mirror of https://github.com/CISOfy/lynis.git
[TIME-3104] Test permissions before opening files
This commit is contained in:
Michael Boelen
parent
7d17bfbbd7
commit
320a397772
|
|
@ -83,7 +83,7 @@
|
|||
|
||||
# Check running processes
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
|
||||
NTP_DAEMON="ntpd"
|
||||
LogText "Result: found running NTP daemon in process list"
|
||||
|
|
@ -100,7 +100,7 @@
|
|||
# Check timedate daemon (systemd)
|
||||
if [ ! -z "${TIMEDATECTL}" ]; then
|
||||
FIND=$(${TIMEDATECTL} status | ${GREPBINARY} "NTP synchronized: yes")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
# Check for systemd-timesyncd
|
||||
if [ -f /etc/systemd/timesyncd.conf ]; then
|
||||
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
|
||||
|
|
@ -119,7 +119,7 @@
|
|||
if [ -f ${I} ]; then
|
||||
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
|
||||
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
|
||||
|
|
@ -139,18 +139,22 @@
|
|||
# Check cron jobs
|
||||
for I in ${CRON_DIRS}; do
|
||||
if [ -d ${I} ]; then
|
||||
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
for J in ${FIND}; do
|
||||
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
|
||||
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
LogText "Positive match found: ${FIND2}"
|
||||
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||
fi
|
||||
done
|
||||
if FileIsReadable ${I}; then
|
||||
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for J in ${FIND}; do
|
||||
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
|
||||
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
|
||||
if [ ! -z "${FIND2}" ]; then
|
||||
LogText "Positive match found: ${FIND2}"
|
||||
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||
fi
|
||||
done
|
||||
else
|
||||
LogText "Result: ${I} is empty, skipping search in directory"
|
||||
fi
|
||||
else
|
||||
LogText "Result: ${I} is empty, skipping search in directory"
|
||||
LogText "Result: could not search in directory due to permissions"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
|
@ -159,7 +163,6 @@
|
|||
Display --indent 2 --text "- Checking NTP client in cron files" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: found ntpdate or rdate in cron directory"
|
||||
else
|
||||
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: no ntpdate or rdate found in cron directories"
|
||||
fi
|
||||
|
||||
|
|
@ -178,7 +181,7 @@
|
|||
if [ -f /etc/rc.conf ]; then
|
||||
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
|
||||
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: ntpdate is enabled in rc.conf"
|
||||
FOUND=1
|
||||
NTP_CONFIG_TYPE_STARTUP=1
|
||||
|
|
@ -211,7 +214,7 @@
|
|||
#
|
||||
# Test : TIME-3106
|
||||
# Description : Check status of systemd time synchronization
|
||||
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! -z "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check the status of time synchronization via timedatectl"
|
||||
|
|
@ -226,7 +229,7 @@
|
|||
#
|
||||
# Test : TIME-3112
|
||||
# Description : Check for valid associations from ntpq peers list
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking for NTP association ID's from ntpq peers list"
|
||||
|
|
@ -244,13 +247,13 @@
|
|||
#
|
||||
# Test : TIME-3116
|
||||
# Description : Check for stratum 16 peers
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: Checking stratum 16 sources from ntpq peers list"
|
||||
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: All peers are lower than stratum 16"
|
||||
else
|
||||
|
|
@ -282,15 +285,15 @@
|
|||
# Description : Check unreliable peers from peer list
|
||||
# Notes : Items with # are too far away (network distance)
|
||||
# Items with - are not chosen due clustering algorithm
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking unreliable ntp peers"
|
||||
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
|
||||
LogText "Result: No unreliable peers found"
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_FOUND}" --color YELLOW
|
||||
LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
|
||||
for I in ${FIND}; do
|
||||
|
|
@ -327,7 +330,7 @@
|
|||
#
|
||||
# Test : TIME-3128
|
||||
# Description : Check time source candidates
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking preferred time source"
|
||||
|
|
@ -350,7 +353,7 @@
|
|||
#
|
||||
# Test : TIME-3132
|
||||
# Description : Check ntpq falsetickers
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking preferred time source"
|
||||
|
|
@ -374,7 +377,7 @@
|
|||
#
|
||||
# Test : TIME-3136
|
||||
# Description : Check ntpq reported ntp version (Linux)
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
|
||||
|
|
@ -395,7 +398,7 @@
|
|||
# Test : TIME-3146
|
||||
# Description : Check /etc/default/ntpdate (Linux)
|
||||
# Notes : ntpdate-debian binary
|
||||
#if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
#
|
||||
|
|
@ -416,7 +419,7 @@
|
|||
# Test : TIME-3160
|
||||
# Description : Check empty NTP step-tickers
|
||||
# Notes : Mostly applies to Red Hat and clones
|
||||
if [ "${NTPD_RUNNING}" -eq 1 -a ! "${NTPQBINARY}" = "" -a ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a ! -z "${CHKCONFIGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
|
|
|
|||
Loading…
Reference in New Issue