From 0cc27b956ef5530e62ff210c2ac36a645300b0a3 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 5 Oct 2016 09:50:06 +0200
Subject: [PATCH] New test INSE-8050
---
 db/tests.db | 5 +++--
 include/binaries | 5 ++++-
 include/tests_insecure_services | 23 +++++++++++++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/db/tests.db b/db/tests.db
index 199b6a2f..96fef125 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -54,7 +54,7 @@ BANN-7128:test:security:banners::Check issue.net banner file:
 BANN-7130:test:security:banners::Check issue.net banner file contents:
 BOOT-5102:test:security:boot_services:AIX:Check for AIX boot device:
 BOOT-5104:test:security:boot_services::Determine service manager:
-BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on Mac OS X:
+BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS:
 BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader:
 BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode:
 BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence:
@@ -134,7 +134,7 @@ FIRE-4520:test:security:firewalls::Check pf configuration consistency:
 FIRE-4524:test:security:firewalls::Check for CSF presence:
 FIRE-4526:test:security:firewalls:Solaris:Check ipf status:
 FIRE-4530:test:security:firewalls:FreeBSD:Check IPFW status:
-FIRE-4532:test:security:firewalls::Check Mac OS X application firewall:
+FIRE-4532:test:security:firewalls:MacOS:Check macOS application firewall:
 FIRE-4536:test:security:firewalls:Linux:Check nftables status:
 FIRE-4538:test:security:firewalls:Linux:Check nftables basic configuration:
 FIRE-4540:test:security:firewalls:Linux:Test for empty nftables configuration:
@@ -150,6 +150,7 @@ INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
 INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
 INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled:
 INSE-8016:test:security:insecure_services::Check for telnet via inetd:
+INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
 KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
 KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
 KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
diff --git a/include/binaries b/include/binaries
index de9a67ec..0f2e6f4c 100644
--- a/include/binaries
+++ b/include/binaries
@@ -151,7 +151,10 @@
 journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}"; ;;
 kldstat) KLDSTATFOUND=1; KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
 kstat) KSTATFOUND=1; KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
- launchctl) LAUNCHCTLBINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
+ launchctl) LAUNCHCTL_BINARY="${BINARY}"
+ SERVICE_MANAGER="launchd";
+ LogText " Found known binary: launchctl (launchd client) - ${BINARY}"
+ ;;
 locate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; LogText " Found known binary: locate (file database) - ${BINARY}" ;;
 logrotate) LOGROTATEFOUND=1; LOGROTATEBINARY="${BINARY}"; LogText " Found known binary: logrotate (log rotation tool) - ${BINARY}" ;;
 ls) LSFOUND=1; LSBINARY="${BINARY}"; LogText " Found known binary: ls (file listing) - ${BINARY}" ;;
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index d04afd7c..c5e39a99 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -109,6 +109,29 @@
 #
 #################################################################################
 #
+ if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
+ Register --test-no INSE-8050 --os "MacOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ TEST_SERVICES="com.apple.fingerd"
+ for ITEM in ${TEST_SERVICES}; do
+ if ${LAUNCHCTL_BINARY} print-enabled system | grep -sq ${ITEM}; then
+ Display --indent 2 --text "- $text" --result "${STATUS_NO}" --color RED
+ LogText "Result: found ${ITEM}, which is considered an insecure service"
+ AddSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-"
+ AddHP 0 1
+ else
+ Display --indent 2 --text "- $text" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: $text, OK"
+ AddHP 1 1
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+
+# To do:
+# - mark in report when a system was tested for any insecure services
 WaitForKeyPress
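Review bot: `$text` is never assigned anywhere in this hunk, so both `Display` calls and the OK-branch `LogText "Result: $text, OK"` emit an empty label (or one left over from an earlier test) instead of naming the service that was checked; use the loop variable, e.g. `Display --indent 2 --text "- Checking ${ITEM}" --result "${STATUS_NO}" --color RED`, and `LogText "Result: ${ITEM} not enabled, OK"`. The detection `grep -sq ${ITEM}` matches on the service name alone, while `launchctl print-enabled system` appears to list each service together with its state, so an entry that is present but explicitly disabled would presumably still be reported as an insecure service. The unquoted, unescaped pattern also treats the dots in `com.apple.fingerd` as wildcards. Matching the quoted name together with the enabled state (with the name taken literally) would keep the finding accurate; the exact output format should be confirmed on the macOS versions this test targets.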