tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-28 08:14:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

Small code enhancements

Browse Source
This commit is contained in:
Michael Boelen 2020-10-25 18:48:42 +01:00
parent 42a33fb1e2
commit 499cf1cdb9
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 16 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
include/tests_authentication
View File

@ -849,7 +849,7 @@
# #
################################################################################# #################################################################################
# #
# Test : AUTH-9282 and AUTH-9283 # Test : AUTH-9282, AUTH-9283, and AUTH-9284
# Note : Every Linux based operating system seem to have different passwd # Note : Every Linux based operating system seem to have different passwd
# options, so we have to check the version first. # options, so we have to check the version first.
if [ "${OS}" = "Linux" ]; then if [ "${OS}" = "Linux" ]; then
@ -902,11 +902,10 @@
ReportSuggestion "${TEST_NO}" "When possible set expire dates for all password protected accounts" ReportSuggestion "${TEST_NO}" "When possible set expire dates for all password protected accounts"
fi fi
fi fi
#
#################################################################################
#
# Test : AUTH-9283 # Test : AUTH-9283
# Description : Search passwordless accounts # Description : Search passwordless accounts
# Notes : requires FIND2 variable
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password" Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password"
if [ "${SKIPTEST}" -eq 0 ]; then if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking passwordless accounts" LogText "Test: Checking passwordless accounts"
@ -923,36 +922,38 @@
ReportWarning "${TEST_NO}" "Found accounts without password" ReportWarning "${TEST_NO}" "Found accounts without password"
fi fi
fi fi
#
#################################################################################
#
# Test : AUTH-9284 # Test : AUTH-9284
# Description : Check locked user accounts in /etc/passwd # Description : Check locked user accounts in /etc/passwd
# Notes : requires FIND3 variable
Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd" Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd"
if [ "${SKIPTEST}" -eq 0 ]; then if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking locked accounts" LogText "Test: Checking locked accounts"
NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' ${ROOTDIR}etc/passwd | ${SORTBINARY} | ${UNIQBINARY})
LOCKED_NON_SYSTEM_ACCOUNTS=0 LOCKED_NON_SYSTEM_ACCOUNTS=0
for account in ${FIND3}; do for account in ${FIND3}; do
if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then
LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS + 1)) LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS + 1))
fi fi
done done
if [ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]; then if [ ${LOCKED_NON_SYSTEM_ACCOUNTS} -eq 0 ]; then
LogText "Result: all accounts seem to be unlocked" LogText "Result: all accounts seem to be unlocked"
Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
else else
LogText "Result: found one or more locked accounts" LogText "Result: found one or more locked accounts"
for account in ${FIND3}; do for account in ${FIND3}; do
if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then
LogText "Locked account: ${account}" LogText "Locked account: ${account}"
Report "locked_account[]=${account}" Report "locked_account[]=${account}"
fi fi
done done
Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Locked accounts" --result "${STATUS_FOUND}" --color RED
ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them" ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them"
fi fi
unset account LOCKED_NON_SYSTEM_ACCOUNTS NON_SYSTEM_ACCOUNTS
fi fi
unset FIND1 FIND2 FIND3
# #
################################################################################# #################################################################################
# #