tooling + AddHP 1 5 + Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW + LogText "Result: no toolkit for automatic updates discovered" + # TODO - add suggestion + fi + + fi +# +################################################################################# +# + if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi From abaed3e6c1fabb172d187c943cf75634719e69ac Mon Sep 17 00:00:00 2001 
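Review bot: The not-found branch displays `--result "${STATUS_NOTFOUND}"` while the rest of the series uses `${STATUS_NOT_FOUND}` (see AUTH-9278 above); if `STATUS_NOTFOUND` is not defined the result column renders empty, and the same name is carried into the rewrite of this block in the later `[PKGS-7420] limit test to specific OS` commit, so fix it in both. The test also equates the presence of a binary with a working setup and awards `AddHP 5 5` for it, yet `unattended-upgrade`, `yum-cron` and `auter` are inert unless their timer, cron job or APT::Periodic configuration is enabled, so a host with the package installed but disabled scores the same as one that is patched automatically. Until enablement is checked, state the limitation above the detection block, e.g. `# NOTE: only binary presence is tested; whether the tool's timer/cron job is enabled is not verified`, and consider a lower score than 5/5 for presence alone.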
From: Michael Boelen Date: Fri, 29 Mar 2019 12:53:52 +0100 Subject: [PATCH 009/132] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index caf75ed3..8eedb146 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,8 @@ ### Changed - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems -- PKGS-7410 - add support for DPKG-based systems to gather installed kernel packages +- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages +- PKGS-7420 - Detect toolkit to automatically download and apply upgrades --------------------------------------------------------------------------------- From 3660043308d5ad56c0e767f64deea41107ca5330 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 30 Mar 2019 13:31:03 +0100 Subject: [PATCH 010/132] [PKGS-7420] limit test to specific OS, add dnf-automatic support, extend logging --- include/tests_ports_packages | 76 +++++++++++++++++++++++------------- 1 file changed, 49 insertions(+), 27 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 05f150a6..9798a9b7 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1284,35 +1284,57 @@ if [ ${SKIPTEST} -eq 0 ]; then UNATTENDED_UPGRADES_TOOLKIT=0 UNATTENDED_UPGRADES_TOOL="" - if [ -f "${ROOTDIR}bin/auter" ]; then - UNATTENDED_UPGRADES_TOOL="auter" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=auter" - fi - if [ -f "${ROOTDIR}sbin/yum-cron" ]; then - UNATTENDED_UPGRADES_TOOL="yum-cron" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=yum-cron" - fi - if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then - UNATTENDED_UPGRADES_TOOL="unattended-upgrade" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=unattended-upgrade" - fi - if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then - AddHP 5 5 - Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN - else - # TODO - Add logic to only display this when it is applicable as not all operating systems might support such tooling - AddHP 1 5 - Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW - LogText "Result: no toolkit for automatic updates discovered" - # TODO - add suggestion + UNATTENDED_UPGRADES_OPTION_AVAILABLE=0 + + case "${OS}" in + "Linux") + case "${LINUX_VERSION}" in + "CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu") + + UNATTENDED_UPGRADES_OPTION_AVAILABLE=1 + # Test available tools for Linux + if [ -f "${ROOTDIR}bin/auter" ]; then + UNATTENDED_UPGRADES_TOOL="auter" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}sbin/yum-cron" ]; then + UNATTENDED_UPGRADES_TOOL="yum-cron" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report 
"unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then + UNATTENDED_UPGRADES_TOOL="dnf-automatic" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then + UNATTENDED_UPGRADES_TOOL="unattended-upgrade" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + ;; + esac + ;; + esac + + if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then + if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then + AddHP 5 5 + Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN + else + AddHP 1 5 + Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW + LogText "Result: no toolkit for automatic updates discovered" + ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades" + fi fi + Report "unattended_upgrade_option_avaiable=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}" fi # ################################################################################# From d0df518426dd3ddb6f36bce86140e15c8e65ee81 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 30 Mar 2019 13:58:23 +0100 Subject: [PATCH 011/132] [PKGS-7420] corrected typo --- include/tests_ports_packages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9798a9b7..09243391 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1334,7 +1334,7 @@ fi fi - Report "unattended_upgrade_option_avaiable=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}" + Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}" fi # ################################################################################# From 7b7086566da4b677470c13d65261719582a6bca5 Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Tue, 2 Apr 2019 07:46:04 +0200 Subject: [PATCH 012/132] Add test FILE-6324 check XFS file systems (#699) --- include/tests_filesystems | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/include/tests_filesystems b/include/tests_filesystems index a52bb66b..e1be0a1f 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -163,6 +163,28 @@ fi # ################################################################################# +# + # Test : FILE-6324 + # Description : Checking Linux XFS file systems + Register --test-no FILE-6324 --os Linux --weight L --network NO --category security --description "Checking XFS file systems" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking for Linux XFS file systems" + FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }') + if [ ! -z "${FIND}" ]; then + LogText "Result: found one or more XFS file systems" + for I in ${FIND}; do + FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1) + FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2) + LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})" + Report "file_systems_xfs[]=${FILESYSTEM}|${FILETYPE}|" + done + else + LogText "Result: no XFS file systems found" + Report "file_systems_xfs[]=none" + fi + fi +# +################################################################################# # # Test : FILE-6329 # Description : Query all FFS/UFS mounts from /etc/fstab From 2c83037cbad67885e85289cbffca8875330fc16c Mon Sep 17 00:00:00 2001 
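Review bot: `FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')` in the new FILE-6324 test runs even when `MOUNTBINARY` is empty, in which case the pipeline executes an empty command and the test silently logs "no XFS file systems found" instead of being skipped; follow the prerequisite pattern the file uses elsewhere, `if [ ! -z "${MOUNTBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi` before `Register` and add `--preqs-met ${PREQS_MET}` to it. The loop `for I in ${FIND}` and the unquoted `echo ${I}` word-split on whitespace, so a mount point containing a space yields two bogus entries in the report — acceptable if the EXT test it mirrors has the same limitation, but worth a comment such as `# mount points containing whitespace are not supported by this split`. The local `FILESYSTEM` actually holds the mount point (awk field 3) and `FILETYPE` the fs type, so `MOUNTPOINT` would describe the first value better.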
From: Michael Boelen Date: Tue, 2 Apr 2019 07:58:10 +0200 Subject: [PATCH 013/132] Minor cleanup --- include/tests_filesystems | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index e1be0a1f..43b9e7ec 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -158,7 +158,6 @@ done else LogText "Result: no EXT file systems found" - Report "file_systems_ext[]=none" fi fi # @@ -180,7 +179,6 @@ done else LogText "Result: no XFS file systems found" - Report "file_systems_xfs[]=none" fi fi # From f2e6b23c9f0ce432cd55e48f52e60c9e06263097 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Apr 2019 11:14:49 +0200 Subject: [PATCH 014/132] Added PKGS-7420 --- db/tests.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/tests.db b/db/tests.db index 641ea927..24023cd2 100644 --- a/db/tests.db +++ b/db/tests.db @@ -319,6 +319,7 @@ PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages: PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates: PKGS-7398:test:security:ports_packages::Check for package audit tool: PKGS-7410:test:security:ports_packages::Count installed kernel packages: +PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades: PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency: PRNT-2304:test:security:printers_spools::Check cupsd status: PRNT-2306:test:security:printers_spools::Check CUPSd configuration file: From 349f011489f56237f42912847de35cfbb7bd114b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Apr 2019 11:14:56 +0200 Subject: [PATCH 015/132] Updated log --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8eedb146..88fbf8d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,9 @@ ## Lynis 2.7.4 (not released yet) +### Added +- FILE-6324 - Discover XFS mount points + ### Changed - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages From e0ca517aaa88e6954a1b3cda79f2cb5b70a12c7b Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Tue, 2 Apr 2019 11:15:31 +0200 Subject: [PATCH 016/132] Add tests INSE-8310 INSE-8312 (telnet) (#693) * Add test INSE-8000 * Add xinetd support in insecure_services * fix issue #662 * Check for talk via xinetd * Check for chargen via xinetd * Check for daytime via xinetd * Check discard via xinetd * Check echo via xinatd * Check time via xinetd * Check tftp via xinetd * Check rsync via xinetd * Add test INSE-8200 * Add test INSE-8300 INSE-8302 INSE-8304 (rsh) * Add tests INSE-8310 INSE-8312 (telnet) --- include/tests_insecure_services | 629 +++++++++++++++++++++++++++++++- 1 file changed, 628 insertions(+), 1 deletion(-) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 277791d9..9490fa32 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -18,7 +18,7 @@ # ################################################################################# # -# Unsecure services +# Insecure services # ################################################################################# # 
@@ -28,6 +28,28 @@ # INETD_ACTIVE=0 INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf" + XINETD_ACTIVE=0 + XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf" + XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d" +# +################################################################################# +# + # Test : INSE-8000 + # Description : Check for installed inetd daemon + Register --test-no INSE-8000 --weight L --network NO --category security --description "Check for installed inetd daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check for installed inetd daemon + LogText "Test: Checking if inetd is installed" + PackageIsInstalled inetd + if [ $? -eq 0 ]; then + LogText "Result: inetd is installed" + Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed" + else + LogText "Result: inetd is NOT installed" + Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_OK}" --color GREEN + fi + fi # ################################################################################# # 
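Review bot: `PackageIsInstalled inetd` in INSE-8000 looks the daemon up under the literal package name `inetd`, and on Debian-family systems the implementations are packaged as `openbsd-inetd` or `inetutils-inetd` (confirm how PackageIsInstalled matches), so the test reports "NOT installed" there even when an inetd is present and the removal suggestion is never raised; the same shape recurs for `xinetd` in the next hunk, where the name does match the common package. The status check `PackageIsInstalled inetd` followed by `if [ $? -eq 0 ]` can be written directly as `if PackageIsInstalled inetd; then`, and `ReportSuggestion ${TEST_NO} "..."` should quote the id like the other suggestions in this series, `ReportSuggestion "${TEST_NO}" "..."`.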
@@ -108,6 +130,611 @@ fi # ################################################################################# +# + # Test : INSE-8100 + # Description : Check for installed xinetd daemon + Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check for installed xinetd daemon + LogText "Test: Checking for installed xinetd daemon" + PackageIsInstalled xinetd + if [ $? -eq 0 ]; then + LogText "Result: xinetd is installed" + Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" + else + LogText "Result: xinetd is NOT installed" + Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8102 + # Description : Check for xinetd status + Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for enabled xinet daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check running processes + LogText "Test: Searching for active xinet daemon" + IsRunning xinetd + if [ ${RUNNING} -eq 1 ]; then + LogText "Result: xinetd is running" + Display --indent 4 --text "- Checking xinetd status" --result "ACTIVE" --color GREEN + XINETD_ACTIVE=1 + else + LogText "Result: xinetd is NOT running" + Display --indent 4 --text "- Checking xinetd status" --result "NOT ACTIVE" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8104 + # Description : Check for xinetd configuration file + if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security 
--description "Check for enabled xinet daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check configuration file + LogText "Test: Searching for file ${XINETD_CONFIG_FILE}" + if [ -f ${XINETD_CONFIG_FILE} ]; then + LogText "Result: ${XINETD_CONFIG_FILE} exists" + Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_FOUND}" --color WHITE + else + LogText "Result: ${XINETD_CONFIG_FILE} does not exist" + Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE + fi + fi +# +################################################################################# +# + # Test : INSE-8106 + # Description : Check for xinetd configuration file contents if xinetd is NOT active + if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test 8102) + LogText "Test: check if all services are disabled if xinetd is disabled" + FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR}) + if [ -z "${FIND}" ]; then + LogText "Result: no services found in ${XINETD_CONFIG_DIR}" + Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running" + Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service" + fi + fi +# +################################################################################# +# + # Test : INSE-8116 + # Description : Check for telnet enabled via xinetd + 
TELNET_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/telnet" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TELNET_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking telnet presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TELNET_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: telnet not enabled in ${TELNET_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: telnet enabled in ${TELNET_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable telnet in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8118 + # Description : Check for rsh enabled via xinetd + RSH_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsh" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSH_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8118 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsh via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rsh presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSH_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rsh not enabled in ${RSH_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: rsh enabled in ${RSH_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_ENABLED}" --color RED + 
ReportSuggestion "${TEST_NO}" "Disable rsh in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8120 + # Description : Check for rlogin enabled via xinetd + RLOGIN_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rlogin" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RLOGIN_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rlogin via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rlogin presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RLOGIN_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rlogin not enabled in ${RLOGIN_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: rlogin enabled in ${RLOGIN_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable rlogin in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8122 + # Description : Check for rexec enabled via xinetd + REXEC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rexec" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${REXEC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rexec via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rexec presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${REXEC_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rexec not enabled in 
${REXEC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rexec)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: rexec enabled in ${REXEC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rexec)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable rexec in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8124 + # Description : Check for talk enabled via xinetd + TALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/talk" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for talk via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking talk presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TALK_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: talk not enabled in ${TALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: talk enabled in ${TALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable talk in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8126 + # Description : Check for ntalk enabled via xinetd + NTALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/ntalk" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${NTALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ntalk via xinetd" + if [ ${SKIPTEST} 
-eq 0 ]; then + LogText "Test: checking ntalk presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${NTALK_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: ntalk not enabled in ${NTALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: ntalk enabled in ${NTALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable ntalk in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8128 + # Description : Check for chargen-dgram enabled via xinetd + CHARGEN_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking chargen-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: chargen-dgram not enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: chargen-dgram enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable chargen-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8130 + # Description : Check for chargen-stream enabled via xinetd + 
CHARGEN_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN-STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking chargen-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: chargen-stream not enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: chargen-stream enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable chargen-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8132 + # Description : Check for daytime-dgram enabled via xinetd + DAYTIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking daytime-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: daytime-dgram not enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: 
daytime-dgram enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable daytime-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8134 + # Description : Check for daytime-stream enabled via xinetd + DAYTIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking daytime-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: daytime-stream not enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: daytime-stream enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable daytime-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8136 + # Description : Check for discard-dgram enabled via xinetd + DISCARD_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8136 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-dgram via xinetd" + if [ 
${SKIPTEST} -eq 0 ]; then + LogText "Test: checking discard-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: discard-dgram not enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: discard-dgram enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable discard-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8138 + # Description : Check for discard-stream enabled via xinetd + DISCARD_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8138 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking discard-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: discard-stream not enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: discard-stream enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable discard-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # 
Test : INSE-8140 + # Description : Check for echo-dgram enabled via xinetd + ECHO_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8140 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking echo-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: echo-dgram not enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: echo-dgram enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable echo-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8142 + # Description : Check for echo-stream enabled via xinetd + ECHO_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8142 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking echo-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: echo-stream not enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText 
"Result: echo-stream enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable echo-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8144 + # Description : Check for time-dgram enabled via xinetd + TIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8144 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking time-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TIME_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: time-dgram not enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: time-dgram enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable time-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8146 + # Description : Check for time-stream enabled via xinetd + TIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8146 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking time-stream 
presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TIME_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: time-stream not enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: time-stream enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable time-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8148 + # Description : Check for tftp enabled via xinetd + TFTP_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/tftp" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TFTP_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8148 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for tftp via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking tftp presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TFTP_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: tftp not enabled in ${TFTP_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: tftp enabled in ${TFTP_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable tftp in xinetd configuration" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8150 + # Description : Check for rsync enabled via xinetd + RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then 
PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rsync presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8200 + # Description : Check if tcp_wrappers is installed when inetd/xinetd is active + if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if tcp_wrappers is installed when inetd/xinetd is active + LogText "Test: Checking if tcp_wrappers is installed" + FOUND="" + PACKAGES="tcp_wrappers tcpd" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled ${PACKAGE} + if [ $? 
-eq 0 ];then + FOUND=${PACKAGE} + fi + done + if [ ${FOUND} ]; then + LogText "Result: tcp_wrappers is installed" + Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: tcp_wrappers is NOT installed" + Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed" + fi + fi +# +################################################################################# +# + # Test : INSE-8300 + # Description : Check if rsh client is installed + Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if rsh is installed + LogText "Test: Checking if rsh client is installed" + FOUND="" + PACKAGES="rsh rsh-client rsh-redone-client" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled ${PACKAGE} + if [ $? 
-eq 0 ];then + FOUND=${PACKAGE} + fi + done + if [ ${FOUND} ]; then + LogText "Result: rsh client is installed" + Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Rsh client contain numerous security exposures and have been replaced with the more secure SSH package" + else + LogText "Result: rsh client is NOT installed" + Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8302 + # Description : Check presence of Rsh Trust Files + Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of Rsh Trust Files" + if [ ${SKIPTEST} -eq 0 ]; then + # Check presence of Rsh Trust Files + FOUND=0 + for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + if [ -d ${DIR} ]; then + for RHOSTS in ${DIR}/.rhosts; do + if [ ! 
-h ${RHOSTS} -a -f ${RHOSTS} ]; then + LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}" + FOUND=1 + fi + done + fi + done + if [ -f /etc/hosts.equiv ];then + LogText "FOUND /etc/hosts.equiv" + FOUND=1 + fi + if [ ${FOUND} -eq 1 ]; then + LogText "Result: found one or more Rsh Trust Files" + Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system" + else + LogText "Result: no Rsh Trust Files found" + Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8304 + # Description : Check if rsh server is installed + Register --test-no INSE-8342 --weight L --network NO --category security --description "Check if rsh server is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if rsh server is installed + LogText "Test: Checking if rsh server is installed" + FOUND="" + PACKAGES="rsh-server rsh-redone-server" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled ${PACKAGE} + if [ $? 
-eq 0 ];then + FOUND=${PACKAGE} + fi + done + if [ ${FOUND} ]; then + LogText "Result: rsh server is installed" + Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Removing the rsh-server package decreases the risk of the accidental (or intentional) activation of rsh services" + + else + LogText "Result: rsh server is NOT installed" + Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8310 + # Description : Check if telnet client is installed + Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if telnet client is installed + LogText "Test: Checking if telnet client is installed" + PackageIsInstalled telnet + if [ $? -eq 0 ]; then + LogText "Result: telnet client is installed" + Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" + else + LogText "Result: telnet client is NOT installed" + Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8312 + # Description : Check if telnet server is installed + Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if TFTP server is installed + LogText "Test: Checking if telnet server is installed" + FOUND="" + PACKAGES="telnetd telnet-server" + for PACKAGE in ${PACKAGES}; do + 
PackageIsInstalled ${PACKAGE}
+ if [ $? -eq 0 ];then
+ FOUND=${PACKAGE}
+ fi
+ done
+ if [ ${FOUND} ]; then
+ LogText "Result: telnet server is installed"
+ Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of telnet services"
+ else
+ LogText "Result: telnet server is NOT installed"
+ Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_OK}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
 #
 if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
 Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
From 247eb7d9a6bc50fa06ac33d3a118d79f7b24cc2c Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 3 Apr 2019 12:46:03 +0200
Subject: [PATCH 017/132] Corrected if-statement
---
 include/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/functions b/include/functions
index 95083600..e8965986 100644
--- a/include/functions
+++ b/include/functions
@@ -1717,7 +1717,7 @@
 if [ ! -z "${RPMBINARY}" ]; then
 output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null)
 exit_code=$?
- elif ! -z "${DPKGBINARY}" ]; then
+ elif [ ! -z "${DPKGBINARY}" ]; then
 output=$(${DPKGBINARY} -l ${package} 2> /dev/null)
 exit_code=$?
 elif [ ! -z "${ZYPPERBINARY}" ]; then
From 28fd5948f7cc4d7d4f9119a60389da084a45e109 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 4 Apr 2019 14:41:56 +0200
Subject: [PATCH 018/132] Updated log
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
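Review bot: The dpkg branch that this one-character fix makes reachable treats the exit status of `dpkg -l ${package}` as the installed/not-installed signal, but as far as I know `dpkg -l` exits 0 whenever the name is known to the dpkg status database, including packages in the `rc` (removed, config files left behind) or `un` states, so the function (presumably PackageIsInstalled, which the INSE tests branch on via its exit_code) can report a removed package as installed. Querying the status field is the reliable check: `output=$(${DPKGBINARY} -s "${package}" 2> /dev/null | ${GREPBINARY} "^Status: install ok installed")` followed by the existing `exit_code=$?`, so that exit_code is 0 only for a fully installed package. While touching the line, `${package}` should be quoted as `"${package}"` in both the rpm and dpkg invocations, matching the quoting the fix applies to `"${DPKGBINARY}"`. The enclosing function starts and ends outside the hunk.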
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88fbf8d8..664b52cf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,14 @@
 ### Added
 - FILE-6324 - Discover XFS mount points
+- INSE-8000 - Installed inetd package
+- INSE-8100 - Installed xinetd package
+- INSE-8102 - Status of xinet daemon
+- INSE-8104 - xinetd configuration file
+- INSE-8106 - xinetd configuration for inactive daemon
+- INSE-8200 - Usage of TCP wrappers
+- INSE-8300 - Presence of rsh client
+- INSE-8302 - Presence of rsh server
 ### Changed
 - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
From 7ebfd3015c4daa41607f6aaf9e435ff74332ad29 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 4 Apr 2019 14:42:06 +0200
Subject: [PATCH 019/132] Added new tests
---
 db/tests.db | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/db/tests.db b/db/tests.db
index 24023cd2..215c3595 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -169,11 +169,17 @@ HTTP-6712:test:security:webservers::Check nginx access logging:
 HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
 HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
 HTTP-6720:test:security:webservers::Check Nginx log files:
-INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled:
+INSE-8000:test:security:insecure_services::Installed inetd package:
+INSE-8002:test:security:insecure_services::Status of inet daemon:
+INSE-8004:test:security:insecure_services::Presence of inetd configuration file:
+INSE-8006:test:security:insecure_services::Check configuration of inetd when it is disabled:
 INSE-8016:test:security:insecure_services::Check for telnet via inetd:
 INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
+INSE-8100:test:security:insecure_services::Installed xinetd package:
+INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd:
+INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
+INSE-8300:test:security:insecure_services::Presence of rsh client:
+INSE-8302:test:security:insecure_services::Presence of rsh server:
 KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
 KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
 KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
From 99362242784c9efd25b84b38a347f10933af1e1a Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 4 Apr 2019 14:42:39 +0200
Subject: [PATCH 020/132] Merge of several tests, cleanup, minor code enhancements and restructure
---
 include/tests_insecure_services | 589 ++++++++------------------------
 1 file changed, 134 insertions(+), 455 deletions(-)
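Review bot: The new INSE-8100 entry is followed directly by INSE-8116, so tests.db gets no rows for INSE-8102, INSE-8104 and INSE-8106, although the CHANGELOG commit in this series lists all three as added and INSE-8102 is registered in the tests_insecure_services commit that follows (`Register --test-no INSE-8102 ...`). If tests.db is the registry the tool consults for test metadata, as its name suggests, those three tests will be missing from it; the rows would follow the existing pattern, e.g. `INSE-8102:test:security:insecure_services::Status of xinet daemon:`. The INSE-8302 description, "Presence of rsh server", is also worth double-checking against the test actually registered under that id in the code, since the earlier commit on this page registers INSE-8302 for rsh trust files.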
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 9490fa32..afed850e 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -28,6 +28,7 @@
 #
 INETD_ACTIVE=0
 INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
+ INETD_PACKAGE_INSTALLED=0
 XINETD_ACTIVE=0
 XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf"
 XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d"
@@ -35,19 +36,19 @@
 #################################################################################
 #
 # Test : INSE-8000
- # Description : Check for installed inetd daemon
- Register --test-no INSE-8000 --weight L --network NO --category security --description "Check for installed inetd daemon"
+ # Description : Check for installed inetd package
+ Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for installed inetd daemon
 LogText "Test: Checking if inetd is installed"
- PackageIsInstalled inetd
- if [ $? -eq 0 ]; then
+ if PackageIsInstalled "inetd"; then
+ INETD_PACKAGE_INSTALLED=1
 LogText "Result: inetd is installed"
- Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed"
+ Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_FOUND}" --color YELLOW
+ #ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed"
 else
 LogText "Result: inetd is NOT installed"
- Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_OK}" --color GREEN
+ Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN
 fi
 fi
 #
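Review bot: The `#ReportSuggestion ${TEST_NO} "If there are no inetd services required, ..."` line in the INSE-8000 hunk leaves a disabled call in the code, and with it the installed-inetd finding is no longer recorded as a suggestion; it now only appears as a yellow FOUND on screen, which as far as can be seen here is the only remaining trace of it. If dropping the suggestion is intentional because the later INSE tests cover an active inetd, delete the line instead of commenting it out and say so in the `# Check for installed inetd daemon` comment; otherwise restore the call. The new `INETD_PACKAGE_INSTALLED=1` assignment is only set on the installed branch, which is fine given the `INETD_PACKAGE_INSTALLED=0` initialisation added in the first hunk.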
@@ -55,27 +56,27 @@
 #
 # Test : INSE-8002
 # Description : Check for inetd status
- Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon"
+ if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8002 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check running processes
 LogText "Test: Searching for active inet daemon"
- IsRunning inetd
- if [ ${RUNNING} -eq 1 ]; then
+ if IsRunning "inetd"; then
 LogText "Result: inetd is running"
- Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN
 INETD_ACTIVE=1
 else
 LogText "Result: inetd is NOT running"
- Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN
 fi
 fi
 #
 #################################################################################
 #
 # Test : INSE-8004
- # Description : Check for inetd configuration file
+ # Description : Check for inetd configuration file (inetd)
 if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
+ Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of inetd configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check configuration file
 LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
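Review bot: The new prerequisite `if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; ...` ties the INSE-8002 process check to the single package name "inetd" probed in INSE-8000, so on systems where the daemon comes from a differently named package (Debian's openbsd-inetd or inetutils-inetd, for example) or from a non-packaged build, a running inetd is never looked for, INETD_ACTIVE stays 0, INSE-8004 is skipped and INSE-8006 evaluates the configuration as if inetd were down. Since `IsRunning "inetd"` does not depend on the package at all, the safer choice is to register INSE-8002 without the prerequisite, as before, or to widen the package list in INSE-8000 before gating on it. The process check is also where a defender most wants visibility, because an active super-server matters regardless of how it was installed.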
@@ -95,15 +96,15 @@
 if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled"
 if [ ${SKIPTEST} -eq 0 ]; then
- # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
- LogText "Test: check if all services are disabled if inetd is disabled"
+ # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test INSE-8002)
+ LogText "Test: check if all services are disabled when inetd is disabled"
 FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$")
 if [ -z "${FIND}" ]; then
 LogText "Result: no services found in ${INETD_CONFIG_FILE}"
- Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
+ Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_OK}" --color GREEN
 else
 LogText "Result: found services in inetd, even though inetd is not running"
- Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
+ Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW
 ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
 fi
 fi
@@ -117,7 +118,7 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: checking telnet presence in inetd configuration"
 FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE})
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
 LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
 Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
 AddHP 3 3
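Review bot: `${INETD_CONFIG_FILE}` is still passed unquoted to `-f` in the prerequisite line and to grep in the FIND line of the INSE-8006 hunk, while the same commit quotes `"${XINETD_CONFIG_FILE}"` in the `@@ -176,12 +176,12 @@` hunk; since the path is built from `${ROOTDIR}`, a root directory containing whitespace splits the argument. Quoting it in both places brings the file in line with the commit's own pattern: `if [ ${INETD_ACTIVE} -eq 0 -a -f "${INETD_CONFIG_FILE}" ]; then ...` and `FIND=$(${GREPBINARY} -v "^#" "${INETD_CONFIG_FILE}" | ${GREPBINARY} -v "^$")`. The `-v "^$"` filter also lets whitespace-only lines through, so a line of spaces or tabs is counted as an enabled service and triggers the suggestion; `-v "^[[:space:]]*$"` covers that. The `FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE})` line in the `@@ -117,7 +118,7 @@` hunk has the same unquoted path.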
@@ -140,11 +141,11 @@ PackageIsInstalled xinetd if [ $? -eq 0 ]; then LogText "Result: xinetd is installed" - Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW + Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" else LogText "Result: xinetd is NOT installed" - Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_OK}" --color GREEN fi fi # @@ -152,18 +153,17 @@ # # Test : INSE-8102 # Description : Check for xinetd status - Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for enabled xinet daemon" + Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for active xinet daemon" if [ ${SKIPTEST} -eq 0 ]; then # Check running processes - LogText "Test: Searching for active xinet daemon" - IsRunning xinetd - if [ ${RUNNING} -eq 1 ]; then + LogText "Test: Searching for active extended internet services daemon (xinetd)" + if IsRunning "xinetd"; then LogText "Result: xinetd is running" - Display --indent 4 --text "- Checking xinetd status" --result "ACTIVE" --color GREEN + Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN XINETD_ACTIVE=1 else LogText "Result: xinetd is NOT running" - Display --indent 4 --text "- Checking xinetd status" --result "NOT ACTIVE" --color GREEN + Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN fi fi # 
@@ -176,12 +176,12 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check configuration file LogText "Test: Searching for file ${XINETD_CONFIG_FILE}" - if [ -f ${XINETD_CONFIG_FILE} ]; then + if [ -f "${XINETD_CONFIG_FILE}" ]; then LogText "Result: ${XINETD_CONFIG_FILE} exists" - Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_FOUND}" --color WHITE + Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_FOUND}" --color WHITE else LogText "Result: ${XINETD_CONFIG_FILE} does not exist" - Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE + Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -192,15 +192,15 @@ if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled" if [ ${SKIPTEST} -eq 0 ]; then - # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test 8102) + # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test INSE-8102) LogText "Test: check if all services are disabled if xinetd is disabled" FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR}) if [ -z "${FIND}" ]; then LogText "Result: no services found in ${XINETD_CONFIG_DIR}" - Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_OK}" --color GREEN + Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_NOT_FOUND}" --color GREEN else LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running" - Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_SUGGESTION}" --color YELLOW + Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service" fi fi 
@@ -208,350 +208,41 @@ ################################################################################# # # Test : INSE-8116 - # Description : Check for telnet enabled via xinetd - TELNET_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/telnet" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TELNET_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via xinetd" + # Description : Check for insecure services enabled via xinetd + if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Insecure services enabled via xinetd" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking telnet presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TELNET_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: telnet not enabled in ${TELNET_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_DISABLED}" --color GREEN + XINETD_INSECURE_SERVICE_FOUND=0 + + ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh talk telnet tftp" + + for SERVICE in ${ITEMS}; do + LogText "Test: checking service ${SERVICE}" + if ! SkipAtomicTest "${TEST_NO}:${SERVICE}"; then + FILE="${XINETD_CONFIG_DIR}/${SERVICE}" + if [ -f "${FILE}" ]; then + LogText "Test: checking status in xinetd configuration file (${FILE})" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE}) + if [ ! 
-z "${FIND}" ]; then + LogText "Result: found insecure service enabled: ${SERVICE}" + XINETD_INSECURE_SERVICE_FOUND=1 + ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details" + Report "insecure_service[]=${SERVICE}" + fi + fi + else + LogText "Result: skipped, as this item is excluded using the profile" + fi + done + + if [ ${XINETD_INSECURE_SERVICE_FOUND} -eq 0 ]; then + LogText "Result: no insecure services found in xinetd configuration" + Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_OK}" --color GREEN AddHP 3 3 else - LogText "Result: telnet enabled in ${TELNET_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable telnet in xinetd configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8118 - # Description : Check for rsh enabled via xinetd - RSH_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsh" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSH_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8118 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsh via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking rsh presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSH_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: rsh not enabled in ${RSH_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: rsh enabled in ${RSH_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable rsh in xinetd 
configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8120 - # Description : Check for rlogin enabled via xinetd - RLOGIN_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rlogin" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RLOGIN_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rlogin via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking rlogin presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RLOGIN_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: rlogin not enabled in ${RLOGIN_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: rlogin enabled in ${RLOGIN_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable rlogin in xinetd configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8122 - # Description : Check for rexec enabled via xinetd - REXEC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rexec" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${REXEC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rexec via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking rexec presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${REXEC_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: rexec not enabled in ${REXEC_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking 
xinetd (rexec)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: rexec enabled in ${REXEC_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rexec)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable rexec in xinetd configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8124 - # Description : Check for talk enabled via xinetd - TALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/talk" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for talk via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking talk presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TALK_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: talk not enabled in ${TALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: talk enabled in ${TALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable talk in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8126 - # Description : Check for ntalk enabled via xinetd - NTALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/ntalk" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${NTALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ntalk via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking ntalk presence in xinetd 
configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${NTALK_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: ntalk not enabled in ${NTALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: ntalk enabled in ${NTALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable ntalk in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8128 - # Description : Check for chargen-dgram enabled via xinetd - CHARGEN_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking chargen-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: chargen-dgram not enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: chargen-dgram enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable chargen-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8130 - # Description : Check for chargen-stream enabled via xinetd - CHARGEN_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-stream" - if [ 
${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN-STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking chargen-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: chargen-stream not enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: chargen-stream enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable chargen-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8132 - # Description : Check for daytime-dgram enabled via xinetd - DAYTIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking daytime-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: daytime-dgram not enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: daytime-dgram enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 
6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable daytime-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8134 - # Description : Check for daytime-stream enabled via xinetd - DAYTIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking daytime-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: daytime-stream not enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: daytime-stream enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable daytime-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8136 - # Description : Check for discard-dgram enabled via xinetd - DISCARD_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8136 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking discard-dgram presence in 
xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: discard-dgram not enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: discard-dgram enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable discard-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8138 - # Description : Check for discard-stream enabled via xinetd - DISCARD_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8138 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking discard-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: discard-stream not enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: discard-stream enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable discard-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8140 - # Description : Check for echo-dgram enabled via xinetd - 
ECHO_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8140 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking echo-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: echo-dgram not enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: echo-dgram enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable echo-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8142 - # Description : Check for echo-stream enabled via xinetd - ECHO_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8142 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking echo-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: echo-stream not enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: echo-stream enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" - Display 
--indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable echo-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8144 - # Description : Check for time-dgram enabled via xinetd - TIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8144 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking time-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TIME_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: time-dgram not enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: time-dgram enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable time-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8146 - # Description : Check for time-stream enabled via xinetd - TIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8146 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking time-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" 
${TIME_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: time-stream not enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: time-stream enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable time-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8148 - # Description : Check for tftp enabled via xinetd - TFTP_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/tftp" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TFTP_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8148 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for tftp via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking tftp presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TFTP_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: tftp not enabled in ${TFTP_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: tftp enabled in ${TFTP_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable tftp in xinetd configuration" - AddHP 1 3 + LogText "Result: one ore more insecure services discovered in xinetd configuration" + Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_WARNING}" --color RED + AddHP 0 3 fi fi # 
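Review bot: The per-service check `FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})` only flags stanzas that say `disable = no` explicitly; a stanza with no `disable` attribute at all is, as far as I recall, treated as enabled by xinetd, and a commented-out `# disable = no` is counted as enabled, so the loop has both a false negative and a false positive. Services defined directly in `/etc/xinetd.conf` rather than as files under `${XINETD_CONFIG_DIR}` are never examined either. At minimum strip comments first and treat a missing attribute as enabled, e.g. `if ! ${GREPBINARY} -v "^[[:space:]]*#" "${FILE}" | ${GREPBINARY} -q "disable[[:space:]]*=[[:space:]]*yes"; then`, which also drops the non-portable `\s` and quotes `${FILE}`. The LogText on the failure branch reads `one ore more`; it should be `one or more`.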
@@ -559,21 +250,21 @@ # # Test : INSE-8150 # Description : Check for rsync enabled via xinetd - RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking rsync presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration" - fi - fi + #RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync" + #if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd" + #if [ ${SKIPTEST} -eq 0 ]; then + # LogText "Test: checking rsync presence in xinetd configuration" + # FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE}) + # if [ "${FIND}" = "" ]; then + # LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}" + # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN + # else + # LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}" + # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED + # ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration" + # fi + #fi # 
################################################################################# # @@ -582,23 +273,19 @@ if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active" if [ ${SKIPTEST} -eq 0 ]; then - # Check if tcp_wrappers is installed when inetd/xinetd is active LogText "Test: Checking if tcp_wrappers is installed" - FOUND="" + FOUND=0 PACKAGES="tcp_wrappers tcpd" for PACKAGE in ${PACKAGES}; do - PackageIsInstalled ${PACKAGE} - if [ $? -eq 0 ];then - FOUND=${PACKAGE} - fi + if PackageIsInstalled ${PACKAGE}; then FOUND=1; fi done - if [ ${FOUND} ]; then + if [ ${FOUND} -eq 1 ]; then LogText "Result: tcp_wrappers is installed" Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN else LogText "Result: tcp_wrappers is NOT installed" Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed" + #ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed" fi fi # 
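Review bot: With `ReportSuggestion` commented out, the not-installed branch still displays `${STATUS_SUGGESTION}` in yellow but writes no suggestion to the report, so the screen and the report now disagree. Either restore the `ReportSuggestion` line or change the result to a neutral label such as `--result "${STATUS_NOT_FOUND}" --color WHITE` so the output matches what is actually reported. If the intent is that tcp_wrappers is no longer recommended (several distributions have dropped it), a one-line comment saying so would make the silent downgrade clear to the next maintainer. The `${PACKAGE}` argument to `PackageIsInstalled` is unquoted here while the sibling tests in this commit quote it.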
@@ -608,20 +295,16 @@ # Description : Check if rsh client is installed Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed" if [ ${SKIPTEST} -eq 0 ]; then - # Check if rsh is installed LogText "Test: Checking if rsh client is installed" - FOUND="" + FOUND=0 PACKAGES="rsh rsh-client rsh-redone-client" for PACKAGE in ${PACKAGES}; do - PackageIsInstalled ${PACKAGE} - if [ $? -eq 0 ];then - FOUND=${PACKAGE} - fi + if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi done - if [ ${FOUND} ]; then + if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh client is installed" Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "Rsh client contain numerous security exposures and have been replaced with the more secure SSH package" + ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package" else LogText "Result: rsh client is NOT installed" Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_OK}" --color GREEN 
@@ -631,36 +314,36 @@ ################################################################################# # # Test : INSE-8302 - # Description : Check presence of Rsh Trust Files - Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of Rsh Trust Files" - if [ ${SKIPTEST} -eq 0 ]; then - # Check presence of Rsh Trust Files - FOUND=0 - for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do - USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) - DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) - if [ -d ${DIR} ]; then - for RHOSTS in ${DIR}/.rhosts; do - if [ ! -h ${RHOSTS} -a -f ${RHOSTS} ]; then - LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}" - FOUND=1 - fi - done - fi - done - if [ -f /etc/hosts.equiv ];then - LogText "FOUND /etc/hosts.equiv" - FOUND=1 - fi - if [ ${FOUND} -eq 1 ]; then - LogText "Result: found one or more Rsh Trust Files" - Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system" - else - LogText "Result: no Rsh Trust Files found" - Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN - fi - fi + # Description : Check presence of rsh Trust Files + #Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of rsh Trust Files" + #if [ ${SKIPTEST} -eq 0 ]; then + # # Check presence of Rsh Trust Files + # FOUND=0 + # for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + # USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + # DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + # if [ -d ${DIR} ]; then + # for RHOSTS in 
${DIR}/.rhosts; do + # if [ ! -h ${RHOSTS} -a -f ${RHOSTS} ]; then + # LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}" + # FOUND=1 + # fi + # done + # fi + # done + # if [ -f /etc/hosts.equiv ];then + # LogText "FOUND /etc/hosts.equiv" + # FOUND=1 + # fi + # if [ ${FOUND} -eq 1 ]; then + # LogText "Result: found one or more Rsh Trust Files" + # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW + # ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system" + # else + # LogText "Result: no Rsh Trust Files found" + # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN + # fi + #fi # ################################################################################# # @@ -670,19 +353,16 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if rsh server is installed LogText "Test: Checking if rsh server is installed" - FOUND="" + FOUND=0 PACKAGES="rsh-server rsh-redone-server" for PACKAGE in ${PACKAGES}; do - PackageIsInstalled ${PACKAGE} - if [ $? -eq 0 ];then - FOUND=${PACKAGE} - fi + if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi done - if [ ${FOUND} ]; then + if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh server is installed" Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "Removing the rsh-server package decreases the risk of the accidental (or intentional) activation of rsh services" - + ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH" + Report "insecure_service[]=rsh-server" else LogText "Result: rsh server is NOT installed" Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_OK}" --color GREEN 
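Review bot: Commenting out INSE-8302 removes the only check for rsh trust files (`~/.rhosts` and `/etc/hosts.equiv`) without a replacement, and nothing in the hunk says why. Those files grant unauthenticated login when rsh/rlogin is enabled, which INSE-8116 in this same commit still reports, so the two checks belong together. If the test is being retired, delete it and leave a one-line comment recording that the ID was retired rather than keeping a commented-out copy; if it is only paused, a `# TODO` stating the reason is the minimum. If the original body was dropped for its `for LINE in $(cat /etc/passwd ...)` word-splitting, a `while IFS=: read -r` loop over `/etc/passwd` would keep the check without that problem.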
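Review bot: `Report "insecure_service[]=rsh-server"` hardcodes the package name, but the loop above also accepts `rsh-redone-server`, so the report can name a package that is not the one installed. Record the matching name in the loop, `if PackageIsInstalled "${PACKAGE}"; then FOUND=1; FOUND_PACKAGE="${PACKAGE}"; fi`, and report `"insecure_service[]=${FOUND_PACKAGE}"`. If the tag is meant as a generic service label rather than a package name, a short comment saying so would settle the question. The `Register` call for INSE-8303 and the end of the test are outside this hunk.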
@@ -697,11 +377,12 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if telnet client is installed LogText "Test: Checking if telnet client is installed" - PackageIsInstalled telnet - if [ $? -eq 0 ]; then + if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet client is installed" - Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" + Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_FOUND}" --color YELLOW + # Telnet client usage might be used for troubleshooting instead of system administration + #ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" else LogText "Result: telnet client is NOT installed" Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_OK}" --color GREEN 
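Review bot: The new line `if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi` in hunk `@@ -697,11 +377,12 @@` queries `${PACKAGE}`, but this test sets no PACKAGE, so it inherits the last value of the preceding rsh-server loop (rsh-redone-server), and `FOUND` is never reset either; the telnet-client result therefore mirrors the previous test's outcome instead of checking telnet. Replace it with `FOUND=0` followed by `if PackageIsInstalled "telnet"; then FOUND=1; fi`. The same line survives into patch 032 (hunk `@@ -377,7 +376,8 @@`), which only adds a LogText to it. The test body starts before this hunk.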
@@ -716,18 +397,16 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if TFTP server is installed LogText "Test: Checking if telnet server is installed" - FOUND="" + FOUND=0 PACKAGES="telnetd telnet-server" for PACKAGE in ${PACKAGES}; do - PackageIsInstalled ${PACKAGE} - if [ $? -eq 0 ];then - FOUND=${PACKAGE} - fi + if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi done - if [ ${FOUND} ]; then + if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet server is installed" - Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of telnet services" + Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_FOUND}" --color YELLOW + ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible" + Report "insecure_service[]=telnet-server" else LogText "Result: telnet server is NOT installed" Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_OK}" --color GREEN From 72ba872a2fc2de1900f7a3f088b1b136a2751e32 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 4 Apr 2019 19:04:42 +0200 Subject: [PATCH 021/132] Improve text output for AIX systems --- include/osdetection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index 5ab80293..a6c18bb5 100644 --- a/include/osdetection +++ b/include/osdetection @@ -477,7 +477,7 @@ ECHONB="" case ${OS} in - "AIX") ECHOCMD="echo" ;; + "AIX") ECHOCMD="echo"; ECHONB="printf" ;; "DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;; "macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;; "Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;; From ef0b5b7641e4af2664e578386cba425c79517f04 Mon Sep 17 00:00:00 2001 
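Review bot: `ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible"` in hunk `@@ -716,18 +397,16 @@` now interpolates the flag, so the suggestion reads "Removing the 1 package …", because the same hunk changed FOUND from the package name to 0/1. Keep the matched name next to the flag, `if PackageIsInstalled "${PACKAGE}"; then FOUND=1; FOUND_PACKAGE="${PACKAGE}"; fi`, and use `${FOUND_PACKAGE}` in the suggestion; `Report "insecure_service[]=telnet-server"` could name it as well. The unchanged comment above the LogText still says "TFTP server" for a telnet check. The test body starts before the hunk.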
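Review bot: `ECHONB="printf"` for AIX in hunk `@@ -477,7 +477,7 @@` turns the first argument of every `${ECHONB} "…"` call into the printf format string, so any `%` in the text (a percentage, a literal `%s`) is interpreted rather than printed, unlike the `echo -n` forms used for the other platforms. If callers invoke it as `${ECHONB} "text"` (not visible here), `ECHONB="printf %s"` keeps the no-trailing-newline behaviour while treating the text as data; the unquoted expansion splits it into the two words printf needs.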
From: Michael Boelen Date: Thu, 4 Apr 2019 19:05:02 +0200 Subject: [PATCH 022/132] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 664b52cf..a6a5e11d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades +- Improve text output for AIX systems --------------------------------------------------------------------------------- From 2750e9b7b8014a01b5e218d89856a37793529ec1 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:50:46 +0200 Subject: [PATCH 023/132] Detect equery binary --- include/binaries | 3 ++- include/consts | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index ec9a634f..2ba93cfa 100644 --- a/include/binaries +++ b/include/binaries 
@@ -132,7 +132,8 @@ domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; - exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;; + equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;; + exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;; fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;; file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;; find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index 1abe26f9..fa923c99 100644 --- a/include/consts +++ b/include/consts @@ -103,6 +103,7 @@ unset LANG DPKGBINARY="" ECHOCMD="" ERROR_ON_WARNINGS=0 + EQUERYBINARY="" FAIL2BANBINARY="" FILEBINARY="" FILEVALUE="" From f8b390617b14fefa045c24c3810488e3740fadcf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:51:25 +0200 Subject: [PATCH 024/132] Changed screen output --- include/tests_insecure_services | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index afed850e..2b673072 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services 
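Review bot: The LogText for the new equery case in hunk `@@ -132,7 +132,8 @@` says `Found known binary: query (package manager)`; every other case names the binary itself, so it should read `equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: equery (package manager) - ${BINARY}" ;;`. The exim line is touched only to add a leading space to its log text, which is fine but unrelated to the "Detect equery binary" subject.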
@@ -44,11 +44,11 @@ if PackageIsInstalled "inetd"; then INETD_PACKAGE_INSTALLED=1 LogText "Result: inetd is installed" - Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW #ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed" else LogText "Result: inetd is NOT installed" - Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN + Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN fi fi # @@ -141,11 +141,11 @@ PackageIsInstalled xinetd if [ $? -eq 0 ]; then LogText "Result: xinetd is installed" - Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" else LogText "Result: xinetd is NOT installed" - Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN fi fi # 
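Review bot: The not-installed branch of the inetd test in hunk `@@ -44,11 +44,11 @@` reports `${STATUS_NOT_FOUND}` while the identical branch of the xinetd test in hunk `@@ -141,11 +141,11 @@` reports `${STATUS_OK}`, and the same split recurs in this commit's telnet hunks (`@@ -404,12 +404,12 @@` moves telnet server to NOT FOUND, `@@ -380,12 +380,12 @@` leaves telnet client on OK). Since the screen label was changed to "Installed … package" in all of them, pick one status for "package absent" and use it throughout the file; `--result "${STATUS_NOT_FOUND}"` reads most naturally next to that label. Both test bodies start before their hunks.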
@@ -303,11 +303,11 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh client is installed" - Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_SUGGESTION}" --color YELLOW + Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package" else LogText "Result: rsh client is NOT installed" - Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN fi fi # @@ -360,12 +360,12 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh server is installed" - Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_SUGGESTION}" --color YELLOW + Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH" Report "insecure_service[]=rsh-server" else LogText "Result: rsh server is NOT installed" - Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_OK}" --color GREEN fi fi # 
@@ -380,12 +380,12 @@ if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet client is installed" - Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW # Telnet client usage might be used for troubleshooting instead of system administration #ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" else LogText "Result: telnet client is NOT installed" - Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN fi fi # @@ -404,12 +404,12 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet server is installed" - Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible" Report "insecure_service[]=telnet-server" else LogText "Result: telnet server is NOT installed" - Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN fi fi # From 1e134bc1b36cbdadf3d42a8c0b3a0016318550c8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:52:52 +0200 Subject: [PATCH 025/132] Extended function with more package managers --- include/functions | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/include/functions b/include/functions index e8965986..c1df0fbf 100644 --- a/include/functions 
+++ b/include/functions @@ -1714,11 +1714,20 @@ Fatal "Incorrect usage of PackageIsInstalled function" fi - if [ ! -z "${RPMBINARY}" ]; then - output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null) + if [ ! -z "${DNFBINARY}" ]; then + output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1) exit_code=$? elif [ ! -z "${DPKGBINARY}" ]; then - output=$(${DPKGBINARY} -l ${package} 2> /dev/null) + output=$(${DPKGBINARY} -l ${package} > /dev/null 2>&1) + exit_code=$? + elif [ ! -z "${EQUERYBINARY}" ]; then + output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) + exit_code=$? # 0=package installed, 3=package not installed + elif [ ! -z "${PKG_BINARY}" ]; then + output=$(${PKG_BINARY} -N info ${package} >& /dev/null) + exit_code=$? # 0=package installed, 70=invalid package + elif [ ! -z "${RPMBINARY}" ]; then + output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) exit_code=$? elif [ ! -z "${ZYPPERBINARY}" ]; then output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i") From 1a1d736fa7baee2983ae7b8452c64fb342313c32 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:53:04 +0200 Subject: [PATCH 026/132] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a6a5e11d..0d0187d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
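Review bot: In hunk `@@ -1714,11 +1714,20 @@` every new branch captures `output=$(… > /dev/null 2>&1)` and then only reads `$?`, so `output` is always empty and the command substitution merely adds a subshell; `${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1; exit_code=$?` says what is meant. `${package}` is expanded unquoted into each command line, so a name containing whitespace or glob characters would be split; quoting it is cheap since callers pass single names. The zypper branch left as context still queries `${PACKAGE}` rather than `${package}`, so on SUSE the function presumably checks whatever the caller's loop variable happens to hold. The rest of PackageIsInstalled is outside the hunk.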
@@ -12,12 +12,14 @@ - INSE-8200 - Usage of TCP wrappers - INSE-8300 - Presence of rsh client - INSE-8302 - Presence of rsh server +- Detect equery binary detection ### Changed - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades - Improve text output for AIX systems +- Extended PackageIsInstalled function --------------------------------------------------------------------------------- From 08ecd911801dd90215ab885e690dec3686cf1d36 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 19:03:21 +0200 Subject: [PATCH 027/132] Use ps instead of pgrep on AIX --- include/functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/functions b/include/functions index c1df0fbf..e3a09c0c 100644 --- a/include/functions +++ b/include/functions @@ -1284,7 +1284,8 @@ if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi RUNNING=0 - if [ ! -z "${PGREPBINARY}" ]; then + # AIX does not fully support pgrep options, so using ps instead + if [ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ') else if [ -z "${PSOPTIONS}" ]; then From 3516ce9de10528f08f949b09daa179e949b0596c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 19:03:28 +0200 Subject: [PATCH 028/132] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d0187d7..c7c09fc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
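Review bot: `[ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]` in hunk `@@ -1284,7 +1284,8 @@` relies on the `-a` primary, which POSIX marks obsolescent and which becomes ambiguous once an operand can start with `!` or `-`; the file runs under /bin/sh, so `[[` is not available. Write it as two tests, `if [ -n "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then`, which also removes the double negation. IsRunning's body continues outside the hunk.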
@@ -18,8 +18,9 @@ - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades -- Improve text output for AIX systems +- AIX enhancement for IsRunning function - Extended PackageIsInstalled function +- Improve text output on AIX systems --------------------------------------------------------------------------------- From 71a0c79053119fedfcb68d47c7b4483b16a8ec1c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 8 Apr 2019 07:53:04 +0200 Subject: [PATCH 029/132] Corrected stdout/stderr redirection for FreeBSD pkg tool --- include/functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/functions b/include/functions index e3a09c0c..26d8c378 100644 --- a/include/functions +++ b/include/functions @@ -1700,7 +1700,7 @@ ################################################################################ # Name : PackageIsInstalled() - # Description : Add a separator to log file between sections, tests etc + # Description : Determines if a package is installed # Returns : exit code # Notes : this function is not used yet, but created in advance to allow # the addition of support for all operating systems @@ -1725,7 +1725,7 @@ output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) exit_code=$? # 0=package installed, 3=package not installed elif [ ! -z "${PKG_BINARY}" ]; then - output=$(${PKG_BINARY} -N info ${package} >& /dev/null) + output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1) exit_code=$? # 0=package installed, 70=invalid package elif [ ! -z "${RPMBINARY}" ]; then output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) From 137dc6f0ccb1abe91c6102362209c274e6897ec7 Mon Sep 17 00:00:00 2001 
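Review bot: The header corrected in hunk `@@ -1700,7 +1700,7 @@` still carries `# Notes : this function is not used yet, but created in advance …`, which is no longer true: the patches above call PackageIsInstalled from tests_insecure_services for inetd, xinetd, rsh and telnet. Replace the note with the contract the branches implement, e.g. `# Notes : returns the package manager's exit code; 0 = installed (equery 3, pkg 70 = not installed)`, since callers now branch on that value directly.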
From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Mon, 8 Apr 2019 10:36:17 +0200 Subject: [PATCH 030/132] fix FILE-6374 (#672) --- include/tests_filesystems | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 43b9e7ec..8bf47685 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -560,7 +560,7 @@ # --------------------------------------------------------- FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" - Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking /boot mount options" + Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking partitions mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then for I in ${FILESYSTEMS_TO_CHECK}; do @@ -574,7 +574,7 @@ fi fi if [ ! -z "${FS_FSTAB}" ]; then - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} -d '\n') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" From 256bc1da0fec522dc6cce84bba499416c367f6d8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 8 Apr 2019 11:07:41 +0200 Subject: [PATCH 031/132] Undoed submitted pull request as it breaks testing at least on Ubuntu system --- include/tests_filesystems | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 8bf47685..7dc61933 100644 --- a/include/tests_filesystems 
+++ b/include/tests_filesystems @@ -566,7 +566,7 @@ for I in ${FILESYSTEMS_TO_CHECK}; do FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1) EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g') - FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab) + FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' ${ROOTDIR}etc/fstab) if [ "${FS_FSTAB}" = "glusterfs" ]; then EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g') if [ -z "${EXPECTED_FLAGS}" ]; then @@ -574,7 +574,7 @@ fi fi if [ ! -z "${FS_FSTAB}" ]; then - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} -d '\n') + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" @@ -582,7 +582,7 @@ FULLY_HARDENED=1 for FLAG in ${EXPECTED_FLAGS}; do FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}) - if [ "${FLAG_AVAILABLE}" = "" ]; then + if [ -z "${FLAG_AVAILABLE}" ]; then LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" FULLY_HARDENED=0 else From fd8b1e790d3eb7e3d98b89fc66edd392862f8430 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 8 Apr 2019 15:09:18 +0200 Subject: [PATCH 032/132] Improved PackageIsInstalled function and its usage --- include/functions | 2 +- include/tests_insecure_services | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/functions b/include/functions index 26d8c378..b15bda88 100644 --- a/include/functions +++ b/include/functions 
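Review bot: Hunks `@@ -566,7 +566,7 @@` and `@@ -574,7 +574,7 @@` now read `${ROOTDIR}etc/fstab`, but the guard shown as context in the previous patch, `if [ -f /etc/fstab ]; then`, is not part of this hunk and still tests the host path, so with a non-default ROOTDIR the reads are gated on the wrong file. Change the guard to `if [ -f ${ROOTDIR}etc/fstab ]; then` in the same commit. `-v fs=${FILESYSTEM}` is unquoted in both awk calls; the values come from the FILESYSTEMS_TO_CHECK literal, so it is harmless today, but quoting costs nothing. The test body starts before the hunk.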
@@ -1719,7 +1719,7 @@ output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1) exit_code=$? elif [ ! -z "${DPKGBINARY}" ]; then - output=$(${DPKGBINARY} -l ${package} > /dev/null 2>&1) + output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? elif [ ! -z "${EQUERYBINARY}" ]; then output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 2b673072..841189d8 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -138,8 +138,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check for installed xinetd daemon LogText "Test: Checking for installed xinetd daemon" - PackageIsInstalled xinetd - if [ $? -eq 0 ]; then + if PackageIsInstalled "xinetd"; then LogText "Result: xinetd is installed" Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" @@ -277,7 +276,7 @@ FOUND=0 PACKAGES="tcp_wrappers tcpd" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled ${PACKAGE}; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: tcp_wrappers is installed" @@ -299,7 +298,7 @@ FOUND=0 PACKAGES="rsh rsh-client rsh-redone-client" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh client is installed" 
@@ -356,7 +355,7 @@ FOUND=0 PACKAGES="rsh-server rsh-redone-server" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh server is installed" @@ -377,7 +376,8 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if telnet client is installed LogText "Test: Checking if telnet client is installed" - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi + if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet client is installed" Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW @@ -400,7 +400,7 @@ FOUND=0 PACKAGES="telnetd telnet-server" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet server is installed" From fe09e4ebaa8f52cd6b7c01bc2088001cce4a7afe Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Tue, 9 Apr 2019 06:49:34 +0200 Subject: [PATCH 033/132] fix SHLL-6220 description (#673) --- include/tests_shells | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_shells b/include/tests_shells index 8f9763b4..80735064 100644 --- a/include/tests_shells +++ b/include/tests_shells 
@@ -99,7 +99,7 @@ # # Test : SHLL-6220 # Description : check for idle session killing tools or settings - Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells" + Register --test-no SHLL-6220 --weight L --network NO --category security --description "check for idle session killing tools or settings" if [ ${SKIPTEST} -eq 0 ]; then IDLE_TIMEOUT_METHOD="" From 15c942ac24adbac67f13f97d554a6e97986507c2 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 06:51:47 +0200 Subject: [PATCH 034/132] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7c09fc0..fa67946f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades +- Minor changes to improve text output and test descriptions - AIX enhancement for IsRunning function - Extended PackageIsInstalled function - Improve text output on AIX systems From d90c43d06cbf10b90da61593beac6bb85d7be083 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 06:52:00 +0200 Subject: [PATCH 035/132] Updated descriptions --- include/tests_shells | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/tests_shells b/include/tests_shells index 80735064..3a094ad8 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -31,9 +31,10 @@ # Files (interactive login shells): /etc/profile $HOME/.bash_profile # $HOME/.bash_login $HOME/.profile # Files (interactive non-login shells): $HOME/.bash_rc - + # # csh/tcsh # Files: /etc/csh.cshrc /etc/csh.login + # # zsh # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile # /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc 
@@ -68,8 +69,8 @@ ################################################################################# # # Test : SHLL-6211 - # Description : which shells are available according /etc/shells - Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells" + # Description : Determine available shell according /etc/shells + Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for ${ROOTDIR}etc/shells" if [ -f ${ROOTDIR}etc/shells ]; then @@ -98,8 +99,8 @@ ################################################################################# # # Test : SHLL-6220 - # Description : check for idle session killing tools or settings - Register --test-no SHLL-6220 --weight L --network NO --category security --description "check for idle session killing tools or settings" + # Description : Check for idle session killing tools or settings + Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings" if [ ${SKIPTEST} -eq 0 ]; then IDLE_TIMEOUT_METHOD="" From e195e7c8e0be65491745a4a89b559d60c5106ed7 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 08:26:16 +0200 Subject: [PATCH 036/132] Corrected lsvg binary detection --- include/binaries | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index 2ba93cfa..7bf0d233 100644 --- a/include/binaries +++ b/include/binaries 
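Review bot: The new description comment in hunk `@@ -68,8 +69,8 @@` reads `Determine available shell according /etc/shells`; it should be `# Description : Determine available shells according to /etc/shells`, matching the plural used in the Register description on the next line. The SHLL-6220 hunk needs no change.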
@@ -166,7 +166,7 @@ lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;; lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;; lsof) LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;; - lsvg) LVSGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;; + lsvg) LSVGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;; lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;; lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;; maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;; From 6bc2aefbd4ef905e48c86f416b95eb919da3511e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 08:26:24 +0200 Subject: [PATCH 037/132] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa67946f..8d73513c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ - AIX enhancement for IsRunning function - Extended PackageIsInstalled function - Improve text output on AIX systems +- Corrected lsvg binary detection --------------------------------------------------------------------------------- From 2d0c68493154e8dfee061f7a101a3a689a29097f Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Sat, 13 Apr 2019 13:26:56 +0200 Subject: [PATCH 038/132] Added new 'generate' command --- include/consts | 2 + include/functions | 22 ++++++++-- include/helper_generate | 89 +++++++++++++++++++++++++++++++++++++++++ include/helper_show | 12 ++++++ include/parameters | 18 +++++++++ 5 files changed, 140 insertions(+), 3 deletions(-) create mode 100644 include/helper_generate diff --git a/include/consts b/include/consts index fa923c99..24a32167 100644 --- a/include/consts +++ b/include/consts @@ -251,8 +251,10 @@ unset LANG SHOW_REPORT_SOLUTION=1 SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) SHOW_WARNINGS_ONLY=0 + SKIP_GETHOSTID=0 SKIP_PLUGINS=0 SKIP_TESTS="" + SKIP_VM_DETECTION=0 SKIPREASON="" SKIPPED_TESTS_ROOTONLY="" SMTPCTLBINARY="" diff --git a/include/functions b/include/functions index b15bda88..35cb6b00 100644 --- a/include/functions +++ b/include/functions @@ -805,15 +805,26 @@ # Name : GetHostID() # Description : Create an unique id for the system # - # Returns : optional value + # Returns : 0 = fetched or created IDs, 1 = failed, 2 = skipped # Usage : GetHostID ################################################################################ GetHostID() { + if [ ${SKIP_GETHOSTID} -eq 1 ]; then + return 2 + fi + if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then Debug "Skipping creation of host identifiers, as they are already configured (via profile)" - return 1 + return 2 + fi + + if [ -f "${ROOTDIR}etc/lynis/hostids" ]; then + Debug "Used hostids file to fetch values" + HOSTID=$(grep "^hostid=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') + HOSTID2=$(grep "^hostid2=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') + return 0 fi FIND="" 
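Review bot: The new hostids branch in hunk `@@ -805,15 +805,26 @@` returns 0 as soon as the file exists, without checking that `hostid=` and `hostid2=` were actually found, so a file with one key or a malformed line leaves HOSTID empty yet skips the ReportException path later in the function. Guard the early return, `if [ -n "${HOSTID}" ] && [ -n "${HOSTID2}" ]; then return 0; fi`, and otherwise fall through to the generation code. The two reads call bare `grep` and `awk` rather than the `${GREPBINARY}`/`${AWKBINARY}` wrappers used elsewhere in the file. The values are accepted verbatim; since they end up in reports, a format check (expected length and character set) before adopting them would fit the function's stated purpose of providing a unique id. GetHostID continues outside the hunk.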
@@ -1110,8 +1121,9 @@ fi # Show an exception if no HostID could be created, to ensure each system (and scan) has one - if [ "${HOSTID}" = "" ]; then + if [ -z "${HOSTID}" ]; then ReportException "GetHostID" "No unique host identifier could be created." + return 1 elif [ ! -z "${HOSTID2}" ]; then return 0 fi @@ -1393,6 +1405,10 @@ ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" SHORT="" + if [ ${SKIP_VM_DETECTION} -eq 1 ]; then + return 2 + fi + # lxc environ detection if [ -z "${SHORT}" ]; then if [ -f /proc/1/environ ]; then diff --git a/include/helper_generate b/include/helper_generate new file mode 100644 index 00000000..bdcfb44d --- /dev/null +++ b/include/helper_generate @@ -0,0 +1,89 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2013, Michael Boelen +# Copyright 2007-2019, CISOfy +# +# Website : https://cisofy.com +# Blog : http://linux-audit.com +# GitHub : https://github.com/CISOfy/lynis +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +###################################################################### +# +# Helper program to generate specific details such as host IDs +# +###################################################################### +# +# How to use: +# ------------ +# Run: lynis generate