diff --git a/extras/bash_completion.d/lynis b/extras/bash_completion.d/lynis index 299f5a1e..f8deac47 100644 --- a/extras/bash_completion.d/lynis +++ b/extras/bash_completion.d/lynis @@ -16,7 +16,7 @@ _lynis() # first parameter on line case $cur in -*) - COMPREPLY=( $( compgen -W '--check-all --help --info --version' -- "$cur" ) ) + COMPREPLY=( $( compgen -W '--help --info --version' -- "$cur" ) ) ;; *) COMPREPLY=( $( compgen -W 'audit --help --info --version' -- "$cur" ) ) @@ -58,14 +58,18 @@ _lynis() COMPREPLY=( '"TEST-0001 TEST-0002 TEST-0003"' ) return 0 ;; - --tests-category) + --tests-from-category) + COMPREPLY=( '"performance privacy security"' ) + return 0 + ;; + --tests-from-groups) COMPREPLY=( '"accounting authentication"' ) return 0 ;; *) COMPREPLY=( $( compgen -W ' \ --auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \ - --tests --tests-category --upload --verbose --view-categories' -- "$cur" ) ) + --tests --tests-category --upload --verbose' -- "$cur" ) ) ;; esac diff --git a/include/consts b/include/consts index d29018e5..68074ddc 100644 --- a/include/consts +++ b/include/consts @@ -178,7 +178,9 @@ unset LANG TEMP_FILE="" TEMP_FILES="" TEST_SKIP_ALWAYS="" - TESTS_CATEGORY_TO_PERFORM="" + TEST_AVAILABLE_CATEGORIES="performance privacy security" + TEST_CATEGORY_TO_CHECK="all" + TEST_GROUP_TO_CHECK="all" TESTS_EXECUTED="" TESTS_SKIPPED="" TMPFILE="" diff --git a/include/functions b/include/functions index 9d0526be..f40997d9 100644 --- a/include/functions +++ b/include/functions 
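Review bot: The second completion hunk adds a `--tests-from-groups)` arm, but the option the parser accepts in include/parameters (later in this same commit) is the singular `--tests-from-group`, so the group suggestions are never offered for the option users actually type. The default `*)` word list on the last changed line also still completes `--tests-category`, which this commit turns into a fatal 'Deprecated option', and offers neither new option; suggest `--tests --tests-from-category --tests-from-group --upload --verbose' -- "$cur" ) )` and renaming the arm to `--tests-from-group)`. The `_lynis` function starts before the hunk and ends after it.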
@@ -83,7 +83,8 @@ # ShowSymlinkPath Show a path behind a symlink # SkipAtomicTest Test if a subtest needs to be skipped # TestValue Evaluate a value in a string or key -# ViewCategories Display tests categories +# ViewCategories Show available category of tests +# ViewGroups Display test groups # WaitForKeyPress Wait for user to press a key to continue # ################################################################################# @@ -1743,10 +1744,14 @@ # Do not insert a log break, if previous test was not logged if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; TEST_NEED_OS=""; PREQS_MET="" - TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM="" + TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM="" TOTAL_TESTS=$((TOTAL_TESTS + 1)) while [ $# -ge 1 ]; do case $1 in + --category) + shift + TEST_CATEGORY=$1 + ;; --description) shift TEST_DESCRIPTION=$1 @@ -1837,6 +1842,11 @@ fi fi + # Skip test when it belongs to another category (default is 'all') + if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_CATEGORY_TO_CHECK}" -a ! "${TEST_CATEGORY_TO_CHECK}" = "all" -a ! "${TEST_CATEGORY}" = "${TEST_CATEGORY_TO_CHECK}" ]; then + SKIPTEST=1; SKIPREASON="Incorrect category (${TEST_CATEGORY_TO_CHECK} only)" + fi + # Check for correct hardware platform if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi 
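Review bot: The new category check in the third hunk skips every test whose Register call carries no `--category`, because `TEST_CATEGORY` is reset to an empty string at the top of Register and an empty value never equals a non-'all' filter; any tests_* file not tagged in this commit would therefore silently drop out of a `--tests-from-category` run (which files remain untagged cannot be seen from here). Nothing validates `TEST_CATEGORY_TO_CHECK` against `TEST_AVAILABLE_CATEGORIES`, so a misspelled category yields a run in which every test is skipped with 'Incorrect category' rather than an error. A cheap guard in the `--category)` arm would be `case " ${TEST_AVAILABLE_CATEGORIES} " in *" ${TEST_CATEGORY} "*) ;; *) ShowError "Unknown category ${TEST_CATEGORY}"; ExitFatal ;; esac`, and treating an empty `TEST_CATEGORY` as 'unclassified, run it' keeps untagged tests from vanishing. `TEST_GROUP_TO_CHECK` is assigned by the option parser but is not read anywhere in these hunks; if nothing else consumes it, `--tests-from-group` is currently a no-op. Register begins before the hunk and continues after it.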
@@ -2529,8 +2539,24 @@ ################################################################################ ViewCategories() { + for CATEGORY in ${TEST_AVAILABLE_CATEGORIES}; do echo "${CATEGORY}"; done + echo "" + ExitClean + } + + + ################################################################################ + # Name : ViewGroups() + # Description : Show what group of tests are available + # + # Input : + # Returns : + # Usage : ViewGroups + ################################################################################ + + ViewGroups() { if [ ! "${INCLUDEDIR}" = "" ]; then - InsertSection "Available test categories" + InsertSection "Available test groups" for I in `ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"`; do echo "${I}" done diff --git a/include/helper_show b/include/helper_show index b7655eac..8953c04d 100644 --- a/include/helper_show +++ b/include/helper_show 
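Review bot: `ViewCategories` now calls `ExitClean` from inside its body, while the sibling `ViewGroups` added directly below only prints and returns, so the two helpers differ in whether control comes back to the caller and `lynis show categories` terminates wherever it is invoked from; suggest dropping the `ExitClean` line and leaving exit handling to the caller, as helper_show does for `groups`. The retained `for I in \`ls ${INCLUDEDIR}/tests_* ...\`` loop parses ls output through a four-process pipeline with an unquoted path; since the line is being edited for the rename anyway, a plain glob `for I in "${INCLUDEDIR}"/tests_*; do I=${I##*/tests_}; case "${I}" in *custom.template*) ;; *) echo "${I}" ;; esac; done` gives the same listing without spawning processes. The header comment `# Description : Show what group of tests are available` reads better as 'Show which groups of tests are available'. `ViewGroups` continues past the end of the hunk.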
@@ -30,13 +30,14 @@ COMMANDS="audit show update" HELPERS="audit configure show update" -OPTIONS="--auditor\n--check-all (-c)\n--config\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--info\n--license-key --log-file\n--manpage (--man)\n--no-colors --no-log\n--pentest\n--profile\n--plugins-dir\n--quiet (-q)\n--quick (-Q)\n--report-file\n--reverse-colors\n--tests\n--tests-category\n--upload\n--verbose\n--version (-V)\n--view-categories" +OPTIONS="--auditor\n--check-all (-c)\n--config\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--info\n--license-key --log-file\n--manpage (--man)\n--no-colors --no-log\n--pentest\n--profile\n--plugins-dir\n--quiet (-q)\n--quick (-Q)\n--report-file\n--reverse-colors\n--tests\n--tests-category\n--upload\n--verbose\n--version (-V)" -SHOW_ARGS="categories changelog commands dbdir help hostids includedir language license logfile man options pidfile plugindir profiles release releasedate report settings tests version workdir" +SHOW_ARGS="categories changelog commands dbdir groups help hostids includedir language license logfile man options pidfile plugindir profiles release releasedate report settings tests version workdir" SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test categories) lynis show ${BROWN}changelog${NORMAL} ${GRAY}[version]${NORMAL} (release details) lynis show ${BROWN}commands${NORMAL} (all available commands) lynis show ${BROWN}dbdir${NORMAL} (database directory) +lynis show ${BROWN}groups${NORMAL} (test groups) lynis show ${BROWN}help${NORMAL} (detailed information about arguments) lynis show ${BROWN}hostids${NORMAL} (unique IDs for this system) lynis show ${BROWN}includedir${NORMAL} (include directory for tests and functions) @@ -204,6 +205,9 @@ if [ $# -gt 0 ]; then "dbdir") ${ECHOCMD} "${DBDIR}" ;; + "groups") + ViewGroups + ;; "help" | "--help" | "-h") if [ $# -eq 1 ]; then ${ECHOCMD} "${PROGRAM_NAME} ${PROGRAM_VERSION} - Help" 
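Review bot: The `OPTIONS` string on the changed line still lists `--tests-category`, which this same commit turns into a fatal 'Deprecated option' in include/parameters, and omits the replacements `--tests-from-category` and `--tests-from-group`, so `lynis show options` advertises an option that aborts and hides the two that work; suggest `--tests\n--tests-from-category\n--tests-from-group\n--upload\n` in place of `--tests\n--tests-category\n--upload\n`. Since 'groups' are the former 'categories', the new SHOW_HELP entry `lynis show groups (test groups)` could say '(test groups, formerly categories)' so existing users find the renamed concept.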
diff --git a/include/parameters b/include/parameters index f2840014..dd66d5bd 100644 --- a/include/parameters +++ b/include/parameters @@ -155,12 +155,12 @@ # Perform tests (deprecated, use audit system) --check-all | --checkall | -c) - # echo "Usage of option -c is deprecated. Please use: lynis audit system [options]" + DisplayToolTip "Usage of option -c is deprecated. Please use: lynis audit system [options]" CHECK=1 ;; # Cronjob support - --cronjob | --cron) + --cron-job | --cronjob | --cron) CRONJOB=1 CHECK=1; QUICKMODE=1; COLORS=0; NEVERBREAK=1 # Use some defaults (-c, -Q, no colors) RemoveColors @@ -189,9 +189,9 @@ --pentest --profile --plugins-dir --quiet_(-q) --quick_(-Q) --report-file --reverse-colors - --tests --tests-category + --tests --upload - --version_(-V) --view-categories" + --version_(-V)" for I in ${OPTIONS}; do echo "${I}" | tr '_' ' ' done @@ -298,10 +298,16 @@ TESTS_TO_PERFORM=$1 ;; - # Scan one or more categories only - --tests-category) + # Scan one or more tests from just one category (e.g. security) + --tests-from-category) shift - TESTS_CATEGORY_TO_PERFORM=$1 + TEST_CATEGORY_TO_CHECK=$1 + ;; + + # Scan one or more tests from just on group + --tests-from-group) + shift + TEST_GROUP_TO_CHECK=$1 ;; # Lynis Enterprise: upload data to central node @@ -319,11 +325,6 @@ exit 0 ;; - --view-categories | --list-categories | --show-categories) - ViewCategories - exit 0 - ;; - # View man page --view-manpage | --man-page | --manpage | --man) if [ -f lynis.8 ]; then @@ -343,6 +344,11 @@ QUIET=1 ;; + --tests-category | --tests-categories | --view-categories | --list-categories | --show-categories) + ShowError "Deprecated option" + ExitFatal + ;; + # Drop out when using wrong option(s) *) # Wrong option used, we bail out later diff --git a/include/tests_accounting b/include/tests_accounting index 22cbd4eb..70b43450 100644 --- a/include/tests_accounting +++ b/include/tests_accounting 
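Review bot: `--tests-from-category` in the third hunk stores `$1` into `TEST_CATEGORY_TO_CHECK` without confirming that an argument was supplied or that it is one of `TEST_AVAILABLE_CATEGORIES` (introduced in include/consts by this commit), so an option given last on the command line silently disables the filter (Register treats an empty value as 'no filter') and a misspelled name makes Register skip every test with 'Incorrect category' instead of failing fast; suggest `case " ${TEST_AVAILABLE_CATEGORIES} " in *" ${TEST_CATEGORY_TO_CHECK} "*) ;; *) ShowError "Unknown category: ${TEST_CATEGORY_TO_CHECK}"; ExitFatal ;; esac` after the assignment. The same hunk's comment `# Scan one or more tests from just on group` should read 'just one group'. The second hunk removes `--tests-category` and `--view-categories` from the `--help` listing but does not add the two new options, so the help text no longer documents any category or group filter. In the last hunk, `ShowError "Deprecated option"` names neither the rejected option nor its replacement; `ShowError "Deprecated option: $1 (use --tests-from-category or 'lynis show groups')"` would.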
@@ -32,7 +32,7 @@
 #
 # Test : ACCT-2754
 # Description : Check availability FreeBSD accounting data
- Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
+ Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --category security --description "Check for available FreeBSD accounting information"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f /var/account/acct ]; then
 Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
@@ -51,7 +51,7 @@
 #
 # Test : ACCT-2760
 # Description : Check availability OpenBSD accounting data
- Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --description "Check for available OpenBSD accounting information"
+ Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --category security --description "Check for available OpenBSD accounting information"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f /var/account/acct ]; then
 Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
@@ -71,7 +71,7 @@
 # Test : ACCT-9622
 # Description : Check availability Linux accounting data
 # Notes : /var/log/pacct (Slackware)
- Register --test-no ACCT-9622 --os Linux --weight L --network NO --description "Check for available Linux accounting information"
+ Register --test-no ACCT-9622 --os Linux --weight L --network NO --category security --description "Check for available Linux accounting information"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check accounting information"
 if [ -f /var/account/pacct ]; then
@@ -99,7 +99,7 @@
 #
 # Test : ACCT-9626
 # Description : Check sysstat accounting data
- Register --test-no ACCT-9626 --os Linux --weight L --network NO --description "Check for sysstat accounting data"
+ Register --test-no ACCT-9626 --os Linux --weight L --network NO --category security --description "Check for sysstat accounting data"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check /etc/default/sysstat presence"
 if [ -f /etc/default/sysstat ]; then
@@ -135,7 +135,7 @@
 # Test : ACCT-9628
 # Description : Check auditd status
 if [ ! "${AUDITDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9628 --os Linux --weight L --network NO --description "Check for auditd"
+ Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check auditd status"
 # Should not get kauditd
@@ -164,7 +164,7 @@
 # Test : ACCT-9630
 # Description : Check auditd rules
 if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check for auditd rules"
+ Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking auditd rules"
 FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
@@ -190,7 +190,7 @@
 # Test : ACCT-9632
 # Description : Check auditd configuration file
 if [ ! "${AUDITDBINARY}" = "" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd configuration file"
+ Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking auditd configuration file"
 for I in ${AUDITD_CONF_LOCS}; do
@@ -216,7 +216,7 @@
 # Test : ACCT-9634
 # Description : Check auditd log file
 if [ ! "${AUDITDBINARY}" = "" -a ${LINUX_AUDITD_RUNNING} -eq 1 -a ! "${AUDITD_CONF_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd log file"
+ Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking auditd log file"
 FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'`
@@ -243,7 +243,7 @@
 #
 # Test : ACCT-9636
 # Description : Check for Snoopy (wrapper for execve() and logger)
- Register --test-no ACCT-9636 --os Linux --weight L --network NO --description "Check for Snoopy wrapper and logger"
+ Register --test-no ACCT-9636 --os Linux --weight L --network NO --category security --description "Check for Snoopy wrapper and logger"
 if [ ${SKIPTEST} -eq 0 ]; then
 FILE="/lib/snoopy.so"
 if [ -f ${FILE} ]; then
@@ -274,7 +274,7 @@
 #
 # Test : ACCT-9650
 # Description : Check Solaris audit daemon presence
- Register --test-no ACCT-9650 --os Solaris --weight L --network NO --description "Check Solaris audit daemon"
+ Register --test-no ACCT-9650 --os Solaris --weight L --network NO --category security --description "Check Solaris audit daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check if audit daemon is running"
 IsRunning auditd
@@ -294,7 +294,7 @@
 # Test : ACCT-9652
 # Description : Check Solaris auditd service status
 if [ -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check auditd SMF status"
+ Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check auditd SMF status"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check if auditd service is enabled and online"
 FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
@@ -312,7 +312,7 @@
 # Test : ACCT-9654
 # Description : Check Solaris Basic Security Mode (BSM) in /etc/system
 if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in /etc/system"
+ Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BSM auditing in /etc/system"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check if BSM is enabled in /etc/system"
 if [ -f /etc/system ]; then
@@ -333,7 +333,7 @@
 # Test : ACCT-9656
 # Description : Check Solaris BSM (c2audit) module status
 if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
+ Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BSM auditing in module list"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check if c2audit module is active"
 if [ -x /usr/sbin/modinfo ]; then
@@ -355,7 +355,7 @@
 # Test : ACCT-9662
 # Description : Check location for audit events
 if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check location of audit events"
+ Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check location of audit events"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check /etc/security/audit_control for event logging location"
 if [ -f /etc/security/audit_control ]; then
@@ -388,7 +388,7 @@
 # Test : ACCT-9672
 # Description : check auditstat
 if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Solaris auditing stats"
+ Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Solaris auditing stats"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check auditing statistics"
 if [ -x /usr/sbin/auditstat ]; then
diff --git a/include/tests_authentication b/include/tests_authentication
index f84a9c70..c25b7ca0 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
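Review bot: The rewritten Register line in the second hunk still registers `ACCT-9660` under the header `# Test : ACCT-9662`, and the third hunk registers `ACCT-9662` under `# Test : ACCT-9672`, so the identifier ACCT-9662 is claimed by two adjacent tests; the mismatch predates this commit but is carried into the new lines, and if `--tests` selection matches on the registered number, asking for ACCT-9662 would run the auditstat check rather than the audit-events one. Suggest aligning them while the lines are being touched, `Register --test-no ACCT-9662 ... --description "Check location of audit events"` and `Register --test-no ACCT-9672 ... --description "Check Solaris auditing stats"`, after confirming that no profile or report consumer depends on the current numbers.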
@@ -36,7 +36,7 @@ # Test : AUTH-9204 # Description : Check users with UID zero (0) # Notes : Ignores :0: in file if match is in NIS related line - Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero" + Register --test-no AUTH-9204 --weight L --network NO --category security --description "Check users with an UID of zero" if [ ${SKIPTEST} -eq 0 ]; then # Search accounts with UID 0 LogText "Test: Searching accounts with UID 0" @@ -63,7 +63,7 @@ # # Test : AUTH-9208 # Description : Check non-unique accounts - Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file" + Register --test-no AUTH-9208 --weight L --network NO --category security --description "Check non-unique accounts in passwd file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for non-unique accounts" if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" -o "${OS}" = "OpenBSD" ]; then @@ -95,7 +95,7 @@ # Test : AUTH-9212 # Description : Test group file with chkgrp tool (ie FreeBSD) if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file" + Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test group file" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." 
@@ -117,7 +117,7 @@ # Test : AUTH-9216 # Description : Check /etc/group and shadow group files if [ ! "${GRPCKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check group and shadow group files" + Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files" if [ ${SKIPTEST} -eq 0 ]; then # Test : run grpck to test group files (most likely /etc/group and shadow group files) # Expected result : 0 (exit code) @@ -153,7 +153,7 @@ # Test : AUTH-9218 # Description : Check login shells for passwordless accounts # Notes : Results should be checked - Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --description "Check harmful login shells" + Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --category security --description "Check harmful login shells" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 LogText "Test: Checking login shells" @@ -195,7 +195,7 @@ # # Test : AUTH-9222 # Description : Check for non unique groups - Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups" + Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check for non unique groups" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for non unique group ID's in /etc/group" FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` 
@@ -216,7 +216,7 @@ # Test : AUTH-9226 # Description : Check non unique group names if [ -f /etc/group ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check non unique group names" + Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check non unique group names" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for non unique group names in /etc/group" FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d` @@ -238,7 +238,7 @@ # Description : Check password file consistency with pwck # Notes : Operating systems include Linux, Solaris if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9228 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency with pwck" + Register --test-no AUTH-9228 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check password file consistency with pwck" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking password file consistency (pwck)" TESTED=0 @@ -278,7 +278,7 @@ # Mac OS X: needs to be improved (just reading passwd file is not enough) # OpenBSD/NetBSD: unknown # Arch Linux / CentOS / Ubuntu: 1000+ - Register --test-no AUTH-9234 --weight L --network NO --description "Query user accounts" + Register --test-no AUTH-9234 --weight L --network NO --category security --description "Query user accounts" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Read system users (including root user) from /etc/passwd" FIND="" 
@@ -338,7 +338,7 @@ # # Test : AUTH-9240 # Description : Query NIS+ authentication support - Register --test-no AUTH-9240 --weight L --network NO --description "Query NIS+ authentication support" + Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"` @@ -365,7 +365,7 @@ # # Test : AUTH-9242 # Description : Query NIS authentication support - Register --test-no AUTH-9242 --weight L --network NO --description "Query NIS authentication support" + Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"` @@ -392,7 +392,7 @@ # # Test : AUTH-9250 # Description : Check for sudoers file - Register --test-no AUTH-9250 --weight L --network NO --description "Checking sudoers file" + Register --test-no AUTH-9250 --weight L --network NO --category security --description "Checking sudoers file" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 for I in ${SUDOERS_LOCATIONS}; do @@ -419,7 +419,7 @@ # Test : AUTH-9252 # Description : Check for sudoers file permissions if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file" + Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions" FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10` 
@@ -437,7 +437,7 @@ # # Test : AUTH-9254 # Description : Solaris test to check passwordless accounts - Register --test-no AUTH-9254 --os Solaris --weight L --network NO --root-only YES --description "Solaris passwordless accounts" + Register --test-no AUTH-9254 --os Solaris --weight L --network NO --root-only YES --category security --description "Solaris passwordless accounts" if [ ${SKIPTEST} -eq 0 ]; then FIND=`logins -p | awk '{ print $1 }'` if [ "${FIND}" = "" ]; then @@ -455,7 +455,7 @@ # # Test : AUTH-9262 # Description : Search for PAM password strength testing libraries - Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)" + Register --test-no AUTH-9262 --weight L --network NO --category security --description "Checking presence password strength testing tools (PAM)" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 FOUND_CRACKLIB=0 @@ -525,7 +525,7 @@ # # Test : AUTH-9264 # Description : Scan /etc/pam.conf file - Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf" + Register --test-no AUTH-9264 --weight L --network NO --category security --description "Checking presence pam.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking file /etc/pam.conf" if [ -f /etc/pam.conf ]; then @@ -552,7 +552,7 @@ # # Test : AUTH-9266 # Description : Searching available PAM configurations (/etc/pam.d) - Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files" + Register --test-no AUTH-9266 --weight L --network NO --category security --description "Checking presence pam.d files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking directory /etc/pam.d" if [ -d /etc/pam.d ]; then 
@@ -575,7 +575,7 @@ # Description : Searching available PAM files # Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, Solaris if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking presence pam.d files" + Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking presence pam.d files" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 LogText "Test: Searching pam modules" @@ -607,7 +607,7 @@ # # Test : AUTH-9278 # Description : Search LDAP support in PAM files - Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status" + Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence /etc/pam.d/common-auth" if [ -f /etc/pam.d/common-auth ]; then @@ -661,7 +661,7 @@ # Test : AUTH-9282 # Description : Search password protected accounts without expire (Linux) - Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking password protected account without expire date" + Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking password protected account without expire date" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Linux version and password expire date status" if [ "${FIND}" = "" ]; then 
@@ -678,7 +678,7 @@ fi # Test : AUTH-9283 # Description : Search passwordless accounts - Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking accounts without password" + Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking passwordless accounts" if [ "${FIND2}" = "" ]; then @@ -702,7 +702,7 @@ # Notes : MIN = minimum age, avoid rotation of passwords too quickly # : MAX = maximum age, ensure regular change of passwords if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging" + Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking user password aging" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs " FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'` @@ -739,7 +739,7 @@ # Description : Determine which accounts have an expired password # Notes : This test might not work (yet) on all platforms if [ -f /etc/shadow ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Checking for expired passwords" + Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Checking for expired passwords" if [ ${SKIPTEST} -eq 0 ]; then if FileIsReadable /etc/shadow; then DAYS_SINCE_EPOCH=$((`date --utc +%s`/86400)) 
@@ -770,7 +770,7 @@ # Test : AUTH-9304 # Description : Check if single user mode login is properly configured in Solaris # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d - Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration" + Register --test-no AUTH-9304 --os Solaris --weight L --network NO --category security --description "Check single user login configuration" if [ ${SKIPTEST} -eq 0 ]; then # Check if file exists (Solaris 10 does not have this file by default) if [ -f /etc/default/sulogin ]; then @@ -799,7 +799,7 @@ # Notes : :d_boot_authenticate: is a good option for production machines to # avoid unauthorized booting of systems. Option :d_boot_autentication@: # disabled a required login. - Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication" + Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication" if [ ${SKIPTEST} -eq 0 ]; then # Check if file exists LogText "Test: Searching /tcb/files/auth/system/default" @@ -826,7 +826,7 @@ # # Test : AUTH-9308 # Description : Check single user mode login for Linux - Register --test-no AUTH-9308 --os Linux --weight L --network NO --description "Check single user login configuration" + Register --test-no AUTH-9308 --os Linux --weight L --network NO --category security --description "Check single user login configuration" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 TEST_PERFORMED=0 @@ -913,7 +913,7 @@ # Notes: This test should be moved later to shells section # /etc/login.defs # pam_umask - Register --test-no AUTH-9328 --weight L --network NO --description "Default umask values" + Register --test-no AUTH-9328 --weight L --network NO --category security --description "Default umask values" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Determining default umask" 
@@ -1133,7 +1133,7 @@ # # Test : AUTH-9340 # Description : Solaris account locking - Register --test-no AUTH-9340 --os Solaris --weight L --network NO --description "Solaris account locking" + Register --test-no AUTH-9340 --os Solaris --weight L --network NO --category security --description "Solaris account locking" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 if [ -f /etc/security/policy.conf ]; then @@ -1183,7 +1183,7 @@ # # Test : AUTH-9402 # Description : Query LDAP authentication support - Register --test-no AUTH-9402 --weight L --network NO --description "Query LDAP authentication support" + Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"` @@ -1205,7 +1205,7 @@ # Test : AUTH-9406 # Description : Check LDAP servers in client configuration if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration" + Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query LDAP servers in client configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking ldap.conf options" for I in ${LDAP_CONF_LOCATIONS}; do 
@@ -1231,7 +1231,7 @@ # Test : AUTH-9408 # Description : Logging of failed login attempts if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs" + Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs " FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` diff --git a/include/tests_banners b/include/tests_banners index f0fe981c..d25fc4d4 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -33,7 +33,7 @@ # # Test : BANN-7113 # Description : Check FreeBSD COPYRIGHT banner file - Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --description "Check COPYRIGHT banner file" + Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT" if [ -f /COPYRIGHT ]; then @@ -65,7 +65,7 @@ # # Test : BANN-7119 # Description : Check MOTD banner file - #Register --test-no BANN-7119 --weight L --network NO --description "Check MOTD banner file" + #Register --test-no BANN-7119 --weight L --network NO --category security --description "Check MOTD banner file" #if [ ${SKIPTEST} -eq 0 ]; then # LogText "Test: Testing existence /etc/motd" # if [ -f /etc/motd ]; then 
@@ -95,7 +95,7 @@
 # Description : Check motd file to see if it contains some form of message
 # to discourage unauthorized users to leave the system alone
 #if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/motd banner file contents"
+ #Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/motd banner file contents"
 #if [ ${SKIPTEST} -eq 0 ]; then
 # N=0
 # LogText "Test: Checking file /etc/motd contents for legal key words"
@@ -123,7 +123,7 @@
 #
 # Test : BANN-7124
 # Description : Check issue banner file
- Register --test-no BANN-7124 --weight L --network NO --description "Check issue banner file"
+ Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking file /etc/issue"
 if [ -f /etc/issue ]; then
@@ -146,7 +146,7 @@
 # Description : Check issue file to see if it contains some form of message
 # to discourage unauthorized users to leave the system alone
 if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue banner file contents"
+ Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: Checking file /etc/issue contents for legal key words"
@@ -174,7 +174,7 @@
 #
 # Test : BANN-7128
 # Description : Check issue.net banner file
- Register --test-no BANN-7128 --weight L --network NO --description "Check issue.net banner file"
+ Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking file /etc/issue.net"
 if [ -f /etc/issue.net ]; then
@@ -198,7 +198,7 @@
 # Description : Check issue.net file to see if it contains some form of message
 # to discourage unauthorized users to leave the system alone
 if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue.net banner file contents"
+ Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: Checking file /etc/issue.net contents for legal key words"
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 08868155..b55536bb 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -37,7 +37,7 @@
 # Test : BOOT-5102
 # Description : Check for AIX boot device
 # Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader)
- Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device"
+ Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --category security --description "Check for AIX boot device"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 LogText "Test: Query bootinfo for AIX boot device"
@@ -64,7 +64,7 @@
 # initscripts - Used by Arch before
 # systemd - Common option with more Linux distros implementing it
 # upstart - Used by Debian/Ubuntu
- Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager"
+ Register --test-no BOOT-5104 --weight L --network NO --category security --description "Determine service manager"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 case ${OS} in
@@ -136,7 +136,7 @@
 #
 # Test : BOOT-5106
 # Description : Check if boot.efi is found on Mac OS X
- Register --test-no BOOT-5106 --os "MacOS" --weight L --network NO --root-only YES --description "Check EFI boot file on Mac OS X"
+ Register --test-no BOOT-5106 --os "MacOS" --weight L --network NO --root-only YES --category security --description "Check EFI boot file on Mac OS X"
 if [ ${SKIPTEST} -eq 0 ]; then
 FileExists /System/Library/CoreServices/boot.efi
 if [ ${FILE_FOUND} -eq 1 ]; then
@@ -150,7 +150,7 @@
 #
 # Test : BOOT-5116
 # Description : Check if system is booted in UEFI mode
- Register --test-no BOOT-5116 --weight L --network NO --root-only YES --description "Check if system is booted in UEFI mode"
+ Register --test-no BOOT-5116 --weight L --network NO --root-only YES --category security --description "Check if system is booted in UEFI mode"
 if [ ${SKIPTEST} -eq 0 ]; then
 UEFI_TESTS_PERFORMED=0
 case ${OS} in
@@ -210,7 +210,7 @@
 #
 # Test : BOOT-5121
 # Description : Check for GRUB boot loader
- Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
+ Register --test-no BOOT-5121 --weight L --network NO --category security --description "Check for GRUB boot loader presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 FOUND=0
@@ -259,7 +259,7 @@
 # Test : BOOT-5122
 # Description : Check for GRUB boot loader configuration
 if [ ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
+ Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
@@ -296,7 +296,7 @@
 #
 # Test : BOOT-5124
 # Description : Check for FreeBSD boot loader
- Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
+ Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot loader presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
@@ -313,7 +313,7 @@
 #
 # Test : BOOT-5126
 # Description : Check for NetBSD boot loader
- Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence"
+ Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --category security --description "Check for NetBSD boot loader presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
@@ -332,7 +332,7 @@
 # Test : BOOT-5139
 # Description : Check for LILO boot loader
 # Notes : password= or password =
- Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
+ Register --test-no BOOT-5139 --weight L --network NO --category security --description "Check for LILO boot loader presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 LILOCONFFILE="/etc/lilo.conf"
@@ -369,7 +369,7 @@
 #
 # Test : BOOT-5142
 # Description : Check for SILO boot loader
- Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
+ Register --test-no BOOT-5142 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 if [ -f /etc/silo.conf ]; then
@@ -387,7 +387,7 @@
 # Test : BOOT-5144
 # Description : Check for SILO boot loader consistency
 # Notes : To be tested on Gentoo
-# Register --test-no BOOT-5144 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
+# Register --test-no BOOT-5144 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
 # if [ ${SKIPTEST} -eq 0 ]; then
 # if [ -f /etc/silo.conf -a -x /sbin/silo ]; then
 # FIND=`/sbin/silo | grep "appears to be valid"`
@@ -406,7 +406,7 @@
 #
 # Test : BOOT-5155
 # Description : Check for YABOOT boot loader
- Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
+ Register --test-no BOOT-5155 --weight L --network NO --category security --description "Check for YABOOT boot loader configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 LogText "Test: Check for /etc/yaboot.conf"
@@ -425,7 +425,7 @@
 # Test : BOOT-5159
 # Description : Check for OpenBSD boot loader
 # More info : Only OpenBSD
- Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence"
+ Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot loader presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 BOOT_LOADER_SEARCHED=1
 FOUND=0
@@ -475,7 +475,7 @@
 #
 # Test : BOOT-5165
 # Description : Check for FreeBSD boot services
- Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
+ Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${SERVICEBINARY}" = "" ]; then
 # FreeBSD (Ask services(8) for enabled services)
@@ -502,7 +502,7 @@
 # Test : BOOT-5177
 # Description : Check for Linux boot services (systemd and chkconfig)
 # Notes : We skip using chkconfig if systemd is being used.
- Register --test-no BOOT-5177 --os Linux --weight L --network NO --description "Check for Linux boot and running services"
+ Register --test-no BOOT-5177 --os Linux --weight L --network NO --category security --description "Check for Linux boot and running services"
 if [ ${SKIPTEST} -eq 0 ]; then
 CHECKED=0
 LogText "Test: checking presence systemctl binary"
@@ -568,7 +568,7 @@
 # Description : Check for Linux boot services (Debian style)
 # Notes : Debian 8+ shows runlevel 5
 if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
+ Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Runlevel check
 sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '`
@@ -597,7 +597,7 @@
 #
 # Test : BOOT-5184
 # Description : Check world writable startup scripts
- Register --test-no BOOT-5184 --os Linux --weight L --network NO --description "Check permissions for boot files/scripts"
+ Register --test-no BOOT-5184 --os Linux --weight L --network NO --category security --description "Check permissions for boot files/scripts"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d"
@@ -682,7 +682,7 @@
 #
 # Test : BOOT-5202
 # Description : Check uptime of system
- Register --test-no BOOT-5202 --weight L --network NO --description "Check uptime of system"
+ Register --test-no BOOT-5202 --weight L --network NO --category security --description "Check uptime of system"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 FIND=""
@@ -755,7 +755,7 @@
 #
 # Test : BOOT-5260
 # Description : Check single user mode for systemd
- Register --test-no BOOT-5260 --weight L --network NO --description "Check single user mode for systemd"
+ Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if file exists
 LogText "Test: Searching /usr/lib/systemd/system/rescue.service"
diff --git a/include/tests_containers b/include/tests_containers
index dd745126..bc91dbe9 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -33,7 +33,7 @@
 # Test : CONT-8004
 # Description : Query running Solaris zones
 if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
+ Register --test-no CONT-8004 --os Solaris --weight L --network NO --category security --description "Query running Solaris zones"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: query zoneadm to list all running zones"
 FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
@@ -59,7 +59,7 @@
 # Test : CONT-1906
 # Description : Query running Xen zones
 #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests"
+ #Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
 #if [ ${SKIPTEST} -eq 0 ]; then
 # Show Xen guests
 #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
@@ -74,7 +74,7 @@
 #
 # Test : CONT-8102
 # Description : Checking Docker daemon status and basic information for later tests
- Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information"
+ Register --test-no CONT-8102 --weight L --network NO --category security --description "Checking Docker status and information"
 if [ ${SKIPTEST} -eq 0 ]; then
 IsRunning "docker -d"
 if [ ${RUNNING} -eq 1 ]; then
@@ -92,7 +92,7 @@
 # Description : Checking Docker info for any warnings
 # Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
 if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
+ Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings"
 if [ ${SKIPTEST} -eq 0 ]; then
 COUNT=0
 LogText "Test: Check for any warnings"
@@ -120,7 +120,7 @@
 # Description : Checking Docker containers (basic stats)
 # Notes : Hardening points are awarded, if there aren't a lot of stopped containers
 if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather basic stats from Docker"
+ Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather basic stats from Docker"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 6 --text "- Containers"
@@ -173,7 +173,7 @@
 # Description : Checking Docker file permissions
 # Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
 if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check file permissions for Docker files"
+ Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files"
 if [ ${SKIPTEST} -eq 0 ]; then
 NOT_WORLD_WRITABLE="/var/run/docker.sock"
 for I in ${NOT_WORLD_WRITABLE}; do
diff --git a/include/tests_crypto b/include/tests_crypto
index 64f6c5a8..8e22049f 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -29,7 +29,7 @@
 # Test : CRYP-7902
 # Description : check for expired SSL certificates
 if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates"
+ Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUNDPROBLEM=0
 sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | sed 's/:/ /g')
diff --git a/include/tests_custom.template b/include/tests_custom.template
index 284c4a67..b84badd7 100644
--- a/include/tests_custom.template
+++ b/include/tests_custom.template
@@ -16,7 +16,7 @@
 # Register our first custom test
 # We consider it to be a lightweight test (no heavy IO, or long searches), no network connection needed
- Register --test-no CUST-0001 --weight L --network NO --description "A test case for colors and text display"
+ Register --test-no CUST-0001 --weight L --network NO --category security --description "A test case for colors and text display"
 if [ ${SKIPTEST} -eq 0 ]; then
 # The Display function makes it easy to show something on screen, with colors.
 # --indent defines amount of spaces
@@ -81,7 +81,7 @@
 #
 # First check if OPENSSLBINARY is known as a prerequisite for this test.
 if [ ! "${OPENSSLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no CUST-0002 --preqs-met ${PREQS_MET} --weight M --network NO --description "Description of custom test"
+ Register --test-no CUST-0002 --preqs-met ${PREQS_MET} --weight M --network NO --category security --description "Description of custom test"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUNDPROBLEM=0
 DIR="/my/path"
diff --git a/include/tests_databases b/include/tests_databases
index 22b7f346..b57a964e 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -33,7 +33,7 @@
 # Test : DBS-1804
 # Description : Check if MySQL is being used
- Register --test-no DBS-1804 --weight L --network NO --description "Checking active MySQL process"
+ Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
 if [ "${FIND}" = "" ]; then
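Review bot: The new `--category security` in the CUST-0001 hunk of tests_custom.template is the only Register option that the surrounding comments do not explain; the line above spells out why `--weight L` and `--network NO` were chosen but says nothing about what a category is or which values are accepted, and this file is the template users copy when writing their own tests. A one-line comment next to the existing one would close that gap, e.g. `# --category assigns the test to a category that a run can be limited to; custom tests are tagged 'security' here`. The same omission applies to the CUST-0002 hunk further down the file.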
@@ -51,7 +51,7 @@
 #
 # Test : DBS-1808
 # Description : Check MySQL data directory
- #Register --test-no DBS-1808 --weight L --network NO --description "Checking MySQL data directory"
+ #Register --test-no DBS-1808 --weight L --network NO --category security --description "Checking MySQL data directory"
 #if [ ${SKIPTEST} -eq 0 ]; then
 #fi
 #
@@ -59,7 +59,7 @@
 #
 # Test : DBS-1812
 # Description : Check data directory permissions
- #Register --test-no DBS-1812 --weight L --network NO --description "Checking MySQL data directory permissions"
+ #Register --test-no DBS-1812 --weight L --network NO --category security --description "Checking MySQL data directory permissions"
 #if [ ${SKIPTEST} -eq 0 ]; then
 #fi
 #
@@ -69,7 +69,7 @@
 # Description : Check empty MySQL root password
 # Notes : Only perform test when MySQL is running and client is available
 if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password"
+ Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking MySQL root password"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Trying to login to local MySQL server without password"
 FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
@@ -91,7 +91,7 @@
 #
 # Test : DBS-1826
 # Description : Check if PostgreSQL is being used
- Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes"
+ Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
 if [ ${SKIPTEST} -eq 0 ]; then
 if IsRunning "postgres:"; then
 Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
@@ -116,7 +116,7 @@
 # arch: archiver (optional)
 # ckpt: checkpoint (optional)
 # reco: recovery (optional)
- Register --test-no DBS-1840 --weight L --network NO --description "Checking active Oracle processes"
+ Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
 if [ "${FIND}" = "" ]; then
@@ -134,7 +134,7 @@
 #
 # Test : DBS-1842
 # Description : Check Oracle home paths from oratab
- #Register --test-no DBS-1842 --weight L --network NO --description "Checking Oracle home paths"
+ #Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths"
 #if [ ${SKIPTEST} -eq 0 ]; then
 # if [ -f /etc/oratab ]; then
 # FIND=`grep -v "#" /etc/oratab | awk -F: "{ print $2 }"`
@@ -145,7 +145,7 @@
 #
 # Test : DBS-1860
 # Description : Checks if a DB2 instance is currently runnigng
- Register --test-no DBS-1860 --weight L --network NO --description "Checking active DB2 instances"
+ Register --test-no DBS-1860 --weight L --network NO --category security --description "Checking active DB2 instances"
 if [ ${SKIPTEST} -eq 0 ]; then
 if IsRunning db2sysc; then
 Display --indent 2 --text "- DB2 instance running" --result "${STATUS_FOUND}" --color GREEN
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 972cf283..ca36c1e2 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -31,7 +31,7 @@
 #
 # Test : FINT-4310
 # Description : Check if AFICK is installed
- Register --test-no FINT-4310 --weight L --network NO --description "AFICK availability"
+ Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking AFICK binary"
 if [ ! "${AFICKBINARY}" = "" ]; then
@@ -50,7 +50,7 @@
 #
 # Test : FINT-4314
 # Description : Check if AIDE is installed
- Register --test-no FINT-4314 --weight L --network NO --description "AIDE availability"
+ Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking AIDE binary"
 if [ ! "${AIDEBINARY}" = "" ]; then
@@ -70,7 +70,7 @@
 # Test : FINT-4315
 # Description : Check AIDE configuration file
 if [ ! "${AIDEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check AIDE configuration file"
+ Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
 LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
@@ -98,7 +98,7 @@
 #
 # Test : FINT-4318
 # Description : Check if Osiris is installed
- Register --test-no FINT-4318 --weight L --network NO --description "Osiris availability"
+ Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking Osiris binary"
 if [ ! "${OSIRISBINARY}" = "" ]; then
@@ -117,7 +117,7 @@
 #
 # Test : FINT-4322
 # Description : Check if Samhain is installed
- Register --test-no FINT-4322 --weight L --network NO --description "Samhain availability"
+ Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking Samhain binary"
 if [ ! "${SAMHAINBINARY}" = "" ]; then
@@ -136,7 +136,7 @@
 #
 # Test : FINT-4326
 # Description : Check if Tripwire is installed
- Register --test-no FINT-4326 --weight L --network NO --description "Tripwire availability"
+ Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking Tripwire binary"
 if [ ! "${TRIPWIREBINARY}" = "" ]; then
@@ -155,7 +155,7 @@
 #
 # Test : FINT-4328
 # Description : Check if OSSEC system integrity tool is running
- Register --test-no FINT-4328 --weight L --network NO --description "OSSEC syscheck daemon running"
+ Register --test-no FINT-4328 --weight L --network NO --category security --description "OSSEC syscheck daemon running"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking if OSSEC syscheck daemon is running"
 IsRunning ossec-syscheckd
@@ -176,7 +176,7 @@
 # Test : FINT-4330
 # Description : Check if mtree is installed
 # Note : Usually on BSD and similar
- Register --test-no FINT-4330 --weight L --network NO --description "mtree availability"
+ Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking mtree binary"
 if [ ! "${MTREEBINARY}" = "" ]; then
@@ -196,7 +196,7 @@
 # Test : FINT-4334
 # Description : Check if LFD is used (part of CSF suite)
 if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
+ Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd daemon status"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN
 IsRunning 'lfd '
@@ -216,7 +216,7 @@
 # Test : FINT-4336
 # Description : Check if LFD is enabled (part of CSF suite)
 if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status"
+ Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status"
 if [ ${SKIPTEST} -eq 0 ]; then
 # LFD configuration parameters
 ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
@@ -247,7 +247,7 @@
 #
 # Test : FINT-4338
 # Description : Check if osquery system integrity tool is running
- Register --test-no FINT-4338 --weight L --network NO --description "osqueryd syscheck daemon running"
+ Register --test-no FINT-4338 --weight L --network NO --category security --description "osqueryd syscheck daemon running"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking if osqueryd syscheck daemon is running"
 IsRunning osqueryd
@@ -268,7 +268,7 @@
 # Test : FINT-4402 (was FINT-4316)
 # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
 if [ ! "${AIDEBINARY}" = "" -a ! "${AIDECONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)"
+ Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)"`
 if [ "${FIND2}" = "" ]; then
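Review bot: In the FINT-4402 hunk the line right after the new Register assigns `FIND` from the AIDE configuration grep, but the following condition tests `"${FIND2}"`; unless FIND2 is assigned somewhere outside this hunk, that condition is always true and the test can never report that SHA256/SHA512 checksums are configured. This predates the commit, but since the commit touches this test it is a cheap fix: `if [ "${FIND}" = "" ]; then`. The body of the FINT-4402 test continues past the end of the hunk, so the branches that act on the result are not visible here.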
@@ -287,7 +287,7 @@
 #
 # Test : FINT-4350
 # Description : Check if at least one file integrity tool is installed
- Register --test-no FINT-4350 --weight L --network NO --description "File integrity software installed"
+ Register --test-no FINT-4350 --weight L --network NO --category security --description "File integrity software installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check if at least on file integrity tool is available/installed"
 if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index 859dbaca..a4f4e3b2 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -28,7 +28,7 @@
 #
 # Test : FILE-7524
 # Description : Perform file permissions check
- Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
+ Register --test-no FILE-7524 --weight L --network NO --category security --description "Perform file permissions check"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Starting file permissions check"
 LogText "Test: Checking file permissions"
diff --git a/include/tests_filesystems b/include/tests_filesystems
index f5f1fc09..479a5d36 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -35,7 +35,7 @@
 # Test : FILE-6310
 # Description : Checking if some mount points are separated from /
 # Goal : Users should not be able to fill their home directory or temporary directory and creating a Denial of Service
- Register --test-no FILE-6310 --weight L --network NO --description "Checking /tmp, /home and /var directory"
+ Register --test-no FILE-6310 --weight L --network NO --category security --description "Checking /tmp, /home and /var directory"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Checking mount points"
 SEPARATED_FILESYTEMS="/home /tmp /var"
@@ -71,7 +71,7 @@
 # Description : Checking LVM Volume Groups
 # Notes : No volume groups found is sent to STDERR for unclear reasons. Filtering both STDERR redirecting and grep.
 if [ ! "${VGDISPLAYBINARY}" = "" -o ! "${LSVGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volume groups"
+ Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking LVM volume groups"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking for LVM volume groups"
 case ${OS} in
@@ -104,7 +104,7 @@
 # Test : FILE-6312
 # Description : Checking LVM volumes
 if [ ${LVM_VG_USED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volumes"
+ Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking LVM volumes"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking for LVM volumes"
 case ${OS} in
@@ -136,7 +136,7 @@
 #
 # Test : FILE-6316
 # Description : Checking /etc/fstab file permissions
- #Register --test-no FILE-6316 --os Linux --weight L --network NO --description "Checking /etc/fstab"
+ #Register --test-no FILE-6316 --os Linux --weight L --network NO --category security --description "Checking /etc/fstab"
 #if [ ${SKIPTEST} -eq 0 ]; then
 # 644
 #
@@ -144,7 +144,7 @@
 #
 # Test : FILE-6323
 # Description : Checking Linux EXT2, EXT3, EXT4 file systems
- Register --test-no FILE-6323 --os Linux --weight L --network NO --description "Checking EXT file systems"
+ Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking for Linux EXT file systems"
 FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'`
@@ -167,7 +167,7 @@
 # Test : FILE-6329
 # Description : Query all FFS/UFS mounts from /etc/fstab
 if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking FFS/UFS file systems"
+ Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
 FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
@@ -188,7 +188,7 @@
 #
 # Test : FILE-6330
 # Description : Query all ZFS mounts from /etc/fstab
- Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --description "Checking ZFS file systems"
+ Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Query /etc/fstab for available ZFS mount points"
 FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
@@ -210,7 +210,7 @@
 # Test : FILE-6332
 # Description : Check swap partitions
 if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap partitions"
+ Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking swap partitions"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Test: query swap partitions from /etc/fstab file"
@@ -271,7 +271,7 @@
 # Examples : [partition] swap swap defaults 0 0
 # [partition] none swap sw 0 0
 if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
+ Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking swap mount options"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Swap partitions should be mounted with 'sw' or 'swap'
 LogText "Test: check swap partitions with incorrect mount options"
@@ -304,7 +304,7 @@
 PREQS_MET="NO"; fi fi
- Register --test-no FILE-6344 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking proc mount options"
+ Register --test-no FILE-6344 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking proc mount options"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
 LogText "Test: check proc mount with incorrect mount options"
@@ -327,7 +327,7 @@
 # Test : FILE-6354
 # Description : Search files within /tmp which are older than 3 months
 if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
+ Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Searching for old files in /tmp"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for old files in /tmp"
 # Search for files only in /tmp, with an access time older than X days
@@ -357,7 +357,7 @@
 # Test : FILE-6362
 # Description : Check for sticky bit on /tmp
 if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /tmp sticky bit"
+ Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /tmp sticky bit"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Depending on OS, number of field with 'tmp' differs
 FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
@@ -388,7 +388,7 @@
 #
 # Test : FILE-6368
 # Description : Checking Linux root file system ACL support
- Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --description "Checking ACL support on root file system"
+ Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --category security --description "Checking ACL support on root file system"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Test: Checking acl option on ext[2-4] root file system"
@@ -449,7 +449,7 @@
 # Test : FILE-6372
 # Description : Check / mount options for Linux
 # Notes :
- Register --test-no FILE-6372 --os Linux --weight L --network NO --description "Checking / mount options"
+ Register --test-no FILE-6372 --os Linux --weight L --network NO --category security --description "Checking / mount options"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f /etc/fstab ]; then
 FIND=`cat /etc/fstab | grep -v "^#" | awk '{ if ($2=="/") { print $4 } }'`
@@ -493,7 +493,7 @@
 # ---------------------------------------------------------
 FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
- Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options"
+ Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking /boot mount options"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f /etc/fstab ]; then
 for I in ${FILESYSTEMS_TO_CHECK}; do
@@ -547,7 +547,7 @@
 #
 # Test : FILE-6376
 # Description : Bind mount the /var/tmp directory to /tmp
- Register --test-no FILE-6376 --os Linux --weight L --network NO --description "Determine if /var/tmp is bound to /tmp"
+ Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f /etc/fstab ]; then
 FIND=`awk '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab`
@@ -617,7 +617,7 @@
 # or /var/cache/locate/locatedb
 # FreeBSD /var/db/locate.database
 if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database"
+ Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Checking Locate database"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking locate database"
 FOUND=0
@@ -681,7 +681,7 @@
 # Description : Disable mounting of some filesystems
 # Rationale : Unless there is a specific reason to use a particular file system, disable it.
 # Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
- Register --test-no FILE-6430 --weight L --network NO --description "Disable mounting of some filesystems"
+ Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
 Display --indent 2 --text "- Disable kernel support of some filesystems"
diff --git a/include/tests_firewalls b/include/tests_firewalls
index c6fd5d0d..59cdcd84 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -38,7 +38,7 @@
 #
 # Test : FIRE-4502
 # Description : Check iptables kernel module
- Register --test-no FIRE-4502 --os Linux --weight L --network NO --description "Check iptables kernel module"
+ Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^ip*_tables"`
 if [ ! "${FIND}" = "" ]; then
@@ -100,7 +100,7 @@
 # Description : Check iptables chain policies
 # Notes : Suggestions are currently disabled, until related page and documentation is available
 if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains"
+ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
 TABLES="filter"
@@ -146,7 +146,7 @@
 # Test : FIRE-4512
 # Description : Check iptables for empty ruleset (should have at least 10 or more rules)
 if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for empty ruleset"
+ Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
 if [ ! "${FIND}" = "" ]; then
@@ -169,7 +169,7 @@
 # Test : FIRE-4513
 # Description : Check iptables for unused rules
 if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check iptables for unused rules"
+ Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
 if [ "${FIND}" = "" ]; then
@@ -191,7 +191,7 @@
 #
 # Test : FIRE-4518
 # Description : Checking status of pf firewall components
- Register --test-no FIRE-4518 --weight L --network NO --description "Check pf firewall components"
+ Register --test-no FIRE-4518 --weight L --network NO --category security --description "Check pf firewall components"
 if [ ${SKIPTEST} -eq 0 ]; then
 PFFOUND=0; PFLOGDFOUND=0
@@ -258,7 +258,7 @@
 # Test : FIRE-4520
 # Description : Check pf configuration consistency
 if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
+ Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check pf configuration consistency"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check /etc/pf.conf"
 # Test for warnings (-n don't load the rules)
@@ -289,7 +289,7 @@
 #
 # Test : FIRE-4524
 # Description : Check for CSF (ConfigServer Security & Firewall)
- Register --test-no FIRE-4524 --weight L --network NO --description "Check for CSF presence"
+ Register --test-no FIRE-4524 --weight L --network NO --category security --description "Check for CSF presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 FILE="/etc/csf/csf.conf"
 LogText "Test: check ${FILE}"
@@ -309,7 +309,7 @@
 # Test : FIRE-4526
 # Description : Check ipf (Solaris)
 if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check ipf status"
+ Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
 if [ "${FIND}" = "yes" ]; then
@@ -328,7 +328,7 @@
 #
 # Test : FIRE-4530
 # Description : Check IPFW (FreeBSD)
- Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check IPFW status"
+ Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${SYSCTLBINARY}" = "" ]; then
 # For now, only check for IPv4.
@@ -362,7 +362,7 @@
 # Test : FIRE-4532
 # Description : Check Application Firewall in Mac OS X
 if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --description "Check Mac OS X application firewall"
+ Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"`
 if [ ! "${FIND}" = "" ]; then
@@ -383,7 +383,7 @@
 # Test : FIRE-4536
 # Description : Check nftables kernel module
 if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables status"
+ Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^nf*_tables"`
 if [ ! "${FIND}" = "" ]; then
@@ -398,7 +398,7 @@
 # Test : FIRE-4538
 # Description : Check nftables configuration
 if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nftables basic configuration"
+ Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Retrieve nft version
 NFT_VERSION=`${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | tr -d 'v'`
@@ -419,7 +419,7 @@
 #
 # Test : FIRE-4590
 # Description : Check if at least one firewall if active
- Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status"
+ Register --test-no FIRE-4590 --weight L --network NO --category security --description "Check firewall status"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
 Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN
diff --git a/include/tests_hardening b/include/tests_hardening
index b7f0b7a3..3db0cef2 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -28,7 +28,7 @@
 # Test : HRDN-7220
 # Description : Check for installed compilers
 # Notes : No suggestion for hardening compilers, as HRDN-7222 will take care of that
- Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed"
+ Register --test-no HRDN-7220 --weight L --network NO --category security --description "Check if one or more compilers are installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check if one or more compilers can be found on the system"
 if [ ${COMPILER_INSTALLED} -eq 0 ]; then
@@ -46,7 +46,7 @@
 #
 # Test : HRDN-7222
 # Description : Check for permissions of installed compilers
- Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions"
+ Register --test-no HRDN-7222 --weight L --network NO --category security --description "Check compiler permissions"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check if one or more compilers can be found on the system"
 HARDEN_COMPILERS_NEEDED=0
@@ -96,7 +96,7 @@
 #
 # Test : HRDN-7230
 # Description : Check for installed malware scanners
- Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner"
+ Register --test-no HRDN-7230 --weight L --network NO --category security --description "Check for malware scanner"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check if a malware scanner is installed"
 if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
diff --git a/include/tests_homedirs b/include/tests_homedirs
index f0828c85..a6034a02 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -34,7 +34,7 @@
 #
 # Test : HOME-9302
 # Description : Create list with home directories
- Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
+ Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Read sixth field of /etc/passwd
 LogText "Test: query /etc/passwd to obtain home directories"
@@ -53,7 +53,7 @@
 #
 # Test : HOME-9310
 # Description : Check for suspicious shell history files
- Register --test-no HOME-9310 --weight L --network NO --description "Checking for suspicious shell history files"
+ Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${HOMEDIRS}" = "" ]; then
 if [ "${OS}" = "Solaris" ]; then
@@ -84,7 +84,7 @@
 # Test : HOME-9314
 # Description : Check if non local paths are found in PATH, which can be a risk, but also bad for performance
 # (like searching on a filer, instead of local disk)
- #Register --test-no HOME-9314 --weight L --network NO --description "Create list with home directories"
+ #Register --test-no HOME-9314 --weight L --network NO --category security --description "Create list with home directories"
 #
 #################################################################################
 #
@@ -94,7 +94,7 @@
 # as much as possible for every find command
 # Profile opt : ignore_home_dir (multiple lines allowed), ignores home directory
 if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collecting information from home directories"
+ Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
 if [ ${SKIPTEST} -eq 0 ]; then
 IGNORE_HOME_DIRS=`grep "^config:ignore_home_dir:" ${PROFILE} | awk -F: '{ print $3 }'`
 if [ "${IGNORE_HOME_DIRS}" = "" ]; then
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 4b181d42..5812cfae 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -33,7 +33,7 @@
 #
 # Test : INSE-8002
 # Description : Check for inetd status
- Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
+ Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check running processes
 LogText "Test: Searching for active inet daemon"
@@ -53,7 +53,7 @@
 # Test : INSE-8004
 # Description : Check for inetd configuration file
 if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
+ Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check configuration file
 LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
@@ -71,7 +71,7 @@
 # Test : INSE-8006
 # Description : Check for inetd configuration file contents if inetd is NOT active
 if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check configuration of inetd when disabled"
+ Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
 LogText "Test: check if all services are disabled if inetd is disabled"
@@ -89,7 +89,7 @@
 # Test : INSE-8016
 # Description : Check for telnet enabled via inetd
 if [ ${INETD_ACTIVE} -eq 1 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for telnet via inetd"
+ Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via inetd"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: checking telnet presence in inetd configuration"
 FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
diff --git a/include/tests_kernel b/include/tests_kernel
index 524fd4c2..10b33a11 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -36,7 +36,7 @@
 #
 # Test : KRNL-5622
 # Description : Check default run level on Linux machines
- Register --test-no KRNL-5622 --os Linux --weight L --network NO --description "Determine Linux default run level"
+ Register --test-no KRNL-5622 --os Linux --weight L --network NO --category security --description "Determine Linux default run level"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Checking if we can find the systemd default target
 LogText "Test: Checking for systemd default.target"
@@ -102,7 +102,7 @@
 # Test : KRNL-5677
 # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
 # More info : pae and nx bit are both visible on AMD and Intel CPU's if supported
- Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
+ Register --test-no KRNL-5677 --os Linux --weight L --network NO --category security --description "Check CPU options and support"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Checking CPU support (NX/PAE)"
 LogText "Test: Checking /proc/cpuinfo"
@@ -162,7 +162,7 @@
 #
 # Test : KRNL-5695
 # Description : Determining Linux kernel version and release number
- Register --test-no KRNL-5695 --os Linux --weight L --network NO --description "Determine Linux kernel version and release number"
+ Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Kernel number (and suffix)
 LINUX_KERNEL_RELEASE=`uname -r`
@@ -179,7 +179,7 @@
 #
 # Test : KRNL-5723
 # Description : Check if Linux is build as a monolithic kernel or not
- Register --test-no KRNL-5723 --os Linux --weight L --network NO --description "Determining if Linux kernel is monolithic"
+ Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
 LogText "Test: checking if kernel is monolithic or modular"
@@ -204,7 +204,7 @@
 #
 # Test : KRNL-5726
 # Description : Checking Linux loaded kernel modules
- Register --test-no KRNL-5726 --os Linux --weight L --network NO --description "Checking Linux loaded kernel modules"
+ Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
 FIND=`${LSMODBINARY} | awk '{ if ($1!="Module") print $1 }' | sort`
@@ -231,7 +231,7 @@
 #
 # Test : KRNL-5728
 # Description : Checking for available Linux kernel configuration file in /boot
- Register --test-no KRNL-5728 --os Linux --weight L --network NO --description "Checking Linux kernel config"
+ Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
 if [ ${SKIPTEST} -eq 0 ]; then
 CHECKFILE="/boot/config-`uname -r`"
 if [ -f ${CHECKFILE} ]; then
@@ -262,7 +262,7 @@
 if [ ! "${LINUXCONFIGFILE}" = "" ]; then
 if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
 fi
- Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking disk I/O kernel scheduler"
+ Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
 if [ ! "${GREPTOOL}" = "" ]; then
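Review bot: `--category security` on KRNL-5730 in the third hunk looks like a blanket assignment rather than a per-test decision: the disk I/O scheduler check is about throughput, not hardening, and if the category list carries a performance category this test belongs there rather than here. KRNL-5726 (loaded modules) in the first hunk and KRNL-5695 in an earlier hunk are informational in the same way, though keeping them under `security` is defensible because other tests consume what they collect. If KRNL-5730 is recategorised, its `--preqs-met` is computed from `${LINUXCONFIGFILE}`, which appears to be populated by KRNL-5728 in the hunk above, so the two would have to change together or a category run would skip the producer and leave this test with PREQS_MET=NO; a comment such as `# depends on LINUXCONFIGFILE from KRNL-5728; keep categories aligned` on the Register line would record that. The enclosing test blocks start and end outside the hunks.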
@@ -285,7 +285,7 @@
 #
 # Test : KRNL-5745
 # Description : Checking FreeBSD loaded kernel modules
- Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
+ Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --category security --description "Checking FreeBSD loaded kernel modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Checking active kernel modules"
 LogText "Test: Active kernel modules (KLDs)"
@@ -316,7 +316,7 @@
 #
 # Test : KRNL-5770
 # Description : Checking Solaris load modules
- Register --test-no KRNL-5770 --os Solaris --weight L --network NO --description "Checking active kernel modules"
+ Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: searching loaded kernel modules"
 FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort`
@@ -337,7 +337,7 @@
 # Test : KRNL-5788
 # Description : Checking availability new kernel
 if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking availability new Linux kernel"
+ Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
 if [ -x /usr/bin/apt-cache ]; then
@@ -393,7 +393,7 @@
 #
 # Test : KRNL-5820
 # Description : Checking core dumps configuration (Linux)
- Register --test-no KRNL-5820 --os Linux --weight L --network NO --description "Checking core dumps configuration"
+ Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking presence /etc/security/limits.conf"
 if [ -f /etc/security/limits.conf ]; then
@@ -446,14 +446,14 @@
 #
 # Test : KRNL-5826
 # Description : Checking core dumps configuration (Solaris)
- #Register --test-no KRNL-5826 --os Linux --weight L --network NO --description "Checking core dumps configuration"
+ #Register --test-no KRNL-5826 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration"
 #if [ ${SKIPTEST} -eq 0 ]; then
 #
 #################################################################################
 #
 # Test : KRNL-5830
 # Description : Check if system needs a reboot (Linux only)
- Register --test-no KRNL-5830 --os Linux --weight L --network NO --description "Checking if system is running on the latest installed kernel"
+ Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
 if [ ${SKIPTEST} -eq 0 ]; then
 REBOOT_NEEDED=2
 FILE="/var/run/reboot-required.pkgs"
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index 40a31940..39303326 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -30,7 +30,7 @@
 # Description : Check sysctl parameters
 # Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1)
 if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sysctl key pairs in scan profile"
+ Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 N=0
diff --git a/include/tests_ldap b/include/tests_ldap
index 1034fd67..0d940c5f 100644
--- a/include/tests_ldap
+++ b/include/tests_ldap
@@ -34,7 +34,7 @@
 #
 # Test : LDAP-2219
 # Description : Check running OpenLDAP instance
- Register --test-no LDAP-2219 --weight L --network NO --description "Check running OpenLDAP instance"
+ Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance"
 if [ ${SKIPTEST} -eq 0 ]; then
 #YYY add additional slash
 IsRunning slapd
@@ -54,7 +54,7 @@
 # Test : LDAP-2224
 # Description : Search slapd.conf
 if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf"
+ Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check presence slapd.conf"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching slapd.conf"
 for I in ${SLAPD_CONF_LOCS}; do
diff --git a/include/tests_logging b/include/tests_logging
index 37f3eeb6..5104f827 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -40,7 +40,7 @@
 # Test : LOGG-2130
 # Description : Check for a running syslog daemon
- Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
+ Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for a logging daemon"
 FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
@@ -63,7 +63,7 @@
 #
 # Test : LOGG-2132
 # Description : Check for a running syslog-ng daemon
- Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
+ Register --test-no LOGG-2132 --weight L --network NO --category security --description "Check for running syslog-ng daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for syslog-ng daemon in process list"
 IsRunning syslog-ng
@@ -83,7 +83,7 @@
 # Test : LOGG-2134
 # Description : Check for Syslog-NG configuration file consistency
 if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Syslog-NG configuration file consistency"
+ Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Syslog-NG configuration file consistency"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${SYSLOGNGBINARY} -s; echo $?`
 if [ "${FIND}" = "0" ]; then
@@ -101,7 +101,7 @@
 #
 # Test : LOGG-2136
 # Description : Check for a running systemd-journal daemon
- Register --test-no LOGG-2136 --weight L --network NO --description "Check for running systemd journal daemon"
+ Register --test-no LOGG-2136 --weight L --network NO --category security --description "Check for running systemd journal daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for systemd journal daemon in process list"
 IsRunning systemd-journal
@@ -117,7 +117,7 @@
 #
 # Test : LOGG-2210
 # Description : Check for a running metalog daemon
- Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
+ Register --test-no LOGG-2210 --weight L --network NO --category security --description "Check for running metalog daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for metalog daemon in process list"
 IsRunning metalog
@@ -136,7 +136,7 @@
 #
 # Test : LOGG-2230
 # Description : Check for a running rsyslog daemon
- Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
+ Register --test-no LOGG-2230 --weight L --network NO --category security --description "Check for running RSyslog daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for RSyslog daemon in process list"
 IsRunning rsyslogd
@@ -155,7 +155,7 @@
 #
 # Test : LOGG-2240
 # Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
- Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
+ Register --test-no LOGG-2240 --weight L --network NO --category security --description "Check for running RFC 3195 compliant daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
 IsRunning rfc3195d
@@ -178,7 +178,7 @@
 # * In combination with syslog-ng, klogd is still an addition to it, since it
 # captures kernel related events and send them to syslog-ng.
 # * This test should be below all other logging daemons
- Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux"
+ Register --test-no LOGG-2138 --os Linux --weight L --network NO --category security --description "Checking kernel logger daemon on Linux"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching kernel logger daemon (klogd)"
 if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
@@ -202,7 +202,7 @@
 #
 # Test : LOGG-2142
 # Description : Check for minilogd presence on Linux systems
- Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
+ Register --test-no LOGG-2142 --os Linux --weight L --network NO --category security --description "Checking minilog daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Result: Checking for unkilled minilogd instances"
 # Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
@@ -222,7 +222,7 @@
 #
 # Test : LOGG-2146
 # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
- Register --test-no LOGG-2146 --weight L --os Linux --network NO --description "Checking logrotate.conf and logrotate.d"
+ Register --test-no LOGG-2146 --weight L --os Linux --network NO --category security --description "Checking logrotate.conf and logrotate.d"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking for /etc/logrotate.conf"
 if [ -f /etc/logrotate.conf ]; then
@@ -255,7 +255,7 @@ # Test : LOGG-2148 # Description : Checking log files rotated with logrotate if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files" + Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which files are rotated with logrotate and if they exist" FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'` @@ -274,7 +274,7 @@ # Test : LOGG-2150 # Description : Checking log directories rotated with logrotate if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration" + Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which directories can be found in logrotate configuration" FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort -u` 
@@ -298,7 +298,7 @@ # Test : LOGG-2152 # Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or # succesful resolving via DNS or any other name service. - Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost" + Register --test-no LOGG-2152 --weight L --os Solaris --network NO --category security --description "Checking loghost" if [ ${SKIPTEST} -eq 0 ]; then # Try local hosts file LogText "Result: Checking for loghost in /etc/inet/hosts" @@ -338,7 +338,7 @@ # Description : Check to see if remote logging is enabled # Notes : prevent lines showing up with commands in it (like |mail) if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking syslog configuration file" + Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking syslog configuration file" if [ ${SKIPTEST} -eq 0 ]; then if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf" @@ -381,7 +381,7 @@ # Test : LOGG-2160 # Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD) if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf" + Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Result: /etc/newsyslog.conf found" Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN 
@@ -394,7 +394,7 @@ # Test : LOGG-2162 # Description : Check for directories in /etc/newsyslog.conf if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking directories in /etc/newsyslog.conf" + Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: parsing directories from /etc/newsyslog.conf file" FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u` @@ -414,7 +414,7 @@ # Test : LOGG-2164 # Description : Check for files in /etc/newsyslog.conf if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking files specified /etc/newsyslog.conf" + Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: parsing files from /etc/newsyslog.conf file" FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sort -u` @@ -432,7 +432,7 @@ # # Test : LOGG-2170 # Description : Search available log paths - Register --test-no LOGG-2170 --weight L --network NO --description "Checking log paths" + Register --test-no LOGG-2170 --weight L --network NO --category security --description "Checking log paths" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching log paths" for I in ${LOG_FILES_LOCS}; do 
@@ -450,7 +450,7 @@ # # Test : LOGG-2180 # Description : Search open log file - Register --test-no LOGG-2180 --weight L --network NO --description "Checking open log files" + Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking open log files with lsof" if [ ! "${LSOFBINARY}" = "" ]; then @@ -472,7 +472,7 @@ # Test : LOGG-2190 # Description : Checking deleted files if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for deleted files in use" + Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking deleted files that are still in use" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index c4150611..a761559c 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -29,7 +29,7 @@ # # Test : MACF-6204 # Description : Check if AppArmor is installed - Register --test-no MACF-6204 --weight L --network NO --description "Check AppArmor presence" + Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence" if [ ${SKIPTEST} -eq 0 ]; then if [ "${AASTATUSBINARY}" = "" ]; then APPARMORFOUND=0 
@@ -47,7 +47,7 @@ # Test : MACF-6208 # Description : Check AppArmor active status if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if AppArmor is enabled" + Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${AASTATUSBINARY}" = "" ]; then # Checking AppArmor status @@ -85,7 +85,7 @@ # # Test : MACF-6232 # Description : Check SELINUX for installation - Register --test-no MACF-6232 --weight L --network NO --description "Check SELINUX presence" + Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking if we have sestatus binary" if [ ! "${SESTATUSBINARY}" = "" ]; then @@ -102,7 +102,7 @@ # Test : MACF-6234 # Description : Check SELINUX status if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SELINUX status" + Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status" if [ ${SKIPTEST} -eq 0 ]; then # Status: Enabled/Disabled FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'` @@ -137,7 +137,7 @@ # Test : RBAC-6272 # Description : Check if grsecurity is installed # Notes : We already checked grsecurity in osdetection - Register --test-no RBAC-6272 --weight L --network NO --description "Check grsecurity presence" + Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence" if [ ${SKIPTEST} -eq 0 ]; then # Check Linux kernel configuration if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then 
@@ -161,7 +161,7 @@ # # Test : MACF-6290 # Description : Check if at least one MAC framework is implemented - Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework" + Register --test-no MACF-6290 --weight L --network NO --category security --description "Check for implemented MAC framework" if [ ${SKIPTEST} -eq 0 ]; then if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 7a9597ba..999f5251 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -38,7 +38,7 @@ # # Test : MAIL-8802 # Description : Check Exim process status - Register --test-no MAIL-8802 --weight L --network NO --description "Check Exim status" + Register --test-no MAIL-8802 --weight L --network NO --category security --description "Check Exim status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Exim status" IsRunning exim @@ -58,7 +58,7 @@ # Test : MAIL-8814 # Description : Check Postfix process # Notes : qmgr and pickup run under postfix uid, without full path to binary - Register --test-no MAIL-8814 --weight L --network NO --description "Check postfix process status" + Register --test-no MAIL-8814 --weight L --network NO --category security --description "Check postfix process status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Postfix status" # Some other processes also use master, therefore it should include both master and postfix 
@@ -81,7 +81,7 @@ # Test : MAIL-8816 # Description : Check Postfix configuration if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration" + Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'` @@ -95,7 +95,7 @@ # Test : MAIL-8818 # Description : Check Postfix configuration if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration: banner" + Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration: banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Postfix banner" FIND1=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep 'postfix'` @@ -125,7 +125,7 @@ # # Test : MAIL-8838 # Description : Check Dovecot process - Register --test-no MAIL-8838 --weight L --network NO --description "Check dovecot process" + Register --test-no MAIL-8838 --weight L --network NO --category security --description "Check dovecot process" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check dovecot status" IsRunning dovecot 
@@ -145,7 +145,7 @@ # # Test : MAIL-8860 # Description : Check Qmail process status - Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status" + Register --test-no MAIL-8860 --weight L --network NO --category security --description "Check Qmail status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Qmail status" IsRunning qmail-smtpd @@ -164,7 +164,7 @@ # # Test : MAIL-8880 # Description : Check Sendmail process status - Register --test-no MAIL-8880 --weight L --network NO --description "Check Sendmail status" + Register --test-no MAIL-8880 --weight L --network NO --category security --description "Check Sendmail status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check sendmail status" IsRunning sendmail @@ -184,7 +184,7 @@ # Test : MAIL-8920 # Description : Check OpenSMTPD process status if [ ! "${SMTPCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check OpenSMTPD status" + Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"` diff --git a/include/tests_malware b/include/tests_malware index 4572e9f0..685eca9b 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -38,7 +38,7 @@ # # Test : MALW-3275 # Description : Check for installed tool (chkrootkit) - Register --test-no MALW-3275 --weight L --network NO --description "Check for chkrootkit" + Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence chkrootkit" if [ ! "${CHKROOTKITBINARY}" = "" ]; then 
@@ -56,7 +56,7 @@ # # Test : MALW-3276 # Description : Check for installed tool (Rootkit Hunter) - Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter" + Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence Rootkit Hunter" if [ ! "${RKHUNTERBINARY}" = "" ]; then @@ -74,7 +74,7 @@ # # Test : MALW-3278 # Description : Check for installed tool (Linux Malware Detect or LMD) - Register --test-no MALW-3278 --weight L --network NO --description "Check for LMD" + Register --test-no MALW-3278 --weight L --network NO --category security --description "Check for LMD" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence LMD" if [ ! "${LMDBINARY}" = "" ]; then @@ -92,7 +92,7 @@ # # Test : MALW-3280 # Description : Check if an anti-virus tool is installed - Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed" + Register --test-no MALW-3280 --weight L --network NO --category security --description "Check if anti-virus tool is installed" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -158,7 +158,7 @@ # # Test : MALW-3282 # Description : Check if clamscan is installed - Register --test-no MALW-3282 --weight L --network NO --description "Check for clamscan" + Register --test-no MALW-3282 --weight L --network NO --category security --description "Check for clamscan" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence clamscan" if [ ! "${CLAMSCANBINARY}" = "" ]; then @@ -176,7 +176,7 @@ # # Test : MALW-3284 # Description : Check running clamd process - Register --test-no MALW-3284 --weight L --network NO --description "Check for clamd" + Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking running ClamAV daemon (clamd)" IsRunning clamd 
@@ -195,7 +195,7 @@ # Test : MALW-3286 # Description : Check running freshclam if clamd process is running if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for freshclam" + Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking running freshclam daemon" IsRunning freshclam @@ -216,7 +216,7 @@ # Test : MALW-3288 # Description : Check for ClamXav (Mac OS X) if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav" + Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav" if [ ${SKIPTEST} -eq 0 ]; then CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'` if [ ! "${CLAMSCANBINARY}" = "" ]; then diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 93b385e6..b1eaf994 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -28,7 +28,7 @@ # # Test : PROC-3602 # Description : Query /proc/meminfo - Register --test-no PROC-3602 --os Linux --weight L --network NO --description "Checking /proc/meminfo for memory details" + Register --test-no PROC-3602 --os Linux --weight L --network NO --category security --description "Checking /proc/meminfo for memory details" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /proc/meminfo ]; then LogText "Result: found /proc/meminfo" 
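Review bot: Tagging PROC-3602 as `security` (and PROC-3604, PROC-3612 and PROC-3614 in the next hunks) looks questionable: a /proc/meminfo or prtconf memory inventory and the zombie / heavy-IO-wait process checks read as performance or resource-health tests, and if the category is matched as a single value, as the Register change in this commit appears to do, a test can belong to only one category, so a run restricted to `performance` would execute none of them. If the intent is that every existing test starts as `security` until it is curated, a short comment saying so near the first Register call in each file would stop readers from treating the label as a reviewed classification; otherwise `--category performance` seems the better fit for at least PROC-3612 and PROC-3614.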
@@ -48,7 +48,7 @@ # # Test : PROC-3604 # Description : Query /proc/meminfo - Register --test-no PROC-3604 --os Solaris --weight L --network NO --description "Query prtconf for memory details" + Register --test-no PROC-3604 --os Solaris --weight L --network NO --category security --description "Query prtconf for memory details" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching /usr/sbin/prtconf" if [ -x /usr/sbin/prtconf ]; then @@ -70,7 +70,7 @@ # Description : Searching for dead and zombie processes # Notes : Don't perform test on Solaris if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes" + Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "AIX" ]; then FIND=`${PSBINARY} -Ae -o pid,stat,comm | awk '{ if ($2 ~ /Z|X/) print $1 }' | xargs` @@ -94,7 +94,7 @@ # Description : Searching for heavy IO based waiting processes # Notes : Don't perform test on Solaris if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check heavy IO waiting based processes" + Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "AIX" ]; then FIND=`${PSBINARY} -Ae -o pid,stat,comm | awk '{ if ($2=="D") print $1 }' | xargs` diff --git a/include/tests_nameservices b/include/tests_nameservices index 2eeb33ec..fdf647e3 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -41,7 +41,7 @@ # # Test : NAME-4016 # Description : Check main domain (domain in /etc/resolv.conf) - Register --test-no NAME-4016 --weight L --network NO --description "Check /etc/resolv.conf default domain" + Register --test-no NAME-4016 --weight L --network NO --category security --description "Check /etc/resolv.conf default domain" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check /etc/resolv.conf for default domain" if [ -f /etc/resolv.conf ]; then @@ -65,7 +65,7 @@ # Test : NAME-4018 # Description : Check search domains in /etc/resolv.conf # Notes : Maximum of one search keyword is allowed in /etc/resolv.conf - Register --test-no NAME-4018 --weight L --network NO --description "Check /etc/resolv.conf search domains" + Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains" if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: check /etc/resolv.conf for search domains" @@ -110,7 +110,7 @@ # # Test : NAME-4020 # Description : Check non default resolv.conf options - Register --test-no NAME-4020 --weight L --network NO --description "Check non default options" + Register --test-no NAME-4020 --weight L --network NO --category security --description "Check non default options" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check /etc/resolv.conf for non default options" if [ -f /etc/resolv.conf ]; then @@ -138,7 +138,7 @@ # # Test : NAME-4024 # Description : Check Solaris uname -n output - Register --test-no NAME-4024 --os Solaris --weight L --network NO --description "Solaris uname -n output" + Register --test-no NAME-4024 --os Solaris --weight L --network NO --category security --description "Solaris uname -n output" if [ ${SKIPTEST} -eq 0 ]; then FIND=`uname -n` LogText "Result: 'uname -n' returned ${FIND}" 
@@ -150,7 +150,7 @@ # Test : NAME-4026 # Description : Check Solaris /etc/nodename # Notes : If a system is standalone, /etc/nodename should contain a system name only, not FQDN - Register --test-no NAME-4026 --os Solaris --weight L --network NO --description "Check /etc/nodename" + Register --test-no NAME-4026 --os Solaris --weight L --network NO --category security --description "Check /etc/nodename" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking /etc/nodename" if [ -f /etc/nodename ]; then @@ -169,7 +169,7 @@ # Test : NAME-4028 # Description : Check DNS domain name # To Do : grep ^DOMAINNAME /etc/conf.d/domainname (remove "'s) - Register --test-no NAME-4028 --weight L --network NO --description "Check domain name" + Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name" if [ ${SKIPTEST} -eq 0 ]; then DOMAINNAME="" # NIS @@ -228,7 +228,7 @@ # # Test : NAME-4032 # Description : Check name service caching daemon (NSCD) status - Register --test-no NAME-4032 --weight L --network NO --description "Check nscd status" + Register --test-no NAME-4032 --weight L --network NO --category security --description "Check nscd status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking nscd status" IsRunning nscd @@ -246,7 +246,7 @@ # # Test : NAME-4034 # Description : Check name service caching daemon (Unbound) status - Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status" + Register --test-no NAME-4034 --weight L --network NO --category security --description "Check Unbound status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking Unbound (unbound) status" IsRunning unbound 
@@ -266,7 +266,7 @@ # Test : NAME-4036 # Description : Checking Unbound configuration file if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Unbound configuration file" + Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Unbound configuration file" if [ ${SKIPTEST} -eq 0 ]; then FIND=`which unbound-checkconf` if [ ! "${FIND}" = "" ]; then @@ -291,7 +291,7 @@ # # Test : NAME-4202 # Description : Check if BIND is running - Register --test-no NAME-4202 --weight L --network NO --description "Check BIND status" + Register --test-no NAME-4202 --weight L --network NO --category security --description "Check BIND status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for running BIND instance" IsRunning named @@ -310,7 +310,7 @@ # Test : NAME-4204 # Description : Check configuration file of BIND if [ ${BIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file" + Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search BIND configuration file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Search BIND configuration file" for I in ${BIND_CONFIG_LOCS}; do 
@@ -331,7 +331,7 @@ # Test : NAME-4206 # Description : Check BIND configuration file consistency if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BIND configuration consistency" + Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BIND configuration consistency" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching for named-checkconf binary" if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then @@ -354,7 +354,7 @@ # # Test : NAME-4208 # Description : Check DNS server type (master, slave, caching, forwarding) - #Register --test-no NAME-4050 --weight L --network NO --description "Check nscd status" + #Register --test-no NAME-4050 --weight L --network NO --category security --description "Check nscd status" #if [ ${SKIPTEST} -eq 0 ]; then # ################################################################################# @@ -362,7 +362,7 @@ # Test : NAME-4210 # Description : Check if we can determine useful information from banner if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check DNS banner" + Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to determine version from banner" FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"` 
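Review bot: The commented-out registration under `# Test : NAME-4208` still carries `--test-no NAME-4050` and the description `"Check nscd status"`, which belong to a different test (the nscd check in this file is NAME-4032), so after this edit it remains a misleading placeholder that now also looks maintained. Since the line is touched anyway, either align it with its header, `#Register --test-no NAME-4208 --weight L --network NO --category security --description "Check DNS server type"`, or drop the stale placeholder. The same header/test-number mismatch appears in a later hunk of this file section where `# Test : NAME-4302` is followed by a live `Register --test-no NAME-4304`; there the number written to the report will not match the comment, which is worth settling while these lines are being rewritten.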
@@ -384,27 +384,27 @@ # Test : NAME-4212 # Description : Check version option in BIND configuration #if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check version setting in configuration" + #Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration" # ################################################################################# # # Test : NAME-4220 # Description : Check if we can perform a zone transfer of primary domain - #Register --test-no NAME-4220 --weight L --network NO --description "Check zone transfer" + #Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer" #if [ ${SKIPTEST} -eq 0 ]; then # ################################################################################# # # Test : NAME-4222 # Description : Check if we can perform a zone transfer of PTR (of primary domain) - #Register --test-no NAME-4222 --weight L --network NO --description "Check zone transfer" + #Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer" #if [ ${SKIPTEST} -eq 0 ]; then # ################################################################################# # # Test : NAME-4230 # Description : Check if PowerDNS is running - Register --test-no NAME-4230 --weight L --network NO --description "Check PowerDNS status" + Register --test-no NAME-4230 --weight L --network NO --category security --description "Check PowerDNS status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for running PowerDNS instance" IsRunning pdns_server 
@@ -423,7 +423,7 @@ # Test : NAME-4232 # Description : Check PowerDNS configuration file if [ ${POWERDNS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file" + Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Search PowerDNS configuration file" for I in ${POWERDNS_CONFIG_LOCS}; do @@ -444,7 +444,7 @@ # # Test : NAME-4234 # # Description : Check PowerDNS configuration file consistency # if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no NAME-4234 --weight L --network NO --description "Check PowerDNS configuration consistency" +# Register --test-no NAME-4234 --weight L --network NO --category security --description "Check PowerDNS configuration consistency" # if [ ${SKIPTEST} -eq 0 ]; then # fi # @@ -453,7 +453,7 @@ # Test : NAME-4236 # Description : Check PowerDNS server backends if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS backends" + Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS backends" FIND=`awk -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}` 
@@ -473,7 +473,7 @@ # Test : NAME-4238 # Description : Check PowerDNS authoritive status if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS authoritive status" + Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS master status" FIND=`grep "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` @@ -501,7 +501,7 @@ # # Test : NAME-4302 # Description : Check NIS ypbind daemon status - Register --test-no NAME-4304 --weight L --network NO --description "Check NIS ypbind status" + Register --test-no NAME-4304 --weight L --network NO --category security --description "Check NIS ypbind status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking status of ypbind daemon" IsRunning ypbind @@ -528,7 +528,7 @@ # Description : Check NIS domain # Notes : FreeBSD: sysctl kern.domainname if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NIS domain" + Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking `domainname` for NIS domain value" FIND=`${DOMAINNAMEBINARY} | grep -v "(none)"` 
@@ -594,7 +594,7 @@ # Test : NAME-4402 # Description : Check /etc/hosts configuration - Register --test-no NAME-4402 --weight L --network NO --description "Check duplicate line in /etc/hosts" + Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check duplicate line in /etc/hosts" if [ -f /etc/hosts ]; then @@ -619,7 +619,7 @@ # Test : NAME-4404 # Description : Check /etc/hosts contains an entry for this server name if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/hosts contains an entry for this server name" + Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/hosts contains an entry for this server name" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check /etc/hosts contains an entry for this server name" if [ -f /etc/hosts ]; then @@ -641,7 +641,7 @@ # Test : NAME-4406 # Description : Check server hostname mapping if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping" + Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in /etc/hosts" sFIND=`egrep -v '^(#|$)' /etc/hosts | egrep '^(localhost|::1)\s' | grep -w ${HOSTNAME}` diff --git a/include/tests_networking b/include/tests_networking index 70a2fe30..c54c196e 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -36,7 +36,7 @@
 #
 # Test : NETW-2600
 # Description : Gather IPv6 configuration
- Register --test-no NETW-2600 --os "Linux" --weight L --network YES --description "Checking IPv6 configuration"
+ Register --test-no NETW-2600 --os "Linux" --weight L --network YES --category security --description "Checking IPv6 configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 IPV6_CONFIGURED=0
 IPV6_ACCEPT_RA=255
@@ -116,7 +116,7 @@
 #
 # Test : NETW-2704
 # Description : Basic nameserver configuration tests (connectivity)
- Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
+ Register --test-no NETW-2704 --weight L --network YES --category security --description "Basic nameserver configuration tests"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Checking configured nameservers"
 LogText "Test: Checking /etc/resolv.conf file"
@@ -163,7 +163,7 @@
 # Test : NETW-2705
 # Description : Basic nameserver configuration tests (connectivity)
 if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --description "Check availability two nameservers"
+ Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${DIGBINARY}" = "" ]; then
 if [ ${NUMBERACTIVENS} -lt 2 ]; then
@@ -192,7 +192,7 @@
 # Description : Find default gateway (route)
 # More info : BSD: ^default Linux: 0.0.0.0
 if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Find default gateway (route)"
+ Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
 if [ $SKIPTEST -eq 0 ]; then
 LogText "Test: Searching default gateway(s)"
 FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
@@ -212,7 +212,7 @@
 #
 # Test : NETW-3004
 # Description : Find available network interfaces on FreeBSD and others
- Register --test-no NETW-3004 --weight L --network NO --description "Search available network interfaces"
+ Register --test-no NETW-3004 --weight L --network NO --category security --description "Search available network interfaces"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=""
 N=0
@@ -254,7 +254,7 @@
 #
 # Test : NETW-3006
 # Description : Get network MAC addresses
- Register --test-no NETW-3006 --weight L --network NO --description "Get network MAC addresses"
+ Register --test-no NETW-3006 --weight L --network NO --category security --description "Get network MAC addresses"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=""
 case ${OS} in
@@ -305,7 +305,7 @@
 #
 # Test : NETW-3008
 # Description : Get network IPv4/6 addresses
- Register --test-no NETW-3008 --weight L --network NO --description "Get network IP addresses"
+ Register --test-no NETW-3008 --weight L --network NO --category security --description "Get network IP addresses"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=""; FIND2=""
 case ${OS} in
@@ -369,7 +369,7 @@
 #
 # Test : NETW-3012
 # Description : Check listening ports
- Register --test-no NETW-3012 --weight L --network NO --description "Check listening ports"
+ Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=""; FIND2=""
 N=0
@@ -468,7 +468,7 @@
 # Description : Checking promiscuous interfaces (BSD)
 # Note : FreeBSD and others
 if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
+ Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking promiscuous interfaces (FreeBSD)"
 FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
@@ -510,7 +510,7 @@
 # Description : Checking promiscuous interfaces (Linux)
 # Note : Need ifconfig binary at this moment (does not work on Arch Linux)
 if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (Linux)"
+ Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking promiscuous interfaces (Linux)"
 NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1`
@@ -569,7 +569,7 @@
 # Type : Performance
 # Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state
 if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
+ Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Using netstat for check for connections in WAIT state"
 FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
@@ -588,7 +588,7 @@
 #
 # Test : NETW-3030
 # Description : Checking for DHCP client
- Register --test-no NETW-3030 --weight L --network NO --description "Checking DHCP client status"
+ Register --test-no NETW-3030 --weight L --network NO --category security --description "Checking DHCP client status"
 if [ ${SKIPTEST} -eq 0 ]; then
 IsRunning dhclient
 if [ ${RUNNING} -eq 1 ]; then
@@ -603,7 +603,7 @@
 #
 # Test : NETW-3032
 # Description : Checking for ARP spoofing and related monitoring software
- Register --test-no NETW-3032 --os Linux --weight L --network NO --description "Checking for ARP monitoring software"
+ Register --test-no NETW-3032 --os Linux --weight L --network NO --category security --description "Checking for ARP monitoring software"
 if [ ${SKIPTEST} -eq 0 ]; then
 IsRunning arpwatch
 if [ ${RUNNING} -eq 1 ]; then
diff --git a/include/tests_php b/include/tests_php
index c77e71b2..7164b49a 100644
--- a/include/tests_php
+++ b/include/tests_php
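Review bot: The `@@ -569,7 +569,7 @@` hunk tags NETW-3028 with `--category security` although its own header says `# Type : Performance` and the check merely counts netstat entries in WAIT state, which is a capacity indicator rather than a hardening finding. If `performance` is an accepted category value, the new line should read `Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Checking connections in WAIT state"`; otherwise the header comment should be updated so the two stop contradicting each other. More broadly, every Register line in this diff receives the identical `security` value, so a category filter would currently select either all of these tests or none of them; a per-test assignment (at least for the pure inventory tests such as NETW-3004/3006/3008) is worth a follow-up pass.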
@@ -45,7 +45,7 @@
 #
 # Test : PHP-2211
 # Description : Check php.ini presence
- Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
+ Register --test-no PHP-2211 --weight L --network NO --category security --description "Check php.ini presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking for presence php.ini"
 PHPINIFILE=""
@@ -93,7 +93,7 @@
 # Test : PHP-2320
 # Description : Check php disable functions option
 if [ ! "${PHPINI_ALLFILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP disabled functions"
+ Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 for I in ${PHPINI_ALLFILES}; do
@@ -149,7 +149,7 @@
 Debug "php.ini: ${PHPINIFILE}"
 Debug "version: ${PHPVERSION}"
 fi
- Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
+ Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking PHP register_globals option"
 FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'`
@@ -173,7 +173,7 @@
 # Description : Check php expose_php option
 # Notes : Extend test to check all PHP files YYY
 if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
+ Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking expose_php option"
 FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
@@ -197,7 +197,7 @@
 # Description : Check PHP enable_dl option
 # Notes : Extend test to check all PHP files
 if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
+ Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking PHP enable_dl option"
 FIND=$(egrep -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;')
@@ -219,7 +219,7 @@
 # Description : Check PHP allow_url_fopen option
 # Notes : Extend test to check all PHP files YYY
 if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
+ Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking PHP allow_url_fopen option"
 FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
@@ -242,7 +242,7 @@
 # Description : Check PHP allow_url_include option
 # Notes : Extend test to check all PHP files YYY
 if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
+ Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking PHP allow_url_include option"
 FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index f104ec53..b75870f8 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -38,7 +38,7 @@
 # Test : PKGS-7301
 # Description : Query FreeBSD pkg
 if [ -x /usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query NetBSD pkg"
+ Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`pkg -N 2>&1; echo $?`
 if [ "${FIND}" = "0" ]; then
@@ -64,7 +64,7 @@
 # Test : PKGS-7302
 # Description : Query FreeBSD/NetBSD pkg_info
 if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
+ Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
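Review bot: In the `@@ -38,7 +38,7 @@` hunk the header reads `# Description : Query FreeBSD pkg` and the precondition probes `/usr/sbin/pkg`, yet the rewritten Register line still carries `--description "Query NetBSD pkg"`; the description is what reaches the report and log, so the mismatch is user-visible. Since the line is being touched anyway, `--description "Query FreeBSD pkg"` would bring it in line with the comment (the companion PKGS-7302 already says "FreeBSD/NetBSD" where both apply).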
@@ -91,7 +91,7 @@
 # Description : Query brew package manager
 FIND=`which brew 2> /dev/null`
 if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query brew package manager"
+ Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: Found brew"
@@ -113,7 +113,7 @@
 # Test : PKGS-7304
 # Description : Gentoo packages
 if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages"
+ Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Gentoo packages"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: Found Gentoo emerge"
@@ -136,7 +136,7 @@
 # Test : PKGS-7306
 # Description : Solaris packages
 if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
+ Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Solaris packages"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: Found Solaris pkginfo"
@@ -159,7 +159,7 @@
 # Test : PKGS-7308
 # Description : RPM package based systems
 if [ ! "${RPMBINARY}" = "" -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
+ Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
@@ -192,7 +192,7 @@
 # Test : PKGS-7310
 # Description : pacman package based systems
 if [ ! "${PACMANBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
+ Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
@@ -222,7 +222,7 @@
 # Test : PKGS-7312
 # Description : Check for available package updates when pacman package is used (Arch Linux)
 if [ ! "${PACMANBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking available updates for pacman based system"
+ Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 FIND=`which checkupdates`
@@ -252,7 +252,7 @@
 # Description : Check pacman.conf options
 PACMANCONF="/etc/pacman.conf"
 if [ ! "${PACMANBINARY}" = "" -a -f ${PACMANCONF} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking pacman configuration options"
+ Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
 if [ ${SKIPTEST} -eq 0 ]; then
 COUNT=0
 # Check configuration options (options start with a capital)
@@ -280,7 +280,7 @@
 # Test : PKGS-7328
 # Description : Check installed packages with Zypper
 if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for installed packages"
+ Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 PACKAGE_AUDIT_TOOL_FOUND=1
@@ -304,7 +304,7 @@
 # Test : PKGS-7330
 # Description : Check vulnerable packages with Zypper
 if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for vulnerable packages"
+ Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`${ZYPPERBINARY} -n pchk | grep "(0 security patches)"`
 if [ ! "${FIND}" = "" ]; then
@@ -332,7 +332,7 @@
 # Test : PKGS-7345
 # Description : Debian package based systems (dpkg)
 if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg"
+ Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
@@ -360,7 +360,7 @@
 # Description : Check packages which are removed, but still own configuration files, cron jobs etc
 # Notes : Cleanup: for pkg in `dpkg -l | grep "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done
 if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search unpurged packages on system"
+ Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: Querying dpkg -l to get unpurged packages"
@@ -389,7 +389,7 @@
 # Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
 # issued when it's missing.
 # Add portmaster --clean-distfiles-all
- Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --description "Check for old distfiles"
+ Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -x /usr/local/sbin/portsclean ]; then
 FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
@@ -410,7 +410,7 @@
 # Description : Use Dandified YUM to gather installed packages
 # Notes : Possible replacement for YUM in the long term
 if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for installed packages with DNF utility"
+ Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
@@ -433,7 +433,7 @@
 # Test : PKGS-7352
 # Description : Use Dandified YUM to detect security updates
 if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for security updates with DNF utility"
+ Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for security updates
 LogText "Action: checking updateinfo for security updates"
@@ -460,7 +460,7 @@
 # Test : PKGS-7354
 # Description : Perform integrity tests for package database
 if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package database integrity"
+ Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if repoquery plugin is available
 FIND=`${DNFBINARY} 2>&1 | grep "^repoquery"`
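Review bot: The three rewritten Register lines in these hunks (and the two PKGS-7366/PKGS-7370 lines in the following hunks) quote the test id, `--test-no "PKGS-7350"`, whereas every other Register line in this diff passes it bare, `--test-no PKGS-7348`. Both forms behave the same for these fixed ids, but since the lines are being rewritten anyway, normalising to the unquoted form used throughout the rest of the file keeps the lines greppable with one pattern and avoids a reader wondering whether the quoting is meaningful.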
@@ -486,7 +486,7 @@
 # Test : PKGS-7366
 # Description : Checking if debsecan is installed and enabled on Debian systems
 if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
+ Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${DEBSECANBINARY}" = "" ]; then
 LogText "Result: debsecan utility is installed"
@@ -519,7 +519,7 @@
 # Description : Checking debsums installation status and presence in cron job
 # Note : Run this only when it is a DPKG based system
 if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
+ Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${DEBSUMSBINARY}" = "" ]; then
 LogText "Result: debsums utility is installed"
@@ -549,7 +549,7 @@
 # Test : PKGS-7378
 # Description : Query FreeBSD portmaster for available port upgrades
 if [ -x /usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query portmaster for port upgrades"
+ Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: Querying portmaster for possible port upgrades"
@@ -572,7 +572,7 @@
 #
 # Test : PKGS-7380
 # Description : Check for vulnerable NetBSD packages (with pkg_admin)
- Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --description "Check for vulnerable NetBSD packages"
+ Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -x /usr/sbin/pkg_admin ]; then
 PACKAGE_AUDIT_TOOL_FOUND=1
@@ -612,7 +612,7 @@
 # Test : PKGS-7381
 # Description : Check for vulnerable FreeBSD packages (with pkg)
 if [ -x /usr/sbin/pkg -a -f /var/db/pkg/vuln.xml ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for vulnerable FreeBSD packages with pkg"
+ Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -x /usr/sbin/pkg ]; then
 FIND=`/usr/sbin/pkg audit 2> /dev/null | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
@@ -650,7 +650,7 @@
 # Description : Check for vulnerable FreeBSD packages
 # Notes : Newer machines should use pkg audit instead of portaudit
 if [ -x /usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for vulnerable FreeBSD packages with portaudit"
+ Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
 if [ ${SKIPTEST} -eq 0 ]; then
 PACKAGE_AUDIT_TOOL_FOUND=1
 FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
@@ -679,7 +679,7 @@
 # Description : Check for YUM package Update management
 # Notes : Skip if DNF is used as package manager
 if [ ! "${YUMBINARY}" = "" -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --description "Check for YUM package Update management"
+ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package Update management"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: YUM package update management"
 sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
@@ -699,7 +699,7 @@
 # Test : PKGS-7384
 # Description : Search for YUM utils package
 if [ ! "${YUMBINARY}" = "" -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM utils package"
+ Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -x /usr/bin/package-cleanup ]; then
 LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
@@ -744,7 +744,7 @@
 # : RHEL 6: yum-security-plugin (plugin)
 # : RHEL 5: yum-security (plugin)
 if [ -x /usr/bin/yum -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM security package"
+ Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM security package"
 if [ ${SKIPTEST} -eq 0 ]; then
 DO_TEST=0
 LogText "Test: Determining if yum-security package installed"
@@ -818,7 +818,7 @@
 # Test : PKGS-7387
 # Description : Search for YUM GPG check
 if [ -x /usr/bin/yum -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for GPG signing in YUM security package"
+ Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 FileExists /etc/yum.conf
@@ -840,7 +840,7 @@
 # Test : PKGS-7388
 # Description : Check security repository in Debian/ubuntu apt sources.list file
 if [ -f /etc/apt/sources.list -a -d /etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
+ Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file"
 if [ $SKIPTEST -eq 0 ]; then
 FOUND=0
 if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
@@ -888,7 +888,7 @@
 # Test : PKGS-7390
 # Description : Check Ubuntu database consistency
 if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --description "Check Ubuntu database consistency"
+ Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Package database consistency by running apt-get check"
 FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
@@ -908,7 +908,7 @@
 # Test : PKGS-7392
 # Description : Check Debian/Ubuntu vulnerable packages
 if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --description "Check for Debian/Ubuntu security updates"
+ Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
 if [ ${SKIPTEST} -eq 0 ]; then
 VULNERABLE_PACKAGES_FOUND=0
 SCAN_PERFORMED=0
@@ -981,7 +981,7 @@
 # Test : PKGS-7393
 # Description : Check Gentoo vulnerable packages
 if [ -x /usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Gentoo vulnerable packages"
+ Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
 if [ ${SKIPTEST} -eq 0 ]; then
 VULNERABLE_PACKAGES_FOUND=0
 SCAN_PERFORMED=0
@@ -1028,7 +1028,7 @@
 # Test : PKGS-7394
 # Description : Check Ubuntu upgradeable packages
 if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Ubuntu updates"
+ Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: checking /usr/bin/apt-show-versions"
 if [ -x /usr/bin/apt-show-versions ]; then
@@ -1060,7 +1060,7 @@
 #
 # Test : PKGS-7398
 # Description : Check package audit tool
- Register --test-no PKGS-7398 --weight L --network YES --description "Check for package audit tool"
+ Register --test-no PKGS-7398 --weight L --network YES --category security --description "Check for package audit tool"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: checking for package audit tool"
 if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
@@ -1088,7 +1088,7 @@
 #
 # Test : PKGS-7410
 # Description : Count number of installed kernel packages
- Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages"
+ Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages"
 if [ ${SKIPTEST} -eq 0 ]; then
 KERNELS=0
 if [ ! "${RPMBINARY}" = "" ]; then
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index 4ebd146f..70cf3bf3 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -40,7 +40,7 @@
 #
 # Test : PRNT-2302
 # Description : Check printcap file consistency
- Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --description "Check for printcap consistency"
+ Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --category security --description "Check for printcap consistency"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching /usr/sbin/chkprintcap"
 if [ ! -f /usr/sbin/chkprintcap ]; then
@@ -66,7 +66,7 @@
 #
 # Test : PRNT-2304
 # Description : Check cupsd status
- Register --test-no PRNT-2304 --weight L --network NO --description "Check cupsd status"
+ Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking cupsd status"
 #FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
@@ -86,7 +86,7 @@
 # Test : PRNT-2306
 # Description : Check CUPSd configuration file
 if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file"
+ Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching cupsd configuration file"
 for I in ${CUPSD_CONFIG_LOCS}; do
@@ -114,7 +114,7 @@
 # Description : Check CUPSd configuration file permissions
 # To Do : Add function
 if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file permissions"
+ Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking CUPS configuration file permissions"
 FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
@@ -134,7 +134,7 @@
 # Test : PRNT-2308
 # Description : Check CUPS daemon network configuration
 if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd network configuration"
+ Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 # Checking network addresses
@@ -187,7 +187,7 @@
 #
 # Test : PRNT-2314
 # Description : Check lpd status
- Register --test-no PRNT-2314 --weight L --network NO --description "Check lpd status"
+ Register --test-no PRNT-2314 --weight L --network NO --category security --description "Check lpd status"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking lpd status"
 IsRunning lpd
@@ -207,7 +207,7 @@
 # Test : PRNT-23xx
 # Description : Test Linux printcap file
 #if [ ${CUPSD_RUNNING} -eq 1 -a ! "${CUPSD_CONFIG_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
+ #Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check cupsd address configuration"
 #if [ ${SKIPTEST} -eq 0 ]; then
 #if [ "${OS}" = "Linux" ]; then
 # echo " - Testing printcap file [Test not implemented yet]"
@@ -218,7 +218,7 @@
 #
 # Test : PRNT-2416
 # Description : Check /etc/qconfig file
- Register --test-no PRNT-2316 --os AIX --weight L --network NO --description "Checking /etc/qconfig file"
+ Register --test-no PRNT-2316 --os AIX --weight L --network NO --category security --description "Checking /etc/qconfig file"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking /etc/qconfig"
 QDAEMON_CONFIG_FILE="/etc/qconfig"
@@ -242,7 +242,7 @@
 #
 # Test : PRNT-2418
 # Description : Check qdaemon printer spooler status
- Register --test-no PRNT-2418 --os AIX --weight L --network NO --description "Checking qdaemon printer spooler status"
+ Register --test-no PRNT-2418 --os AIX --weight L --network NO --category security --description "Checking qdaemon printer spooler status"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking qdaemon status"
 IsRunning qdaemon
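Review bot: The rewritten PRNT-23xx line still reads `--test-no PRNT-23xx--preqs-met ${PREQS_MET}` with no space before `--preqs-met`, so if this commented-out block is ever re-enabled Register would receive `PRNT-23xx--preqs-met` as the test number and then treat `${PREQS_MET}` as an unknown option; since the line is being rewritten anyway, `#Register --test-no PRNT-23xx --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check cupsd address configuration"` costs nothing. In the following hunk the header says `# Test : PRNT-2416` while the new line registers `--test-no PRNT-2316`; one of the two identifiers is wrong and they should agree before this becomes a category-filterable test. Both problems predate the commit, but the lines are touched here.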
@@ -266,7 +266,7 @@
 #
 # Test : PRNT-2420
 # Description : Checking old print jobs
- Register --test-no PRNT-2420 --os AIX --weight L --network NO --description "Checking old print jobs"
+ Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking old print jobs"
 DirectoryExists /var/spool/lpd/qdir
diff --git a/include/tests_scheduling b/include/tests_scheduling
index 08cf0650..0b5b4c83 100644
--- a/include/tests_scheduling
+++ b/include/tests_scheduling
@@ -33,7 +33,7 @@
 #
 # Test : SCHD-7702
 # Description : Check cron daemon
- Register --test-no SCHD-7702 --weight L --network NO --description "Check status of cron daemon"
+ Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(ps aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
 if [ "${FIND}" = "" ]; then
@@ -50,7 +50,7 @@
 #
 # Test : SCHD-7704
 # Description : Check crontab / cronjobs
- Register --test-no SCHD-7704 --weight L --network NO --description "Check crontab/cronjobs"
+ Register --test-no SCHD-7704 --weight L --network NO --category security --description "Check crontab/cronjobs"
 if [ ${SKIPTEST} -eq 0 ]; then
 BAD_FILE_PERMISSIONS=0
 BAD_FILE_OWNERSHIP=0
@@ -183,7 +183,7 @@
 #
 # Test : SCHD-7718
 # Description : Check atd status
- Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
+ Register --test-no SCHD-7718 --weight L --network NO --category security --description "Check at users"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking atd status"
 FIND=$(${PSBINARY} ax | grep "/atd" | grep -v "grep")
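Review bot: The new SCHD-7718 line keeps `--description "Check at users"` although the header and the LogText call say the test checks atd status, and the same description string is reused for SCHD-7720 in the next hunk, so the two tests become indistinguishable in any report that prints descriptions. Since the line is rewritten here, `--description "Check atd status"` would align it with its header. The defect predates the commit; only the description text is at issue.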
@@ -207,7 +207,7 @@
 # except the listed ones can schedule jobs. If both can't be
 # found, only root can schedule jobs.
 if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SCHD-7720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at users"
+ Register --test-no SCHD-7720 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check at users"
 if [ ${SKIPTEST} -eq 0 ]; then
 AT_UNKNOWN=0
 case ${OS} in
@@ -270,7 +270,7 @@
 # Test : SCHD-7724
 # Description : Check scheduled at jobs
 if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
+ Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check at jobs"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check scheduled at jobs"
 FIND=$(atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g')
diff --git a/include/tests_shells b/include/tests_shells
index 9a060927..2fd5eeaf 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -48,7 +48,7 @@
 # Test : SHLL-6202
 # Description : check all console TTYs in which root user can enter single user mode without password
- Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
+ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking console TTYs"
 FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'`
@@ -69,7 +69,7 @@
 #
 # Test : SHLL-6211
 # Description : which shells are available according /etc/shells
- Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
+ Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for /etc/shells"
 if [ -f /etc/shells ]; then
@@ -99,7 +99,7 @@
 #
 # Test : SHLL-6220
 # Description : check for idle session killing tools or settings
- Register --test-no SHLL-6220 --weight L --network NO --description "Checking available and valid shells"
+ Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Search for session timeout tools or settings in shell"
 IsRunning timeoutd
@@ -221,7 +221,7 @@
 # Test : SHLL-6230
 # Description : Check for umask values in shell configurations
 SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
- Register --test-no SHLL-6230 --weight H --network NO --description "Perform umask check for shell configurations"
+ Register --test-no SHLL-6230 --weight H --network NO --category security --description "Perform umask check for shell configurations"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 HARDENING_POSSIBLE=0
@@ -272,7 +272,7 @@
 #
 # Test : SHLL-6290
 # Description : Check for Shellshock vulnerability
- Register --test-no SHLL-6290 --weight H --network NO --description "Perform Shellshock vulnerability tests"
+ Register --test-no SHLL-6290 --weight H --network NO --category security --description "Perform Shellshock vulnerability tests"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 #Display --indent 2 --text "- Testing for Shellshock vulnerability"
diff --git a/include/tests_snmp b/include/tests_snmp
index 96588ec9..02cbf5a8 100644
--- a/include/tests_snmp
+++ b/include/tests_snmp
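Review bot: The new SHLL-6220 line still carries `--description "Checking available and valid shells"`, the description of SHLL-6211 in the hunk above, while its own header and LogText say it looks for idle session killing tools or settings; a report or category listing will therefore show two identical entries. Since the line is rewritten here, `--description "Check for idle session killing tools or settings"` would fix it in place. Pre-existing, documentation only.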
@@ -32,7 +32,7 @@
 # Test : SNMP-3302
 # Description : Check for a running SNMP daemon
- Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
+ Register --test-no SNMP-3302 --weight L --network NO --category security --description "Check for running SNMP daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for a SNMP daemon"
 # Check running processes
@@ -52,7 +52,7 @@
 # Test : SNMP-3304
 # Description : Determine SNMP daemon configuration file location
 if [ ${SNMP_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location"
+ Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP daemon file location"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: searching for snmpd.conf file"
 for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
@@ -75,7 +75,7 @@
 # Test : SNMP-3306
 # Description : Determine SNMP communities
 if [ ! "${SNMPD_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP communities"
+ Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
 if [ ${SKIPTEST} -eq 0 ]; then
 WARN=0
 LogText "Test: reading active snmp communities"
diff --git a/include/tests_solaris b/include/tests_solaris
index 96c23899..d283cef9 100644
--- a/include/tests_solaris
+++ b/include/tests_solaris
@@ -28,7 +28,7 @@
 #
 # Test : SOL-xxxx
 # Description : Check if Stop-A is disabled
-# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
+# Register --test-no SOL-xxxx --weight L --network NO --category security --description "Check for running SSH daemon"
 # if [ ${SKIPTEST} -eq 0 ]; then
 # LogText "Test: Searching for a SSH daemon"
 # # Check running processes
@@ -47,7 +47,7 @@
 #
 # Test : SOL-xxxx
 # Description : Check if vold is disabled, to disallow unaudited mounts
-# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
+# Register --test-no SOL-xxxx --weight L --network NO --category security --description "Check for running SSH daemon"
 # if [ ${SKIPTEST} -eq 0 ]; then
 # LogText "Test: Searching for a SSH daemon"
 # # Check running processes
diff --git a/include/tests_squid b/include/tests_squid
index ee5e2b09..d1e5bb46 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -37,7 +37,7 @@
 # Description : Check for a running Squid daemon
 # Notes : Search for squid(3) with a space, to avoid SquidGuard and other
 # programs.
- Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
+ Register --test-no SQD-3602 --weight L --network NO --category security --description "Check for running Squid daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for a Squid daemon"
 FOUND=0
@@ -58,7 +58,7 @@
 # Test : SQD-3604
 # Description : Determine Squid daemon configuration file location
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid daemon file location"
+ Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid daemon file location"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: searching for squid.conf or squid3.conf file"
 for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
@@ -87,7 +87,7 @@
 # Test : SQD-3606
 # Description : Check Squid version
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
+ Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ! "${SQUIDBINARY}" = "" ]; then
 LogText "Result: Squid binary found (${SQUIDBINARY})"
@@ -111,7 +111,7 @@
 # Test : SQD-3610
 # Description : Check Squid configuration options
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
+ Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
 FIND=`grep -v "^#" ${SQUID_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
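Review bot: The new SQD-3610 line keeps `--description "Check Squid version"`, which is SQD-3606's text from the hunk above, while the header and LogText say this test checks the defined configuration options; the two tests will print the same description. As the line is rewritten here, `--description "Check Squid configuration options"` would match its header. Pre-existing, documentation only.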
@@ -128,7 +128,7 @@
 # Test : SQD-3613
 # Description : Check Squid configuration options
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid file permissions"
+ Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
 FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
@@ -156,7 +156,7 @@
 # Test : SQD-3614
 # Description : Check Squid authentication
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
+ Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check auth_param option for authentication methods"
 FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
@@ -177,7 +177,7 @@
 # Test : SQD-3616
 # Description : Check external Squid authentication
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
+ Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check external_acl_type option for external authentication helpers"
 FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
@@ -199,7 +199,7 @@
 # Test : SQD-3620
 # Description : Check ACLs
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
+ Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: checking ACLs"
@@ -224,7 +224,7 @@
 # Test : SQD-3624 [T]
 # Description : Check unsecure ports in Safe_ports list
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
+ Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: checking ACL Safe_ports http_access option"
@@ -275,7 +275,7 @@
 # Test : SQD-3630 [T]
 # Description : Check reply_body_max_size value
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid reply_body_max_size option"
+ Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: checking option reply_body_max_size"
@@ -304,7 +304,7 @@
 # Test : SQD-3680
 # Description : Check httpd_suppress_version_string
 if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version suppresion"
+ Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
 if [ "${FIND}" = "" ]; then
diff --git a/include/tests_ssh b/include/tests_ssh
index 61c038b2..516fb64c 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -36,7 +36,7 @@
 #
 # Test : SSH-7402
 # Description : Check for a running SSH daemon
- Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
+ Register --test-no SSH-7402 --weight L --network NO --category security --description "Check for running SSH daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for a SSH daemon"
 IsRunning sshd
@@ -57,7 +57,7 @@
 # Test : SSH-7404
 # Description : Determine SSH daemon configuration file location
 if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH daemon file location"
+ Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH daemon file location"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Test: searching for sshd_config file"
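Review bot: The rewritten SQD-3680 line carries the user-visible typo `--description "Check Squid version suppresion"`; since the description is regenerated here anyway, `--description "Check Squid version suppression"` is the cheap fix. The same applies to TIME-3128 further down, whose new line keeps `--description "Check preffered time source"` (should read "preferred", as its LogText already does). Both are pre-existing wording issues in strings that end up in reports.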
@@ -93,7 +93,7 @@
 # Description : Check SSH specific defined options
 # Notes : Instead of parsing the configuration file, we query the SSH daemon itself
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH specific defined options"
+ Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
 ## SSHOPTIONS scheme:
@@ -237,7 +237,7 @@
 # Description : AllowUsers / AllowGroups
 # Goal : Check if only a specific amount of users/groups can log in to the system
 if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
+ Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH option: AllowUsers and AllowGroups"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 # AllowUsers
diff --git a/include/tests_storage b/include/tests_storage
index 1f95699b..ea9457d9 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -30,7 +30,7 @@
 #
 # Test : STRG-1840
 # Description : Check for disabled USB storage
- Register --test-no STRG-1840 --os Linux --weight L --network NO --description "Check if USB storage is disabled"
+ Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
@@ -70,7 +70,7 @@
 #
 # Test : STRG-1842
 # Description : Check USB authorizations
- Register --test-no STRG-1842 --os Linux --weight L --network NO --description "Check USB authorizations"
+ Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking USB devices authorization to connect to the system"
 FOUND=0
@@ -107,7 +107,7 @@
 # Test : STRG-1846
 # Description : Check for disabled firewire storage
 # Explanation : Best option is to use the install function, or else drivers can still be loaded manually
- Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
+ Register --test-no STRG-1846 --os Linux --weight L --network NO --category security --description "Check if firewire storage is disabled"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs
index 154b688b..593e5b35 100644
--- a/include/tests_storage_nfs
+++ b/include/tests_storage_nfs
@@ -34,7 +34,7 @@
 # Test : STRG-1902
 # Description : Check rpcinfo
 if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs"
+ Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking rpcinfo registered programs"
 FIND=`${RPCINFOBINARY} -p 2> /dev/null | tr -s ' ' ','`
@@ -49,7 +49,7 @@
 # Test : STRG-1904
 # Description : Check nfs versions in rpcinfo
 if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
+ Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking NFS registered versions"
 FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort`
@@ -64,7 +64,7 @@
 # Test : STRG-1906
 # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
 if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
+ Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking NFS registered protocols"
 FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
@@ -91,7 +91,7 @@
 #
 # Test : STRG-1920
 # Description : Check for running NFS daemons
- Register --test-no STRG-1920 --weight L --network NO --description "Checking NFS daemon"
+ Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking running NFS daemon"
 FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
@@ -109,7 +109,7 @@
 #
 # Test : STRG-1924
 # Description : Check missing nfs in rpcinfo while NFS is running
- #Register --test-no STRG-1924 --weight L --network NO --description "Checking NFS daemon"
+ #Register --test-no STRG-1924 --weight L --network NO --category security --description "Checking NFS daemon"
 #if [ ${SKIPTEST} -eq 0 ]; then
 #
 #################################################################################
@@ -117,7 +117,7 @@
 # Test : STRG-1926
 # Description : Check NFS exports
 if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
+ Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking NFS exports"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: check /etc/exports"
 if [ -f /etc/exports ]; then
@@ -144,7 +144,7 @@
 # Test : STRG-1928
 # Description : Check for empty exports file while NFS is running
 if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
+ Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking empty /etc/exports"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
 Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
@@ -158,7 +158,7 @@
 # Test : STRG-1930
 # Description : Check client access to nfs share
 if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check client access to nfs share"
+ Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
 if [ ${SKIPTEST} -eq 0 ]; then
 #LogText "Test: "
 sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
diff --git a/include/tests_time b/include/tests_time
index 4b91ef2b..d9a0645b 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -48,7 +48,7 @@
 else
 PREQS_MET="YES"
 fi
- Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
+ Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for running NTP daemon or client"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
 LogText "Test: Searching for a running NTP daemon or available client"
@@ -200,7 +200,7 @@
 # Test : TIME-3106
 # Description : Check status of systemd time synchronization
 if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
+ Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check the status of time synchronization via timedatectl"
 FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
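Review bot: The TIME-3106 test that this hunk now registers under `--category security` matches timedatectl output with `grep "NTP sychronized: yes"`, and the misspelled "sychronized" can never match a line spelled "synchronized", so FIND stays empty and the test would always report the host as not synchronized; the grep is a context line, so the commit does not introduce it, but tagging the test as a security check makes its result more visible and the defect worth fixing alongside. The fix is the one-word change `FIND=\`${TIMEDATECTL} status | grep "NTP synchronized: yes"\``, ideally verified against the timedatectl version in use since newer releases have changed this label. The remainder of the test body lies outside the hunk.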
@@ -215,7 +215,7 @@
 # Test : TIME-3112
 # Description : Check for valid associations from ntpq peers list
 if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check active NTP associations ID's"
+ Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking for NTP association ID's from ntpq peers list"
 FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
@@ -233,7 +233,7 @@
 # Test : TIME-3116
 # Description : Check for stratum 16 peers
 if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check peers with stratum value of 16"
+ Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
 if [ ${SKIPTEST} -eq 0 ]; then
 N=0
 LogText "Test: Checking stratum 16 sources from ntpq peers list"
@@ -271,7 +271,7 @@
 # Notes : Items with # are too far away (network distance)
 # Items with - are not chosing due clustering algoritm
 if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check unreliable NTP peers"
+ Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking unreliable ntp peers"
 FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
@@ -294,7 +294,7 @@
 # Test : TIME-3124
 # Description : Check selected time source
 if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check selected time source"
+ Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking selected time source"
 FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
@@ -316,7 +316,7 @@
 # Test : TIME-3128
 # Description : Check time source candidates
 if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check preffered time source"
+ Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preffered time source"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking preferred time source"
 FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
@@ -339,7 +339,7 @@
 # Test : TIME-3132
 # Description : Check ntpq falsetickers
 if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP falsetickers"
+ Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking preferred time source"
 FIND=`${NTPQBINARY} -p -n | grep '^x'`
@@ -363,7 +363,7 @@
 # Test : TIME-3136
 # Description : Check ntpq reported ntp version (Linux)
 if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
+ Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
 FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
@@ -384,7 +384,7 @@
 # Description : Check /etc/default/ntpdate (Linux)
 # Notes : ntpdate-debian binary
 #if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/default/ntpdate"
+ #Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
 #if [ ${SKIPTEST} -eq 0 ]; then
 #
 #################################################################################
@@ -393,7 +393,7 @@
 # Description : Check empty NTP step-tickers
 # Notes : Mostly applies to Red Hat and clones
 if [ "${NTPD_RUNNING}" -eq 1 -a ! "${NTPQBINARY}" = "" -a ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check empty NTP step-tickers"
+ Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 FILE="/etc/ntp/step-tickers"
@@ -449,7 +449,7 @@
 WaitForKeyPress
 # Other should preferably have no access, or read-only at max
 FILE_ARRAY="/etc/chrony.conf /etc/inet/ntp.conf /etc/ntp.conf /usr/local/etc/ntp.conf"
- Register --test-no TIME-3170 --weight L --network NO --description "Check configuration files"
+ Register --test-no TIME-3170 --weight L --network NO --category security --description "Check configuration files"
 if [ ${SKIPTEST} -eq 0 ]; then
 for FILE in ${FILE_ARRAY}; do
 if [ -f ${FILE} ]; then
diff --git a/include/tests_tooling b/include/tests_tooling
index 5ee29b8e..cdce5e6e 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -43,7 +43,7 @@
 #
 # Test : TOOL-5002
 # Description : Check if automation tools are found
- Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools"
+ Register --test-no TOOL-5002 --weight L --network NO --category security --description "Checking for automation tools"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Checking automation tooling"
@@ -155,7 +155,7 @@
 #
 # Test : TOOL-5102
 # Description : Check for Fail2ban
- Register --test-no TOOL-5102 --weight L --network NO --description "Check for presence of Fail2ban"
+ Register --test-no TOOL-5102 --weight L --network NO --category security --description "Check for presence of Fail2ban"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Fail2ban presence
@@ -268,7 +268,7 @@
 #
 # Test : TOOL-5190
 # Description : Check for an IDS/IPS tool
- Register --test-no TOOL-5014 --weight L --network NO --description "Check presence of IDS/IPS tool"
+ Register --test-no TOOL-5014 --weight L --network NO --category security --description "Check presence of IDS/IPS tool"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
diff --git a/include/tests_virtualization b/include/tests_virtualization
index c8d9cc8e..630ec803 100644
--- a/include/tests_virtualization
+++ b/include/tests_virtualization
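Review bot: In the last tests_tooling hunk the header reads `# Test : TOOL-5190` but the rewritten line registers `--test-no TOOL-5014`, so the identifier users would pass to a `--tests` selection, and the one that appears in logs, differ from the one documented above it; one of the two is wrong and should be reconciled while the line is being rewritten (if the header is authoritative, `Register --test-no TOOL-5190 --weight L --network NO --category security --description "Check presence of IDS/IPS tool"`). The mismatch predates this commit. The TIME-3170 hunk earlier on this line starts with a bare `WaitForKeyPress` context line, which is presumably a leftover debugging aid and worth a second look since it would block an unattended audit if it is live code.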
@@ -28,7 +28,7 @@
 #
 # # Test : VIRT-1920
 # # Description : Checking VMware
-# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
+# Register --test-no VIRT-1920 --weight L --network NO --category security --description "Checking VMware guest status"
 # if [ ${SKIPTEST} -eq 0 ]; then
 # # Initialise
 # VMWARE_GUEST=0
diff --git a/include/tests_webservers b/include/tests_webservers
index 47c4cbed..137165cc 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -52,7 +52,7 @@
 # Notes : Do not run on NetBSD, -v is unknown option for httpd binary
 # On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache
 if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
+ Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache presence"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi
 if [ "${HTTPDBINARY}" = "" ]; then
@@ -88,7 +88,7 @@
 else
 PREQS_MET="NO"
 fi
- Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing main Apache configuration file"
+ Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 APACHE_CONFIGFILE=""
 APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'`
@@ -124,7 +124,7 @@
 # Test : HTTP-6626
 # Description : Testing other Apache configuration files
 if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
+ Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing other Apache configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 #Display --indent 4 --text "- Searching Apache virtual hosts"
 for I in ${sTEST_APACHE_TARGETS}; do
@@ -194,7 +194,7 @@
 # Test : HTTP-6628
 # Description : Testing other Apache configuration files
 #if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no HTTP-6628 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
+ #Register --test-no HTTP-6628 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing other Apache configuration file"
 #if [ ${SKIPTEST} -eq 0 ]; then
 # # Configuration specific tests
 # SERVERTOKENSFOUND=0
@@ -244,7 +244,7 @@
 # Test : HTTP-6630
 # Description : Search for all loaded modules
 #if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all loaded Apache modules"
+ #Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all loaded Apache modules"
 #if [ ${SKIPTEST} -eq 0 ]; then
 # Testing Debian style
 #LogText "Test: searching loaded/enabled Apache modules"
@@ -264,7 +264,7 @@
 # Test : HTTP-6632
 # Description : Search for available Apache modules
 if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all available Apache modules"
+ Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: searching available Apache modules"
 N=0
@@ -293,7 +293,7 @@
 # Test : HTTP-6640
 # Description : Search for special Apache modules: evasive
 if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check modules, module
 CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so"
@@ -312,7 +312,7 @@
 # Test : HTTP-6641
 # Description : Search for special Apache modules: Quality of Service
 if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check modules, module
 CheckItem "apache_module" "/mod_qos.so"
@@ -332,7 +332,7 @@
 # Description : Search for special Apache modules: Spamhaus
 # Notes : This test is outdated
 #if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no HTTP-6642 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ #Register --test-no HTTP-6642 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
 #if [ ${SKIPTEST} -eq 0 ]; then
 # # Check modules, module
 # CheckItem "apache_module" "/mod_spamhaus.so"
@@ -351,7 +351,7 @@
 # Test : HTTP-6643
 # Description : Search for special Apache modules: security
 if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check modules, module
 CheckItem "apache_module" "/mod_security2.so"
@@ -375,7 +375,7 @@
 #
 # Test : HTTP-6702
 # Description : Search for nginx process
- Register --test-no HTTP-6702 --weight L --network NO --description "Check nginx process"
+ Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: searching running nginx process"
 FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
@@ -394,7 +394,7 @@
 # Test : HTTP-6704
 # Description : Search for nginx configuration file
 if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
+ Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: searching nginx configuration file"
 for I in ${NGINX_CONF_LOCS}; do
@@ -419,7 +419,7 @@
 # Description : Search for includes within nginx configuration file
 # Notes : Daemon nginx should be running, nginx.conf should be found
 if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files"
+ Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Remove temp file
 if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
@@ -468,7 +468,7 @@
 # Description : Check discovered nginx configuration settings for further hardering
 # Notes : Daemon of nginx should be running, nginx.conf should be found
 if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
+ Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: start parsing all discovered nginx options"
 Display --indent 4 --text "- Parsing configuration options"
@@ -481,7 +481,7 @@
 # Description : Check SSL configuration of nginx
 # Notes : Daemon of nginx should be running, nginx.conf should be found
 if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx SSL configuration settings"
+ Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
 if [ ${SKIPTEST} -eq 0 ]; then
 NGINX_SSL_SUGGESTION=0
 if [ ${NGINX_SSL_ON} -eq 1 ]; then
@@ -534,7 +534,7 @@
 # Description : Check logging configuration of nginx
 # Notes : Daemon of nginx should be running, nginx.conf should be found
 if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging"
+ Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
 if [ ${SKIPTEST} -eq 0 ]; then
 NGINX_LOG_SUGGESTION=0
 Display --indent 6 --text "- Checking log file configuration"
@@ -568,7 +568,7 @@
 # Test : HTTP-6714
 # Description : Check missing error logs in nginx
 if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for missing error logs in nginx"
+ Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
 if [ ${SKIPTEST} -eq 0 ]; then
 NGINX_LOG_SUGGESTION=0
 # Check for missing access log
@@ -589,7 +589,7 @@
 # Test : HTTP-6716
 # Description : Check debug mode on error log in nginx
 if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for debug mode on error log in nginx"
+ Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
 if [ ${SKIPTEST} -eq 0 ]; then
 NGINX_LOG_SUGGESTION=0
 # Access log in debug mode
@@ -615,7 +615,7 @@
 # Description : Check if nginx is running as a reverse proxy
 # Notes : aliases are not counted yet (YYY)
 # if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
+# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx virtual hosts"
 # if [ ${SKIPTEST} -eq 0 ]; then
 # N=0
 # LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
@@ -639,7 +639,7 @@
 # Description : Search for nginx virtual hosts
 # Notes : Test if not aware yet of included configuration files
 # if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
+# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx virtual hosts"
 # if [ ${SKIPTEST} -eq 0 ]; then
 # N=0
 # LogText "Test: searching nginx virtual hosts"
@@ -664,7 +664,7 @@
 # Test : HTTP-6720
 # Description : Search for Nginx log files
 if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Nginx log files"
+ Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Nginx log files"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking directories for files with log file definitions"
 for I in ${NGINX_CONF_LOCS}; do
diff --git a/lynis b/lynis
index 6d06e710..2e29608e 100755
--- a/lynis
+++ b/lynis
@@ -510,6 +510,8 @@ ${NORMAL} LogText "Info: could not find a hostname, using 'no-hostname' instead" ReportSuggestion "LYNIS" "Check your hostname configuration" "hostname -s" fi + Report "test_category=${TEST_CATEGORY_TO_CHECK}" + Report "test_group=${TEST_GROUP_TO_CHECK}" # ################################################################################# # @@ -578,13 +580,17 @@ ${NORMAL} echo " Kernel version: ${OS_KERNELVERSION}" echo " Hardware platform: ${HARDWARE}" echo " Hostname: ${HOSTNAME}" - echo " Auditor: ${AUDITORNAME}" + echo " ---------------------------------------------------" echo " Profiles: ${PROFILES}" echo " Log file: ${LOGFILE}" echo " Report file: ${REPORTFILE}" echo " Report version: ${REPORT_version}" echo " Plugin directory: ${PLUGINDIR}" echo " ---------------------------------------------------" + echo " Auditor: ${AUDITORNAME}" + echo " Test category: ${TEST_CATEGORY_TO_CHECK}" + echo " Test group: ${TEST_GROUP_TO_CHECK}" + echo " ---------------------------------------------------" fi LogText "Program version: ${PROGRAM_VERSION}" @@ -609,6 +615,8 @@ ${NORMAL} LogText "Report file: ${REPORTFILE}" LogText "Report version: ${REPORT_version}" LogText "-----------------------------------------------------" + LogText "Test category: ${TEST_CATEGORY_TO_CHECK}" + LogText "Test group: ${TEST_GROUP_TO_CHECK}" LogText "BusyBox used: ${SHELL_IS_BUSYBOX}" Report "plugin_directory=${PLUGINDIR}" @@ -860,7 +868,7 @@ ${NORMAL} LogTextBreak # Test sections - if [ "${TESTS_CATEGORY_TO_PERFORM}" = "" ]; then + if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then LogText "Info: perform tests from all categories" INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ 
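Review bot: The rewritten condition `if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then` in the last hunk here only recognises the literal `all`, so an empty TEST_GROUP_TO_CHECK — the value the old `= ""` test handled — now takes the else branch and, in the following hunk (@@ -870), sets INCLUDE_TESTS to an empty string while logging "only performing tests from groups:", which presumably runs no tests at all without any error. A mistyped group name has the same outcome, because the requested names are copied into INCLUDE_TESTS without being checked against the list in the then branch; the loop that consumes INCLUDE_TESTS is outside the hunk, so whether a bad name is ignored or turns into a failed include cannot be seen here. Treat empty like all with `if [ "${TEST_GROUP_TO_CHECK}" = "all" -o -z "${TEST_GROUP_TO_CHECK}" ]; then`, and reject unknown group names with an explicit error before they reach the include step.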
@@ -870,8 +878,8 @@ ${NORMAL} mac_frameworks file_integrity tooling malware file_permissions homedirs \ kernel_hardening hardening" else - INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" - LogText "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}" + INCLUDE_TESTS="${TEST_GROUP_TO_CHECK}" + LogText "Info: only performing tests from groups: ${TEST_GROUP_TO_CHECK}" fi # Include available tests