tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Style changes

This commit is contained in:
Michael Boelen 2016-08-25 15:25:51 +02:00
parent dfb025a863
commit 2f4d65b831
1 changed files with 41 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
include/tests_authentication
View File

@ -40,7 +40,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0 # Search accounts with UID 0
LogText "Test: Searching accounts with UID 0" LogText "Test: Searching accounts with UID 0"
FIND=(${GREPBINARY} ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0') FIND=(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts" LogText "Result: Found more than one administrator accounts"
@ -74,7 +74,7 @@
fi fi
# Check password file # Check password file
if [ -f ${PASSWD_FILE} ]; then if [ -f ${PASSWD_FILE} ]; then
FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d` FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Unique UIDs" --result "${STATUS_OK}" --color GREEN
LogText "Result: all accounts found in ${PASSWD_FILE} are unique" LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
@ -102,7 +102,7 @@
Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
LogText "Test: Testing consistency of /etc/group file" LogText "Test: Testing consistency of /etc/group file"
FIND=`/usr/sbin/chkgrp | grep -v 'is fine'` FIND=`/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN
LogText "Result: chkgrp test performed, Group file seems to be ok." LogText "Result: chkgrp test performed, Group file seems to be ok."
@ -158,7 +158,7 @@
LogText "Test: Checking login shells" LogText "Test: Checking login shells"
if [ -f /etc/master.passwd ]; then if [ -f /etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` FIND=`${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else else
@ -198,7 +198,7 @@
Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check unique groups (IDs)" Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check unique groups (IDs)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for non unique group ID's in /etc/group" LogText "Test: Checking for non unique group ID's in /etc/group"
FIND=$(grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d) FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Unique group IDs" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Unique group IDs" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group ID's are unique" LogText "Result: All group ID's are unique"
@ -218,7 +218,7 @@
Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unique group names" Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unique group names"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for non unique group names in /etc/group" LogText "Test: Checking for non unique group names in /etc/group"
FIND=$(grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d) FIND=$(${GREPBINARY} -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d)
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Unique group names" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Unique group names" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group names are unique" LogText "Result: All group names are unique"
@ -295,7 +295,7 @@
"Linux") "Linux")
UID_MIN="" UID_MIN=""
if [ -f /etc/login.defs ]; then if [ -f /etc/login.defs ]; then
UID_MIN=$(grep "^UID_MIN" /etc/login.defs | awk '{print $2}') UID_MIN=$(${GREPBINARY} "^UID_MIN" /etc/login.defs | awk '{print $2}')
LogText "Result: found minimal user id specified: ${UID_MIN}" LogText "Result: found minimal user id specified: ${UID_MIN}"
fi fi
if [ "${UID_MIN}" = "" ]; then UID_MIN="1000"; fi if [ "${UID_MIN}" = "" ]; then UID_MIN="1000"; fi
@ -339,13 +339,13 @@
Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support" Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"` FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: NIS+ authentication not enabled" LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
else else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"` FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"` FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nisplus")
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS+ authentication enabled" LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
@ -366,13 +366,13 @@
Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support" Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"` FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: NIS authentication not enabled" LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
else else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS authentication enabled" LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
@ -530,14 +530,14 @@
LogText "Result: file /etc/pam.conf exists" LogText "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files" LogText "Test: searching PAM configuration files"
FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'` FIND=$(${EGREPBINARY} -v "^#" /etc/pam.conf | ${EGREPBINARY} -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else else
LogText "Result: found one or more configuration lines" LogText "Result: found one or more configuration lines"
for I in ${FIND}; do for LINE in ${FIND}; do
I=`echo ${I} | sed 's/:space:/ /g'` LINE=$(echo ${LINE} | sed 's/:space:/ /g')
LogText "Found line: ${I}" LogText "Found line: ${LINE}"
done done
fi fi
else else
@ -557,9 +557,9 @@
LogText "Result: directory /etc/pam.d exists" LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files" LogText "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort` FIND=$(find /etc/pam.d -type f -print | sort)
for I in ${FIND}; do for FILE in ${FIND}; do
LogText "Found file: ${I}" LogText "Found file: ${FILE}"
done done
else else
LogText "Result: directory /etc/pam.d could not be found" LogText "Result: directory /etc/pam.d could not be found"
@ -638,13 +638,13 @@
case ${LINUX_VERSION} in case ${LINUX_VERSION} in
"SuSE") "SuSE")
PREQS_MET="YES" PREQS_MET="YES"
FIND=`passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'` FIND=$(passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=`passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }'` FIND2=$(passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }')
;; ;;
*) *)
PREQS_MET="YES" PREQS_MET="YES"
FIND=`passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'` FIND=$(passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=`passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }'` FIND2=$(passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }')
;; ;;
esac esac
else else
@ -704,7 +704,7 @@
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking user password aging" Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking user password aging"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs " LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'` FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
LogText "Result: password minimum age is not configured" LogText "Result: password minimum age is not configured"
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
@ -718,7 +718,7 @@
fi fi
LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }')
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
LogText "Result: password aging limits are not configured" LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
@ -745,7 +745,7 @@
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}" LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
FIND=`egrep -v ":[\!\*x](\*)?:" /etc/shadow | awk -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}'` FIND=$(${EGREPBINARY} -v ":[\!\*x](\*)?:" /etc/shadow | awk -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
for ACCOUNT in ${FIND}; do for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired" LogText "Result: password of user ${ACCOUNT} has been expired"
@ -775,7 +775,7 @@
if [ -f /etc/default/sulogin ]; then if [ -f /etc/default/sulogin ]; then
LogText "Result: file /etc/default/sulogin exists" LogText "Result: file /etc/default/sulogin exists"
LogText "Test: checking presence PASSREQ=NO" LogText "Test: checking presence PASSREQ=NO"
FIND=`grep "^PASSREQ=NO" /etc/default/sulogin` FIND=$(${GREPBINARY} "^PASSREQ=NO" /etc/default/sulogin)
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: option not present or configured to request a password at single user mode login" LogText "Result: option not present or configured to request a password at single user mode login"
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN
@ -805,8 +805,8 @@
if [ -f /tcb/files/auth/system/default ]; then if [ -f /tcb/files/auth/system/default ]; then
LogText "Result: file /tcb/files/auth/system/default exists" LogText "Result: file /tcb/files/auth/system/default exists"
LogText "Test: checking presence :d_boot_authenticate@:" LogText "Test: checking presence :d_boot_authenticate@:"
FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default` FIND=$(grep "^:d_boot_authenticate@" /tcb/files/auth/system/default)
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: option not set, password is needed at boot" LogText "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN
AddHP 1 1 AddHP 1 1
@ -837,9 +837,9 @@
TEST_PERFORMED=1 TEST_PERFORMED=1
LogText "Result: file /etc/inittab exists" LogText "Result: file /etc/inittab exists"
LogText "Test: checking presence sulogin for single user mode" LogText "Test: checking presence sulogin for single user mode"
FIND=`egrep "^~~:S:(respawn|wait):/sbin/sulogin" /etc/inittab` FIND=$(${EGREPBINARY} "^~~:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=`egrep "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab` FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
FOUND=1 FOUND=1
LogText "Result: found sulogin, so single user is protected" LogText "Result: found sulogin, so single user is protected"
fi fi