[TIME-3104] Test permissions before opening files
This commit is contained in:
parent
7d17bfbbd7
commit
320a397772
@ -83,7 +83,7 @@
|
|||||||
|
|
||||||
# Check running processes
|
# Check running processes
|
||||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
|
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
|
||||||
if [ ! "${FIND}" = "" ]; then
|
if [ ! -z "${FIND}" ]; then
|
||||||
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
|
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
|
||||||
NTP_DAEMON="ntpd"
|
NTP_DAEMON="ntpd"
|
||||||
LogText "Result: found running NTP daemon in process list"
|
LogText "Result: found running NTP daemon in process list"
|
||||||
@ -100,7 +100,7 @@
|
|||||||
# Check timedate daemon (systemd)
|
# Check timedate daemon (systemd)
|
||||||
if [ ! -z "${TIMEDATECTL}" ]; then
|
if [ ! -z "${TIMEDATECTL}" ]; then
|
||||||
FIND=$(${TIMEDATECTL} status | ${GREPBINARY} "NTP synchronized: yes")
|
FIND=$(${TIMEDATECTL} status | ${GREPBINARY} "NTP synchronized: yes")
|
||||||
if [ ! "${FIND}" = "" ]; then
|
if [ ! -z "${FIND}" ]; then
|
||||||
# Check for systemd-timesyncd
|
# Check for systemd-timesyncd
|
||||||
if [ -f /etc/systemd/timesyncd.conf ]; then
|
if [ -f /etc/systemd/timesyncd.conf ]; then
|
||||||
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
|
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
|
||||||
@ -119,7 +119,7 @@
|
|||||||
if [ -f ${I} ]; then
|
if [ -f ${I} ]; then
|
||||||
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
|
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
|
||||||
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
|
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
|
||||||
if [ ! "${FIND}" = "" ]; then
|
if [ ! -z "${FIND}" ]; then
|
||||||
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||||
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
|
||||||
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
|
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
|
||||||
@ -139,18 +139,22 @@
|
|||||||
# Check cron jobs
|
# Check cron jobs
|
||||||
for I in ${CRON_DIRS}; do
|
for I in ${CRON_DIRS}; do
|
||||||
if [ -d ${I} ]; then
|
if [ -d ${I} ]; then
|
||||||
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
|
if FileIsReadable ${I}; then
|
||||||
if [ ! "${FIND}" = "" ]; then
|
FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
|
||||||
for J in ${FIND}; do
|
if [ ! -z "${FIND}" ]; then
|
||||||
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
|
for J in ${FIND}; do
|
||||||
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
|
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
|
||||||
if [ ! "${FIND2}" = "" ]; then
|
FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
|
||||||
LogText "Positive match found: ${FIND2}"
|
if [ ! -z "${FIND2}" ]; then
|
||||||
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
LogText "Positive match found: ${FIND2}"
|
||||||
fi
|
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||||
done
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
LogText "Result: ${I} is empty, skipping search in directory"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: ${I} is empty, skipping search in directory"
|
LogText "Result: could not search in directory due to permissions"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -159,7 +163,6 @@
|
|||||||
Display --indent 2 --text "- Checking NTP client in cron files" --result "${STATUS_FOUND}" --color GREEN
|
Display --indent 2 --text "- Checking NTP client in cron files" --result "${STATUS_FOUND}" --color GREEN
|
||||||
LogText "Result: found ntpdate or rdate in cron directory"
|
LogText "Result: found ntpdate or rdate in cron directory"
|
||||||
else
|
else
|
||||||
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
||||||
LogText "Result: no ntpdate or rdate found in cron directories"
|
LogText "Result: no ntpdate or rdate found in cron directories"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -178,7 +181,7 @@
|
|||||||
if [ -f /etc/rc.conf ]; then
|
if [ -f /etc/rc.conf ]; then
|
||||||
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
|
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
|
||||||
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
|
FIND=$(${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf)
|
||||||
if [ ! "${FIND}" = "" ]; then
|
if [ ! -z "${FIND}" ]; then
|
||||||
LogText "Result: ntpdate is enabled in rc.conf"
|
LogText "Result: ntpdate is enabled in rc.conf"
|
||||||
FOUND=1
|
FOUND=1
|
||||||
NTP_CONFIG_TYPE_STARTUP=1
|
NTP_CONFIG_TYPE_STARTUP=1
|
||||||
@ -211,7 +214,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3106
|
# Test : TIME-3106
|
||||||
# Description : Check status of systemd time synchronization
|
# Description : Check status of systemd time synchronization
|
||||||
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! -z "${TIMEDATECTL}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
|
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Check the status of time synchronization via timedatectl"
|
LogText "Test: Check the status of time synchronization via timedatectl"
|
||||||
@ -226,7 +229,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3112
|
# Test : TIME-3112
|
||||||
# Description : Check for valid associations from ntpq peers list
|
# Description : Check for valid associations from ntpq peers list
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
|
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking for NTP association ID's from ntpq peers list"
|
LogText "Test: Checking for NTP association ID's from ntpq peers list"
|
||||||
@ -244,13 +247,13 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3116
|
# Test : TIME-3116
|
||||||
# Description : Check for stratum 16 peers
|
# Description : Check for stratum 16 peers
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
|
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
N=0
|
N=0
|
||||||
LogText "Test: Checking stratum 16 sources from ntpq peers list"
|
LogText "Test: Checking stratum 16 sources from ntpq peers list"
|
||||||
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
|
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
|
||||||
if [ "${FIND}" = "" ]; then
|
if [ -z "${FIND}" ]; then
|
||||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
||||||
LogText "Result: All peers are lower than stratum 16"
|
LogText "Result: All peers are lower than stratum 16"
|
||||||
else
|
else
|
||||||
@ -282,15 +285,15 @@
|
|||||||
# Description : Check unreliable peers from peer list
|
# Description : Check unreliable peers from peer list
|
||||||
# Notes : Items with # are too far away (network distance)
|
# Notes : Items with # are too far away (network distance)
|
||||||
# Items with - are not chosen due clustering algorithm
|
# Items with - are not chosen due clustering algorithm
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
|
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking unreliable ntp peers"
|
LogText "Test: Checking unreliable ntp peers"
|
||||||
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
|
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
|
||||||
if [ "${FIND}" = "" ]; then
|
if [ -z "${FIND}" ]; then
|
||||||
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
|
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
|
||||||
LogText "Result: No unreliable peers found"
|
LogText "Result: No unreliable peers found"
|
||||||
else
|
else
|
||||||
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_FOUND}" --color YELLOW
|
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_FOUND}" --color YELLOW
|
||||||
LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
|
LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
|
||||||
for I in ${FIND}; do
|
for I in ${FIND}; do
|
||||||
@ -327,7 +330,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3128
|
# Test : TIME-3128
|
||||||
# Description : Check time source candidates
|
# Description : Check time source candidates
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
|
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preferred time source"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking preferred time source"
|
LogText "Test: Checking preferred time source"
|
||||||
@ -350,7 +353,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3132
|
# Test : TIME-3132
|
||||||
# Description : Check ntpq falsetickers
|
# Description : Check ntpq falsetickers
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
|
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking preferred time source"
|
LogText "Test: Checking preferred time source"
|
||||||
@ -374,7 +377,7 @@
|
|||||||
#
|
#
|
||||||
# Test : TIME-3136
|
# Test : TIME-3136
|
||||||
# Description : Check ntpq reported ntp version (Linux)
|
# Description : Check ntpq reported ntp version (Linux)
|
||||||
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
|
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
|
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
|
||||||
@ -395,7 +398,7 @@
|
|||||||
# Test : TIME-3146
|
# Test : TIME-3146
|
||||||
# Description : Check /etc/default/ntpdate (Linux)
|
# Description : Check /etc/default/ntpdate (Linux)
|
||||||
# Notes : ntpdate-debian binary
|
# Notes : ntpdate-debian binary
|
||||||
#if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
#if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
|
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/default/ntpdate"
|
||||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
#
|
#
|
||||||
@ -416,7 +419,7 @@
|
|||||||
# Test : TIME-3160
|
# Test : TIME-3160
|
||||||
# Description : Check empty NTP step-tickers
|
# Description : Check empty NTP step-tickers
|
||||||
# Notes : Mostly applies to Red Hat and clones
|
# Notes : Mostly applies to Red Hat and clones
|
||||||
if [ "${NTPD_RUNNING}" -eq 1 -a ! "${NTPQBINARY}" = "" -a ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a ! -z "${CHKCONFIGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
|
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
|
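Review bot: The readability check added at `if FileIsReadable ${I}; then` in hunk `@ -139,18 +139,22 @@` covers only the cron directory, while each entry inside it is still opened unconditionally by `FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")`, so a readable directory holding a root-only entry will emit an egrep permission error on stderr and be logged as "no match" rather than as a permission problem. The same guard should wrap each file before it is read, and the directory name belongs in the new skip message so an operator can tell which directory was not searched, e.g. `LogText "Result: could not search in directory ${I} due to permissions"`. Presumably FileIsReadable accepts a regular file path as well as a directory; confirm against its definition, which is not part of this diff. The enclosing TIME-3104 test block starts and ends outside the hunk.
```shell
for J in ${FIND}; do
  LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
  if FileIsReadable ${I}/${J}; then
    FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
    # … unchanged: FIND2 match handling and FOUND/FOUND_IN_CRON/NTP_CONFIG_TYPE_SCHEDULED assignment …
  else
    LogText "Result: could not read ${I}/${J} due to permissions"
  fi
done
```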