New test INSE-8050

2016-10-05 09:50:06 +02:00 · 2016-10-05 09:50:06 +02:00 · 0cc27b956e
parent f8288bff20
commit 0cc27b956e
3 changed files with 30 additions and 3 deletions
--- a/db/tests.db
+++ b/db/tests.db
@ -54,7 +54,7 @@ BANN-7128:test:security:banners::Check issue.net banner file:
 BANN-7130:test:security:banners::Check issue.net banner file contents:
 BOOT-5102:test:security:boot_services:AIX:Check for AIX boot device:
 BOOT-5104:test:security:boot_services::Determine service manager:
-BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on Mac OS X:
+BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS:
 BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader:
 BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode:
 BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence:
@ -134,7 +134,7 @@ FIRE-4520:test:security:firewalls::Check pf configuration consistency:
 FIRE-4524:test:security:firewalls::Check for CSF presence:
 FIRE-4526:test:security:firewalls:Solaris:Check ipf status:
 FIRE-4530:test:security:firewalls:FreeBSD:Check IPFW status:
-FIRE-4532:test:security:firewalls::Check Mac OS X application firewall:
+FIRE-4532:test:security:firewalls:MacOS:Check macOS application firewall:
 FIRE-4536:test:security:firewalls:Linux:Check nftables status:
 FIRE-4538:test:security:firewalls:Linux:Check nftables basic configuration:
 FIRE-4540:test:security:firewalls:Linux:Test for empty nftables configuration:
@ -150,6 +150,7 @@ INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
 INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
 INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled:
 INSE-8016:test:security:insecure_services::Check for telnet via inetd:
+INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
 KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
 KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
 KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
--- a/include/binaries
+++ b/include/binaries
@ -151,7 +151,10 @@
                            journalctl)             JOURNALCTLBINARY="${BINARY}";                                                                         LogText "  Found known binary: journalctl (systemd journal) - ${BINARY}";                                 ;;
                            kldstat)                KLDSTATFOUND=1;        KLDSTATBINARY="${BINARY}";                                                     LogText "  Found known binary: kldstat (kernel modules) - ${BINARY}"                                      ;;
                            kstat)                  KSTATFOUND=1;          KSTATBINARY="${BINARY}";                                                       LogText "  Found known binary: kstat (kernel statistics) - ${BINARY}"                                     ;;
-                            launchctl)              LAUNCHCTLBINARY="${BINARY}"; SERVICE_MANAGER="launchd";                                               LogText "  Found known binary: launchctl (launchd client) - ${BINARY}"                                    ;;
+                            launchctl)              LAUNCHCTL_BINARY="${BINARY}"
+                                                    SERVICE_MANAGER="launchd";
+                                                    LogText "  Found known binary: launchctl (launchd client) - ${BINARY}"
+                            ;;
                            locate)                 LOCATEFOUND=1;         LOCATEBINARY="${BINARY}";                                                      LogText "  Found known binary: locate (file database) - ${BINARY}"                                        ;;
                            logrotate)              LOGROTATEFOUND=1;      LOGROTATEBINARY="${BINARY}";                                                   LogText "  Found known binary: logrotate (log rotation tool) - ${BINARY}"                                 ;;
                            ls)                     LSFOUND=1;             LSBINARY="${BINARY}";                                                          LogText "  Found known binary: ls (file listing) - ${BINARY}"                                             ;;
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@ -109,6 +109,29 @@
 #
 #################################################################################
 #
+    if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
+    Register --test-no INSE-8050 --os "MacOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        TEST_SERVICES="com.apple.fingerd"
+        for ITEM in ${TEST_SERVICES}; do
+            if ${LAUNCHCTL_BINARY} print-enabled system | grep -sq ${ITEM}; then
+                Display --indent 2 --text "- $text" --result "${STATUS_NO}" --color RED
+                LogText "Result: found ${ITEM}, which is considered an insecure service"
+                AddSuggestion "${TEST_NO}" "Consider disabling service ${ITEM}" "launchctl" "-"
+                AddHP 0 1
+            else
+                Display --indent 2 --text "- $text" --result "${STATUS_OK}" --color GREEN
+                LogText "Result: $text, OK"
+                AddHP 1 1
+            fi
+        done
+    fi
+#
+#################################################################################
+#
+
+# To do:
+# - mark in report when a system was tested for any insecure services

 WaitForKeyPress