From 6f1797fb59c23ad4f545ca5ef458ff56199d8152 Mon Sep 17 00:00:00 2001 From: xnoguer Date: Sun, 23 Apr 2023 17:38:21 -0400 Subject: [PATCH 1/7] Using grep -E --- include/binaries | 2 -- include/functions | 9 +++++++-- include/tests_authentication | 32 ++++++++++++++++---------------- include/tests_boot_services | 14 +++++++------- include/tests_containers | 2 +- include/tests_crypto | 4 ++-- include/tests_databases | 4 ++-- include/tests_file_integrity | 8 ++++---- include/tests_file_permissions | 2 +- include/tests_filesystems | 14 +++++++------- include/tests_firewalls | 6 +++--- include/tests_homedirs | 4 ++-- include/tests_insecure_services | 2 +- include/tests_kernel | 18 +++++++++--------- include/tests_logging | 24 ++++++++++++------------ include/tests_mail_messaging | 10 +++++----- include/tests_nameservices | 8 ++++---- include/tests_networking | 2 +- include/tests_php | 18 +++++++++--------- include/tests_ports_packages | 8 ++++---- include/tests_printers_spoolers | 6 +++--- include/tests_scheduling | 16 ++++++++-------- include/tests_shells | 2 +- include/tests_squid | 2 +- include/tests_ssh | 4 ++-- include/tests_storage | 8 ++++---- include/tests_time | 18 +++++++++--------- include/tests_tooling | 4 ++-- include/tests_usb | 12 ++++++------ include/tests_webservers | 6 +++--- 30 files changed, 136 insertions(+), 133 deletions(-) diff --git a/include/binaries b/include/binaries index 7aabba42..c8fdc1e2 100644 --- a/include/binaries +++ b/include/binaries @@ -169,7 +169,6 @@ domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;; - egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;; evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;; exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;; @@ -341,7 +340,6 @@ [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found" [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found" [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found" - [ "${EGREPBINARY:-}" ] || ExitFatal "egrep binary not found" [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found" [ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found" [ "${HEADBINARY:-}" ] || ExitFatal "head binary not found" diff --git a/include/functions b/include/functions index 38cc46b3..841586be 100644 --- a/include/functions +++ b/include/functions @@ -1315,7 +1315,7 @@ return 2 else for CHECK_PERMISSION in ${CHECKPERMISSION_FULL}; do - DATA=$(echo ${CHECK_PERMISSION} | ${EGREPBINARY} "[rwx]") + DATA=$(echo ${CHECK_PERMISSION} | ${GREPBINARY} -E "[rwx]") if [ $? -eq 0 ]; then # add a dummy character as first character so it looks like output is a normal file CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}') @@ -1608,7 +1608,7 @@ # This search is not foolproof LogText "Performing simple ps scan (busybox)" PSOPTIONS=" -o args=" - FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep") + FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${GREPBINARY:-grep} -E "( |/)${search}" | ${GREPBINARY:-grep} -v "grep") else if [ -n "${users}" ]; then for u in ${users}; do @@ -3103,6 +3103,11 @@ unsafe=1 LogText "Security alert: file is not owned by active user, but can write to it" fi + # File is not owned by active user, and not readable by him + if [ ! -O "${FILE}" -a ! -r "${FILE}" ]; then + unsafe=1 + LogText "Security alert: file is not readable by active user" + fi fi # Check file permissions diff --git a/include/tests_authentication b/include/tests_authentication index 0552d646..3ec54d64 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -42,9 +42,9 @@ LogText "Test: Searching accounts with UID 0" # Check if device is a QNAP, as the root user is called admin, and not root if [ ${QNAP_DEVICE} -eq 1 ]; then - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') else - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') fi if [ -n "${FIND}" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED @@ -163,7 +163,7 @@ LogText "Test: Checking login shells" if [ -f ${ROOTDIR}etc/master.passwd ]; then # Check for all shells, except: (/usr)/sbin/nologin /nonexistent - FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${GREPBINARY} -E -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN else @@ -499,13 +499,13 @@ Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus") + FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus") if [ -z "${FIND}" ]; then LogText "Result: NIS+ authentication not enabled" Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE else - FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") - FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") + FIND2=$(${GREPBINARY} -E "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") + FIND3=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") if [ -n "${FIND2}" -o -n "${FIND3}" ]; then LogText "Result: NIS+ authentication enabled" Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN @@ -526,13 +526,13 @@ Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus") + FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nis" | ${GREPBINARY} -v "nisplus") if [ -z "${FIND}" ]; then LogText "Result: NIS authentication not enabled" Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE else - FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") - FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") + FIND2=$(${GREPBINARY} -E "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") + FIND3=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") if [ -n "${FIND2}" -o -n "${FIND3}" ]; then LogText "Result: NIS authentication enabled" Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN @@ -737,7 +737,7 @@ LogText "Result: file ${ROOTDIR}etc/pam.conf exists" Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" - FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g') + FIND=$(${GREPBINARY} -E -v "^#" ${ROOTDIR}etc/pam.conf | ${GREPBINARY} -E -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g') if [ -z "${FIND}" ]; then LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" else @@ -1017,7 +1017,7 @@ LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}" LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) - FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') + FIND=$(${GREPBINARY} -E -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') if [ -n "${FIND}" ]; then for ACCOUNT in ${FIND}; do LogText "Result: password of user ${ACCOUNT} has been expired" @@ -1109,8 +1109,8 @@ TEST_PERFORMED=1 LogText "Result: file ${ROOTDIR}etc/inittab exists" LogText "Test: checking presence sulogin for single user mode" - FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab) - FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab) + FIND=$(${GREPBINARY} -E "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab) + FIND2=$(${GREPBINARY} -E "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab) if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" @@ -1147,7 +1147,7 @@ # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support) TEST_PERFORMED=1 LogText "Result: found target ${I}" - FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin") + FIND=$(${GREPBINARY} -E "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin") if [ "${FIND}" = "" ]; then LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication" else @@ -1486,7 +1486,7 @@ Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap") + FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap") if [ "${FIND}" = "" ]; then LogText "Result: LDAP authentication not enabled" Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE @@ -1514,7 +1514,7 @@ LogText "Result: file ${FILE} exists, LDAP being used" LDAP_CLIENT_CONFIG_FILE="${FILE}" LogText "Test: checking LDAP servers in file ${FILE}" - FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E "^host " ${FILE} | ${AWKBINARY} '{ print $2 }') for SERVER in ${FIND}; do Display --indent 6 --text "LDAP server: ${SERVER}" LogText "Result: found LDAP server ${SERVER}" diff --git a/include/tests_boot_services b/include/tests_boot_services index 5901cd70..967b98a6 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -460,7 +460,7 @@ BOOT_LOADER_FOUND=1 Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN LogText "Checking password option LILO" - FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#") + FIND=$(${GREPBINARY} -E 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#") if [ -z "${FIND}" ]; then if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED @@ -605,7 +605,7 @@ else # FreeBSD (Read /etc/rc.conf file for enabled services) LogText "Searching for services at startup (rc.conf)" - FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//') + FIND=$(${GREPBINARY} -E -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${GREPBINARY} -E -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//') fi COUNT=0 for ITEM in ${FIND}; do @@ -715,7 +715,7 @@ if [ -n "${CHKCONFIGBINARY}" ]; then LogText "Result: chkconfig binary found, trying that to discover information" LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)" - FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }') + FIND=$(${CHKCONFIGBINARY} --list | ${GREPBINARY} -E '3:on|5:on' | ${AWKBINARY} '{ print $1 }') COUNT=0 Report "boot_service_tool=chkconfig" for ITEM in ${FIND}; do @@ -947,7 +947,7 @@ if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then LogText "Result: file /usr/lib/systemd/system/rescue.service" LogText "Test: checking presence sulogin for single user mode" - FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) + FIND=$(${GREPBINARY} -E "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" @@ -981,14 +981,14 @@ Report "running_service[]=${ITEM}" COUNT=$((COUNT + 1 )) done - LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons" + LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons" Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found ${COUNT} running daemons" LogText "Result: Found ${COUNT} running daemons" # OpenBSD (Ask rcctl(8) for enabled daemons) LogText "Searching for enabled daemons (rcctl)" - FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$') + FIND=$(${RCCTLBINARY} ls on | ${GREPBINARY} -E -v '^(pf|check_quotas|library_aslr)$') COUNT=0 Report "boot_service_tool=rcctl" for ITEM in ${FIND}; do @@ -996,7 +996,7 @@ Report "boot_service[]=${ITEM}" COUNT=$((COUNT + 1 )) done - LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons" + LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons" Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot" LogText "Result: Found ${COUNT} enabled daemons at boot" diff --git a/include/tests_containers b/include/tests_containers index af10997d..a02ea268 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -137,7 +137,7 @@ # Check total of containers LogText "Test: checking total amount of Docker containers" - DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }') + DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} -E "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }') if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then DOCKER_CONTAINERS_TOTAL=0 fi diff --git a/include/tests_crypto b/include/tests_crypto index 89ad1e62..a643b6c0 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -54,7 +54,7 @@ LASTSUBDIR="" LogText "Result: found directory ${DIR}" # Search for certificate files - FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') + FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') for FILE in ${FILES}; do FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g') # See if we need to skip this path @@ -80,7 +80,7 @@ if [ ${CANREAD} -eq 1 ]; then # Only check the files that are not installed by a package, unless enabled by profile if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then - echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$" + echo ${FILE} | ${GREPBINARY} -E -q ".cer$|.der$" CER_DER=$? OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then diff --git a/include/tests_databases b/include/tests_databases index e973d23f..181dac6c 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -45,7 +45,7 @@ # Description : Check if MySQL is being used Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep") if [ -z "${FIND}" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: MySQL process not active" @@ -244,7 +244,7 @@ # reco: recovery (optional) Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep") if [ -z "${FIND}" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: Oracle process(es) not active" diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 8a38b97e..daf49196 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -104,7 +104,7 @@ if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check" if [ ${SKIPTEST} -eq 0 ]; then - AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://") + AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://") if case ${AIDE_DB} in @@*) ;; *) false;; esac; then I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}') AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#") @@ -330,7 +330,7 @@ ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') for DEVICE in /dev/mapper/*; do if [ -e "${DEVICE}" ]; then - FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY') + FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY') if [ ! -z "${FIND}" ]; then FOUND=1 LogText "Result: found dm-integrity device ${DEVICE}" @@ -370,7 +370,7 @@ ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') for DEVICE in /dev/mapper/*; do if [ -e "${DEVICE}" ]; then - FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY') + FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY') if [ ! -z "${FIND}" ]; then FOUND=1 LogText "Result: found dm-verity device ${DEVICE}" @@ -404,7 +404,7 @@ if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)") + FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)") if [ -z "${FIND}" ]; then LogText "Result: No SHA256 or SHA512 found for creating checksums" Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW diff --git a/include/tests_file_permissions b/include/tests_file_permissions index 32598f45..924dad12 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -35,7 +35,7 @@ FOUND=0 for PROFILE in ${PROFILES}; do LogText "Using profile ${PROFILE} for baseline." - FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1) + FILES=$(${GREPBINARY} -E '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1) for F in ${FILES}; do LogText "Test: checking file/directory ${F}" if [ -f "${F}" ]; then diff --git a/include/tests_filesystems b/include/tests_filesystems index ab6191aa..93af33ed 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -356,7 +356,7 @@ # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least # https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4-configuring-procfs LogText "Test: check proc mount with incorrect mount options" - FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=([0-9]|[a-z][a-z]*)") + FIND=$(${MOUNTBINARY} | ${GREPBINARY} -E "${ROOTDIR}proc " | ${GREPBINARY} -E -o "hidepid=([0-9]|[a-z][a-z]*)") if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then # https://lwn.net/Articles/817137/ Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN LogText "Result: proc mount mounted with ${FIND}" @@ -504,7 +504,7 @@ fi LogText "Test: Checking acl option on xfs root file system" - FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr') + FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${GREPBINARY} -E 'no_acl|no_user_xattr') if [ -z "${FIND}" ]; then FOUND=1 # some other tests to do ? @@ -638,7 +638,7 @@ NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l) NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l) NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l) - NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l) + NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${GREPBINARY} -E -v '^\(ro[,)]' | ${WCBINARY} -l) LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}" Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}" fi @@ -814,13 +814,13 @@ AVAILABLE_MODPROBE_FS="" for FS in ${LIST_FS_NOT_SUPPORTED}; do # Check if filesystem is present in modprobe output - FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1) + FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${GREPBINARY} -E "/${FS}.ko" | ${TAILBINARY} -1) if [ -n "${FIND}" ]; then LogText "Result: found ${FS} support in the kernel (output = ${FIND})" Debug "Module ${FS} present in the kernel" LogText "Test: Checking if ${FS} is active" # Check if FS is present in lsmod output - FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}") + FIND=$(${LSMODBINARY} | ${GREPBINARY} -E "^${FS}") if IsEmpty "${FIND}"; then LogText "Result: module ${FS} is currently not loaded in the kernel." AddHP 2 3 @@ -837,8 +837,8 @@ fi FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN LogText "Result: module ${FS} is blacklisted" diff --git a/include/tests_firewalls b/include/tests_firewalls index 44d6c441..6852b536 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -112,7 +112,7 @@ TABLES="filter" for TABLE in ${TABLES}; do LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') + FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') done echo "${FIND}" | while read -r line; do @@ -154,7 +154,7 @@ if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ') + FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ') if [ -n "${FIND}" ]; then FIREWALL_ACTIVE=1 if [ ${FIND} -le 5 ]; then @@ -506,7 +506,7 @@ Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration" if [ ${SKIPTEST} -eq 0 ]; then # Check for empty ruleset - NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l) + NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l) if [ ${NFT_RULES_LENGTH} -le 3 ]; then FIREWALL_EMPTY_RULESET=1 LogText "Result: this firewall set has 3 rules or less and is considered to be empty" diff --git a/include/tests_homedirs b/include/tests_homedirs index 3e5f1b78..77de47f4 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -57,7 +57,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if users' home directories permissions are 750 or more restrictive FOUND=0 - USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') + USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') while read -r LINE; do USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) @@ -93,7 +93,7 @@ EOF if [ ${SKIPTEST} -eq 0 ]; then # Check if users own their home directories FOUND=0 - USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') + USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') while read -r LINE; do USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index f01966f2..c86070c0 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -298,7 +298,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # # Check presence of Rsh Trust Files # FOUND=0 - # for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + # for LINE in $(${CAT_BINARY} /etc/passwd | ${GREPBINARY} -E -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do # USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) # DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) # if [ -d ${DIR} ]; then diff --git a/include/tests_kernel b/include/tests_kernel index ad914bfb..bba8080f 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -49,7 +49,7 @@ LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" ReportException "${TEST_NO}:01" else - FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical") + FIND2=$(${ECHOCMD} ${FIND} | ${GREPBINARY} -E "runlevel5|graphical") if HasData "${FIND2}"; then LogText "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN @@ -401,7 +401,7 @@ elif [ -e ${ROOTDIR}etc/rpi-issue ]; then FINDKERNEL="raspberrypi-kernel" LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" - elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then + elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else @@ -414,8 +414,8 @@ else LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') LogText "Kernel installed: ${FINDINSTALLED}" LogText "Kernel candidate: ${FINDCANDIDATE}" if IsEmpty "${FINDINSTALLED}"; then @@ -826,7 +826,7 @@ LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name" FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \ - | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g') + | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${GREPBINARY} -E -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g') if [ -n "${FOUND_KERNEL_DATE}" ]; then FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null) @@ -851,21 +851,21 @@ next="month" fi elif [ "$next" = "month" ]; then - if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then + if [ $(${ECHOCMD} "${part}" | ${GREPBINARY} -E -c "[A-Z][a-z]") -ge 1 ]; then UNAME_DATE_MONTH="${part}" next="day" fi elif [ "${next}" = "day" ]; then - if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then + if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then UNAME_DATE_DAY="${part}" next="time" fi elif [ "${next}" = "time" ]; then - if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then + if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c ":[0-9][0-9]:") -ge 1 ]; then next="year" fi elif [ "${next}" = "year" ]; then - if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then + if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then UNAME_DATE_YEAR="${part}" break fi diff --git a/include/tests_logging b/include/tests_logging index b6acdbe5..04bee67d 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -45,7 +45,7 @@ Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for a logging daemon" - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep") if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" @@ -261,7 +261,7 @@ Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which files are rotated with logrotate and if they exist" - FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }') + FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }') if [ -z "${FIND}" ]; then LogText "Result: nothing found" else @@ -280,7 +280,7 @@ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which directories can be found in logrotate configuration" - FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u) + FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u) if IsEmpty "${FIND}"; then LogText "Result: nothing found" else @@ -345,7 +345,7 @@ if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1") + FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1") if [ -n "${FIND}" ]; then SOLARIS_LOGHOST_LOCALHOST=1 LogText "Result: loghost entry is localhost (default)" @@ -371,7 +371,7 @@ TARGET="${ROOTDIR}etc/rsyslog.conf" if [ -f ${TARGET} ]; then LogText "Test: analyzing file ${TARGET} for remote target" - DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') + DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') if [ -z "${DATA}" ]; then LogText "Result: no remote target found" else @@ -391,7 +391,7 @@ for F in ${FILES}; do F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g') LogText "Test: analyzing file ${F} for remote target" - DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') + DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') if [ -n "${DATA}" ]; then LogText "Result: found remote target" REMOTE_LOGGING_ENABLED=1 @@ -403,7 +403,7 @@ done else # Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines. - DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F}) + DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F}) if [ -n "${DATA}" ]; then LogText "Result: most likely remote log host is used, as keyword 'target' is used" REMOTE_LOGGING_ENABLED=1 @@ -424,7 +424,7 @@ if [ -f ${SYSLOGD_CONF} ]; then LogText "Test: check if logs are also logged to a remote logging host" - FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") + FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") if [ -n "${FIND}" ]; then FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost") if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then @@ -435,9 +435,9 @@ fi else # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination - DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') + DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') for DESTINATION in ${DESTINATIONS}; do - FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") + FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)") if [ -n "${FIND2}" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 @@ -539,7 +539,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking open log files with lsof" if [ -n "${LSOFBINARY}" ]; then - FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") + FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") for I in ${FIND}; do LogText "Found logfile: ${I}" done @@ -572,7 +572,7 @@ LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts" fi - FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) + FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) if [ -n "${FIND}" ]; then LogText "Result: found one or more files which are deleted, but still in use" for I in ${FIND}; do diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index a8e9ec3b..8d4ae929 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -70,18 +70,18 @@ unset FIND FIND2 FIND3 FIND4 # Local Only - FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal') + FIND=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^nonlocal') # Internet Host - FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains') + FIND2=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^dnslookup_relay_to_domains') # Smarthost or Satellite - FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost') + FIND3=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^smarthost') if [ -n "${FIND}" ]; then EXIM_TYPE="LOCAL ONLY" elif [ -n "${FIND2}" ]; then EXIM_TYPE="INTERNET HOST" elif [ -n "${FIND3}" ]; then - FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost') + FIND4=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^hub_user_smarthost') if [ -n "${FIND4}" ]; then EXIM_TYPE="SATELLITE" else @@ -415,7 +415,7 @@ Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: found running smtpd process" Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN diff --git a/include/tests_nameservices b/include/tests_nameservices index 8c483d08..c35b4171 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -339,7 +339,7 @@ Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to determine version from banner" - FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*") + FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*") if [ "${FIND}" = "" ]; then LogText "Result: no useful information in banner found" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN @@ -571,7 +571,7 @@ Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts" - OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) + OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) if [ -z "${OUTPUT}" ]; then LogText "Result: OK, no duplicate lines found" Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN @@ -592,7 +592,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check /etc/hosts contains an entry for this server name" if [ -n "${HOSTNAME}" ]; then - DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) + DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts" Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN @@ -615,7 +615,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts" - DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) + DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found this server hostname mapped to a local address" LogText "Output: ${DATA}" diff --git a/include/tests_networking b/include/tests_networking index 7faf7125..116f3760 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -280,7 +280,7 @@ Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" if [ $SKIPTEST -eq 0 ]; then LogText "Test: Searching default gateway(s)" - FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) + FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) if [ -n "${FIND}" ]; then for I in ${FIND}; do LogText "Result: Found default gateway ${I}" diff --git a/include/tests_php b/include/tests_php index 23738198..858bc14b 100644 --- a/include/tests_php +++ b/include/tests_php @@ -285,9 +285,9 @@ # Test : PHP-2368 # Description : Check php register_globals option # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) - if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then + if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY} -E" ]; then if [ -f "${PHPINIFILE}" ]; then - FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])") + FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])") if [ -z "${FIND}" ]; then PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals" else @@ -305,7 +305,7 @@ Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP register_globals option" - FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -n "${FIND}" ]; then Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" @@ -338,7 +338,7 @@ ;; esac LogText "Test: Checking file ${FILE}" - FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;') if HasData "${FIND}"; then LogText "Result: found a a possible match on expose_php setting" LogText "Data: ${FIND}" @@ -367,7 +367,7 @@ Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP enable_dl option" - FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -n "${FIND}" ]; then Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls" @@ -389,7 +389,7 @@ Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_fopen option" - FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk" @@ -412,7 +412,7 @@ Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_include option" - FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk" @@ -436,7 +436,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # FOUND=0 # SIMULATION=0 - # MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7") + # MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7") # if [ "${OS}" = "OpenBSD" ]; then # FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP # SIMULATION=off @@ -519,7 +519,7 @@ ;; esac LogText "Test: Checking file ${FILE}" - FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE}) + FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE}) if HasData "${FIND}"; then LogText "Result: found listen on just a port number" LogText "Data: ${FIND}" diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9ca1948d..0e938cfe 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -836,7 +836,7 @@ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: YUM package update management" - FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") + FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -E "^[0-9]+$") if [ -z "${FIND}" -o "${FIND}" = "0" ]; then LogText "Result: YUM package update management failed" Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED @@ -1030,7 +1030,7 @@ if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then if [ -f ${ROOTDIR}etc/apt/sources.list ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" - FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} -E "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN @@ -1043,7 +1043,7 @@ fi if [ -d /etc/apt/sources.list.d ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" - FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} -E -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN @@ -1338,7 +1338,7 @@ if [ "${DPKGBINARY}" ]; then TESTED=1 KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]" - KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l) + KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from dpkg -l output, which is unexpected" elif [ ${KERNELS} -gt 5 ]; then diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index 851b0edd..d9318c3b 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers @@ -144,14 +144,14 @@ LogText "Test: Checking CUPS daemon listening network addresses" # Search for Port statement - FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) + FIND=$(${GREPBINARY} -E "^Port 631" ${CUPSD_CONFIG_FILE}) if [ -n "${FIND}" ]; then LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" PORT_FOUND=1 fi # Checking network addresses - FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') COUNT=0 for ITEM in ${FIND}; do LogText "Result: found network address: ${ITEM}" @@ -222,7 +222,7 @@ QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig" FileIsReadable ${QDAEMON_CONFIG_FILE} if [ ${CANREAD} -eq 1 ]; then - FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device") + FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${GREPBINARY} -E "backend|device") if [ -n "${FIND}" ]; then LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_scheduling b/include/tests_scheduling index 3aa004c6..10fa0766 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -35,7 +35,7 @@ # Description : Check cron daemon Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )") + FIND=$(${PSBINARY} aux | ${GREPBINARY} -E "( cron$|/cron(d)? )") if IsEmpty "${FIND}"; then LogText "Result: no cron daemon found" else @@ -55,12 +55,12 @@ BAD_FILE_PERMISSIONS=0 BAD_FILE_OWNERSHIP=0 FindCronJob() { - sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) + sCRONJOBS=$(${GREPBINARY} -E '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) } CRONTAB_FILE="${ROOTDIR}etc/crontab" if [ -f ${CRONTAB_FILE} ]; then - ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" + ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FindCronJob ${CRONTAB_FILE} @@ -86,7 +86,7 @@ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') - if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi FindCronJob ${FILE} if HasData "${sCRONJOBS}"; then for K in ${sCRONJOBS}; do @@ -121,7 +121,7 @@ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') - if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi LogText "Result: Found cronjob (${I}): ${FILE}" Report "cronjob[]=${FILE}" done @@ -141,7 +141,7 @@ FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null) for I in ${FIND}; do if FileIsReadable ${I}; then - ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" + ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} for FILE in ${sCRONJOBS}; do LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})" @@ -154,7 +154,7 @@ FIND=$(find ${ROOTDIR}var/spool/cron -type f -print) for I in ${FIND}; do if FileIsReadable ${I}; then - ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" + ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} for FILE in ${sCRONJOBS}; do LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})" @@ -169,7 +169,7 @@ if [ "${OS}" = "Linux" ]; then if [ -f /etc/anacrontab ]; then LogText "Test: checking anacrontab" - sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) + sANACRONJOBS=$(${GREPBINARY} -E '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) if [ -n "${sANACRONJOBS}" ]; then Report "scheduler[]=anacron" for I in ${sANACRONJOBS}; do diff --git a/include/tests_shells b/include/tests_shells index 8ecbde2c..b046b608 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -52,7 +52,7 @@ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking console TTYs" - FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure') + FIND=$(${GREPBINARY} -E '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN LogText "Result: console is secured against single user mode without password." diff --git a/include/tests_squid b/include/tests_squid index c486108c..1eb43955 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -42,7 +42,7 @@ LogText "Test: Searching for a Squid daemon" FOUND=0 # Check running processes - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep") if [ -n "${FIND}" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" diff --git a/include/tests_ssh b/include/tests_ssh index fb784d83..6ab6f193 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -299,7 +299,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # AllowUsers - FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set, with value ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN @@ -310,7 +310,7 @@ fi # AllowGroups - FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_storage b/include/tests_storage index ac60502c..29785e6c 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -38,8 +38,8 @@ if [ -d "${ROOTDIR}etc/modprobe.d" ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" @@ -49,8 +49,8 @@ fi fi if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then - FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" diff --git a/include/tests_time b/include/tests_time index df9a86b7..7ff6755e 100644 --- a/include/tests_time +++ b/include/tests_time @@ -139,7 +139,7 @@ for I in ${CRONTAB_FILES}; do if [ -f ${I} ]; then LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}" - FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') + FIND=$(${GREPBINARY} -E "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') if [ -n "${FIND}" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN @@ -161,10 +161,10 @@ for I in ${CRON_DIRS}; do for J in "${I}"/*; do # iterate over folders in a safe way # Check: regular file, readable and not called .placeholder - FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$') + FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$') if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}" - FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") + FIND=$("${GREPBINARY} -E" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") if [ -n "${FIND}" ]; then FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}" @@ -232,7 +232,7 @@ Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check the status of time synchronization via timedatectl" - FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes") + FIND=$(${TIMEDATECTL} status | ${GREPBINARY} -E "(NTP|System clock) synchronized: yes") if [ -z "${FIND}" ]; then LogText "Result: time not synchronized via NTP" ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized" @@ -273,7 +273,7 @@ else for ITEM in ${FIND}; do LogText "Found stratum 16 peer: ${ITEM}" - FIND2=$(${EGREPBINARY} "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE}) + FIND2=$(${GREPBINARY} -E "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE}) if IsEmpty "${FIND2}"; then COUNT=$((COUNT + 1)) Report "ntp_stratum_16_peer[]=${ITEM}" @@ -303,7 +303,7 @@ Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking unreliable ntp peers" - FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g') + FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN LogText "Result: No unreliable peers found" @@ -371,7 +371,7 @@ Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking preferred time source" - FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x') + FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E '^x') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN LogText "Result: No falsetickers found (items preceding with an 'x')" @@ -455,7 +455,7 @@ else LogText "Result: ${FILE} is not empty, which is fine" Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN - sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1") + sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${GREPBINARY} -E -v "^127." | ${GREPBINARY} -E -v "^::1") for I in ${sFIND}; do FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l) if [ ${FIND} -gt 0 ]; then @@ -553,7 +553,7 @@ Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers" if [ ${SKIPTEST} -eq 0 ]; then # Format is "xx/yy peers valid, ..." - FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) + FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} -E -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status" fi diff --git a/include/tests_tooling b/include/tests_tooling index 083f5045..30c506c0 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -259,8 +259,8 @@ # # Check email alert configuration # LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}" # - # FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) - # FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) + # FIND=$(${GREPBINARY} -E "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) + # FIND2=$(${GREPBINARY} -E "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) # # if [ -n "${FIND}" ]; then # FAIL2BAN_EMAIL=1 diff --git a/include/tests_usb b/include/tests_usb index d99d5a66..81c184df 100644 --- a/include/tests_usb +++ b/include/tests_usb @@ -54,8 +54,8 @@ if [ -d /etc/modprobe.d ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) + FIND=$(${GREPBINARY} -E -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state (blacklisted)" @@ -65,7 +65,7 @@ fi fi if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") + FIND=$(${GREPBINARY} -E "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state" @@ -316,11 +316,11 @@ Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 - USBGUARD_RULES_ALLOW=$(${EGREPBINARY} -c "^allow" ${USBGUARD_RULES}) + USBGUARD_RULES_ALLOW=$(${GREPBINARY} -E -c "^allow" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices allow" --result "${USBGUARD_RULES_ALLOW}" --color WHITE - USBGUARD_RULES_BLOCK=$(${EGREPBINARY} -c "^block" ${USBGUARD_RULES}) + USBGUARD_RULES_BLOCK=$(${GREPBINARY} -E -c "^block" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices block" --result "${USBGUARD_RULES_BLOCK}" --color WHITE - USBGUARD_RULES_REJECT=$(${EGREPBINARY} -c "^reject" ${USBGUARD_RULES}) + USBGUARD_RULES_REJECT=$(${GREPBINARY} -E -c "^reject" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices reject" --result "${USBGUARD_RULES_REJECT}" --color WHITE else LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)" diff --git a/include/tests_webservers b/include/tests_webservers index e0ca5737..1dbde636 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -63,7 +63,7 @@ Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Test: Scanning for Apache binary" - IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache') + IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache') if IsEmpty "${IS_APACHE}"; then LogText "Result: ${HTTPDBINARY} is not Apache" Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE @@ -203,7 +203,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # # Testing Debian style # LogText "Test: searching loaded/enabled Apache modules" - # apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //' + # apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //' # for I in ${APACHE_MODULES_ENABLED_LOCS}; do # LogText "Test: checking ${I}" # if [ -d ${I} ]; then @@ -381,7 +381,7 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})") + SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})") for I in ${SORTFILE}; do I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g') Report "nginx_config_option[]=${I}"; From 09c03ce222c03996b652142bb89cc541b28a3243 Mon Sep 17 00:00:00 2001 From: xnoguer Date: Sun, 23 Apr 2023 17:40:16 -0400 Subject: [PATCH 2/7] Using grep -E --- lynis | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/lynis b/lynis index 3f6d3b84..5aa219b7 100755 --- a/lynis +++ b/lynis @@ -148,13 +148,25 @@ # Perform a basic check for permissions. After including functions, using SafePerms() IGNORE_FILE_PERMISSION_ISSUES=0 - FILES_TO_CHECK="consts functions" + FILES_TO_CHECK="consts functions parameters binaries osdetection data_upload" ISSUE=0 ISSUE_TYPE="" SHOWPERMERROR=0 for FILE in ${FILES_TO_CHECK}; do + SUGGESTED_PERMS=640 + if [ ${PRIVILEGED} -eq 0 ]; then + SUGGESTED_PERMS=644 + fi + + # First check if files are readable so the shell can execute them + if [ ! -r ${INCLUDEDIR}/${FILE} ]; then + ISSUE=1 + ISSUE_TYPE="perms" + echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}" + fi + PERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10) GROUPPERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7) GROUPOWNERID=$(ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }') @@ -163,11 +175,11 @@ # Check permissions of include/X file (400, 600, 640, 644) if [ "${PERMS}" = "rwxrwxrwx" ]; then - ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}" + ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}" elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then # If group ID equals user ID, we consider permissions to be fine (probably default umask) if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then - ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}" + ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}" fi fi @@ -193,7 +205,7 @@ if [ ${ISSUE} -eq 1 ]; then printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n" if [ "${ISSUE_TYPE}" = "perms" ]; then - printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system" + printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod ${SUGGESTED_PERMS} include/*\n # ./lynis audit system" elif [ "${ISSUE_TYPE}" = "owner" ]; then printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system" fi @@ -217,10 +229,10 @@ # Extract the short notation of the language (first two characters). if [ -x "$(command -v locale 2> /dev/null)" ]; then - LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$") + LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$") # Try locale command if shell variable had no value if [ -z "${DISPLAY_LANG}" ]; then - DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2) + DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2) fi else LANGUAGE="en" @@ -1036,7 +1048,7 @@ ${NORMAL} if SafeFile ${INCLUDE_FILE}; then . ${INCLUDE_FILE} else - LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)" + LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 644, 640, 600 or 400)" ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}" # Insert a section and warn user also on screen InsertSection "${SECTION_GENERAL}" @@ -1063,7 +1075,7 @@ ${NORMAL} LogText "Result: file permissions fine, running custom tests" . ${INCLUDEDIR}/tests_custom else - LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)" + LogText "Exception: skipping custom tests, file has bad permissions (should be 644, 640, 600 or 400)" ReportWarning "NONE" "Invalid permissions on custom tests file" Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED fi From c7b73837db1f68820befd06a63f2ab855a00d5f9 Mon Sep 17 00:00:00 2001 From: xnoguer Date: Sun, 23 Apr 2023 17:44:44 -0400 Subject: [PATCH 3/7] Removing changes from another branch --- include/functions | 5 ----- 1 file changed, 5 deletions(-) diff --git a/include/functions b/include/functions index 841586be..9c52044b 100644 --- a/include/functions +++ b/include/functions @@ -3103,11 +3103,6 @@ unsafe=1 LogText "Security alert: file is not owned by active user, but can write to it" fi - # File is not owned by active user, and not readable by him - if [ ! -O "${FILE}" -a ! -r "${FILE}" ]; then - unsafe=1 - LogText "Security alert: file is not readable by active user" - fi fi # Check file permissions From ea9c6dbcc8c6db00160db7691e7407ed83fab361 Mon Sep 17 00:00:00 2001 From: xnoguer Date: Sun, 23 Apr 2023 17:51:58 -0400 Subject: [PATCH 4/7] Removing --- lynis | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/lynis b/lynis index 5aa219b7..1f401b97 100755 --- a/lynis +++ b/lynis @@ -148,25 +148,13 @@ # Perform a basic check for permissions. After including functions, using SafePerms() IGNORE_FILE_PERMISSION_ISSUES=0 - FILES_TO_CHECK="consts functions parameters binaries osdetection data_upload" + FILES_TO_CHECK="consts functions" ISSUE=0 ISSUE_TYPE="" SHOWPERMERROR=0 for FILE in ${FILES_TO_CHECK}; do - SUGGESTED_PERMS=640 - if [ ${PRIVILEGED} -eq 0 ]; then - SUGGESTED_PERMS=644 - fi - - # First check if files are readable so the shell can execute them - if [ ! -r ${INCLUDEDIR}/${FILE} ]; then - ISSUE=1 - ISSUE_TYPE="perms" - echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}" - fi - PERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10) GROUPPERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7) GROUPOWNERID=$(ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }') @@ -229,10 +217,10 @@ # Extract the short notation of the language (first two characters). if [ -x "$(command -v locale 2> /dev/null)" ]; then - LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$") + LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$") # Try locale command if shell variable had no value if [ -z "${DISPLAY_LANG}" ]; then - DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2) + DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2) fi else LANGUAGE="en" @@ -1048,7 +1036,7 @@ ${NORMAL} if SafeFile ${INCLUDE_FILE}; then . ${INCLUDE_FILE} else - LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 644, 640, 600 or 400)" + LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)" ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}" # Insert a section and warn user also on screen InsertSection "${SECTION_GENERAL}" @@ -1075,7 +1063,7 @@ ${NORMAL} LogText "Result: file permissions fine, running custom tests" . ${INCLUDEDIR}/tests_custom else - LogText "Exception: skipping custom tests, file has bad permissions (should be 644, 640, 600 or 400)" + LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)" ReportWarning "NONE" "Invalid permissions on custom tests file" Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED fi From 25a5d7af40070566cebc6a19c8f4841aabca100e Mon Sep 17 00:00:00 2001 From: xnoguer Date: Sun, 23 Apr 2023 17:53:22 -0400 Subject: [PATCH 5/7] Removing --- lynis | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lynis b/lynis index 1f401b97..a92e3556 100755 --- a/lynis +++ b/lynis @@ -163,11 +163,11 @@ # Check permissions of include/X file (400, 600, 640, 644) if [ "${PERMS}" = "rwxrwxrwx" ]; then - ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}" + ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}" elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then # If group ID equals user ID, we consider permissions to be fine (probably default umask) if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then - ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}" + ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}" fi fi @@ -217,10 +217,10 @@ # Extract the short notation of the language (first two characters). if [ -x "$(command -v locale 2> /dev/null)" ]; then - LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$") + LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$") # Try locale command if shell variable had no value if [ -z "${DISPLAY_LANG}" ]; then - DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2) + DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2) fi else LANGUAGE="en" From 346b843662376002e34c2e92a1914ae5233c56b0 Mon Sep 17 00:00:00 2001 From: xnoguer Date: Sun, 23 Apr 2023 17:54:01 -0400 Subject: [PATCH 6/7] Removing --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index a92e3556..3a628424 100755 --- a/lynis +++ b/lynis @@ -193,7 +193,7 @@ if [ ${ISSUE} -eq 1 ]; then printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n" if [ "${ISSUE_TYPE}" = "perms" ]; then - printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod ${SUGGESTED_PERMS} include/*\n # ./lynis audit system" + printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system" elif [ "${ISSUE_TYPE}" = "owner" ]; then printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system" fi From c845cecb6fb709d3bc81e0519688ff2bd5a5fe61 Mon Sep 17 00:00:00 2001 From: xnoguer Date: Sun, 23 Apr 2023 19:00:16 -0400 Subject: [PATCH 7/7] Fixing test --- include/tests_php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_php b/include/tests_php index 858bc14b..04502f68 100644 --- a/include/tests_php +++ b/include/tests_php @@ -285,7 +285,7 @@ # Test : PHP-2368 # Description : Check php register_globals option # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) - if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY} -E" ]; then + if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY}" ]; then if [ -f "${PHPINIFILE}" ]; then FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])") if [ -z "${FIND}" ]; then