mirror of https://github.com/CISOfy/lynis.git
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
parent 5ccd0912cf
commit 4ecb9d4d05
CHANGELOG.md (13 lines changed)
@ -10,17 +10,28 @@ Lynis 2.5.0 (2017-05-03) - Not released yet
This release is a maintenance release with focus on cleaning up the code for
readability and future expansion. It includes:
* Setting ROOTDIR variable instead of fixed paths
* Use ROOTDIR variable instead of fixed paths
* Introduction of IsEmpty and HasData functions for readability of code
* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
* Deleted unused tests from database file
* Correct levels of identation
During the maintenance cycle, the project got informed about a flaw that could
be possibly abused. This release is therefore highly recommended. See details on
[CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)
Changes:
--------
* Support for older mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries
Tests:
------
* MALW-3280 - Extended test with Symantec components
* PKGS-7332 - Detection of macOS ports tool and installed packages
* TOOL-5120 - Snort detection
* TOOL-5122 - Snort configuration file
---------------------------------------------------------------------------------
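Review bot: typo in the bullet list, 'Correct levels of identation' should be 'indentation'. Also, the Tests section describes TOOL-5120 and TOOL-5122 as 'Snort detection' and 'Snort configuration file', while the entries this same commit adds to db/tests.db read 'Presence of Snort IDS' and 'Snort IDS configuration file'; use one wording in both places so the changelog and the test database agree.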
db/tests.db (30 lines changed)
@ -46,8 +46,6 @@ AUTH-9402:test:security:authentication::Query LDAP authentication support:
AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
#BANN-7119:test:security:banners::Check MOTD banner file:
#BANN-7122:test:security:banners::Check /etc/motd banner file contents:
BANN-7124:test:security:banners::Check issue banner file:
BANN-7126:test:security:banners::Check issue banner file contents:
BANN-7128:test:security:banners::Check issue.net banner file:
@ -63,7 +61,6 @@ BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader pres
BOOT-5126:test:security:boot_services:NetBSD:Check for NetBSD boot loader presence:
BOOT-5139:test:security:boot_services::Check for LILO boot loader presence:
BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
#BOOT-5144:test:security:boot_services::Check SPARC Improved boot loader (SILO):
BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file:
BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence:
BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services:
@ -73,7 +70,6 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
#CONT-1906:test:security:containers::Query Xen guests:
CONT-8102:test:security:containers::Checking Docker status and information:
CONT-8104:test:security:containers::Checking Docker info for any warnings:
CONT-8106:test:security:containers::Gather basic stats from Docker:
@ -81,14 +77,11 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
CONT-8108:test:security:containers::Check file permissions for Docker files:
CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
DBS-1804:test:security:databases::Checking active MySQL process:
#DBS-1808:test:security:databases::Checking MySQL data directory:
#DBS-1812:test:security:databases::Checking MySQL data directory permissions:
DBS-1816:test:security:databases::Checking MySQL root password:
DBS-1818:test:security:databases::MongoDB status:
DBS-1820:test:security:databases::Check MongoDB authentication:
DBS-1826:test:security:databases::Checking active PostgreSQL processes:
DBS-1840:test:security:databases::Checking active Oracle processes:
#DBS-1842:test:security:databases::Checking Oracle home paths:
DBS-1860:test:security:databases::Checking active DB2 instances:
DBS-1880:test:security:databases::Checking active Redis processes:
DBS-1882:test:security:databases::Redis configuration file:
@ -112,7 +105,6 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
FILE-6310:test:security:filesystems::Checking /tmp, /home and /var directory:
FILE-6311:test:security:filesystems::Checking LVM volume groups:
FILE-6312:test:security:filesystems::Checking LVM volumes:
#FILE-6316:test:security:filesystems:Linux:Checking /etc/fstab:
FILE-6323:test:security:filesystems:Linux:Checking EXT file systems:
FILE-6329:test:security:filesystems::Checking FFS/UFS file systems:
FILE-6330:test:security:filesystems:FreeBSD:Checking ZFS file systems:
@ -145,7 +137,6 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
FIRE-4590:test:security:firewalls::Check firewall status:
HOME-9302:test:security:homedirs::Create list with home directories:
HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
#HOME-9314:test:security:homedirs::Create list with home directories:
HOME-9350:test:security:homedirs::Collecting information from home directories:
HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
HRDN-7222:test:security:hardening::Check compiler permissions:
@ -153,12 +144,9 @@ HRDN-7230:test:security:hardening::Check for malware scanner:
HTTP-6622:test:security:webservers::Checking Apache presence:
HTTP-6624:test:security:webservers::Testing main Apache configuration file:
HTTP-6626:test:security:webservers::Testing other Apache configuration file:
#HTTP-6628:test:security:webservers::Testing other Apache configuration file:
#HTTP-6630:test:security:webservers::Determining all loaded Apache modules:
HTTP-6632:test:security:webservers::Determining all available Apache modules:
HTTP-6640:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6641:test:security:webservers::Determining existence of specific Apache modules:
#HTTP-6642:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6643:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6702:test:security:webservers::Check nginx process:
HTTP-6704:test:security:webservers::Check nginx configuration file:
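Review bot: after dropping HTTP-6628, HTTP-6630 and HTTP-6642, the surviving entries HTTP-6640, HTTP-6641 and HTTP-6643 still carry the identical description 'Determining existence of specific Apache modules', so the database gives no way to tell the three tests apart. While this block is being cleaned up, give each one a description naming the module(s) it looks for.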
@ -168,8 +156,6 @@ HTTP-6710:test:security:webservers::Check nginx SSL configuration settings:
HTTP-6712:test:security:webservers::Check nginx access logging:
HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
HTTP-6720:test:security:webservers::Check Nginx log files:
INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
@ -187,7 +173,6 @@ KRNL-5745:test:security:kernel:FreeBSD:Checking FreeBSD loaded kernel modules:
KRNL-5770:test:security:kernel:Solaris:Checking active kernel modules:
KRNL-5788:test:security:kernel:Linux:Checking availability new Linux kernel:
KRNL-5820:test:security:kernel:Linux:Checking core dumps configuration:
#KRNL-5826:test:security:kernel:Linux:Checking core dumps configuration:
KRNL-5830:test:security:kernel:Linux:Checking if system is running on the latest installed kernel:
KRNL-6000:test:security:kernel_hardening::Check sysctl key pairs in scan profile:
LDAP-2219:test:security:ldap::Check running OpenLDAP instance:
@ -252,14 +237,9 @@ NAME-4036:test:security:nameservices::Check Unbound configuration file:
NAME-4202:test:security:nameservices::Check BIND status:
NAME-4204:test:security:nameservices::Search BIND configuration file:
NAME-4206:test:security:nameservices::Check BIND configuration consistency:
#NAME-4050:test:security:nameservices::Check nscd status:
NAME-4210:test:security:nameservices::Check DNS banner:
#NAME-4212:test:security:nameservices::Check version setting in configuration:
#NAME-4220:test:security:nameservices::Check zone transfer:
#NAME-4222:test:security:nameservices::Check zone transfer:
NAME-4230:test:security:nameservices::Check PowerDNS status:
NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
#NAME-4234:test:security:nameservices::Check PowerDNS configuration consistency:
NAME-4236:test:security:nameservices::Check PowerDNS backends:
NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
NAME-4304:test:security:nameservices::Check NIS ypbind status:
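Review bot: typo in the context line for NAME-4238, 'Check PowerDNS authoritive status' should read 'authoritative'. This hunk already prunes five commented-out entries from the same block, so it is the natural place to fix the spelling as well.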
@ -301,6 +281,8 @@ PKGS-7320:test:security:ports_packages:Linux:Check presence of arch-audit for Ar
PKGS-7322:test:security:ports_packages:Linux:Discover vulnerable packages on Arch Linux:
PKGS-7328:test:security:ports_packages::Querying Zypper for installed packages:
PKGS-7330:test:security:ports_packages::Querying Zypper for vulnerable packages:
PKGS-7332:test:security:ports_packages::Detection of macOS ports and packages:
PKGS-7334:test:security:ports_packages::Detection of available updates for macOS ports:
PKGS-7345:test:security:ports_packages::Querying dpkg:
PKGS-7346:test:security:ports_packages::Search unpurged packages on system:
PKGS-7348:test:security:ports_packages:FreeBSD:Check for old distfiles:
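Review bot: PKGS-7334 ('Detection of available updates for macOS ports') is registered here but does not appear in the CHANGELOG Tests section of this commit, which lists only PKGS-7332. Either add it to the changelog, or, if the test is not implemented yet, keep it out of the database; unimplemented entries are exactly what the other hunks in this file remove.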
@ -330,7 +312,6 @@ PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
PRNT-2307:test:security:printers_spools::Check CUPSd configuration file permissions:
PRNT-2308:test:security:printers_spools::Check CUPSd network configuration:
PRNT-2314:test:security:printers_spools::Check lpd status:
#PRNT-23xx:test::printers_spools:Check cupsd address configuration:security:
PRNT-2316:test:security:printers_spools:AIX:Checking /etc/qconfig file:
PRNT-2418:test:security:printers_spools:AIX:Checking qdaemon printer spooler status:
PRNT-2420:test:security:printers_spools:AIX:Checking old print jobs:
@ -348,8 +329,6 @@ SHLL-6290:test:security:shells::Perform Shellshock vulnerability tests:
SNMP-3302:test:security:snmp::Check for running SNMP daemon:
SNMP-3304:test:security:snmp::Check SNMP daemon file location:
SNMP-3306:test:security:snmp::Check SNMP communities:
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
SQD-3602:test:security:squid::Check for running Squid daemon:
SQD-3604:test:security:squid::Check Squid daemon file location:
SQD-3606:test:security:squid::Check Squid version:
@ -372,7 +351,6 @@ STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
STRG-1904:test:security:storage_nfs::Check nfs rpc:
STRG-1906:test:security:storage_nfs::Check nfs rpc:
STRG-1920:test:security:storage_nfs::Checking NFS daemon:
#STRG-1924:test:security:storage_nfs::Checking NFS daemon:
STRG-1926:test:security:storage_nfs::Checking NFS exports:
STRG-1928:test:security:storage_nfs::Checking empty /etc/exports:
STRG-1930:test:security:storage_nfs::Check client access to nfs share:
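Review bot: typo in the context line for TIME-3128, 'Check preffered time source' should read 'preferred'. Removing the commented-out #VIRT-1920 entry is correct: its fields were not in the same order as every other row in this file (`test::virtualization:Checking VMware guest status:security:`), so it would have been a broken record even if uncommented.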
@ -385,13 +363,13 @@ TIME-3124:test:security:time::Check selected time source:
TIME-3128:test:security:time::Check preffered time source:
TIME-3132:test:security:time::Check NTP falsetickers:
TIME-3136:test:security:time:Linux:Check NTP protocol version:
#TIME-3146:test:security:time:Linux:Check /etc/default/ntpdate:
TIME-3148:test:performance:time:Linux:Check TZ variable:
TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
TIME-3170:test:security:time::Check configuration files:
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
#VIRT-1920:test::virtualization:Checking VMware guest status:security:
# EOF
@ -38,7 +38,7 @@
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no CORE-1000 --weight L --network NO --description "Check all system binaries"
BINARY_PATHS_FOUND=""; N=0
BINARY_PATHS_FOUND=""; COUNT=0
Display --indent 2 --text "- Checking system binaries..."
LogText "Status: Starting binary scan..."
for SCANDIR in ${BIN_PATHS}; do
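Review bot: renaming N to COUNT helps readability, but COUNT is a plain global in a shell namespace shared by every sourced test file, so any other test that also uses COUNT as its loop counter starts from this test's final value unless it initialises it first. A name scoped to this test, the way BINARY_PATHS_FOUND already is, avoids that class of bug.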
@ -55,10 +55,10 @@
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
ORGPATH="${SCANDIR}"
SCANDIR="${sFILE}"
else
else
SKIPDIR=1; LogText "Result: Symlink variable empty, or directory to symlink is non-existing"
fi
else
else
SKIPDIR=1; LogText "Result: Could not find the location of this symlink, or is not a directory"
fi
fi
@ -73,12 +73,12 @@
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=$(ls ${SCANDIR})
for I in ${FIND}; do
N=$((N + 1))
BINARY="${SCANDIR}/${I}"
for FILENAME in ${FIND}; do
COUNT=$((COUNT + 1))
BINARY="${SCANDIR}/${FILENAME}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
# Optimized, much quicker (limited file access needed)
case ${I} in
case ${FILENAME} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
afick.pl) AFICKFOUND=1; AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEFOUND=1; AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
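Review bot: `for FILENAME in ${FIND}` still iterates over `FIND=$(ls ${SCANDIR})`, so the listing is split on whitespace: an entry containing a space becomes two bogus BINARY paths and COUNT is incremented twice for it. The rename from I to FILENAME does not change that. Looping over the directory itself (`for BINARY in "${SCANDIR}"/*`, deriving FILENAME from `${BINARY##*/}`) avoids parsing ls output and leaves the case labels untouched.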
@ -205,9 +205,9 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
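Review bot: the python, python2 and python3 branches execute the file that was just discovered (`${BINARY} --version`) to obtain its version, and the smbd (`-V`) and sshd (`-t -d`) entries further down do the same. When the audit runs as root, which is the usual case for Lynis, a file named python placed in any scanned directory is executed with root privileges during CORE-1000. Since these lines are being touched anyway, consider probing versions only for files that are root-owned and not group/world writable, or moving the probe into the tool-specific test that actually needs the version.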
@ -217,7 +217,7 @@
salt-master) SALTMASTERFOUND=1; SALTMASTERBINARY="${BINARY}"; LogText " Found known binary: salt-master (SaltStack master) - ${BINARY}" ;;
salt-minion) SALTMINIONFOUND=1; SALTMINIONBINARY="${BINARY}"; LogText " Found known binary: salt-minion (SaltStack client) - ${BINARY}" ;;
samhain) SAMHAINFOUND=1; SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
service) SERVICEFOUND=1; SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
service) SERVICEFOUND=1; SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
sed) SEDBINARY="${BINARY}"
LogText " Found known binary: sed (text stream editor) - ${BINARY}"
;;
@ -226,8 +226,9 @@
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
snort) SNORTBINARY="${BINARY}"; LogText " Found known binary: snort (IDS) - ${BINARY}" ;;
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
ss) SSFOUND=1; SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;;
sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=$(${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'); LogText "Found ${BINARY} (version ${SSHDVERSION})" ;;
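Review bot: the new snort entry records SNORTBINARY but, unlike the adjacent showmount and sockstat entries, sets no *FOUND flag. That matches smtpctl and sort, so it is fine as long as TOOL-5120 checks SNORTBINARY with the HasData helper this release introduces rather than a SNORTFOUND variable that is never assigned.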
@ -263,22 +264,21 @@
zypper) ZYPPERFOUND=1; ZYPPERBINARY="${BINARY}"; LogText " Found known binary: zypper (package manager) - ${BINARY}" ;;
esac
done
else
else
LogText "Result: Directory ${SCANDIR} skipped"
if [ ! "${ORGPATH}" = "" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
fi
else
else
LogText "Result: Directory ${SCANDIR} does NOT exist"
fi
done
BINARY_SCAN_FINISHED=1
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
LogText "Result: found ${COUNT} binaries"
Report "binaries_count=${COUNT}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1
LogText "Result: found ${N} binaries"
Report "binaries_count=${N}"
else
else
LogText "Result: checking of binaries skipped in this mode"
fi
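Review bot: `Report "binaries_count=${COUNT}"` reports the number of directory entries enumerated by `ls`, because COUNT is incremented for every FILENAME before the case statement, not only for executables or for recognised binaries; subdirectories and data files in a scanned path inflate it. Either rename the key to reflect that, or skip non-executable entries (`[ -x "${BINARY}" ]`) before counting, so the value uploaded with the report means what its name says.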
@ -59,6 +59,7 @@ unset LANG
AUDITD_RUNNING=0
APPLICATION_FIREWALL_ACTIVE=0
BINARY_SCAN_FINISHED=0
BLKIDBINARY=""
CAT_BINARY=""
CFAGENTBINARY=""
CHECK=0
@ -98,12 +99,14 @@ unset LANG
DOCKER_DAEMON_RUNNING=0
ECHOCMD=""
ERROR_ON_WARNINGS=0
FAIL2BANBINARY=""
FILEBINARY=""
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
FOUNDPATH=0
GETENT_BINARY=""
GRADMBINARY=""
GREPBINARY="grep"
GROUP_NAME=""
GRPCKBINARY=""
@ -239,6 +242,7 @@ unset LANG
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
SMTPCTLBINARY=""
SNORTBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SSL_CERTIFICATE_PATHS=""
@ -38,7 +38,7 @@
# Additional options to curl
if [ "${UPLOAD_OPTIONS}" = "" ]; then
CURL_OPTIONS=""
else
else
CURL_OPTIONS=" ${UPLOAD_OPTIONS}"
fi
@ -62,7 +62,7 @@
# Check if we can find curl
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
# Restrict access to this binary to the user who is running this script.
if [ "${CURLBINARY}" = "" ]; then
if IsEmpty "${CURLBINARY}"; then
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
LogText "Error: Could not find cURL binary"
exit 1
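Review bot: switching to `IsEmpty "${CURLBINARY}"` is fine, but the failure branch still calls `exit 1` directly while the license-key check a few lines below uses ExitFatal. Use ExitFatal here too so the missing-curl case takes the same logging and cleanup path as the other fatal exits in this file.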
@ -73,7 +73,7 @@
echo "Fatal: no license key found. Quitting.."
LogText "Error: no license key was specified in the profile (${PROFILE})"
ExitFatal
else
else
Output "License key = ${LICENSE_KEY}"
fi
@ -189,7 +189,7 @@
if [ "${UPLOAD_CODE}" = "100" ]; then
Output "${WHITE}License is valid${NORMAL}"
LogText "Result: license is valid"
else
else
LogText "Result: error while checking license"
LogText "Output: ${UPLOAD_CODE}"
echo "${RED}Fatal error: ${WHITE}Error while checking the license.${NORMAL}"
@ -237,16 +237,16 @@
echo ""
# Quit
ExitClean
else
else
Display --indent 2 --text "Data upload status" --result OK --color GREEN
fi
else
else
echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file."
echo "Suggested command: lynis show hostids"
# Quit
ExitFatal
fi
else
else
Output "${YELLOW}No report file found to upload.${NORMAL}"
ExitFatal
fi
@ -124,7 +124,7 @@
HPTOTAL=$((HPTOTAL + HPADDMAX))
if [ ${HPADD} -eq ${HPADDMAX} ]; then
LogText "Hardening: assigned maximum number of hardening points for this item (${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})"
else
else
LogText "Hardening: assigned partial number of hardening points (${HPADD} of ${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})"
fi
}
@ -151,7 +151,7 @@
FIND=$(egrep "^${SETTING};" ${SETTINGS_FILE})
if [ -z "${FIND}" ]; then
echo "${SETTING};${VALUE};${DESCRIPTION};" >> ${SETTINGS_FILE}
else
else
Debug "Setting '${SETTING}' was already configured, overwriting previous line '${FIND}' in ${SETTINGS_FILE} with value '${VALUE}'"
# Delete line first, then add new value (inline search and replace is messy)
CreateTempFile
@ -194,12 +194,12 @@
CHECKFILE=$1
if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then
PERMS="FILE_NOT_FOUND"
else
else
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=$(ls -d -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
else
else
FILEVALUE=$(ls -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
fi
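Review bot: CHECKFILE is expanded unquoted throughout this block (`[ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]`, `ls -l ${CHECKFILE}`, `grep ":${CHECKFILE}:" ${PROFILE}`), so a path containing whitespace or glob characters breaks the test expression or expands to several files, and the profile lookup then compares the wrong name. Quote every expansion (`"${CHECKFILE}"`, `"${PROFILE}"`); a readability pass over these lines is the right moment to do it.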
@ -218,33 +218,32 @@
################################################################################
CheckItem() {
ITEM_FOUND=0
RETVAL=255
if [ $# -eq 2 ]; then
# Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
RETVAL=0
LogText "Result: found search string (result: $FIND)"
else
LogText "Result: search string NOT found"
RETVAL=1
fi
else
LogText "Skipping search, as /dev/null is being used"
fi
return ${RETVAL}
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
fi
ITEM_FOUND=0
RETVAL=255
if [ $# -eq 2 ]; then
# Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if HasData "${FIND}"; then
ITEM_FOUND=1
RETVAL=0
LogText "Result: found search string (result: $FIND)"
else
LogText "Result: search string NOT found"
RETVAL=1
fi
else
LogText "Skipping search, as /dev/null is being used"
fi
return ${RETVAL}
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
fi
}
################################################################################
# Name : CheckUpdates()
# Description : Determine if there is an update available
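Review bot: when CheckItem is called with the wrong number of arguments it reports the exception and falls off the end of the function without `return ${RETVAL}`, so the caller sees ReportException's exit status instead of the 255 that RETVAL was initialised to signal; move the return after the outer if. Separately, `egrep "$2"` treats the caller's search string as an extended regular expression, so a value such as 1.2.3 also matches 192.3; if callers pass literal values, use `grep -F`, otherwise document that the second argument is a pattern.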
@ -344,12 +343,12 @@
RANDOMSTRING1=$(echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}'))
TEMP_FILE="/tmp/${RANDOMSTRING1}"
touch ${TEMP_FILE}
else
else
TEMP_FILE=$(mktemp /tmp/lynis.XXXXXXXXXX) || exit 1
fi
if [ ! "${TEMP_FILE}" = "" ]; then
LogText "Action: created temporary file ${TEMP_FILE}"
else
else
Fatal "Could not create a temporary file"
fi
# Add temporary file to queue for cleanup later
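Review bot: the fallback taken when mktemp is unavailable builds TEMP_FILE as /tmp/lynis-<number> from four bytes of /dev/random and then creates it with `touch`. `touch` succeeds when the path already exists, so if another local user has pre-created that name, or a symlink from it to a file the auditor can write, the run silently uses it; the `[ ! "${TEMP_FILE}" = "" ]` check afterwards only verifies that the variable is non-empty, not that a fresh file was created. Create the file with an exclusive operation (for example `set -C` and a redirection, which fails on an existing path, or a per-run private directory created with `mkdir` under a restrictive umask) and abort when the path already exists. Minor: `od -N4 -tu /dev/random` can block on systems with a depleted entropy pool; /dev/urandom is sufficient for a filename.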
@ -367,13 +366,14 @@
# Determine if a directory exists
DirectoryExists() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling DirectoryExists function"; fi
DIRECTORY_FOUND=0
LogText "Test: checking if directory $1 exists"
if [ -d $1 ]; then
LogText "Result: directory $1 exists"
DIRECTORY_FOUND=1
return 0
else
else
LogText "Result: directory $1 NOT found"
return 1
fi
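Review bot: `[ -d $1 ]` leaves the argument unquoted, so a directory name containing whitespace is split into several words and the test either errors out or checks the wrong path; use `"$1"`. FileExists further down has the same issue with `[ -f $1 ]`.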
@ -434,7 +434,7 @@
Debug "Already discovered default.prf - skipping this file (${PLOC}/${PNAME})"
elif [ "${PNAME}" = "custom.prf" -a ! "${CUSTOM_PROFILE}" = "" ]; then
Debug "Already discovered custom.prf - skipping this file (${PLOC}/${PNAME})"
else
else
if [ "${PLOC}" = "." ]; then FILE="${WORKDIR}/${PNAME}"; else FILE="${PLOC}/${PNAME}"; fi
if [ -r ${FILE} ]; then
PROFILES="${PROFILES} ${FILE}"
@ -460,7 +460,7 @@
echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}"
echo "Search paths used --> ${tPROFILE_TARGETS}"
ExitCustom 66
else
else
PROFILES=$(echo ${PROFILES} | sed 's/^ //')
fi
}
@ -513,10 +513,10 @@
if [ "${RESULT}" = "" ]; then
RESULTPART=""
else
else
if [ ${CRONJOB} -eq 0 ]; then
RESULTPART=" [ ${COLOR}${RESULT}${NORMAL} ]"
else
else
RESULTPART=" [ ${RESULT} ]"
fi
fi
@ -540,7 +540,7 @@
# Check if we already have already discovered a proper echo command tool. It not, set it default to 'echo'.
if [ "${ECHOCMD}" = "" ]; then ECHOCMD="echo"; fi
${ECHOCMD} "\033[${INDENT}C${TEXT}\033[${SPACES}C${RESULTPART}${DEBUGTEXT}"
else
else
echo "${TEXT}${RESULTPART}"
fi
fi
@ -637,7 +637,7 @@
if [ $# -eq 1 ]; then
LogText "${PROGRAM_NAME} ended with exit code $1."
exit $1
else
else
LogText "${PROGRAM_NAME} ended with exit code 1."
exit 1
fi
@ -674,13 +674,14 @@
################################################################################
FileExists() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileExists function"; fi
FILE_FOUND=0
LogText "Test: checking if file $1 exists"
if [ -f $1 ]; then
LogText "Result: file $1 exists"
FILE_FOUND=1
return 0
else
else
LogText "Result: file $1 NOT found"
return 1
fi
@ -718,17 +719,18 @@
#
# Returns : 0 (empty), 1 (not empty)
# EMPTY (0 or 1) - deprecated usage
# Usage : xyz
# Usage : if FileIsEmpty /etc/passwd; then
################################################################################
FileIsEmpty() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileIsEmpty function"; fi
EMPTY=0
LogText "Test: checking if file $1 is empty"
if [ -z $1 ]; then
LogText "Result: file $1 is empty"
EMPTY=1
return 0
else
else
LogText "Result: file $1 is NOT empty"
return 1
fi
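Review bot: the usage comment is corrected but the body still tests `[ -z $1 ]`, which checks whether the argument string is empty, not whether the file is. With any real path the function always takes the 'NOT empty' branch, so `if FileIsEmpty /etc/passwd; then` as documented can never be true. The intended test is `[ ! -s "$1" ]` (true for a zero-length file; combine it with `-f "$1"` if a missing file must not count as empty).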
@ -851,117 +853,117 @@
else
ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX"
fi
else
else
ReportException "GetHostID" "No output from entstat on interfaces: en0, ent0"
fi
;;
"DragonFly" | "FreeBSD")
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
fi
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
fi
;;
"Linux")
# Define preferred interfaces
#PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
# Define preferred interfaces
#PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
# Only use ifconfig if no ip binary has been found
|
||||
if [ ! "${IFCONFIGBINARY}" = "" ]; then
|
||||
# Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
|
||||
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
|
||||
# Check if we can find it with HWaddr on the line
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
|
||||
# Only use ifconfig if no ip binary has been found
|
||||
if [ ! "${IFCONFIGBINARY}" = "" ]; then
|
||||
# Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
|
||||
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
|
||||
# Check if we can find it with HWaddr on the line
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
|
||||
|
||||
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
|
||||
# If not, then falling back to getting first interface. Better than nothing.
|
||||
if [ ! "${HASETH0}" = "" ]; then
|
||||
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
else
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
|
||||
else
|
||||
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
|
||||
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
# See if we can use ip binary instead
|
||||
if [ ! "${IPBINARY}" = "" ]; then
|
||||
# Determine if we have the common available eth0 interface
|
||||
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
# Determine the MAC address of first interface with the ip command
|
||||
FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
|
||||
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
|
||||
if IsEmpty "${FIND}"; then
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
|
||||
if IsEmpty "${FIND}"; then
|
||||
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
|
||||
# If not, then falling back to getting first interface. Better than nothing.
|
||||
if HasData "${HASETH0}"; then
|
||||
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
else
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
|
||||
if IsEmpty "${FIND}"; then
|
||||
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
|
||||
else
|
||||
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
ReportException "GetHostID" "Can't create hostid, missing both ifconfig and ip binary"
|
||||
else
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
|
||||
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check if we found a HostID
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Info: using hardware address ${FIND} to create ID"
|
||||
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
|
||||
LogText "Result: Found HostID: ${HOSTID}"
|
||||
else
|
||||
ReportException "GetHostID" "Can't create HOSTID, command ip not found"
|
||||
else
|
||||
# See if we can use ip binary instead
|
||||
if [ ! "${IPBINARY}" = "" ]; then
|
||||
# Determine if we have the common available eth0 interface
|
||||
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if IsEmpty "${FIND}"; then
|
||||
# Determine the MAC address of first interface with the ip command
|
||||
FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if IsEmpty "${FIND}"; then
|
||||
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
ReportException "GetHostID" "Can't create hostid, missing both ifconfig and ip binary"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check if we found a HostID
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Info: using hardware address ${FIND} to create ID"
|
||||
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
|
||||
LogText "Result: Found HostID: ${HOSTID}"
|
||||
else
|
||||
ReportException "GetHostID" "Can't create HOSTID, command ip not found"
|
||||
fi
|
||||
;;
|
||||
|
||||
"macOS")
|
||||
FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on macOS"
|
||||
fi
|
||||
LYNIS_HOSTID2_PART1=$(hostname -s)
|
||||
if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
|
||||
LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
|
||||
LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
|
||||
if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
|
||||
LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
|
||||
else
|
||||
LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
|
||||
fi
|
||||
HOSTID2=$(echo "${LYNIS_HOSTID2_PART1}${LYNIS_HOSTID2_PART2}" | shasum -a 256 | awk '{ print $1 }')
|
||||
else
|
||||
LogText "Info: could not create HOSTID2 as hostname is missing"
|
||||
fi
|
||||
FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on macOS"
|
||||
fi
|
||||
LYNIS_HOSTID2_PART1=$(hostname -s)
|
||||
if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
|
||||
LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
|
||||
LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
|
||||
if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
|
||||
LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
|
||||
else
|
||||
LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
|
||||
fi
|
||||
HOSTID2=$(echo "${LYNIS_HOSTID2_PART1}${LYNIS_HOSTID2_PART2}" | shasum -a 256 | awk '{ print $1 }')
|
||||
else
|
||||
LogText "Info: could not create HOSTID2 as hostname is missing"
|
||||
fi
|
||||
;;
|
||||
|
||||
"NetBSD")
|
||||
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
HOSTID=$(echo ${FIND} | sha1)
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on NetBSD"
|
||||
fi
|
||||
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if HasData "${FIND}"; then
|
||||
HOSTID=$(echo ${FIND} | sha1)
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on NetBSD"
|
||||
fi
|
||||
;;
|
||||
|
||||
"OpenBSD")
|
||||
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
HOSTID=$(echo ${FIND} | sha1)
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on OpenBSD"
|
||||
fi
|
||||
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if HasData "${FIND}"; then
|
||||
HOSTID=$(echo ${FIND} | sha1)
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on OpenBSD"
|
||||
fi
|
||||
;;
|
||||
|
||||
"Solaris")
|
||||
|
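Review bot: the final `else` of the Linux branch raises `"Can't create HOSTID, command ip not found"` whenever FIND is empty, although the inner branches have already reported the actual cause (no MAC address found, or neither ifconfig nor ip available), so a second, misleading exception is logged; make the message cause-neutral (e.g. "no hardware address found to create HOSTID") or drop it. Also, `if [ ! "${IFCONFIGBINARY}" = "" ]; then` and `if [ ! "${IPBINARY}" = "" ]; then` were left as-is while the surrounding checks in the same function were converted to HasData/IsEmpty.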
@ -979,10 +981,10 @@
|
|||
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
|
||||
elif [ ! "${OPENSSLBINARY}" = "" ]; then
|
||||
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
|
||||
else
|
||||
else
|
||||
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
|
||||
fi
|
||||
else
|
||||
else
|
||||
ReportException "GetHostID" "No interface found op Solaris to create HostID"
|
||||
fi
|
||||
;;
|
||||
|
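Review bot: the exception text `"No interface found op Solaris to create HostID"` has a typo, "op" should be "on". While here, `${OPENSSLBINARY} sha -sha1` depends on the legacy `sha` subcommand; `${OPENSSLBINARY} dgst -sha1` is the form current OpenSSL releases still accept and keeps the `awk '{ print $2 }'` extraction working.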
@ -1000,7 +1002,7 @@
|
|||
fi
|
||||
done
|
||||
fi
|
||||
else
|
||||
else
|
||||
ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)"
|
||||
fi
|
||||
|
||||
|
@ -1027,13 +1029,13 @@
|
|||
if [ ! "${SHA1SUMBINARY}" = "" ]; then
|
||||
HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }')
|
||||
LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
|
||||
else
|
||||
else
|
||||
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "Result: no /etc/ssh directory found, skipping"
|
||||
fi
|
||||
fi
|
||||
|
@ -1055,7 +1057,7 @@
|
|||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "Result: no /etc/ssh directory found, skipping"
|
||||
fi
|
||||
|
||||
|
@ -1216,10 +1218,10 @@
|
|||
################################################################################
|
||||
|
||||
IsEmpty() {
|
||||
if [ $# -eq 1 ]; then
|
||||
if [ -z "$1" ]; then return 0; else return 1; fi
|
||||
else
|
||||
if [ $# -eq 0 ]; then
|
||||
ExitFatal "Function IsEmpty called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
|
||||
else
|
||||
if [ -z "$1" ]; then return 0; else return 1; fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
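Review bot: the rewritten IsEmpty only rejects zero arguments, so a call with two or more arguments (an unquoted value containing spaces, e.g. `IsEmpty ${FIND}`) is silently accepted and only `$1` is tested, while an unquoted empty value now reaches ExitFatal. Consider `if [ $# -ne 1 ]` for the fatal branch and state the one-argument, quoted-value contract in the header comment above the function.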
@ -1232,6 +1234,7 @@
|
|||
################################################################################
|
||||
|
||||
IsRunning() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsRunning function"; fi
|
||||
RUNNING=0
|
||||
PSOPTIONS=""
|
||||
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi
|
||||
|
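Review bot: `if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then` fails with an "unary operator expected" error when SHELL_IS_BUSYBOX is unset or empty, because the unquoted expansion disappears from the test; use `[ "${SHELL_IS_BUSYBOX:-0}" -eq 0 ]` or make sure the variable is initialized together with the other variables this commit initializes.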
@ -1240,7 +1243,7 @@
|
|||
RUNNING=1
|
||||
LogText "IsRunning: process '$1' found (${FIND})"
|
||||
return 0
|
||||
else
|
||||
else
|
||||
LogText "IsRunning: process '$1' not found"
|
||||
return 1
|
||||
fi
|
||||
|
@ -1290,14 +1293,14 @@
|
|||
if [ "${PERMS}" = "" ]; then
|
||||
PERMS=$(ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }')
|
||||
fi
|
||||
else
|
||||
else
|
||||
ReportException "IsOwnedByRoot" "Functions needs 1 argument"
|
||||
return 255
|
||||
fi
|
||||
if [ "${PERMS}" = "0:0" ]; then
|
||||
if IsDeveloperMode; then LogText "Debug: found incorrect file permissions on ${FILE}"; fi
|
||||
return 0
|
||||
else
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
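Review bot: the developer-mode log line in the `0:0` branch of IsOwnedByRoot is inverted: `"${PERMS}" = "0:0"` is the root-owned case that returns 0 (success), yet it logs "found incorrect file permissions". Move the debug message to the `else` branch, and since the check is about ownership rather than permissions, word it that way.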
@ -1340,10 +1343,10 @@
|
|||
LogText "Result: facter says this machine is not a virtual"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
else
|
||||
LogText "Result: facter utility not found"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped facter test, as we already found machine type"
|
||||
fi
|
||||
|
||||
|
@ -1356,10 +1359,10 @@
|
|||
LogText "Result: found ${FIND}"
|
||||
SHORT="${FIND}"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: systemd-detect-virt not found"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped systemd test, as we already found machine type"
|
||||
fi
|
||||
|
||||
|
@ -1372,13 +1375,13 @@
|
|||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found ${FIND}"
|
||||
SHORT="${FIND}"
|
||||
else
|
||||
else
|
||||
LogText "Result: can't find hypervisor vendor with lscpu"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: lscpu not found"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped lscpu test, as we already found machine type"
|
||||
fi
|
||||
|
||||
|
@ -1387,7 +1390,8 @@
|
|||
if [ "${SHORT}" = "" ]; then
|
||||
if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
|
||||
elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
|
||||
else DMIDECODE_BINARY=""
|
||||
else
|
||||
DMIDECODE_BINARY=""
|
||||
fi
|
||||
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
|
||||
LogText "Test: trying to guess virtualization with dmidecode"
|
||||
|
@ -1395,13 +1399,13 @@
|
|||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found ${FIND}"
|
||||
SHORT="${FIND}"
|
||||
else
|
||||
else
|
||||
LogText "Result: can't find product name with dmidecode"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: dmidecode not found (or no access)"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped dmidecode test, as we already found machine type"
|
||||
fi
|
||||
# Other options
|
||||
|
@ -1423,7 +1427,7 @@
|
|||
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
|
||||
IsRunning VBoxClient
|
||||
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped processes test, as we already found platform"
|
||||
fi
|
||||
|
||||
|
@ -1432,10 +1436,10 @@
|
|||
LogText "Test: checking specific files for Amazon"
|
||||
if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then
|
||||
SHORT="amazon-ec2"
|
||||
else
|
||||
else
|
||||
LogText "Result: system not hosted on Amazon"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped Amazon EC2 test, as we already found platform"
|
||||
fi
|
||||
|
||||
|
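Review bot: `[ -f /etc/ec2_version -a ! -z /etc/ec2_version ]` does not check the file's size: `-z` operates on the literal string "/etc/ec2_version", which is never empty, so the second operand is always true. `[ -s /etc/ec2_version ]` is the test for an existing, non-empty file.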
@ -1450,21 +1454,21 @@
|
|||
if [ ! "${FIND}" = "" ]; then
|
||||
SHORT="${FIND}"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped sysctl test, as we already found platform"
|
||||
fi
|
||||
|
||||
# lshw
|
||||
if [ "${SHORT}" = "" ]; then
|
||||
if HasData "${SHORT}"; then
|
||||
if [ ${PRIVILEGED} -eq 1 ]; then
|
||||
if [ -x /usr/bin/lshw ]; then
|
||||
LogText "Test: trying to guess virtualization with lshw"
|
||||
FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found ${FIND}"
|
||||
SHORT="${FIND}"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: lshw not found"
|
||||
fi
|
||||
else
|
||||
|
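Review bot: the lshw guard was inverted by this change: `if [ "${SHORT}" = "" ]; then` (probe lshw only when no platform has been identified yet) became `if HasData "${SHORT}"; then`, so lshw now runs only after a platform was already found and never in the fallback case it is meant for. This should read `if IsEmpty "${SHORT}"; then`, matching the "skipped ... as we already found platform" logic of the sysctl block above it.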
@ -1508,7 +1512,7 @@
|
|||
elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
|
||||
LogText "Result: unknown if this system is a virtual machine"
|
||||
Report "vm=2"
|
||||
else
|
||||
else
|
||||
LogText "Result: system seems to be non-virtual"
|
||||
fi
|
||||
}
|
||||
|
@ -1524,6 +1528,7 @@
|
|||
################################################################################
|
||||
|
||||
IsWorldReadable() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldReadable function"; fi
|
||||
sFILE=$1
|
||||
# Check for symlink
|
||||
if [ -L ${sFILE} ]; then
|
||||
|
@ -1533,7 +1538,7 @@
|
|||
if [ -f ${sFILE} -o -d ${sFILE} ]; then
|
||||
FINDVAL=$(ls -ld ${sFILE} | cut -c 8)
|
||||
if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi
|
||||
else
|
||||
else
|
||||
return 255
|
||||
fi
|
||||
}
|
||||
|
@ -1550,6 +1555,7 @@
|
|||
|
||||
# Function IsWorldExecutable
|
||||
IsWorldExecutable() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldExecutable function"; fi
|
||||
sFILE=$1
|
||||
# Check for symlink
|
||||
if [ -L ${sFILE} ]; then
|
||||
|
@ -1559,7 +1565,7 @@
|
|||
if [ -f ${sFILE} -o -d ${sFILE} ]; then
|
||||
FINDVAL=$(ls -l ${sFILE} | cut -c 10)
|
||||
if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi
|
||||
else
|
||||
else
|
||||
return 255
|
||||
fi
|
||||
}
|
||||
|
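Review bot: `ls -l ${sFILE} | cut -c 10` lists a directory's contents rather than the directory itself, so for the `-d ${sFILE}` case admitted by the condition on the line above, the permission character is taken from the `total` line or the first entry inside the directory; use `ls -ld ${sFILE}` as IsWorldReadable and IsWorldWritable do.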
@ -1575,6 +1581,7 @@
|
|||
################################################################################
|
||||
|
||||
IsWorldWritable() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
|
||||
sFILE=$1
|
||||
FileIsWorldWritable=""
|
||||
|
||||
|
@ -1583,7 +1590,7 @@
|
|||
FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
|
||||
if IsDeveloperMode; then Debug "File mode of ${sFILE} is ${FINDVAL}"; fi
|
||||
if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi
|
||||
else
|
||||
else
|
||||
return 255
|
||||
fi
|
||||
}
|
||||
|
@ -1752,7 +1759,7 @@
|
|||
if [ "${VALUE}" = "off" ]; then
|
||||
LogText "Result: found logging disabled for one virtual host"
|
||||
NGINX_ACCESS_LOG_DISABLED=1
|
||||
else
|
||||
else
|
||||
if [ ! "${VALUE}" = "" ]; then
|
||||
# If multiple values follow, select first one
|
||||
VALUE=$(echo ${VALUE} | awk '{ print $1 }')
|
||||
|
@ -1796,7 +1803,7 @@
|
|||
if [ ! -f ${FILE} ]; then
|
||||
NGINX_ERROR_LOG_MISSING=1
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Warning: did not find a filename after error_log in nginx configuration"
|
||||
fi
|
||||
;;
|
||||
|
@ -1908,18 +1915,18 @@
|
|||
PortIsListening() {
|
||||
if [ "${LSOFBINARY}" = "" ]; then
|
||||
return 255
|
||||
else
|
||||
else
|
||||
if [ $# -eq 2 ] && [ $1 = "TCP" -o $1 = "UDP" ]; then
|
||||
LogText "Test: find service listening on $1:$2"
|
||||
if [ $1 = "TCP" ]; then FIND=$(${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "); else FIND=$(${LSOFBINARY} -i${1} -P -n | grep ":${2} "); fi
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found service listening on port $2 ($1)"
|
||||
return 0
|
||||
else
|
||||
else
|
||||
LogText "Result: did not find service listening on port $2 ($1)"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
else
|
||||
return 255
|
||||
ReportException ${TEST_NO} "Error in function call to PortIsListening"
|
||||
fi
|
||||
|
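Review bot: in the final `else` branch of PortIsListening, `return 255` precedes `ReportException ${TEST_NO} "Error in function call to PortIsListening"`, so the exception is never reported; swap the two lines. Also, `[ $1 = "TCP" -o $1 = "UDP" ]` errors out when `$1` is an empty string; quote it as `"$1"`.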
@ -1945,7 +1952,7 @@
|
|||
# If the No-Break version of echo is known, use that (usually breaks in combination with -e)
|
||||
if [ ! "${ECHONB}" = "" ]; then
|
||||
${ECHONB} "$1"
|
||||
else
|
||||
else
|
||||
${ECHOCMD} -en "$1"
|
||||
fi
|
||||
fi
|
||||
|
@ -2023,7 +2030,7 @@
|
|||
ROOT_ONLY=1
|
||||
elif [ "$1" = "NO" -o "$1" = "no" ]; then
|
||||
ROOT_ONLY=0
|
||||
else
|
||||
else
|
||||
Debug "Invalid option for --root-only parameter of Register function"
|
||||
fi
|
||||
;;
|
||||
|
@ -2111,7 +2118,7 @@
|
|||
if IsVerbose; then Debug "Performing test ID ${TEST_NO} (${TEST_DESCRIPTION})"; fi
|
||||
fi
|
||||
TESTS_EXECUTED="${TEST_NO}|${TESTS_EXECUTED}"
|
||||
else
|
||||
else
|
||||
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Skipped test ${TEST_NO} (${TEST_DESCRIPTION})"; fi
|
||||
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
|
||||
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
|
||||
|
@ -2167,7 +2174,7 @@
|
|||
if [ -f ${PIDFILE} ]; then
|
||||
rm -f $PIDFILE;
|
||||
LogText "PID file removed (${PIDFILE})"
|
||||
else
|
||||
else
|
||||
LogText "PID file not found (${PIDFILE})"
|
||||
fi
|
||||
fi
|
||||
|
@ -2190,14 +2197,14 @@
|
|||
if [ -f ${TMPFILE} ]; then
|
||||
LogText "Action: removing temporary file ${TMPFILE}"
|
||||
rm -f ${TMPFILE}
|
||||
else
|
||||
else
|
||||
LogText "Info: temporary file ${TMPFILE} was already removed"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Found invalid temporary file (${FILE}), not removed. Check your /tmp directory."
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "No temporary files to be deleted"
|
||||
fi
|
||||
}
|
||||
|
@ -2429,10 +2436,10 @@
|
|||
LogText "File permissions are OK"
|
||||
return 0
|
||||
fi
|
||||
else
|
||||
else
|
||||
ReportException "SafePerms()" "Invalid number of arguments for function"
|
||||
fi
|
||||
else
|
||||
else
|
||||
PERMS_OK=1
|
||||
return 0
|
||||
fi
|
||||
|
@ -2483,11 +2490,11 @@
|
|||
LogText "Result: found search string '${STRING}'"
|
||||
if [ ${MASK_LOG} -eq 0 ]; then LogText "Full string returned: ${FIND}"; fi
|
||||
RETVAL=0
|
||||
else
|
||||
else
|
||||
LogText "Result: search search string '${STRING}' NOT found"
|
||||
RETVAL=1
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Skipping search, file (${FILE}) does not exist"
|
||||
ReportException "${TEST_NO}" "Test is trying to search for a string in nonexistent file"
|
||||
fi
|
||||
|
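Review bot: the log message `"Result: search search string '${STRING}' NOT found"` repeats the word "search"; drop one.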
@ -2664,7 +2671,7 @@
|
|||
sFILE="${tFILE}"
|
||||
LogText "Result: symlink found, pointing to directory ${sFILE}"
|
||||
FOUNDPATH=1
|
||||
else
|
||||
else
|
||||
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
|
||||
tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
|
||||
tFILE="${tDIR}/${tFILE}"
|
||||
|
@ -2700,7 +2707,7 @@
|
|||
LogText "Result: file ${tFILE} in ${tDIR} not found"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: file ${sFILE} is not a symlink"
|
||||
fi
|
||||
# Now check if our new location is actually a file or directory destination
|
||||
|
@ -2710,7 +2717,7 @@
|
|||
fi
|
||||
if [ ${FOUNDPATH} -eq 1 ]; then
|
||||
SYMLINK="${sFILE}"
|
||||
else
|
||||
else
|
||||
SYMLINK=""
|
||||
fi
|
||||
}
|
||||
|
@ -2735,7 +2742,7 @@
|
|||
STRING=$(echo $1 | tr '[:lower:]' '[:upper:]')
|
||||
if [ "${I}" = "${STRING}" ]; then RETVAL=0; LogText "Atomic test ($1) skipped by configuration (skip-test)"; fi
|
||||
done
|
||||
else
|
||||
else
|
||||
ReportException "SkipAtomicTest()" "Function called without right number of arguments (1)"
|
||||
fi
|
||||
return $RETVAL
|
||||
|
@ -2860,7 +2867,7 @@
|
|||
|
||||
if [ "${RETVAL}" -lt 2 ]; then
|
||||
return ${RESULT}
|
||||
else
|
||||
else
|
||||
Fatal "ERROR: No result returned from function (TestValue). Incorrect usage?"
|
||||
#ExitFatal
|
||||
fi
|
||||
|
@ -2964,14 +2971,14 @@
|
|||
RETVAL=1
|
||||
if [ "$#" -ne "2" ]; then
|
||||
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
|
||||
else
|
||||
else
|
||||
LogText "${FUNCNAME}: checking value for application ${APP}"
|
||||
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
|
||||
|
||||
if [ "$1" != "$2" ]; then
|
||||
LogText "${FUNCNAME}: ${1} is not equal to ${2}"
|
||||
RETVAL=0
|
||||
else
|
||||
else
|
||||
LogText "${FUNCNAME}: ${1} is equal to ${2}"
|
||||
fi
|
||||
fi
|
||||
|
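Review bot: `${FUNCNAME}` in the ReportException and LogText calls is a bash-specific variable; under a POSIX /bin/sh such as dash it expands to an empty string, so the exception reads "Error in function call to " with no function name. Since Lynis runs under sh, spell the function name out literally in these messages.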
@ -2988,14 +2995,14 @@
|
|||
RETVAL=1
|
||||
if [ "$#" -ne "2" ]; then
|
||||
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
|
||||
else
|
||||
else
|
||||
LogText "${FUNCNAME}: checking value for application ${APP}"
|
||||
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
|
||||
LogText "${FUNCNAME}: checking if ${1} is greater than ${2}"
|
||||
if [ "$1" > "$2" ]; then
|
||||
LogText "${FUNCNAME}: ${1} is greater than ${2}"
|
||||
RETVAL=0
|
||||
else
|
||||
else
|
||||
LogText "${FUNCNAME}: ${1} is not greater than ${2}"
|
||||
fi
|
||||
fi
|
||||
|
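Review bot: `if [ "$1" > "$2" ]; then` is not a comparison: inside `[ ]` an unquoted `>` is a shell redirection, so the test reduces to `[ "$1" ]` (true for any non-empty value) and a file named after `$2` is created in the current directory. Use `-gt` for numeric values (`[ "$1" -gt "$2" ]`) or escape it as `\>` for a string comparison.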
@ -3013,7 +3020,7 @@
|
|||
RETVAL=1
|
||||
if [ "$#" -ne "2" ]; then
|
||||
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
|
||||
else
|
||||
else
|
||||
LogText "${FUNCNAME}: checking value for application ${APP}"
|
||||
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
|
||||
LogText "${FUNCNAME}: checking if ${1} is greater or equal ${2}"
|
||||
|
@ -3035,7 +3042,7 @@
|
|||
RETVAL=1
|
||||
if [ "$#" -ne "2" ]; then
|
||||
ReportException "${TEST_NO}" "Error in function call to TestCase_GreaterOrEqual"
|
||||
else
|
||||
else
|
||||
LogText "${FUNCNAME}: checking value for application ${APP}"
|
||||
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
|
||||
|
||||
|
@ -3059,7 +3066,7 @@
|
|||
RETVAL=1
|
||||
if [ "$#" -ne "2" ]; then
|
||||
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
|
||||
else
|
||||
else
|
||||
LogText "${FUNCNAME}: checking value for application ${APP}"
|
||||
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
|
||||
LogText "${FUNCNAME}: checking if ${1} is less or equal ${2}"
|
||||
|
|
|
@ -19,30 +19,29 @@
|
|||
#################################################################################
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
|
||||
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
|
||||
Display --text " "; Display --text " "
|
||||
ExitFatal
|
||||
else
|
||||
else
|
||||
FILE=$(echo $1 | egrep "^http|https")
|
||||
if [ ! "${FILE}" = "" ] ; then
|
||||
if HasData "${FILE}"; then
|
||||
CreateTempFile
|
||||
TMP_FILE="${TEMP_FILE}"
|
||||
Display --indent 2 --text "Downloading URL ${FILE} with wget"
|
||||
wget -o ${TMP_FILE} ${FILE}
|
||||
if [ $? -gt 0 ]; then
|
||||
AUDIT_FILE="${TMP_FILE}"
|
||||
else
|
||||
else
|
||||
if [ -f ${TMP_FILE} ]; then
|
||||
rm -f ${TMP_FILE}
|
||||
fi
|
||||
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
|
||||
ExitFatal
|
||||
fi
|
||||
else
|
||||
else
|
||||
if [ -f $1 ]; then
|
||||
AUDIT_FILE="$1"
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "File $1 does not exist"
|
||||
ExitFatal
|
||||
fi
|
||||
|
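Review bot: the download branch has its success test inverted and uses the wrong wget flag: `wget -o ${TMP_FILE} ${FILE}` writes wget's log to the temp file (`-o`), not the downloaded content (`-O`), and `if [ $? -gt 0 ]; then AUDIT_FILE="${TMP_FILE}"` treats a non-zero exit as success, so a failed download gets audited while a successful one reports "can not download file" and exits. Write `wget -O "${TMP_FILE}" "${FILE}"` and `if [ $? -eq 0 ]; then`. Also `egrep "^http|https"` matches "https" anywhere in the argument because `^` binds only to the first alternative; `egrep "^https?://"` is the intended check.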
@ -98,7 +97,7 @@ InsertSection "Basics"
|
|||
FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
|
||||
else
|
||||
else
|
||||
MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
|
||||
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
|
||||
fi
|
||||
|
@ -114,7 +113,7 @@ InsertSection "Basics"
|
|||
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Found installation via apt-get"
|
||||
else
|
||||
else
|
||||
LogText "No installations found via apt-get"
|
||||
fi
|
||||
;;
|
||||
|
@ -151,14 +150,14 @@ InsertSection "Basics"
|
|||
|
||||
LogText "Checking usage of wget"
|
||||
FIND_WGET=$(grep wget ${AUDIT_FILE})
|
||||
if [ ! "${FIND_WGET}" = "" ]; then
|
||||
if HasData "${FIND_WGET}"; then
|
||||
Display --indent 4 --text "Download tool" --result "wget"
|
||||
FILE_DOWNLOAD=1
|
||||
fi
|
||||
|
||||
|
||||
FIND=$(grep "^ADD http" ${AUDIT_FILE})
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
FILE_DOWNLOAD=1
|
||||
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
|
||||
LogText "Details: ${FIND}"
|
||||
|
@ -168,10 +167,10 @@ InsertSection "Basics"
|
|||
|
||||
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
|
||||
|
||||
if [ ! "${SSL_USED_FIND}" = "" ]; then
|
||||
if HasData "${SSL_USED_FIND}"; then
|
||||
SSL_USED="YES"
|
||||
COLOR="GREEN"
|
||||
else
|
||||
else
|
||||
SSL_USED="NO"
|
||||
COLOR="RED"
|
||||
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
|
||||
|
@ -182,7 +181,7 @@ InsertSection "Basics"
|
|||
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE})
|
||||
Display --indent 2 --text "Signing keys used" --result ${SSL_USED}
|
||||
Display --indent 2 --text "All downloads properly checked" --result "?"
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "No files seems to be downloaded in this Dockerfile"
|
||||
|
||||
fi
|
||||
|
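Review bot: `Display --indent 2 --text "Signing keys used" --result ${SSL_USED}` prints the SSL result a second time; the `KEYS_USED` value computed on the line above is never shown. Reduce it to a YES/NO like SSL_USED and pass that as `--result`, quoted so an empty value does not drop the argument.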
@ -192,7 +191,7 @@ InsertSection "Basics"
|
|||
InsertSection "Permissions"
|
||||
|
||||
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
ReportWarning "dockerfile" "Warning: chmod 777 found"
|
||||
fi
|
||||
#
|
||||
|
|
|
@ -187,11 +187,11 @@ if [ $# -gt 0 ]; then
|
|||
"commands")
|
||||
if [ $# -eq 1 ]; then
|
||||
${ECHOCMD} "\n${WHITE}Commands:${NORMAL}"
|
||||
for I in ${COMMANDS}; do
|
||||
${ECHOCMD} "lynis ${CYAN}${I}${NORMAL}"
|
||||
for ITEM in ${COMMANDS}; do
|
||||
${ECHOCMD} "lynis ${CYAN}${ITEM}${NORMAL}"
|
||||
done
|
||||
${ECHOCMD} ""
|
||||
else
|
||||
else
|
||||
shift
|
||||
if [ $# -eq 1 ]; then
|
||||
case $1 in
|
||||
|
@ -200,7 +200,7 @@ if [ $# -gt 0 ]; then
|
|||
"update") ${ECHOCMD} "No help available yet" ;;
|
||||
*) DisplayError "Unknown argument for 'commands'"
|
||||
esac
|
||||
else
|
||||
else
|
||||
shift
|
||||
case $1 in
|
||||
"dockerfile")
|
||||
|
@ -223,7 +223,7 @@ if [ $# -gt 0 ]; then
|
|||
if [ -z "${LOGFILE}" ]; then DisplayError "Could not find log file to parse"; fi
|
||||
if [ $# -eq 1 ]; then
|
||||
DisplayError "This command needs a test ID (e.g. CORE-1000) to search for."
|
||||
else
|
||||
else
|
||||
shift
|
||||
if [ $# -eq 1 ]; then
|
||||
TESTID="$1"
|
||||
|
@ -255,14 +255,14 @@ if [ $# -gt 0 ]; then
|
|||
${ECHOCMD} "=========================="
|
||||
${ECHOCMD} ""
|
||||
${ECHOCMD} "${WHITE}Commands${NORMAL}:"
|
||||
for I in ${COMMANDS}; do
|
||||
${ECHOCMD} "${CYAN}${I}${NORMAL}"
|
||||
for ITEM in ${COMMANDS}; do
|
||||
${ECHOCMD} "${CYAN}${ITEM}${NORMAL}"
|
||||
done
|
||||
${ECHOCMD} ""
|
||||
${ECHOCMD} "Use 'lynis show help ${CYAN}<command>${NORMAL}' to see details"
|
||||
${ECHOCMD} ""; ${ECHOCMD} ""
|
||||
${ECHOCMD} "${WHITE}Options${NORMAL}:\n${GRAY}${OPTIONS}${NORMAL}"
|
||||
else
|
||||
else
|
||||
shift
|
||||
case $1 in
|
||||
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
|
||||
|
@ -274,7 +274,7 @@ if [ $# -gt 0 ]; then
|
|||
esac
|
||||
fi
|
||||
;;
|
||||
"helpers") for I in ${HELPERS}; do ${ECHOCMD} ${I}; done ;;
|
||||
"helpers") for ITEM in ${HELPERS}; do ${ECHOCMD} ${ITEM}; done ;;
|
||||
"hostids" | "hostid")
|
||||
${ECHOCMD} "hostid=${HOSTID}"
|
||||
${ECHOCMD} "hostid2=${HOSTID2}"
|
||||
|
@ -295,7 +295,7 @@ if [ $# -gt 0 ]; then
|
|||
${ECHOCMD} "OS_VERSION=${OS_VERSION}"
|
||||
;;
|
||||
"pidfile") ${ECHOCMD} "${PIDFILE}" ;;
|
||||
"profile" | "profiles") for I in ${PROFILES}; do ${ECHOCMD} ${I}; done ;;
|
||||
"profile" | "profiles") for ITEM in ${PROFILES}; do ${ECHOCMD} ${ITEM}; done ;;
|
||||
"profiledir") ${ECHOCMD} "${PROFILEDIR}" ;;
|
||||
"plugindir") ${ECHOCMD} "${PLUGINDIR}" ;;
|
||||
"release") ${ECHOCMD} "${PROGRAM_VERSION}-${PROGRAM_RELEASE_TYPE}" ;;
|
||||
|
@ -314,7 +314,7 @@ if [ $# -gt 0 ]; then
|
|||
*)
|
||||
${ECHOCMD} "${RED}Error${NORMAL}: Invalid argument provided to 'lynis show settings'\n\n"
|
||||
${ECHOCMD} "Suggestions:"
|
||||
for I in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${I}"; done
|
||||
for ITEM in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${ITEM}"; done
|
||||
ExitFatal
|
||||
;;
|
||||
esac
|
||||
|
@ -431,10 +431,10 @@ if [ $# -gt 0 ]; then
|
|||
"?") ${ECHOCMD} "${SHOW_ARGS}" ;;
|
||||
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis show" ;;
|
||||
esac
|
||||
else
|
||||
else
|
||||
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
|
||||
for I in ${SHOW_ARGS}; do
|
||||
${ECHOCMD} " lynis show ${BROWN}${I}${NORMAL}"
|
||||
for ITEM in ${SHOW_ARGS}; do
|
||||
${ECHOCMD} " lynis show ${BROWN}${ITEM}${NORMAL}"
|
||||
done
|
||||
${ECHOCMD} "\n"
|
||||
|
||||
|
|
|
@ -69,11 +69,11 @@ elif [ "$1" = "info" ]; then
|
|||
echo -n " Status : "
|
||||
if [ ${PROGRAM_LV} -eq 0 ]; then
|
||||
echo "${RED}Unknown${NORMAL}";
|
||||
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
|
||||
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
|
||||
echo "${YELLOW}Outdated${NORMAL}";
|
||||
echo " Installed version : ${PROGRAM_AC}"
|
||||
echo " Latest version : ${PROGRAM_LV}"
|
||||
else
|
||||
else
|
||||
echo "${GREEN}Up-to-date${NORMAL}"
|
||||
fi
|
||||
echo " Release date : ${PROGRAM_RELEASE_DATE}"
|
||||
|
|
|
@ -46,6 +46,8 @@
|
|||
OS_VERSION_NAME="unknown"
|
||||
OS_FULLNAME="macOS (unknown version)"
|
||||
case ${OS_VERSION} in
|
||||
10.7 | 10.7.[0-9]*) OS_FULLNAME="Mac OS X 10.7 (Lion)" ;;
|
||||
10.8 | 10.8.[0-9]*) OS_FULLNAME="Mac OS X 10.8 (Mountain Lion)" ;;
|
||||
10.9 | 10.9.[0-9]*) OS_FULLNAME="Mac OS X 10.9 (Mavericks)" ;;
|
||||
10.10 | 10.10.[0-9]*) OS_FULLNAME="Mac OS X 10.10 (Yosemite)" ;;
|
||||
10.11 | 10.11.[0-9]*) OS_FULLNAME="Mac OS X 10.11 (El Capitan)" ;;
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
|
||||
echo "Example: $0 audit dockerfile /root/Dockerfile"
|
||||
ExitFatal
|
||||
else
|
||||
else
|
||||
shift; shift
|
||||
HELPER_PARAMS="$1"
|
||||
HELPER="audit_dockerfile"
|
||||
|
@ -55,7 +55,7 @@
|
|||
echo "${RED}Error: ${WHITE}Missing remote location${NORMAL}"
|
||||
echo "Example: $0 audit system remote 192.168.1.100"
|
||||
ExitFatal
|
||||
else
|
||||
else
|
||||
REMOTE_TARGET="$3"
|
||||
shift; shift; shift # shift out first three arguments
|
||||
EXTRA_PARAMS=""
|
||||
|
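Review bot: `REMOTE_TARGET="$3"` in the re-indented `else` branch accepts the third argument as the remote location without any validation beyond presence; at minimum reject a value beginning with `-` so a mistyped option is not treated as the target, and consider a simple hostname/IP sanity check next to the assignment. The `shift; shift; shift` comment is helpful and should stay.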
@ -88,7 +88,7 @@
|
|||
|
||||
;;
|
||||
esac
|
||||
else
|
||||
else
|
||||
echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
|
||||
echo " "
|
||||
echo "Examples:"
|
||||
|
@ -232,8 +232,8 @@
|
|||
--tests
|
||||
--upload
|
||||
--version_(-V)"
|
||||
for I in ${OPTIONS}; do
|
||||
echo "${I}" | tr '_' ' '
|
||||
for ITEM in ${OPTIONS}; do
|
||||
echo "${ITEM}" | tr '_' ' '
|
||||
done
|
||||
ExitClean
|
||||
;;
|
||||
|
@ -386,7 +386,7 @@
|
|||
if [ -f lynis.8 ]; then
|
||||
nroff -man lynis.8
|
||||
exit 0
|
||||
else
|
||||
else
|
||||
echo "Error: man page file not found (lynis.8)"
|
||||
echo "If you are running an installed version of Lynis, use 'man lynis'"
|
||||
exit 1
|
||||
|
|
|
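Review bot: the man-page branch uses bare `exit 0` and `exit 1`, while the neighbouring argument handling uses `ExitClean` and `ExitFatal` (see the options block above); use the helpers here too so whatever cleanup they perform also runs on this path. Also, `nroff -man lynis.8` assumes `nroff` is in `PATH`, unlike the `${...BINARY}` convention used elsewhere in the tree, so a `command -v nroff` check before calling it would give a clearer error.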
@ -223,9 +223,9 @@
|
|||
|
||||
# Plugin directory
|
||||
plugindir | plugin-dir)
|
||||
if [ "${PLUGINDIR}" = "" ]; then
|
||||
if IsEmpty "${PLUGINDIR}"; then
|
||||
PLUGINDIR="${VALUE}"
|
||||
else
|
||||
else
|
||||
LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting"
|
||||
fi
|
||||
AddSetting "plugin-dir" "${PLUGINDIR}" "Plugin directory"
|
||||
|
|
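Review bot: `if IsEmpty "${PLUGINDIR}"; then` followed by `PLUGINDIR="${VALUE}"` takes the plugin directory from the profile without checking that it exists or is a directory, so a typo in the profile is only noticed when plugins are loaded; a `[ -d "${VALUE}" ]` check with a `LogText` on failure, placed before `AddSetting "plugin-dir" "${PLUGINDIR}" "Plugin directory"`, surfaces it at parse time. The swap from `[ "${PLUGINDIR}" = "" ]` to `IsEmpty` is the intended readability change and reads well.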
118
include/report
|
@ -22,64 +22,55 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Hardening Index
|
||||
# Define approximately how strong a machine has been hardened
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# If no hardening has been found, set value to 1
|
||||
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
|
||||
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
|
||||
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
|
||||
# Set color related to rating
|
||||
if [ ${HPINDEX} -lt 50 ]; then
|
||||
HPCOLOR="${RED}"
|
||||
HIDESCRIPTION="System has not or a low amount been hardened"
|
||||
fi
|
||||
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
|
||||
HPCOLOR="${YELLOW}"
|
||||
HIDESCRIPTION="System has been hardened, but could use additional hardening"
|
||||
fi
|
||||
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
|
||||
HPCOLOR="${GREEN}"
|
||||
HIDESCRIPTION="System seem to be decent hardened"
|
||||
fi
|
||||
if [ ${HPINDEX} -gt 89 ]; then
|
||||
HPCOLOR="${GREEN}"
|
||||
HIDESCRIPTION="System seem to be well hardened"
|
||||
fi
|
||||
|
||||
case ${HPAOBLOCKS} in
|
||||
0) HPBLOCKS="#"; HPEMPTY=" " ;;
|
||||
1) HPBLOCKS="#"; HPEMPTY=" " ;;
|
||||
2) HPBLOCKS="##"; HPEMPTY=" " ;;
|
||||
3) HPBLOCKS="###"; HPEMPTY=" " ;;
|
||||
4) HPBLOCKS="####"; HPEMPTY=" " ;;
|
||||
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
|
||||
6) HPBLOCKS="######"; HPEMPTY=" " ;;
|
||||
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
|
||||
8) HPBLOCKS="########"; HPEMPTY=" " ;;
|
||||
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
|
||||
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
|
||||
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
|
||||
12) HPBLOCKS="############"; HPEMPTY=" " ;;
|
||||
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
|
||||
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
|
||||
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
|
||||
16) HPBLOCKS="################"; HPEMPTY=" " ;;
|
||||
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
|
||||
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
|
||||
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
|
||||
20) HPBLOCKS="####################"; HPEMPTY="" ;;
|
||||
esac
|
||||
# If no hardening has been found, set value to 1
|
||||
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
|
||||
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
|
||||
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
|
||||
# Set color related to rating
|
||||
if [ ${HPINDEX} -lt 50 ]; then
|
||||
HPCOLOR="${RED}"
|
||||
HIDESCRIPTION="System has not or a low amount been hardened"
|
||||
elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
|
||||
HPCOLOR="${YELLOW}"
|
||||
HIDESCRIPTION="System has been hardened, but could use additional hardening"
|
||||
elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
|
||||
HPCOLOR="${GREEN}"
|
||||
HIDESCRIPTION="System seem to be decent hardened"
|
||||
elif [ ${HPINDEX} -gt 89 ]; then
|
||||
HPCOLOR="${GREEN}"
|
||||
HIDESCRIPTION="System seem to be well hardened"
|
||||
fi
|
||||
|
||||
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
|
||||
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
|
||||
LogText "Hardening strength: ${HIDESCRIPTION}"
|
||||
case ${HPAOBLOCKS} in
|
||||
0) HPBLOCKS="#"; HPEMPTY=" " ;;
|
||||
1) HPBLOCKS="#"; HPEMPTY=" " ;;
|
||||
2) HPBLOCKS="##"; HPEMPTY=" " ;;
|
||||
3) HPBLOCKS="###"; HPEMPTY=" " ;;
|
||||
4) HPBLOCKS="####"; HPEMPTY=" " ;;
|
||||
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
|
||||
6) HPBLOCKS="######"; HPEMPTY=" " ;;
|
||||
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
|
||||
8) HPBLOCKS="########"; HPEMPTY=" " ;;
|
||||
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
|
||||
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
|
||||
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
|
||||
12) HPBLOCKS="############"; HPEMPTY=" " ;;
|
||||
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
|
||||
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
|
||||
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
|
||||
16) HPBLOCKS="################"; HPEMPTY=" " ;;
|
||||
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
|
||||
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
|
||||
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
|
||||
20) HPBLOCKS="####################"; HPEMPTY="" ;;
|
||||
esac
|
||||
|
||||
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
|
||||
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
|
||||
LogText "Hardening strength: ${HIDESCRIPTION}"
|
||||
|
||||
|
||||
# Only show overview if not running in quiet mode
|
||||
|
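Review bot: the `case ${HPAOBLOCKS} in` block that now follows the `elif` chain has no `*)` default, so `HPBLOCKS` and `HPEMPTY` stay unset whenever `HPAOBLOCKS` falls outside 0..20 (for example `HPPOINTS` larger than `HPTOTAL`) and `HPGRAPH` is rendered as `[]`; add `*) HPBLOCKS="####################"; HPEMPTY="" ;;` or clamp the value before the `case`. The `-a` operator in `[ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]` is obsolescent in POSIX `test`; `[ ${HPINDEX} -gt 49 ] && [ ${HPINDEX} -lt 80 ]` is the portable spelling. While the descriptions are being moved, "System seem to be decent hardened" reads better as "System seems to be decently hardened".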
@ -111,7 +102,7 @@
|
|||
SWARNINGS=$(${GREPBINARY} -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g')
|
||||
if [ -z "${SWARNINGS}" ]; then
|
||||
echo " ${OK}Great, no warnings${NORMAL}"; echo ""
|
||||
else
|
||||
else
|
||||
echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
|
||||
echo " ${WHITE}----------------------------${NORMAL}"
|
||||
for WARNING in ${SWARNINGS}; do
|
||||
|
@ -132,7 +123,7 @@
|
|||
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
||||
if [ -z "${IS_CUSTOM}" ]; then
|
||||
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
|
||||
else
|
||||
else
|
||||
echo " ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
|
||||
fi
|
||||
echo ""
|
||||
|
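Review bot: `if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then` combines `-a` and `!` in one `test` invocation, which POSIX leaves unspecified beyond four arguments and which shells parse differently; split it into `[ ${SHOW_REPORT_SOLUTION} -eq 1 ] && [ "${SOLUTION}" != "-" ]`. Also, `if [ -z "${IS_CUSTOM}" ]; then` was left in the old form even though this commit introduces `IsEmpty` for exactly this pattern; the same applies to the identical block in the suggestions section below.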
@ -144,7 +135,7 @@
|
|||
|
||||
if [ "${SSUGGESTIONS}" = "" ]; then
|
||||
echo " ${OK}No suggestions${NORMAL}"; echo ""
|
||||
else
|
||||
else
|
||||
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
|
||||
echo " ${WHITE}----------------------------${NORMAL}"
|
||||
for SUGGESTION in ${SSUGGESTIONS}; do
|
||||
|
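Review bot: `if [ "${SSUGGESTIONS}" = "" ]; then` is the pattern this commit replaces with `IsEmpty` in the profile parsing, so `if IsEmpty "${SSUGGESTIONS}"; then` would keep the report consistent with the rest of the change; the same holds for the `[ -z "${SWARNINGS}" ]` test in the warnings block above.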
@ -165,7 +156,7 @@
|
|||
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
|
||||
if [ -z "${IS_CUSTOM}" ]; then
|
||||
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
|
||||
else
|
||||
else
|
||||
echo " ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
|
||||
fi
|
||||
echo ""
|
||||
|
@ -203,7 +194,8 @@
|
|||
echo " ${SECTION}Lynis Modules${NORMAL}:"
|
||||
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
|
||||
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
|
||||
else COMPLIANCE="${YELLOW}?";
|
||||
else
|
||||
COMPLIANCE="${YELLOW}?"
|
||||
fi
|
||||
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
|
||||
echo " - Security Audit [${GREEN}V${NORMAL}]"
|
||||
|
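Review bot: replacing the one-line `else COMPLIANCE="${YELLOW}?";` with a proper `else` / `COMPLIANCE="${YELLOW}?"` / `fi` block is the right fix; the old form silently depended on the trailing `;`. The outer test `if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then` is unquoted, so `COMPLIANCE_TESTS_PERFORMED` must be initialised to a number before the report runs, otherwise the `?` branch is never reached and `test` errors instead.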
@ -218,7 +210,7 @@
|
|||
echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_NAME} ${GEN_UPDATE_AVAILABLE}${NORMAL}"
|
||||
echo " ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL} ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}"
|
||||
echo "================================================================================"
|
||||
else
|
||||
else
|
||||
###########################################################################################
|
||||
#
|
||||
# Software quality program
|
||||
|
@ -252,9 +244,9 @@
|
|||
# Split entries
|
||||
FIND=$(echo ${FIND} | sed 's/====/ /g')
|
||||
# Display found entries
|
||||
for I in ${FIND}; do
|
||||
J=$(echo ${I} | sed 's/:space:/ /g')
|
||||
echo " ${J}"
|
||||
for ITEM in ${FIND}; do
|
||||
OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')
|
||||
echo " ${OUTPUT}"
|
||||
done
|
||||
echo ""
|
||||
echo "================================================================================"
|
||||
|
|
|
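Review bot: `OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')` and `echo " ${OUTPUT}"` expand the entry unquoted, so a log entry containing `*` or `?` is subject to pathname expansion before `sed` sees it; since these entries originate in the log file rather than in the script, use `printf '%s\n' "${ITEM}"` and quote `"${OUTPUT}"`. `OUTPUT` is a clearer name than `J` for the de-escaped value.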
@ -26,7 +26,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
|
||||
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
|
||||
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited record restricted secure subject terms this unauthorized"
|
||||
#
|
||||
#################################################################################
|
||||
|
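Review bot: `BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"` relies on `ROOTDIR` ending in a slash, as does every `${ROOTDIR}etc/...` path in this change; a comment at the top of the file stating that convention, or a normalisation where `ROOTDIR` is assigned, prevents a value such as `/mnt/root` from silently producing `/mnt/rootetc/issue` and every banner test reporting "not found".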
@ -35,109 +35,51 @@
|
|||
# Description : Check FreeBSD COPYRIGHT banner file
|
||||
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
|
||||
if [ -f /COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s /COPYRIGHT ]; then
|
||||
LogText "Result: /COPYRIGHT available and contains text"
|
||||
else
|
||||
LogText "Result: /COPYRIGHT available, but empty"
|
||||
LogText "Test: Testing existence ${ROOTDIR}COPYRIGHT or ${ROOTDIR}etc/COPYRIGHT"
|
||||
if [ -f ${ROOTDIR}COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s ${ROOTDIR}COPYRIGHT ]; then
|
||||
LogText "Result: ${ROOTDIR}COPYRIGHT available and contains text"
|
||||
else
|
||||
LogText "Result: ${ROOTDIR}COPYRIGHT available, but empty"
|
||||
fi
|
||||
else
|
||||
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: /COPYRIGHT not found"
|
||||
else
|
||||
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: ${ROOTDIR}COPYRIGHT not found"
|
||||
fi
|
||||
|
||||
if [ -f /etc/COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s /etc/COPYRIGHT ]; then
|
||||
LogText "Result: /etc/COPYRIGHT available and contains text"
|
||||
else
|
||||
LogText "Result: /etc/COPYRIGHT available, but empty"
|
||||
if [ -f ${ROOTDIR}etc/COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s ${ROOTDIR}etc/COPYRIGHT ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available and contains text"
|
||||
else
|
||||
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available, but empty"
|
||||
fi
|
||||
else
|
||||
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: /etc/COPYRIGHT not found"
|
||||
else
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: ${ROOTDIR}etc/COPYRIGHT not found"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : BANN-7119
|
||||
# Description : Check MOTD banner file
|
||||
#Register --test-no BANN-7119 --weight L --network NO --category security --description "Check MOTD banner file"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# LogText "Test: Testing existence /etc/motd"
|
||||
# if [ -f /etc/motd ]; then
|
||||
# LogText "Result: file /etc/motd exists"
|
||||
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN
|
||||
# if [ ! -L /etc/motd ]; then
|
||||
# if IsWorldWritable /etc/motd; then
|
||||
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
|
||||
# LogText "Result: /etc/motd is world writable. Users can change this file!"
|
||||
# ReportWarning ${TEST_NO} "/etc/motd is world writable"
|
||||
# else
|
||||
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
|
||||
# LogText "Result: /etc/motd is not world writable."
|
||||
# fi
|
||||
# else
|
||||
# LogText "Result: file /etc/motd is symlink"
|
||||
# fi
|
||||
# else
|
||||
# LogText "Result: File /etc/motd not found"
|
||||
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
# fi
|
||||
#fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : BANN-7122
|
||||
# Description : Check motd file to see if it contains some form of message
|
||||
# to discourage unauthorized users to leave the system alone
|
||||
#if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/motd banner file contents"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# N=0
|
||||
# LogText "Test: Checking file /etc/motd contents for legal key words"
|
||||
# for I in ${LEGAL_BANNER_STRINGS}; do
|
||||
# FIND=$(${GREPBINARY} -i "${I}" /etc/motd)
|
||||
# if [ ! "${FIND}" = "" ]; then
|
||||
# LogText "Result: found string '${I}'"
|
||||
# N=$((N + 1))
|
||||
# fi
|
||||
# done
|
||||
# # Check if we have 5 or more key words
|
||||
# if [ ${N} -gt 4 ]; then
|
||||
# LogText "Result: Found ${N} key words, to warn unauthorized users"
|
||||
# Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN
|
||||
# AddHP 2 2
|
||||
# else
|
||||
# LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
|
||||
# Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
|
||||
# ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
|
||||
# AddHP 0 1
|
||||
# fi
|
||||
#fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : BANN-7124
|
||||
# Description : Check issue banner file
|
||||
Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking file /etc/issue"
|
||||
if [ -f /etc/issue ]; then
|
||||
LogText "Test: Checking file ${ROOTDIR}etc/issue"
|
||||
if [ -f ${ROOTDIR}etc/issue ]; then
|
||||
# Check for symlink
|
||||
if [ -L /etc/issue ]; then
|
||||
LogText "Result: file /etc/issue exists (symlink)"
|
||||
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -L ${ROOTDIR}etc/issue ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/issue exists (symlink)"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result SYMLINK --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/issue does not exist"
|
||||
Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}etc/issue does not exist"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
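Review bot: deleting the commented-out BANN-7119 and BANN-7122 motd tests leaves `${ROOTDIR}etc/motd` in `BANNER_FILES` at the top of this file with no remaining test in the file that references it; either drop it from the list or leave a comment naming the test that still consumes it. In BANN-7113 and BANN-7124 the expansions `[ -f ${ROOTDIR}COPYRIGHT ]` and `[ -f ${ROOTDIR}etc/issue ]` are unquoted, so a `ROOTDIR` containing a space breaks `test`; quoting them costs nothing. The path substitution is otherwise applied consistently to the `Display` and `LogText` lines of both tests.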
@ -145,26 +87,26 @@
|
|||
# Test : BANN-7126
|
||||
# Description : Check issue file to see if it contains some form of message
|
||||
# to discourage unauthorized users to leave the system alone
|
||||
if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
FILE="${ROOTDIR}etc/issue"
|
||||
LogText "Test: Checking file ${FILE} contents for legal key words"
|
||||
for I in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${I}" ${FILE})
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found string '${I}'"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found string '${ITEM}'"
|
||||
COUNT=$((COUNT + 1))
|
||||
fi
|
||||
done
|
||||
# Check if we have 5 or more key words
|
||||
if [ ${N} -gt 4 ]; then
|
||||
LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
|
||||
if [ ${COUNT} -gt 4 ]; then
|
||||
LogText "Result: Found ${COUNT} key words (5 or more suggested), to warn unauthorized users"
|
||||
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
|
||||
else
|
||||
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- ${FILE} contents" --result WEAK --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
|
||||
AddHP 0 1
|
||||
|
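Review bot: the `if [ ${COUNT} -gt 4 ]; then` threshold in BANN-7126 treats five case-insensitive substring hits from `LEGAL_BANNER_STRINGS` as a legal banner, but that list includes generic words such as `this`, `subject`, `terms` and `owner`, so text that is not a warning at all but happens to contain several of them reaches the `STATUS_OK` branch and earns `AddHP 2 2`; `${GREPBINARY} -i -w "${ITEM}" "${FILE}"` (whole-word matching) or a shorter list of distinctive terms would make the check harder to satisfy by accident. The `N` to `COUNT` rename and the `HasData "${FIND}"` replacement match the rest of the commit.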
@ -178,19 +120,19 @@
|
|||
# Description : Check issue.net banner file
|
||||
Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking file /etc/issue.net"
|
||||
if [ -f /etc/issue.net ]; then
|
||||
LogText "Test: Checking file ${ROOTDIR}etc/issue.net"
|
||||
if [ -f ${ROOTDIR}etc/issue.net ]; then
|
||||
# Check for symlink
|
||||
if [ -L /etc/issue.net ]; then
|
||||
LogText "Result: file /etc/issue.net exists (symlink)"
|
||||
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
|
||||
else
|
||||
LogText "Result: file /etc/issue.net exists"
|
||||
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -L ${ROOTDIR}etc/issue.net ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/issue.net exists (symlink)"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result SYMLINK --color GREEN
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}etc/issue.net exists"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/issue.net does not exist"
|
||||
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}etc/issue.net does not exist"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -199,26 +141,26 @@
|
|||
# Test : BANN-7130
|
||||
# Description : Check issue.net file to see if it contains some form of message
|
||||
# to discourage unauthorized users to leave the system alone
|
||||
if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: Checking file /etc/issue.net contents for legal key words"
|
||||
for I in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found string '${I}'"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
LogText "Test: Checking file ${ROOTDIR}etc/issue.net contents for legal key words"
|
||||
for ITEM in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${ITEM}" ${ROOTDIR}etc/issue.net)
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found string '${ITEM}'"
|
||||
COUNT=$((COUNT + 1))
|
||||
fi
|
||||
done
|
||||
# Check if we have 5 or more key words
|
||||
if [ ${N} -gt 4 ]; then
|
||||
LogText "Result: Found ${N} key words, to warn unauthorized users"
|
||||
Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
|
||||
if [ ${COUNT} -gt 4 ]; then
|
||||
LogText "Result: Found ${COUNT} key words, to warn unauthorized users"
|
||||
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
|
||||
else
|
||||
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result WEAK --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
|
||||
AddHP 0 1
|
||||
fi
|
||||
|
|
|
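Review bot: `ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"` in the trailing context still hard-codes `/etc/issue.net` while every `LogText` and `Display` line of BANN-7130 was switched to `${ROOTDIR}etc/issue.net`; update it to match. BANN-7126 above introduced `FILE="${ROOTDIR}etc/issue"` and used `${FILE}` throughout; the same pattern here would remove the path repeated in five lines of this test.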
@ -414,12 +414,12 @@
|
|||
Register --test-no BOOT-5142 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
BOOT_LOADER_SEARCHED=1
|
||||
if [ -f /etc/silo.conf ]; then
|
||||
if [ -f ${ROOTDIR}etc/silo.conf ]; then
|
||||
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
|
||||
Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
|
||||
BOOT_LOADER="SILO"
|
||||
BOOT_LOADER_FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: no SILO configuration file found."
|
||||
fi
|
||||
fi
|
||||
|
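Review bot: `if [ -f ${ROOTDIR}etc/silo.conf ]; then` is immediately followed by the unchanged `LogText "Result: Found SILO configuration file (/etc/silo.conf)"`, so the log names a different path than the one actually tested whenever `ROOTDIR` is not `/`; change the message to `(${ROOTDIR}etc/silo.conf)` in the same hunk.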
@ -497,24 +497,24 @@
|
|||
# Description : Check for FreeBSD boot services
|
||||
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! -z "${SERVICEBINARY}" ]; then
|
||||
if HasData "${SERVICEBINARY}"; then
|
||||
# FreeBSD (Ask services(8) for enabled services)
|
||||
LogText "Searching for services at startup (service)"
|
||||
FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY})
|
||||
else
|
||||
# FreeBSD (Read /etc/rc.conf file for enabled services)
|
||||
LogText "Searching for services at startup (rc.conf)"
|
||||
FIND=$(${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
|
||||
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
|
||||
fi
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Found service (service/rc.conf): ${I}"
|
||||
Report "boottask[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found service (service/rc.conf): ${ITEM}"
|
||||
Report "boottask[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 6 --text "Result: found $N services/options set"
|
||||
LogText "Found $N services/options to run at startup"
|
||||
Display --indent 6 --text "Result: found ${COUNT} services/options set"
|
||||
LogText "Found ${COUNT} services/options to run at startup"
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
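Review bot: in BOOT-5165 the `if HasData "${SERVICEBINARY}"; then` branch queries the live host with `${SERVICEBINARY} -e`, while the fallback now reads `${ROOTDIR}etc/rc.conf`; when `ROOTDIR` points at a mounted root the two branches describe different systems, so the `service -e` path should be skipped, or its output logged as host data, unless `ROOTDIR` is `/`. The `N` to `COUNT` rename is complete within this hunk and `${COUNT}` is now braced consistently in the `Display` and `LogText` lines.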
@ -527,56 +527,56 @@
|
|||
CHECKED=0
|
||||
LogText "Test: checking presence systemctl binary"
|
||||
# Determine if we have systemctl on board
|
||||
if [ ! -z "${SYSTEMCTLBINARY}" ]; then
|
||||
if HasData "${SYSTEMCTLBINARY}"; then
|
||||
LogText "Result: systemctl binary found, trying that to discover information"
|
||||
# Running services
|
||||
LogText "Searching for running services (systemctl services only)"
|
||||
FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
|
||||
N=0
|
||||
COUNT=0
|
||||
Report "running_service_tool=systemctl"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found running service: ${I}"
|
||||
Report "running_service[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found running service: ${ITEM}"
|
||||
Report "running_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Note: Run systemctl --full --type=service to see all services"
|
||||
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found $N running services"
|
||||
LogText "Result: Found $N enabled services"
|
||||
Display --indent 8 --text "Result: found ${COUNT} running services"
|
||||
LogText "Result: Found ${COUNT} enabled services"
|
||||
|
||||
# Services at boot
|
||||
LogText "Searching for enabled services (systemctl services only)"
|
||||
FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
|
||||
N=0
|
||||
COUNT=0
|
||||
Report "boot_service_tool=systemctl"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found enabled service at boot: ${I}"
|
||||
Report "boot_service[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found enabled service at boot: ${ITEM}"
|
||||
Report "boot_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Note: Run systemctl list-unit-files --type=service to see all services"
|
||||
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found $N enabled services"
|
||||
LogText "Result: Found $N running services"
|
||||
Display --indent 8 --text "Result: found ${COUNT} enabled services"
|
||||
LogText "Result: Found ${COUNT} running services"
|
||||
|
||||
else
|
||||
else
|
||||
|
||||
LogText "Result: systemctl binary not found, checking chkconfig binary"
|
||||
if [ ! -z "${CHKCONFIGBINARY}" ]; then
|
||||
LogText "Result: chkconfig binary found, trying that to discover information"
|
||||
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
|
||||
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
|
||||
N=0
|
||||
COUNT=0
|
||||
Report "boot_service_tool=chkconfig"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found service (at boot, runlevel 3 or 5): ${I}"
|
||||
Report "boot_service[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found service (at boot, runlevel 3 or 5): ${ITEM}"
|
||||
Report "boot_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
|
||||
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found $N services"
|
||||
LogText "Result: Found $N services at startup"
|
||||
Display --indent 8 --text "Result: found ${COUNT} services"
|
||||
LogText "Result: Found ${COUNT} services at startup"
|
||||
else
|
||||
LogText "Result: both systemctl and chkconfig not found. Skipping this test"
|
||||
fi
|
||||
|
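Review bot: the two `LogText` summaries are swapped and the rename preserved that: after the running-services loop, `Display --indent 8 --text "Result: found ${COUNT} running services"` is followed by `LogText "Result: Found ${COUNT} enabled services"`, and after the enabled-services loop the log says `running services`; exchange the two `LogText` strings so the log agrees with the screen. Also, `if [ ! -z "${CHKCONFIGBINARY}" ]; then` in the `else` branch was left in the old form while `SYSTEMCTLBINARY` just above was converted to `HasData`.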
@ -598,14 +598,14 @@
|
|||
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
for SERVICE in ${FIND}; do
|
||||
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
|
||||
Display --indent 4 --text "Result: found $N services"
|
||||
LogText "Result: found $N services"
|
||||
Display --indent 4 --text "Result: found ${COUNT} services"
|
||||
LogText "Result: found ${COUNT} services"
|
||||
fi
|
||||
elif [ -z "${sRUNLEVEL}" ]; then
|
||||
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
|
||||
|
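Review bot: the context line `FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)` ends with a bare `sort` while the other pipelines in this file use `${SORTBINARY}`; use the binary variable here as well. More importantly, `-f4` assumes `ROOTDIR` is `/` (three leading components in `/etc/rc2.d/S..`), so with a deeper `ROOTDIR` such as `/mnt/root/` the cut returns `etc` for every entry instead of the service name and the `COUNT` reported is meaningless; take the basename of each path instead of a fixed field.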
@ -623,35 +623,35 @@
|
|||
FOUND=0
|
||||
CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
|
||||
|
||||
LogText "Result: checking /etc/init.d scripts for writable bit"
|
||||
for I in ${CHECKDIRS}; do
|
||||
LogText "Test: checking if directory ${I} exists"
|
||||
if [ -d ${I} ]; then
|
||||
LogText "Result: directory ${I} found"
|
||||
LogText "Result: checking ${ROOTDIR}etc/init.d scripts for writable bit"
|
||||
for DIR in ${CHECKDIRS}; do
|
||||
LogText "Test: checking if directory ${DIR} exists"
|
||||
if [ -d ${DIR} ]; then
|
||||
LogText "Result: directory ${DIR} found"
|
||||
LogText "Test: checking for available files in directory"
|
||||
FIND=$(${FINDBINARY} ${I} -type f -print)
|
||||
FIND=$(${FINDBINARY} ${DIR} -type f -print)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found files in directory, checking permissions now"
|
||||
for J in ${FIND}; do
|
||||
LogText "Test: checking permissions of file ${J}"
|
||||
if IsWorldWritable ${J}; then
|
||||
for FILE in ${FIND}; do
|
||||
LogText "Test: checking permissions of file ${FILE}"
|
||||
if IsWorldWritable ${FILE}; then
|
||||
FOUND=1
|
||||
LogText "Result: warning, file ${J} is world writable"
|
||||
LogText "Result: warning, file ${FILE} is world writable"
|
||||
else
|
||||
LogText "Result: good, file ${J} not world writable"
|
||||
LogText "Result: good, file ${FILE} not world writable"
|
||||
fi
|
||||
done
|
||||
else
|
||||
LogText "Result: found no files in directory."
|
||||
fi
|
||||
else
|
||||
LogText "Result: directory ${I} not found. Skipping.."
|
||||
LogText "Result: directory ${DIR} not found. Skipping.."
|
||||
fi
|
||||
done
|
||||
|
||||
# /etc/rc[0-6].d
|
||||
for NO in 0 1 2 3 4 5 6; do
|
||||
LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit"
|
||||
LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
|
||||
if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print)
|
||||
for I in ${FIND}; do
|
||||
|
|
|
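Review bot: `FIND=$(${FINDBINARY} ${DIR} -type f -print)` followed by `for FILE in ${FIND}` splits on whitespace, so a script path containing a space produces two bogus entries and IsWorldWritable never sees the real file; the FILE-6354 hunk in this same commit handles exactly this with `${SEDBINARY} 's/ /!space!/g'` and the reverse substitution, apply the same here. Two smaller points: the log line `checking ${ROOTDIR}etc/init.d scripts for writable bit` names only one of the three CHECKDIRS entries, and the rc[0-6].d loop at the bottom still uses `for I in ${FIND}` although the loop above was renamed to DIR/FILE.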
@ -41,16 +41,16 @@
|
|||
LogText "Test: query zoneadm to list all running zones"
|
||||
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
ZONEID=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
|
||||
ZONENAME=$(echo ${I} | ${CUTBINARY} -d ':' -f2)
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
ZONEID=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f1)
|
||||
ZONENAME=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f2)
|
||||
LogText "Result: found zone ${ZONENAME} (running)"
|
||||
Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
|
||||
done
|
||||
LogText "Result: total of ${N} running zones"
|
||||
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
|
||||
LogText "Result: total of ${COUNT} running zones"
|
||||
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${COUNT} zones" --color GREEN
|
||||
else
|
||||
LogText "Result: no running zones found"
|
||||
Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE
|
||||
|
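Review bot: `if [ ! -z "${FIND}" ]` at the top of this hunk is left as the raw test while the commit converts the same pattern to HasData elsewhere, and `${ROOTDIR}usr/sbin/zoneadm` is a hard-coded path where the other hunks resolve tools through a `*BINARY` variable guarded by HasData. The N/I to COUNT/ITEM rename is fine; `zoneadm list -p` emits one colon-separated record per line without spaces, so the `for ITEM in ${FIND}` split is safe here.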
@ -59,7 +59,9 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : CONT-1906
|
||||
# Do you have Xen running? Help us testing this test and submit a pull request on GitHub
|
||||
|
||||
# Test : CONT-1906 TODO
|
||||
# Description : Query running Xen zones
|
||||
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
|
||||
|
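Review bot: the commented-out prerequisite `#if [ -x /usr/bin/xm ]` keeps a fixed path; when this TODO test is implemented it should use `${ROOTDIR}` and a binary variable like the rest of the commit. The removed "Do you have Xen running? Help us testing this test" line was the only hint to contributors that the test lacks a tester; the bare TODO marker does not say why the test is disabled, so keep a one-line reason next to it.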
@ -95,7 +97,7 @@
|
|||
# Test : CONT-8104
|
||||
# Description : Checking Docker info for any warnings
|
||||
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
|
||||
if [ ! -z "${DOCKERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${DOCKERBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
COUNT=0
|
||||
|
|
|
@ -86,7 +86,7 @@
|
|||
if IsVerbose; then Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN; fi
|
||||
AddHP 2 2
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Test skipped, MySQL daemon not running or no MySQL client available"
|
||||
fi
|
||||
#
|
||||
|
@ -118,14 +118,14 @@
|
|||
LogText "Result: found MongoDB configuration file (${FILE})"
|
||||
LogText "Test: determine authorization setting in new style YAML format"
|
||||
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
|
||||
if [ ! -z "${AUTH_IN_CONFIG}" ]; then
|
||||
if HasData "${AUTH_IN_CONFIG}"; then
|
||||
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)"
|
||||
MONGODB_AUTHORIZATION_ENABLED=1
|
||||
else
|
||||
LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
|
||||
LogText "Test: now searching for old style configuration (auth = true) in configuration file"
|
||||
AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)")
|
||||
if [ -z "${AUTH_IN_CONFIG}" ]; then
|
||||
if IsEmpty "${AUTH_IN_CONFIG}"; then
|
||||
LogText "Result: did NOT find auth = true in configuration file"
|
||||
else
|
||||
LogText "Result: GOOD, found authorization option enabled in configuration file (old format)"
|
||||
|
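Review bot: the exclusion filter `${GREPBINARY} -E -v "(^#|#auth)"` does not catch an indented comment with a space after the hash, such as `  # authorization: enabled`, which is a common way of commenting an option out; that line passes both greps and sets MONGODB_AUTHORIZATION_ENABLED=1 for a server that has authorization off. Dropping any comment line regardless of indentation, e.g. `${GREPBINARY} -E -v "^[[:space:]]*#"`, closes the gap for both the YAML and the old-style `auth = true` check. The HasData/IsEmpty swaps themselves are correct.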
@ -139,7 +139,7 @@
|
|||
|
||||
# Now check authorization on the command line
|
||||
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
|
||||
if [ ! -z "${PGREPBINARY}" ]; then
|
||||
if HasData "${PGREPBINARY}"; then
|
||||
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
|
||||
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
|
||||
else
|
||||
|
|
|
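Review bot: `${PGREPBINARY} mongo` matches every process whose name contains `mongo` (a `mongos` router or an interactive `mongo` shell as well as `mongod`), so a `--auth` flag on any of them marks the database server as authorization-enabled; `${PGREPBINARY} -x mongod` restricts the match to the daemon. Also `cat`, `xargs` and `/proc/${I}/cmdline` are bare paths and the loop variable I is not renamed as in the other hunks, while the HasData swap for PGREPBINARY is fine.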
@ -279,7 +279,7 @@
|
|||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW
|
||||
LogText "Result: no swap partitions found in /etc/fstab"
|
||||
fi
|
||||
|
@ -350,29 +350,29 @@
|
|||
#
|
||||
# Test : FILE-6354
|
||||
# Description : Search files within /tmp which are older than 3 months
|
||||
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -d ${ROOTDIR}tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Searching for old files in /tmp"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching for old files in /tmp"
|
||||
# Search for files only in /tmp, with an access time older than X days
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: no files found in /tmp which are older than 3 months"
|
||||
LogText "Test: Searching for old files in ${ROOTDIR}tmp"
|
||||
# Search for files only in ${ROOTDIR}tmp, with an access time older than X days
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
|
||||
if IsEmpty "${FIND}"; then
|
||||
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: no files found in ${ROOTDIR}tmp which are older than 3 months"
|
||||
else
|
||||
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_FOUND}" --color RED
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Old temporary file: ${FILE}"
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
|
||||
LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
|
||||
LogText "Result: found old files in ${ROOTDIR}tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
|
||||
LogText "Advice: check and clean up unused files in ${ROOTDIR}tmp. Old files can fill up a disk or contain"
|
||||
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
|
||||
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
|
||||
LogText "directories by setting a boot option."
|
||||
ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
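Review bot: the find expression and the log text disagree: `-atime +${TMP_OLD_DAYS}` selects on access time, but the result line says files "were not modified in the last ${TMP_OLD_DAYS} days" and the OK branch says "older than 3 months" regardless of what TMP_OLD_DAYS is set to; either switch to `-mtime` or reword both messages to say "not accessed" and use the variable. Two more points: the Register description and the typo "should be deleted it not being used actively" (should be "if") are untouched, and the new `2> /dev/null` hides permission errors from find, so when Lynis runs unprivileged an unreadable subtree of ${ROOTDIR}tmp now yields an OK result rather than a visible failure.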
@ -380,18 +380,18 @@
|
|||
#
|
||||
# Test : FILE-6362
|
||||
# Description : Check for sticky bit on /tmp
|
||||
if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
|
||||
if [ -d ${ROOTDIR}tmp -a ! -L ${ROOTDIR}tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
|
||||
Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking /tmp sticky bit"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Depending on OS, number of field with 'tmp' differs
|
||||
FIND=$(${LSBINARY} -ld /tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
|
||||
FIND=$(${LSBINARY} -ld ${ROOTDIR}tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
|
||||
if [ "${FIND}" = "1" ]; then
|
||||
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: sticky bit found on /tmp directory"
|
||||
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: sticky bit found on ${ROOTDIR}tmp directory"
|
||||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Set the sticky bit on /tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
|
||||
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
|
||||
AddHP 0 3
|
||||
fi
|
||||
unset FIND
|
||||
|
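Review bot: the ReportSuggestion detail field and the SKIPREASON text still say `/tmp` while the check and the Display text were switched to `${ROOTDIR}tmp`, and the suggestion sentence now mixes both forms. Separately, the awk filter `$1 ~ /[tT]/` treats an uppercase `T` the same as `t`; in `ls -l` output `T` means the sticky bit is set but others lack execute permission on the directory, so users cannot traverse it at all, which deserves its own message rather than the full `AddHP 3 3`.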
@ -440,10 +440,10 @@
|
|||
if [ ! -z "${FIND2}" ]; then
|
||||
LogText "Result: found ACL option in default mount options"
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: no ACL option found in default mount options list"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: No file system found with root file system"
|
||||
fi
|
||||
fi
|
||||
|
@ -566,7 +566,7 @@
|
|||
AddHP 4 5
|
||||
fi
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab"
|
||||
fi
|
||||
done
|
||||
|
@ -579,8 +579,8 @@
|
|||
# Description : Bind mount the /var/tmp directory to /tmp
|
||||
Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f /etc/fstab ]; then
|
||||
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
|
||||
if [ -f ${ROOTDIR}etc/fstab ]; then
|
||||
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
|
||||
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
|
||||
|
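Review bot: `${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab` also matches a commented-out entry written with a space after the hash, such as `# /var/tmp /tmp none bind 0 0`, because awk sees `#` as $1 and `/var/tmp` as $2; a disabled bind mount would then be reported as configured. Skip comment lines first, e.g. `'/^[[:space:]]*#/ { next } $2=="/var/tmp" { print $4 }'`. The `if [ ! -z "${FIND}" ]` below is another candidate for HasData.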
@ -600,7 +600,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6378
|
||||
# Test : FILE-6378 TODO
|
||||
# Description : Check for nodirtime option
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -608,7 +608,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6380
|
||||
# Test : FILE-6380 TODO
|
||||
# Description : Check for relatime
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -616,7 +616,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6390
|
||||
# Test : FILE-6390 TODO
|
||||
# Description : Check writeback/journalling mode (ext3)
|
||||
# More info : data=writeback | data=ordered | data=journal
|
||||
|
||||
|
@ -625,7 +625,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6394
|
||||
# Test : FILE-6394 TODO
|
||||
# Description : Check vm.swappiness (Linux)
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -633,7 +633,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6398
|
||||
# Test : FILE-6398 TODO
|
||||
# Description : Check if JBD (Journal Block Device) driver is loaded
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -651,20 +651,20 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking locate database"
|
||||
FOUND=0
|
||||
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
|
||||
for I in ${LOCATE_DBS}; do
|
||||
if [ -f ${I} ]; then
|
||||
LogText "Result: locate database found (${I})"
|
||||
LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
|
||||
for FILE in ${LOCATE_DBS}; do
|
||||
if [ -f ${FILE} ]; then
|
||||
LogText "Result: locate database found (${FILE})"
|
||||
FOUND=1
|
||||
LOCATE_DB="${I}"
|
||||
else
|
||||
LogText "Result: file ${I} not found"
|
||||
LOCATE_DB="${FILE}"
|
||||
else
|
||||
LogText "Result: file ${FILE} not found"
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN
|
||||
Report "locate_db=${LOCATE_DB}"
|
||||
else
|
||||
else
|
||||
LogText "Result: database not found"
|
||||
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
|
||||
|
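Review bot: the loop keeps running after `FOUND=1`, so when more than one path in LOCATE_DBS exists LOCATE_DB ends up as the last match and only the log records the earlier one; if a single database is meant to be reported, `break` after the assignment, otherwise `Report` every match. The path tests remain unquoted (`[ -f ${FILE} ]`), which is harmless for these fixed paths but inconsistent with the quoting used elsewhere in the commit.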
@ -673,7 +673,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6420
|
||||
# Test : FILE-6420 TODO
|
||||
# Description : Check automount process
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -681,7 +681,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6422
|
||||
# Test : FILE-6422 TODO
|
||||
# Description : Check automount maps (files or for example LDAP based)
|
||||
# Notes : Warn when automounter is running
|
||||
|
||||
|
@ -690,7 +690,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6424
|
||||
# Test : FILE-6424 TODO
|
||||
# Description : Check automount map files
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -698,7 +698,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6425
|
||||
# Test : FILE-6425 TODO
|
||||
# Description : Check mounted files systems via automounter
|
||||
# Notes : Warn when no systems are mounted?
|
||||
|
||||
|
@ -728,11 +728,11 @@
|
|||
LogText "Test: Checking if ${FS} is active"
|
||||
# Check if FS is present in lsmod output
|
||||
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: module ${FS} is not loaded in the kernel"
|
||||
AddHP 2 3
|
||||
#Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN
|
||||
# Tip to disable a particular module if it is not loaded
|
||||
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
|
||||
# Tip to disable a particular module if it is not loaded TODO
|
||||
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
|
||||
FOUND=1
|
||||
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
|
||||
|
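Review bot: `${EGREPBINARY} "^${FS}"` is a prefix match, so a loaded module whose name merely begins with the one under test (for example `hfsplus` when checking `hfs`) is treated as that module being loaded and the wrong branch is taken; anchor the pattern on the end of the module column, e.g. `"^${FS}( |$)"`, the way the MongoDB hunk in this commit anchors `--auth( |$)`. Replacing the commented-out Display with `if IsDebug; then ... fi` is fine.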
@ -742,7 +742,7 @@
|
|||
fi
|
||||
else
|
||||
AddHP 3 3
|
||||
#Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
|
||||
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
|
|
|
@ -166,7 +166,7 @@
|
|||
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
|
||||
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
|
||||
else
|
||||
else
|
||||
LogText "Result: one or more rules are available (${FIND} rules)"
|
||||
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
|
@ -181,10 +181,10 @@
|
|||
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: There are no unused rules present"
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
|
||||
LogText "Result: Found one or more possible unused rules"
|
||||
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
|
||||
|
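Review bot: FIND collects the rule numbers with a zero packet counter but the visible else branch only reports that the list is non-empty; log `${FIND}` there so the reader can see which rules were flagged, and note that `--line-numbers` restart at 1 for every chain, so the numbers alone do not identify a rule without the chain name. The awk filter `$2=="0"` is safe on the `Chain INPUT (policy ...)` and `num pkts bytes ...` header lines since $2 is a name there, but a rule that simply has not matched since the last counter reset looks identical to a dead one, which the "possible unused" wording should keep acknowledging.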
@ -226,7 +226,7 @@
|
|||
LogText "Result: pf is enabled"
|
||||
PFFOUND=1
|
||||
AddHP 3 3
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
ReportException ${TEST_NO} "Unknown status of pf firewall"
|
||||
fi
|
||||
|
@ -240,11 +240,11 @@
|
|||
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: Can not find pf KLD"
|
||||
else
|
||||
else
|
||||
LogText "Result: pf KLD loaded"
|
||||
PFFOUND=1
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: no kldstat binary, skipping this part"
|
||||
fi
|
||||
|
||||
|
@ -254,7 +254,7 @@
|
|||
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
|
||||
PFFOUND=1
|
||||
PFLOGDFOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: pflog daemon not found in process list"
|
||||
fi
|
||||
fi
|
||||
|
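Review bot: `PFLOGDFOUND=1` is added next to `PFFOUND=1` but nothing in this hunk reads it; given the commit's stated goal of initialising variables, make sure PFLOGDFOUND is set to 0 before this block and consumed where the pf result is summarised, otherwise it is dead state that a later reader will wonder about.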
@ -263,7 +263,7 @@
|
|||
FIREWALL_ACTIVE=1
|
||||
FIREWALL_SOFTWARE="pf"
|
||||
Report "firewall_software[]=pf"
|
||||
else
|
||||
else
|
||||
LogText "Result: pf not running on this system"
|
||||
fi
|
||||
fi
|
||||
|
@ -284,12 +284,12 @@
|
|||
if [ -z "${PFWARNINGS}" ]; then
|
||||
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: no pf filter warnings found"
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: found one or more warnings in the pf filter rules"
|
||||
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: /etc/pf.conf does NOT exist"
|
||||
fi
|
||||
fi
|
||||
|
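Review bot: `if [ -z "${PFWARNINGS}" ]` at the top of this hunk is left as the raw test; for consistency with the IsEmpty conversions in the other firewall hunks use `if IsEmpty "${PFWARNINGS}"; then`. The remaining lines of the hunk are indentation only.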
@ -313,7 +313,7 @@
|
|||
FIREWALL_SOFTWARE="csf"
|
||||
Report "firewall_software[]=csf"
|
||||
Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: ${FILE} does NOT exist"
|
||||
fi
|
||||
fi
|
||||
|
@ -332,7 +332,7 @@
|
|||
FIREWALL_ACTIVE=1
|
||||
FIREWALL_SOFTWARE="ipf"
|
||||
Report "firewall_software[]=ipf"
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
|
||||
LogText "Result: ipf is not running"
|
||||
fi
|
||||
|
@ -357,15 +357,15 @@
|
|||
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
|
||||
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
|
||||
LogText "Result: IPFW is enabled at start-up for IPv4"
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
|
||||
LogText "Result: IPFW is disabled at start-up for IPv4"
|
||||
fi
|
||||
else
|
||||
else
|
||||
if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
|
||||
LogText "Result: IPFW is not running for IPv4"
|
||||
fi
|
||||
else
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
|
||||
fi
|
||||
fi
|
||||
|
@ -386,7 +386,7 @@
|
|||
APPLICATION_FIREWALL_ACTIVE=1
|
||||
Report "firewall_software[]=macosx-app-fw"
|
||||
Report "app_fw[]=macosx-app-fw"
|
||||
else
|
||||
else
|
||||
if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
|
||||
AddHP 1 3
|
||||
LogText "Result: application firewall of macOS is disabled"
|
||||
|
@ -407,7 +407,7 @@
|
|||
APPLICATION_FIREWALL_ACTIVE=1
|
||||
Report "app_fw[]=little-snitch"
|
||||
Report "firewall_software[]=little-snitch"
|
||||
else
|
||||
else
|
||||
if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi
|
||||
AddHP 1 3
|
||||
LogText "Result: could not find Little Snitch"
|
||||
|
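Review bot: this hunk and the macOS Application Firewall hunk just above move the report key in opposite directions: the Application Firewall line goes from `firewall_software[]=macosx-app-fw` to `app_fw[]=macosx-app-fw`, while Little Snitch goes from `app_fw[]=little-snitch` to `firewall_software[]=little-snitch`. Both blocks set APPLICATION_FIREWALL_ACTIVE=1, so they should report under the same key; `app_fw[]` keeps application-level firewalls apart from the packet filters (pf, ipf, nftables) that report under `firewall_software[]` elsewhere in this file.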
@ -418,7 +418,7 @@
|
|||
#
|
||||
# Test : FIRE-4536
|
||||
# Description : Check nftables kernel module
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
|
||||
|
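Review bot: the context line `${GREPBINARY} "^nf*_tables"` is a regex in which `f*` means zero or more `f`, so it matches `n_tables` and `nff_tables` but is not a wildcard for names like `nf_tables_set`; if the intent is `nf_tables` and modules prefixed by it, use `"^nf_tables"`, and if other `nf..._tables` names are expected, `"^nf.*_tables"`. The HasData swap for NFTBINARY is correct.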
@ -428,7 +428,7 @@
|
|||
FIREWALL_ACTIVE=1
|
||||
NFTABLES_ACTIVE=1
|
||||
Report "firewall_software[]=nftables"
|
||||
else
|
||||
else
|
||||
LogText "Result: no nftables kernel module found"
|
||||
fi
|
||||
fi
|
||||
|
@ -437,7 +437,7 @@
|
|||
#
|
||||
# Test : FIRE-4538
|
||||
# Description : Check nftables configuration
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Retrieve nft version
|
||||
|
@ -450,7 +450,7 @@
|
|||
#
|
||||
# Test : FIRE-4540
|
||||
# Description : Check nftables configuration
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check for empty ruleset
|
||||
|
@ -458,18 +458,12 @@
|
|||
if [ ${NFT_RULES_LENGTH} -le 16 ]; then
|
||||
FIREWALL_EMPTY_RULESET=1
|
||||
LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
|
||||
else
|
||||
else
|
||||
LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Ideas:
|
||||
# Suggestion to disable iptables if nftables is enabled
|
||||
# Check for specific features in nftables releases
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4586
|
||||
# Description : Check firewall logging
|
||||
|
@ -501,7 +495,7 @@
|
|||
# YYY Solaris ipf (determine default policy)
|
||||
Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
|
||||
AddHP 5 5
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
|
||||
LogText "Result: no host based firewall/packet filter found or configured"
|
||||
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
|
||||
|
@ -520,6 +514,12 @@ Report "firewall_software=${FIREWALL_SOFTWARE}"
|
|||
|
||||
WaitForKeyPress
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# TODO
|
||||
# Suggestion to disable iptables if nftables is enabled
|
||||
# Check for specific features in nftables releases
|
||||
#
|
||||
#================================================================================
|
||||
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|
||||
|
|
|
@ -52,7 +52,7 @@
|
|||
HARDEN_COMPILERS_NEEDED=0
|
||||
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
|
||||
LogText "Result: no compilers found"
|
||||
else
|
||||
else
|
||||
# as
|
||||
if [ ! -z "${ASBINARY}" ]; then
|
||||
LogText "Test: Check file permissions for as (Assembler)"
|
||||
|
|
|
@ -40,10 +40,10 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Checking if we can find the systemd default target
|
||||
LogText "Test: Checking for systemd default.target"
|
||||
if [ -L /etc/systemd/system/default.target ]; then
|
||||
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
|
||||
LogText "Result: symlink found"
|
||||
if HasData "${READLINKBINARY}"; then
|
||||
FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
|
||||
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
|
||||
if ! HasData "${FIND}"; then
|
||||
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
|
||||
ReportException "${TEST_NO}:01"
|
||||
|
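Review bot: the exception message `can't find the target of the symlink of /etc/systemd/system/default.target` still carries the fixed path while the test above was switched to `${ROOTDIR}etc/systemd/system/default.target`; use the same variable in the log line. Also `${READLINKBINARY}` without `-f` returns the link text as written, so when ROOTDIR is not `/` an absolute target such as one under `/lib/systemd/system/` points outside ROOTDIR if any later step stats it; prefix it or treat it as a name only.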
@ -65,9 +65,9 @@
|
|||
fi
|
||||
else
|
||||
LogText "Result: no systemd found, so trying inittab"
|
||||
LogText "Test: Checking /etc/inittab"
|
||||
if [ -f /etc/inittab ]; then
|
||||
LogText "Result: file /etc/inittab found"
|
||||
LogText "Test: Checking ${ROOTDIR}etc/inittab"
|
||||
if [ -f ${ROOTDIR}etc/inittab ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/inittab found"
|
||||
LogText "Test: Checking default Linux run level"
|
||||
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1)
|
||||
if IsEmpty "${FIND}"; then
|
||||
|
@ -211,13 +211,13 @@
|
|||
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Loaded modules according lsmod:"
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Loaded module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 6 --text "Found ${N} active modules"
|
||||
Display --indent 6 --text "Found ${COUNT} active modules"
|
||||
else
|
||||
LogText "Result: no loaded modules found"
|
||||
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
|
||||
|
@ -295,13 +295,13 @@
|
|||
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
|
||||
if [ $? -eq 0 ]; then
|
||||
LogText "Loaded modules according kldstat:"
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Loaded module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Problem with executing kldstat"
|
||||
|
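Review bot: `if [ $? -eq 0 ]` directly after `FIND=$(kldstat | ... | ${CUTBINARY} -d ' ' -f6)` tests the exit status of the last command in the pipeline (cut), not of kldstat, so the "Problem with executing kldstat" branch is effectively unreachable; test for a usable binary first or check `HasData "${FIND}"` if that failure case matters. Also `kldstat` is invoked by bare name here while the @ -321 hunk resolves it as `${ROOTDIR}sbin/kldstat`; the two blocks are otherwise identical and could share one implementation.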
@ -321,24 +321,24 @@
|
|||
LogText "Test: Active kernel modules (KLDs)"
|
||||
LogText "Description: View all active kernel modules (including kernel)"
|
||||
LogText "Test: Checking modules"
|
||||
if [ -f /sbin/kldstat ]; then
|
||||
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
|
||||
if [ -f ${ROOTDIR}sbin/kldstat ]; then
|
||||
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
|
||||
if [ $? -eq 0 ]; then
|
||||
LogText "Loaded modules according kldstat:"
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Loaded module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Problem with executing kldstat"
|
||||
fi
|
||||
else
|
||||
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
|
||||
LogText "Result: no results, can't find /sbin/kldstat"
|
||||
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
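Review bot: the same `$?`-after-pipeline problem as the previous kldstat hunk applies here (`$?` reflects cut, not `${ROOTDIR}sbin/kldstat`), and the skip branch prints `echo "[ ${WHITE}SKIPPED${NORMAL} ]"` directly instead of going through the Display function every other test uses, so it ignores the output settings Display honours; the skip belongs in the prerequisite check (`--preqs-met`) rather than inside the test body. Changing the wording to "can NOT find" is fine.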
@ -351,9 +351,9 @@
|
|||
LogText "Test: searching loaded kernel modules"
|
||||
FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
|
||||
if HasData "${FIND}"; then
|
||||
for I in ${FIND}; do
|
||||
LogText "Found module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
done
|
||||
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
|
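Review bot: `/usr/sbin/modinfo` and `sort` keep fixed paths in this hunk while the zoneadm hunk above prefixes `${ROOTDIR}` and the rest of the commit resolves tools through `*BINARY` variables guarded by HasData; apply the same treatment here. The ITEM rename is fine.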
@ -370,21 +370,21 @@
|
|||
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
|
||||
if [ -x /usr/bin/apt-cache ]; then
|
||||
LogText "Result: found /usr/bin/apt-cache"
|
||||
LogText "Test: checking readlink location of /vmlinuz"
|
||||
if [ -f /vmlinuz ]; then
|
||||
FINDKERNFILE=$(readlink -f /vmlinuz)
|
||||
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
|
||||
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
|
||||
LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
|
||||
if [ -f ${ROOTDIR}vmlinuz ]; then
|
||||
FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
|
||||
LogText "Output: readlink reported file ${FINDKERNFILE}"
|
||||
LogText "Test: checking package from dpkg -S"
|
||||
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
|
||||
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
|
||||
elif [ -e /dev/grsec ]; then
|
||||
elif [ -e ${ROOTDIR}dev/grsec ]; then
|
||||
FINDKERNEL=linux-image-$(uname -r)
|
||||
LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
|
||||
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
|
||||
else
|
||||
LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date."
|
||||
ReportSuggestion ${TEST_NO} "Determine why /vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
|
||||
LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
|
||||
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
|
||||
fi
|
||||
LogText "Test: Using apt-cache policy to determine if there is an update available"
|
||||
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
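Review bot: the last argument of `ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"` still passes the literal `/vmlinuz` while the message and the `-f` test were switched to `${ROOTDIR}vmlinuz`; suggest `"${ROOTDIR}vmlinuz"` for the details field as well. Separately, when `dpkg -S` does not own the resolved kernel file, `FINDKERNEL` is empty and `apt-cache policy ${FINDKERNEL}` runs with no package argument, so a `HasData "${FINDKERNEL}"` guard before the `apt-cache policy` call would avoid a misleading "no update" result.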
|
|
|
@ -281,21 +281,21 @@
|
|||
#
|
||||
# Test : LOGG-2150
|
||||
# Description : Checking log directories rotated with logrotate
|
||||
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${LOGROTATEBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking which directories can be found in logrotate configuration"
|
||||
FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
|
||||
if IsEmpty "${FIND}" ]; then
|
||||
LogText "Result: nothing found"
|
||||
else
|
||||
else
|
||||
LogText "Result: found one or more directories (via logrotate configuration)"
|
||||
for I in ${FIND}; do
|
||||
if [ -d ${I} ]; then
|
||||
LogText "Directory found: ${I}"
|
||||
Report "log_directory[]=${I}"
|
||||
else
|
||||
LogText "Directory could not be found: ${I}"
|
||||
for DIR in ${FIND}; do
|
||||
if [ -d ${DIR} ]; then
|
||||
LogText "Directory found: ${DIR}"
|
||||
Report "log_directory[]=${DIR}"
|
||||
else
|
||||
LogText "Result: Directory could not be found: ${DIR}"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
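Review bot: `if IsEmpty "${FIND}" ]; then` carries a stray `]` left over from the old `[ "${FIND}" = "" ]` form; it is now passed to `IsEmpty` as a second argument, which at best is silently ignored and at worst changes the result depending on how `IsEmpty` is written. It should read `if IsEmpty "${FIND}"; then`, matching the other conversions in this patch.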
@ -379,7 +379,7 @@
|
|||
AddHP 5 5
|
||||
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -126,7 +126,7 @@
|
|||
#
|
||||
# Test : MACF-6234
|
||||
# Description : Check SELINUX status
|
||||
if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Status: Enabled/Disabled
|
||||
|
@ -151,7 +151,7 @@
|
|||
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
Display --indent 8 --text "Current SELinux mode: ${FIND}"
|
||||
else
|
||||
else
|
||||
LogText "Result: SELinux framework is disabled"
|
||||
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
fi
|
||||
|
@ -180,7 +180,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
if [ ! -z "${GRADMBINARY}" ]; then
|
||||
if HasData "${GRADMBINARY}"; then
|
||||
FIND=$(${GRADMBINARY} --status)
|
||||
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
|
||||
MAC_FRAMEWORK_ACTIVE=1
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
MCAFEE_SCANNER_RUNNING=0
|
||||
MALWARE_SCANNER_INSTALLED=0
|
||||
SOPHOS_SCANNER_RUNNING=0
|
||||
SYMANTEC_SCANNER_RUNNING=
|
||||
SYMANTEC_SCANNER_RUNNING=0
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
|
|
@ -67,26 +67,26 @@
|
|||
# Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
|
||||
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
|
||||
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
|
||||
FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no search domains found, default domain is being used"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Found search domain: ${I}"
|
||||
Report "resolv_conf_search_domain[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found search domain: ${ITEM}"
|
||||
Report "resolv_conf_search_domain[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
# Warn if we have more than 6 search domains, which is maximum in most resolvers
|
||||
if [ ${N} -gt 6 ]; then
|
||||
LogText "Result: Found ${N} search domains"
|
||||
if [ ${COUNT} -gt 6 ]; then
|
||||
LogText "Result: Found ${COUNT} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
|
||||
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
|
||||
else
|
||||
LogText "Result: Found ${N} search domains"
|
||||
LogText "Result: Found ${COUNT} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
fi
|
||||
|
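Review bot: the counting logic can never reach the warning branch: `FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)` prints only the first domain of each `search` line, and the note above says a resolver honours at most one `search` keyword, so `COUNT` is at most 1 and `if [ ${COUNT} -gt 6 ]` is dead code. To count the configured search domains, print every field after the keyword, for example `'/^search/ { for (i = 2; i <= NF; i++) print $i }'`.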
@ -115,15 +115,16 @@
|
|||
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
|
||||
FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no specific other options configured in /etc/resolv.conf"
|
||||
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Found option: ${I}"
|
||||
Report "resolv_conf_option[]=${I}"
|
||||
#rotate --> add performance tune point
|
||||
#timeout <3 --> add performe tune point
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found option: ${ITEM}"
|
||||
Report "resolv_conf_option[]=${ITEM}"
|
||||
# TODO add suggestions for the related options
|
||||
# rotate --> add performance tune point
|
||||
# timeout --> add performe tune point when smaller than 3 seconds
|
||||
done
|
||||
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
|
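Review bot: the new TODO comment `# timeout --> add performe tune point when smaller than 3 seconds` keeps the typo "performe" (performance). The same first-field-only issue applies here as in NAME-4018: `${GREPBINARY} "^options" ... | ${AWKBINARY} '{ print $2 }'` records only the first option on an `options` line, so `options rotate timeout:2` is reported as `rotate` alone; iterate over fields 2..NF instead. The LogText and Display strings in this hunk also still say `/etc/resolv.conf` while the file test uses `${ROOTDIR}etc/resolv.conf`.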
@ -171,25 +172,10 @@
|
|||
Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
DOMAINNAME=""
|
||||
# NIS
|
||||
#LogText "Test: Checking file /etc/domainname"
|
||||
#if [ -f /etc/domainname ]; then
|
||||
# LogText "Result: file /etc/domainname exists"
|
||||
# FIND2=$(cat /etc/domainname)
|
||||
# if [ ! "${FIND}" = "" ]; then
|
||||
# LogText "Found domain name: ${FIND}"
|
||||
# DOMAINNAME="${FIND}"
|
||||
# else
|
||||
# LogText "Result: no domain name found in file"
|
||||
# fi
|
||||
# else
|
||||
# LogText "Result: file /etc/domainname does not exist"
|
||||
#fi
|
||||
|
||||
LogText "Test: Checking if dnsdomainname command is available"
|
||||
if [ ! -z "${DNSDOMAINNAMEBINARY}" ]; then
|
||||
if HasData "${DNSDOMAINNAMEBINARY}"; then
|
||||
FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
if HasData "${FIND2}"; then
|
||||
LogText "Result: dnsdomainname command returned a value"
|
||||
LogText "Found domain name: ${FIND2}"
|
||||
DOMAINNAME="${FIND2}"
|
||||
|
@ -280,7 +266,7 @@
|
|||
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
|
||||
ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipped, can't find unbound-checkconf utility"
|
||||
fi
|
||||
fi
|
||||
|
@ -338,24 +324,17 @@
|
|||
if [ "${FIND}" = "0" ]; then
|
||||
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
|
||||
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
|
||||
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: named-checkconf not found, skipping test"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4208
|
||||
# Description : Check DNS server type (master, slave, caching, forwarding)
|
||||
#Register --test-no NAME-4050 --weight L --network NO --category security --description "Check nscd status"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4210
|
||||
# Description : Check if we can determine useful information from banner
|
||||
|
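Review bot: after removing the commented-out `#Register --test-no NAME-4050` and `#if [ ${SKIPTEST} -eq 0 ]; then` lines, the `# Test : NAME-4208 / Check DNS server type` header is left with no Register call or body at all. The following hunk marks the other unimplemented tests as `NAME-4212 TODO`, `NAME-4220 TODO` and `NAME-4222 TODO`; suggest giving NAME-4208 the same `TODO` marker (or dropping the header) so a reader does not look for a test that is not there.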
@ -379,21 +358,21 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4212
|
||||
# Test : NAME-4212 TODO
|
||||
# Description : Check version option in BIND configuration
|
||||
#if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration"
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4220
|
||||
# Test : NAME-4220 TODO
|
||||
# Description : Check if we can perform a zone transfer of primary domain
|
||||
#Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4222
|
||||
# Test : NAME-4222 TODO
|
||||
# Description : Check if we can perform a zone transfer of PTR (of primary domain)
|
||||
#Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
@ -410,7 +389,7 @@
|
|||
LogText "Result: found PowerDNS process"
|
||||
Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
|
||||
POWERDNS_RUNNING=1
|
||||
else
|
||||
else
|
||||
LogText "Result: PowerDNS not running"
|
||||
if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
||||
fi
|
||||
|
@ -424,13 +403,13 @@
|
|||
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Search PowerDNS configuration file"
|
||||
for I in ${POWERDNS_CONFIG_LOCS}; do
|
||||
if [ -f ${I}/pdns.conf ]; then
|
||||
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
|
||||
for DIR in ${POWERDNS_CONFIG_LOCS}; do
|
||||
if [ -f ${DIR}/pdns.conf ]; then
|
||||
POWERDNS_AUTH_CONFIG_LOCATION="${DIR}/pdns.conf"
|
||||
LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
|
||||
fi
|
||||
done
|
||||
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
|
||||
if HasData "${POWERDNS_AUTH_CONFIG_LOCATION}"; then
|
||||
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
|
@ -455,9 +434,9 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking for PowerDNS backends"
|
||||
FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION})
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
LogText "Found backend: ${I}"
|
||||
if HasData "${FIND}"; then
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found backend: ${ITEM}"
|
||||
done
|
||||
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
|
@ -514,7 +493,7 @@
|
|||
else
|
||||
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: ypbind is not active"
|
||||
if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
||||
fi
|
||||
|
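Review bot: in the context lines, `ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"` omits the test identifier that every other `ReportSuggestion` call in this patch passes first (`ReportSuggestion ${TEST_NO} "..."`), so the suggestion text is consumed as the test id and the advice itself is lost from the report. Suggest `ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ ..."`.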
@ -623,7 +602,7 @@
|
|||
if [ "${sFIND}" != "" ]; then
|
||||
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
|
||||
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
|
||||
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
|
||||
|
@ -636,7 +615,7 @@
|
|||
#
|
||||
# Test : NAME-4406
|
||||
# Description : Check server hostname mapping
|
||||
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${HOSTNAME}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
|
||||
|
|
|
@ -216,7 +216,6 @@
|
|||
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search for available network interfaces"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=""
|
||||
N=0
|
||||
case ${OS} in
|
||||
AIX)
|
||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
|
||||
|
@ -239,12 +238,11 @@
|
|||
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
|
||||
;;
|
||||
esac
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
|
||||
LogText "Found network interface: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_interface[]=${I}"
|
||||
if HasData "${FIND}"; then
|
||||
for ITEM in ${FIND}; do
|
||||
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${ITEM}"
|
||||
LogText "Found network interface: ${ITEM}"
|
||||
Report "network_interface[]=${ITEM}"
|
||||
done
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
|
||||
|
@ -272,7 +270,7 @@
|
|||
if [ ! -z "${IPBINARY}" ]; then
|
||||
LogText "Test: Using ip binary to gather hardware addresses"
|
||||
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
|
||||
else
|
||||
else
|
||||
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
|
||||
fi
|
||||
fi
|
||||
|
@ -294,11 +292,9 @@
|
|||
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
|
||||
;;
|
||||
esac
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Found MAC address: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_mac_address[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found MAC address: ${ITEM}"
|
||||
Report "network_mac_address[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
#
|
||||
|
@ -350,20 +346,17 @@
|
|||
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
|
||||
;;
|
||||
esac
|
||||
N=0
|
||||
|
||||
# IPv4
|
||||
for I in ${FIND}; do
|
||||
LogText "Found IPv4 address: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_ipv4_address[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found IPv4 address: ${ITEM}"
|
||||
Report "network_ipv4_address[]=${ITEM}"
|
||||
done
|
||||
# IPv6
|
||||
for I in ${FIND2}; do
|
||||
LogText "Found IPv6 address: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_ipv6_address[]=${I}"
|
||||
for ITEM in ${FIND2}; do
|
||||
LogText "Found IPv6 address: ${ITEM}"
|
||||
Report "network_ipv6_address[]=${ITEM}"
|
||||
done
|
||||
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -373,7 +366,7 @@
|
|||
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=""; FIND2=""
|
||||
N=0
|
||||
COUNT=0
|
||||
case ${OS} in
|
||||
DragonFly|FreeBSD)
|
||||
if [ ! -z "${SOCKSTATBINARY}" ]; then
|
||||
|
@ -390,13 +383,13 @@
|
|||
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
|
||||
# TCP
|
||||
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
|
||||
else
|
||||
else
|
||||
if [ ! "${SSBINARY}" = "" ]; then
|
||||
# UDP
|
||||
FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
|
||||
# TCP
|
||||
FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
|
||||
else
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
|
||||
fi
|
||||
fi
|
||||
|
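Review bot: the `ss` fallback does not match the `netstat` branch it replaces: `FIND=$(${SSBINARY} -u -a -n ...)` and `FIND2=$(${SSBINARY} -t -a -n ...)` use `-a`, which lists every socket including established and connected ones, while the netstat branch filters on `-l` and `LISTEN`. As written, the "listening ports" count on systems without netstat includes active client connections. Use `-l` instead of `-a` for both calls. While touching this block, `if [ ! "${SSBINARY}" = "" ]` could become `if HasData "${SSBINARY}"` like the other conversions in the commit.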
@ -440,26 +433,26 @@
|
|||
|
||||
# Retrieve information from sockstat, when available
|
||||
LogText "Test: Retrieving sockstat information to find listening ports"
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
LogText "Found listening info: ${I}"
|
||||
Report "network_listen_port[]=${I}"
|
||||
if HasData "${FIND}"; then
|
||||
for ITEM in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Found listening info: ${ITEM}"
|
||||
Report "network_listen_port[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
for I in ${FIND2}; do
|
||||
N=$((N + 1))
|
||||
LogText "Found listening info: ${I}"
|
||||
Report "network_listen_port[]=${I}"
|
||||
for ITEM in ${FIND2}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Found listening info: ${ITEM}"
|
||||
Report "network_listen_port[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
|
||||
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||
else
|
||||
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 6 --text "* Found ${N} ports"
|
||||
Display --indent 6 --text "* Found ${COUNT} ports"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -473,14 +466,14 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: Promiscuous interfaces: ${FIND}"
|
||||
for I in ${FIND}; do
|
||||
for ITEM in ${FIND}; do
|
||||
WHITELISTED=0
|
||||
for PROFILE in ${PROFILES}; do
|
||||
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
|
||||
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
|
||||
if [ ! "${ISWHITELISTED}" = "" ]; then
|
||||
Debug "Checking if interface ${ITEM} is whitelisted in profile ${PROFILE}"
|
||||
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${ITEM}:" ${PROFILE})
|
||||
if HasData "${ISWHITELISTED}"; then
|
||||
WHITELISTED=1
|
||||
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
|
||||
fi
|
||||
|
@ -536,15 +529,17 @@
|
|||
if [ ${FOUNDPROMISC} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: No promiscuous interfaces found"
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NETW-3020
|
||||
# Description : Checking multipath configuration (Solaris)
|
||||
# Do you have a multipath configuration on Linux or other OS? Create a related test and send in a pull request on GitHub
|
||||
|
||||
# Test : NETW-3020 TODO
|
||||
# Description : Checking multipath configuration
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -557,7 +552,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Using netstat for check for connections in WAIT state"
|
||||
FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
|
||||
if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
|
||||
if IsEmpty "${OPTIONS_CONN_MAX_WAIT_STATE}"; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
|
||||
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
|
||||
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
|
||||
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
|
||||
|
|
|
@ -62,10 +62,10 @@
|
|||
#
|
||||
# Test : PKGS-7302
|
||||
# Description : Query FreeBSD/NetBSD pkg_info
|
||||
if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found pkg_info"
|
||||
Report "package_manager[]=pkg_info"
|
||||
|
@ -74,13 +74,13 @@
|
|||
LogText "Output:"; LogText "-----"
|
||||
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
|
||||
for ITEM in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
|
||||
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
|
||||
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -93,6 +93,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found brew"
|
||||
PACKAGE_MGR_PKG=1
|
||||
Report "package_manager[]=brew"
|
||||
LogText "Test: Querying brew to get package list"
|
||||
Display --indent 4 --text "- Querying brew for installed packages"
|
||||
|
@ -120,11 +121,11 @@
|
|||
Display --indent 4 --text "- Querying portage for installed packages"
|
||||
LogText "Output:"; LogText "-----"
|
||||
GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
|
||||
for J in ${GPACKAGES}; do
|
||||
LogText "Found package ${J}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
|
||||
for PKG in ${GPACKAGES}; do
|
||||
LogText "Found package ${PKG}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "Result: emerge can NOT be found on this system"
|
||||
fi
|
||||
#
|
||||
|
@ -139,6 +140,7 @@
|
|||
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found Solaris pkginfo"
|
||||
Report "package_manager[]=pkginfo"
|
||||
PACKAGE_MGR_PKG=1
|
||||
LogText "Test: Querying pkginfo to get package list"
|
||||
Display --indent 4 --text "- Querying pkginfo for installed packages"
|
||||
LogText "Output:"; LogText "-----"
|
||||
|
@ -159,7 +161,7 @@
|
|||
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found rpm binary (${RPMBINARY})"
|
||||
Report "package_manager[]=rpm"
|
||||
|
@ -172,16 +174,16 @@
|
|||
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
|
||||
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
|
||||
else
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
|
||||
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{print $2}')
|
||||
LogText "Found package: ${J}"
|
||||
for PKG in ${SPACKAGES}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
|
||||
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
|
||||
LogText "Found package: ${PKG}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: RPM binary NOT found on this system, test skipped"
|
||||
fi
|
||||
#
|
||||
|
@ -192,10 +194,11 @@
|
|||
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found pacman binary (${PACMANBINARY})"
|
||||
Report "package_manager[]=pacman"
|
||||
PACKAGE_MGR_PKG=1
|
||||
LogText "Test: Querying 'pacman -Q' to get package list"
|
||||
Display --indent 6 --text "- Querying pacman package manager"
|
||||
LogText "Output:"; LogText "--------"
|
||||
|
@ -204,14 +207,14 @@
|
|||
LogText "Result: pacman binary available, but package list seems to be empty"
|
||||
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
|
||||
else
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
|
||||
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
|
||||
for PKG in ${SPACKAGES}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
|
||||
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
|
||||
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -237,10 +240,10 @@
|
|||
else
|
||||
Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skipping this test, can't find checkupdates binary"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: pacman binary NOT found on this system, test skipped"
|
||||
fi
|
||||
#
|
||||
|
@ -322,20 +325,20 @@
|
|||
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="zypper"
|
||||
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
LogText "Installed package: ${I}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
|
||||
for PKG in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Installed package: ${PKG}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
else
|
||||
# Could not find any installed packages
|
||||
ReportException ${TEST_NO} "No installed packages found with Zypper"
|
||||
ReportException "${TEST_NO}" "No installed packages found with Zypper"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
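Review bot: this rename also fixes a latent bug that the CHANGELOG does not mention: the old loop iterated over `I` but appended `${J}` to `INSTALLED_PACKAGES`, a variable never set in this test, so on Zypper systems the installed package list was built from empty names. The new `INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"` is correct; worth a line under "Changes" since it alters what PKGS-7328 reports.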
@ -357,10 +360,10 @@
|
|||
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
|
||||
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for I in ${FIND}; do
|
||||
for PKG in ${FIND}; do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
Report "vulnerable_package[]=${I}"
|
||||
LogText "Vulnerable package: ${I}"
|
||||
Report "vulnerable_package[]=${PKG}"
|
||||
LogText "Vulnerable package: ${PKG}"
|
||||
# Decrease hardening points for every found vulnerable package
|
||||
AddHP 1 2
|
||||
done
|
||||
|
@ -368,28 +371,80 @@
fi
#
#################################################################################
#
# Test : PKGS-7332
# Description : Query macOS ports
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with port" --result "{STATUS_FOUND}" --color GREEN
Report "package_manager[]=port"
PACKAGE_MGR_PKG=1
LogText "Result: Found port utility"
LogText "Test: Querying port to get package list"
Display --indent 6 --text "- Querying port for installed packages"
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed | ${GREPBINARY} active)
for ITEM in ${SPACKAGES}; do
SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2 | ${CUTBINARY} -d' ' -f1)
LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"
done
fi
fi
#
#################################################################################
#
# Test : PKGS-7334
# Description : Query macOS ports for available port upgrades
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
LogText "Test: Querying ports for possible port upgrades"
UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
for J in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
done
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : PKGS-7345
# Description : Debian package based systems (dpkg)
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
PACKAGE_MGR_PKG=1
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
for J in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
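Review bot: the new PKGS-7332 cannot reach its main branch on a system that actually has ports: `FIND=$(... port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)` captures the sorted package list followed by the exit code, so `"${FIND}" = "0"` only holds when no active port exists, and the test then silently does nothing. Discard the command output before echoing the status, as PKGS-7384 does with `> /dev/null; echo $?`, or test for non-empty output instead. Inside that branch there are three more defects: `--result "{STATUS_FOUND}"` is missing the `$` and displays the literal text; `INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"` references an undefined INSTALLED_PORTS and overwrites the list on every iteration instead of appending; and since `for ITEM in ${SPACKAGES}` word-splits the output, the `${CUTBINARY} -d' ' -f1` step can never see a space, so the name/version split only works if `port installed` prints `name@version` as a single word. PKGS-7332 also lacks `--category security` and a closing `Report "installed_packages=..."`, both present in the neighbouring tests, and the new PKGS-7334 still uses `J` as loop variable where the rest of this commit renames to `PKG`. In PKGS-7345 the prerequisite now checks `${ROOTDIR}usr/bin/dpkg`, but the query line still runs bare `dpkg -l` and `sort` rather than `${ROOTDIR}usr/bin/dpkg` and `${SORTBINARY}`, which PKGS-7346 does after this change.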
@ -399,12 +454,12 @@
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
if [ -z "${SPACKAGES}" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
@ -413,10 +468,10 @@
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
for J in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
LogText "Found unpurged package: ${J}"
done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
@ -431,8 +486,8 @@
# Add portmaster --clean-distfiles-all
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portsclean ]; then
FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
@ -452,6 +507,7 @@
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
Report "package_manager[]=dnf"
@ -460,14 +516,14 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@ -594,19 +650,20 @@
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
for J in ${UPACKAGES}; do
N=$((N + 1))
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
for PKG in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${PKG}"
Report "upgrade_available[]=${PKG}"
done
Report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then
LogText "Result: no upgrades found"
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no updates found"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
else
LogText "Result: found ${COUNT} updates"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
@ -617,11 +674,11 @@
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/sbin/pkg_admin ]; then
if [ -x ${ROOTDIR}usr/sbin/pkg_admin ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit"
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
FIND=$(/usr/sbin/pkg_admin audit)
if [ -f ${ROOTDIR}var/db/pkg/pkgs-vulnerabilities ]; then
FIND=$(${ROOTDIR}usr/sbin/pkg_admin audit)
if [ -z "${FIND}" ]; then
LogText "Result: pkg_admin audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -631,7 +688,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
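Review bot: the `for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ...)` line runs the audit a second time even though its output was already captured in `${FIND}` just above; iterating over `$(echo "${FIND}" | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u)` avoids the extra run and guarantees that the reported packages are the ones that triggered the warning. The loop variable here also stays `I`, while the other loops in this commit were renamed to `PKG`.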
@ -701,11 +758,11 @@
# Test : PKGS-7382
# Description : Check for vulnerable FreeBSD packages
# Notes : Newer machines should use pkg audit instead of portaudit
if [ -x /usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
FIND=$(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
if [ -z "${FIND}" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -716,10 +773,10 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
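Review bot: same pattern as in the pkg_admin test: `${ROOTDIR}usr/local/sbin/portaudit` is executed again in the `for PKG in $(...)` line after the summary-line check, so the listed packages come from a different run than the one that produced the warning; capturing the full portaudit output once and deriving both the summary line and the `Affected package` list from it would be cheaper and consistent. Note that this loop was renamed to `PKG` while the pkg_admin loop above kept `I`.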
@ -753,11 +810,11 @@
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/bin/package-cleanup ]; then
LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then
LogText "Result: found YUM utils package (${ROOTDIR}usr/bin/package-cleanup)"
# Check for duplicates
LogText "Test: Checking for duplicate packages"
FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
@ -770,7 +827,7 @@

# Check for package database problems
LogText "Test: Checking for database problems"
FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
@ -869,7 +926,7 @@
#
# Test : PKGS-7387
# Description : Search for YUM GPG check
if [ -x /usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then
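Review bot: the PKGS-7387 prerequisite now tests `-x ${ROOTDIR}usr/bin/yum`, while PKGS-7384 earlier in this file expresses the same condition through the initialized `${YUMBINARY}` variable (`[ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]`); using `${YUMBINARY}` here too keeps both tests consistent and handles a yum binary installed outside /usr/bin.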
@ -892,16 +949,18 @@
done
fi
FOUND=0
FileExists /etc/yum.conf
FileExists ${ROOTDIR}etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^gpgenabled\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
AddHP 2 3
fi
fi
fi
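Review bot: the GPG check only reads `${ROOTDIR}etc/yum.conf`, but a `gpgcheck=1` there is overridden by `gpgcheck=0` in an individual repository file under /etc/yum.repos.d, so a host can pass this test while one of its repositories still installs unsigned packages; scanning the repository definitions as well would close that gap. Also, because `SearchItem` only matches `^gpgcheck\s*=\s*1$`, an explicit `gpgcheck=0` lands in the else branch whose warning reads "No GPG signing option found in yum.conf", which is misleading for that case.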
@ -959,11 +1018,11 @@
#
# Test : PKGS-7390
# Description : Check Ubuntu database consistency
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check"
FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent."
@ -979,7 +1038,7 @@
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@ -989,16 +1048,20 @@
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
# Update the repository, outdated repositories don't give much information
LogText "Action: updating repository with apt-get"
/usr/bin/apt-get -q=2 update
LogText "Result: apt-get finished"
LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
if [ -x /usr/lib/update-notifier/apt-check ]; then
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating package repository with apt-get"
${ROOTDIR}usr/bin/apt-get -q=2 update
LogText "Result: apt-get finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
fi
LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
if [ -x ${ROOTDIR}usr/lib/update-notifier/apt-check ]; then
PACKAGE_AUDIT_TOOL="apt-check"
LogText "Result: found /usr/lib/update-notifier/apt-check"
LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=$(/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
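Review bot: gating `apt-get update` on REFRESH_REPOSITORIES is the right move, since it is the one action in this test that changes system state, but the exit status of `${ROOTDIR}usr/bin/apt-get -q=2 update` is still ignored and "Result: apt-get finished" is logged even when the refresh failed (no network, broken sources list); logging `$?` would let a reader of the log tell a fresh index from a stale one. Prefixing the apt-get and apt-check paths with `${ROOTDIR}` also only selects which binary runs: with a non-default ROOTDIR the update and the security-update count still refer to the running system's package database, which is worth a comment at this spot.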
@ -1028,9 +1091,9 @@
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
for I in ${FIND}; do
LogText "Found vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
for PKG in ${FIND}; do
LogText "Found vulnerable package: ${PKG}"
Report "vulnerable_package[]=${PKG}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
@ -1052,7 +1115,7 @@
#
# Test : PKGS-7393
# Description : Check Gentoo vulnerable packages
if [ -x /usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@ -1063,19 +1126,19 @@
# "most friendly" way.
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null
${ROOTDIR}usr/bin/emerge-webrsync --quiet 2> /dev/null
LogText "Result: emerge-webrsync finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled"
fi
LogText "Test: checking if /usr/bin/glsa-check exists"
if [ -x /usr/bin/glsa-check ]; then
LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
if [ -x ${ROOTDIR}usr/bin/glsa-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
LogText "Result: found /usr/bin/glsa-check"
LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
FIND=$(/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
FIND=$(${ROOTDIR}usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
if [ -z "${FIND}" ]; then
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
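Review bot: `FIND` is the line count from `${WCBINARY} -l`, so the `[ -z "${FIND}" ]` branch right after it is reachable only if wc itself is missing; the bigger issue is that `2>&1` merges stderr into the pipeline, so any warning glsa-check prints (for example about a missing or stale GLSA database) is counted as a vulnerability once the two informational lines are filtered out. Keeping stderr separate, or filtering on the GLSA identifier format the comment above describes, would keep the count accurate.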
@ -1093,7 +1156,7 @@
AddHP 0 25
fi
fi
else
else
LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi
@ -1106,11 +1169,11 @@
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking /usr/bin/apt-show-versions"
if [ -x /usr/bin/apt-show-versions ]; then
LogText "Result: found /usr/bin/apt-show-versions"
LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
if [ -x ${ROOTDIR}usr/bin/apt-show-versions ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
FIND=$(/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${ROOTDIR}usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
@ -1124,8 +1187,8 @@
LogText "${ITEM}"
done
fi
else
LogText "Result: /usr/bin/apt-show-versions not found"
else
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
@ -1143,7 +1206,7 @@
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found"
else
else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
@ -1158,7 +1221,7 @@
#################################################################################
#
# Description : AIX patches
# Notes : /usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
# Notes : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
#
#################################################################################
#
@ -46,7 +46,7 @@
if [ ! -f ${ROOTDIR}usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap NOT found, test skipped"
else
else
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap found"
FIND=$(${ROOTDIR}usr/sbin/chkprintcap > /dev/null ; echo $?)
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
@ -88,19 +88,19 @@
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching cupsd configuration file"
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
if FileIsReadable ${I}/cupsd.conf; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
for DIR in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${DIR}/cupsd.conf ]; then
if FileIsReadable ${DIR}/cupsd.conf; then
CUPSD_CONFIG_FILE="${DIR}/cupsd.conf"
LogText "Result: found ${CUPSD_CONFIG_FILE}"
fi
fi
done
if [ ! -z "${CUPSD_CONFIG_FILE}" ]; then
if HasData "${CUPSD_CONFIG_FILE}"; then
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
else
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: configuration file not found"
LogText "Development: no CUPS configuration file found"
@ -111,17 +111,17 @@
#
# Test : PRNT-2307
# Description : Check CUPSd configuration file permissions
# To Do : Add function
# TODO : Add function
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking CUPS configuration file permissions"
FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
else
else
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
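Review bot: the permission check still parses `${LSBINARY} -l | ${CUTBINARY} -c 2-10` into a string comparison, and the `TODO : Add function` comment above it points at the fix: the cron test in this same commit already relies on helpers such as `IsWorldWritable` and `IsOwnedByRoot`, so a helper in that style would replace the four-way string match and make the accepted modes explicit. The check also never looks at the owner, so a `rw-------` file owned by an unprivileged user passes as OK.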
@ -139,17 +139,17 @@
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
N=0
for I in ${FIND}; do
LogText "Found network address: ${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Found network address: ${ITEM}"
COUNT=$((COUNT + 1))
FOUND=1
done

# Check if daemon is only running on localhost
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no listen statement found in CUPS configuration file"
elif [ ${N} -eq 1 ]; then
elif [ ${COUNT} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
@ -167,12 +167,12 @@
# Checking sockets
LogText "Test: Checking cups daemon listening sockets"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
for I in ${FIND}; do
LogText "Found socket address: ${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found socket address: ${ITEM}"
COUNT=$((COUNT + 1))
done

if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
LogText "Result: no addresses found on which CUPS daemon is listening"
else
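Review bot: `COUNT` is deliberately not reset between the network-address loop and this socket loop, so `[ ${COUNT} -eq 0 ]` covers both kinds of Listen entries; `FOUND`, however, is only set in the address loop, so a configuration with socket-only Listen lines still ends up in the "no listen statement found" branch above. Setting `FOUND=1` in this loop as well would make the two indicators agree.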
@ -236,12 +236,12 @@
LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else
else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
else
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
fi
@ -255,17 +255,17 @@
Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir
DirectoryExists ${ROOTDIR}var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
N=0
for I in ${FIND}; do
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
FIND=$(find ${ROOTDIR}var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if HasData "${FIND}"; then
COUNT=0
for ITEM in ${FIND}; do
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found old print job: ${FILE}"
N=$((N + 1))
COUNT=$((COUNT + 1))
done
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
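Review bot: the `DirectoryExists` and `find` calls now use `${ROOTDIR}var/spool/lpd/qdir`, but `LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"` and the ReportSuggestion text still hardcode `/var/spool/lpd/qdir`, so with a non-default ROOTDIR the report names a directory that was not the one scanned; both strings should use the same variable. `find` is also called bare here whereas the cron test below uses `${FINDBINARY}`.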
|
||||
|
|
|
@ -36,8 +36,9 @@
|
|||
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no cron daemon found"
|
||||
AddHP 3 3
|
||||
else
|
||||
LogText "Result: cron daemon running"
|
||||
CROND_RUNNING=1
|
||||
|
@ -63,42 +64,42 @@
|
|||
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${CRONTAB_FILE}
|
||||
for I in ${sCRONJOBS}; do
|
||||
LogText "Found cronjob (${CRONTAB_FILE}): ${I}"
|
||||
Report "cronjob[]=${I}"
|
||||
for ITEM in ${sCRONJOBS}; do
|
||||
LogText "Found cronjob (${CRONTAB_FILE}): ${ITEM}"
|
||||
Report "cronjob[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
|
||||
CRON_DIRS="${ROOTDIR}etc/cron.d"
|
||||
for I in ${CRON_DIRS}; do
|
||||
LogText "Test: checking directory ${I}"
|
||||
if [ -d ${I} ]; then
|
||||
if FileIsReadable ${I}; then
|
||||
LogText "Result: found directory ${I}"
|
||||
LogText "Test: searching files in ${I}"
|
||||
FIND=$(${FINDBINARY} ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: no files found in ${I}"
|
||||
for DIR in ${CRON_DIRS}; do
|
||||
LogText "Test: checking directory ${DIR}"
|
||||
if [ -d ${DIR} ]; then
|
||||
if FileIsReadable ${DIR}; then
|
||||
LogText "Result: found directory ${DIR}"
|
||||
LogText "Test: searching files in ${DIR}"
|
||||
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no files found in ${DIR}"
|
||||
else
|
||||
LogText "Result: found one or more files in ${I}. Analyzing files.."
|
||||
for J in ${FIND}; do
|
||||
if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${J}
|
||||
if [ ! -z "${sCRONJOBS}" ]; then
|
||||
LogText "Result: found one or more files in ${DIR}. Analyzing files.."
|
||||
for FILE in ${FIND}; do
|
||||
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${FILE}
|
||||
if HasData "${sCRONJOBS}"; then
|
||||
for K in ${sCRONJOBS}; do
|
||||
LogText "Result: Found cronjob (${J}): ${K}"
|
||||
Report "cronjob[]=${J}"
|
||||
LogText "Result: Found cronjob (${FILE}): ${K}"
|
||||
Report "cronjob[]=${FILE}"
|
||||
done
|
||||
fi
|
||||
done
|
||||
LogText "Result: done with analyzing files in ${I}"
|
||||
LogText "Result: done with analyzing files in ${DIR}"
|
||||
fi
|
||||
else
|
||||
LogText "Result: can not read file or directory ${I}"
|
||||
LogText "Result: can not read file or directory ${DIR}"
|
||||
fi
|
||||
else
|
||||
LogText "Result: directory ${I} does not exist"
|
||||
LogText "Result: directory ${DIR} does not exist"
|
||||
fi
|
||||
done
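Review bot: the loop variable rename in `for FILE in ${FIND}; do` is incomplete and breaks the report output: the `IsWorldWritable ${FILE}` and `IsOwnedByRoot ${FILE}` lines still log and report `${J}` (`Report "insecure_fileperms_cronjob[]=${J}"`, `Report "bad_fileowner_cronjob[]=${J}"`), and J is no longer assigned anywhere in this loop, so a world-writable or non-root-owned cron.d file is recorded with an empty filename. Replace the four remaining `${J}` references with `${FILE}`; `for K in ${sCRONJOBS}` could also follow the ITEM naming used elsewhere in this commit.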
|
||||
|
||||
|
@ -218,11 +219,11 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
AT_UNKNOWN=0
|
||||
case ${OS} in
|
||||
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
|
||||
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
|
||||
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
|
||||
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
|
||||
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
|
||||
FreeBSD) AT_ALLOW="${ROOTDIR}var/at/at.allow"; AT_DENY="${ROOTDIR}var/at/at.deny" ;;
|
||||
HPUX) AT_ALLOW="${ROOTDIR}usr/lib/cron/at.allow"; AT_DENY="${ROOTDIR}usr/lib/cron/at.deny" ;;
|
||||
Linux) AT_ALLOW="${ROOTDIR}etc/at.allow"; AT_DENY="${ROOTDIR}etc/at.deny" ;;
|
||||
OpenBSD) AT_ALLOW="${ROOTDIR}var/cron/at.allow"; AT_DENY="${ROOTDIR}var/cron/at.deny" ;;
|
||||
SunOS) AT_ALLOW="${ROOTDIR}etc/cron.d/at.allow"; AT_DENY="${ROOTDIR}etc/cron.d/at.deny" ;;
|
||||
*) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
|
||||
esac
|
||||
if [ ${AT_UNKNOWN} -eq 0 ]; then
|
||||
|
@ -232,14 +233,14 @@
|
|||
if [ ${CANREAD} -eq 1 ]; then
|
||||
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
|
||||
FIND=$(${SORTBINARY} ${AT_ALLOW})
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: File empty, no users are allowed to schedule at jobs"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Allowed at user: ${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Allowed at user: ${ITEM}"
|
||||
done
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: can not read ${AT_ALLOW} (no permission)"
|
||||
fi
|
||||
else
|
||||
|
@ -253,8 +254,8 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: file is empty, no users are denied access to schedule jobs"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Denied at user: ${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Denied at user: ${ITEM}"
|
||||
done
|
||||
fi
|
||||
else
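Review bot: `if [ -z "${FIND}" ]; then` at the top of this hunk is left in its old form while the equivalent at.allow check two hunks up became `if IsEmpty "${FIND}"; then`; convert it as well so the at.allow and at.deny branches read the same.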
|
||||
|
@ -281,10 +282,10 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check scheduled at jobs"
|
||||
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found one or more jobs"
|
||||
for I in ${FIND}; do
|
||||
VALUE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
for ITEM in ${FIND}; do
|
||||
VALUE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found at job: ${VALUE}"
|
||||
done
|
||||
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
|
|
@ -88,7 +88,7 @@
|
|||
else
|
||||
LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
|
||||
fi
|
||||
done
|
||||
done
|
||||
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
|
||||
else
|
||||
LogText "Result: /etc/shells not found, skipping test"
|
||||
|
@ -203,14 +203,14 @@
|
|||
LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skip /etc/profile.d directory test, directory not available on this system"
|
||||
fi
|
||||
|
||||
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
|
||||
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
|
||||
AddHP 1 3
|
||||
fi
|
||||
|
|
|
@ -201,63 +201,62 @@
|
|||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: checking ACLs"
|
||||
FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: No ACLs found"
|
||||
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found ACL: ${I}"
|
||||
#Report "squid_acl=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found ACL: ${ITEM}"
|
||||
#Report "squid_acl=${ITEM}" # TODO
|
||||
done
|
||||
LogText "Result: Found ${N} ACLs"
|
||||
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
|
||||
LogText "Result: Found ${COUNT} ACLs"
|
||||
Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : SQD-3624 [T]
|
||||
# Test : SQD-3624
|
||||
# Description : Check unsecure ports in Safe_ports list
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: checking ACL Safe_ports http_access option"
|
||||
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no Safe_ports found"
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
|
||||
else
|
||||
LogText "Result: checking ACL safe ports"
|
||||
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
|
||||
if [ -z "${FIND2}" ]; then
|
||||
if IsEmpty "${FIND2}"; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
|
||||
AddHP 0 1
|
||||
else
|
||||
LogText "Result: Safe_ports found"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found safe port: ${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found safe port: ${ITEM}"
|
||||
done
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 1 1
|
||||
fi
|
||||
#SQUID_DAEMON_UNSAFE_PORTS_LIST
|
||||
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
|
||||
LogText "Test: Checking port ${I} in Safe_ports list"
|
||||
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
|
||||
if [ -z "${FIND2}" ]; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
|
||||
|
||||
for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
|
||||
LogText "Test: Checking port ${ITEM} in Safe_ports list"
|
||||
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" ${SQUID_DAEMON_CONFIG})
|
||||
if IsEmpty "${FIND2}"; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
|
||||
AddHP 1 1
|
||||
else
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
|
||||
AddHP 0 1
|
||||
fi
|
||||
done
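Review bot: in SQD-3624 the `for ITEM in ${FIND}` loop under "Result: Safe_ports found" iterates the `http_access` lines held in FIND, not the port numbers extracted into FIND2 by `${AWKBINARY} '{ print $4 }'`, so "Found safe port: ..." logs fragments of http_access directives instead of ports; the loop should run over `${FIND2}`. The `N=0` at the start of SQD-3624 is dead (N is never incremented or read in that test, the live counter in SQD-3620 was renamed to COUNT), and `if [ "${FIND}" = "" ]` in SQD-3620 can become `IsEmpty "${FIND}"` like the other checks in this hunk.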
|
||||
|
@ -277,10 +276,9 @@
|
|||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: checking option reply_body_max_size"
|
||||
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: option reply_body_max_size not configured"
|
||||
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
|
||||
AddHP 1 2
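Review bot: `N=0` in SQD-3630 is an unused initialisation (nothing in the test increments or reads N); remove it rather than leaving it behind while N is renamed to COUNT elsewhere in this commit.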
|
||||
|
|
|
@ -250,30 +250,30 @@
|
|||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: Checking stratum 16 sources from ntpq peers list"
|
||||
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: All peers are lower than stratum 16"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Found stratum 16 peer: ${I}"
|
||||
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE})
|
||||
if [ -z "${FIND2}" ]; then
|
||||
N=$((N + 1))
|
||||
Report "ntp_stratum_16_peer[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found stratum 16 peer: ${ITEM}"
|
||||
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${ITEM}:" ${PROFILE})
|
||||
if IsEmpty "${FIND2}"; then
|
||||
COUNT=$((COUNT + 1))
|
||||
Report "ntp_stratum_16_peer[]=${ITEM}"
|
||||
else
|
||||
LogText "Output: host ${I} ignored by profile"
|
||||
LogText "Output: host ${ITEM} ignored by profile"
|
||||
fi
|
||||
done
|
||||
# Check if one or more high stratum time servers are found
|
||||
if [ ${N} -eq 0 ]; then
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
|
||||
else
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found one or more high stratum (16) peers)"
|
||||
LogText "Result: Found ${COUNT} high stratum (16) peers)"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
|
||||
fi
|
||||
fi
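Review bot: the new `LogText "Result: Found ${COUNT} high stratum (16) peers)"` keeps the stray closing parenthesis from the old message; drop the trailing `)`. Also `if [ -z "${FIND}" ]; then` right after the ntpq call is left in the old form while the `${FIND2}` check below it was converted to IsEmpty.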
|
||||
|
@ -457,7 +457,7 @@
|
|||
fi
|
||||
LogText "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
|
||||
LogText "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
|
||||
else
|
||||
else
|
||||
LogText "Result: test skipped because ${FILE} not found"
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -31,6 +31,8 @@
|
|||
FAIL2BAN_EMAIL=0
|
||||
FAIL2BAN_SILENT=0
|
||||
PERFORM_FAIL2BAN_TESTS=0
|
||||
SNORT_FOUND=0
|
||||
SNORT_RUNNING=0
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -160,7 +162,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Intrusion Prevention tools
|
||||
# Intrusion Detection and Prevention tools
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -285,7 +287,7 @@
|
|||
# if [ ! -z "${CHECK_CHAINS}" ]; then
|
||||
# LogText "Result: found at least one iptables chain for fail2ban"
|
||||
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
|
||||
# else
|
||||
# else
|
||||
# LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
|
||||
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
|
||||
# AddHP 0 3
|
||||
|
@ -299,6 +301,52 @@
|
|||
# fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : TOOL-5120
|
||||
# Description : Check for Snort
|
||||
Register --test-no TOOL-5120 --weight L --network NO --category security --description "Check for presence of Snort"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
||||
# Snort presence
|
||||
if [ -n "${SNORTBINARY}" ]; then
|
||||
SNORT_FOUND=1
|
||||
IDS_IPS_TOOL_FOUND=1
|
||||
LogText "Result: Snort is installed (${SNORTBINARY})"
|
||||
Report "ids_ips_tooling[]=snort"
|
||||
Display --indent 2 --text "- Checking presence of Snort" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
|
||||
IsRunning snort
|
||||
if [ ${SNORT_RUNNING} -eq 1 ]; then
|
||||
SNORT_FOUND=1
|
||||
SNORT_RUNNING=1
|
||||
SNORT_LOG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $4}' | ${HEADBINARY} -1)
|
||||
else
|
||||
LogText "Result: Snort not present (Snort not running)"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : TOOL-5122
|
||||
# Description : Check for Snort configuration
|
||||
Register --test-no TOOL-5122 --weight L --network NO --category security --description "Check Snort configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
||||
# Continue if tooling is available and snort is running
|
||||
if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then
|
||||
if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
|
||||
SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
|
||||
if HasData "${SNORT_CONFIG}"; then
|
||||
LogText "Result: found Snort configuration file: ${SNORT_CONFIG}"
|
||||
Report "snort_config=${SNORT_CONFIG}"
|
||||
fi
|
||||
SNORT=$(which snort 2> /dev/null)
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : TOOL-5190
|
||||
# Description : Check for an IDS/IPS tool
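Review bot: TOOL-5120 can never report Snort as running: SNORT_RUNNING is initialised to 0 in the earlier hunk and nothing between `IsRunning snort` and `if [ ${SNORT_RUNNING} -eq 1 ]` assigns it (the `SNORT_RUNNING=1` inside that branch is unreachable unless IsRunning itself writes this specific variable), so the else path logs "Snort not present (Snort not running)" even when the binary was found a few lines earlier. Capture IsRunning's result explicitly and set `SNORT_RUNNING=1` from it; only then can TOOL-5122's `if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]` ever be true. In TOOL-5122 the outer `if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]` is always true for the unquoted "0"/"1" values and adds nothing, `SNORT_LOG` and `SNORT=$(which snort 2> /dev/null)` are assigned but never used, and `${PSBINARY}` with no arguments lists only the current terminal's processes, so the `-F-..` parsing of the snort command line should run on a full listing (`${PSBINARY} aux`) as the other tests in this commit do.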
|
||||
|
|
|
@ -87,7 +87,7 @@
|
|||
else
|
||||
PREQS_MET="NO"
|
||||
fi
|
||||
else
|
||||
else
|
||||
PREQS_MET="NO"
|
||||
fi
|
||||
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
|
||||
|
@ -193,6 +193,9 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# TODO
|
||||
# Do you have Apache running and want to contribute? Help us testing this control and send in a pull request
|
||||
|
||||
# Test : HTTP-6630
|
||||
# Description : Search for all loaded modules
|
||||
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
|
@ -219,24 +222,24 @@
|
|||
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching available Apache modules"
|
||||
N=0
|
||||
for I in ${APACHE_MODULES_LOCS}; do
|
||||
DirectoryExists ${I}
|
||||
COUNT=0
|
||||
for DIR in ${APACHE_MODULES_LOCS}; do
|
||||
DirectoryExists ${DIR}
|
||||
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
|
||||
FIND=$(find ${I} -name "mod_*" -print | sort)
|
||||
for J in ${FIND}; do
|
||||
Report "apache_module[]=${J}"
|
||||
LogText "Result: found Apache module ${J}"
|
||||
N=$((N + 1))
|
||||
FIND=$(${FINDBINARY} ${DIR} -name "mod_*" -print | ${SORTBINARY})
|
||||
for ITEM in ${FIND}; do
|
||||
Report "apache_module[]=${ITEM}"
|
||||
LogText "Result: found Apache module ${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
fi
|
||||
done
|
||||
if [ ${N} -eq 0 ]; then
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
|
||||
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
|
||||
else
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
|
||||
Display --indent 8 --text "- Found ${N} loadable modules"
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND} (${COUNT})" --color GREEN
|
||||
Display --indent 8 --text "- Found ${COUNT} loadable modules"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -300,7 +303,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6660
|
||||
# Test : HTTP-6660 TODO
|
||||
# Description : Search for "TraceEnable off" in configuration files
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -311,7 +314,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching running nginx process"
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found running nginx process(es)"
|
||||
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
|
||||
NGINX_RUNNING=1
|
||||
|
@ -330,14 +333,14 @@
|
|||
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching nginx configuration file"
|
||||
for I in ${NGINX_CONF_LOCS}; do
|
||||
if [ -f ${I}/nginx.conf ]; then
|
||||
NGINX_CONF_LOCATION="${I}/nginx.conf"
|
||||
for DIR in ${NGINX_CONF_LOCS}; do
|
||||
if [ -f ${DIR}/nginx.conf ]; then
|
||||
NGINX_CONF_LOCATION="${DIR}/nginx.conf"
|
||||
LogText "Found file ${NGINX_CONF_LOCATION}"
|
||||
NGINX_CONF_FILES="${I}/nginx.conf"
|
||||
NGINX_CONF_FILES="${DIR}/nginx.conf"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "${NGINX_CONF_LOCATION}" ]; then
|
||||
if HasData "${NGINX_CONF_LOCATION}"; then
|
||||
LogText "Result: found nginx configuration file"
|
||||
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
|
||||
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
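Review bot: `NGINX_CONF_FILES="${DIR}/nginx.conf"` inside `for DIR in ${NGINX_CONF_LOCS}` assigns rather than appends, so when more than one location holds an nginx.conf only the last one survives in the list that the later `for FILE in ${NGINX_CONF_FILES}` parsing loop iterates; if that is intended a comment should say so, otherwise append (`NGINX_CONF_FILES="${NGINX_CONF_FILES} ${DIR}/nginx.conf"`).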
|
||||
|
@ -357,7 +360,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Remove temp file
|
||||
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||
N=0
|
||||
COUNT=0
|
||||
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
|
||||
# Search for included configuration files (may include directories and wild cards)
|
||||
FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
|
||||
|
@ -366,7 +369,7 @@
|
|||
for J in ${FIND2}; do
|
||||
# Ensure that we are parsing normal files
|
||||
if [ -f ${J} ]; then
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Result: found Nginx configuration file ${J}"
|
||||
Report "nginx_sub_conf_file[]=${J}"
|
||||
FileIsReadable ${J}
|
||||
|
@ -390,10 +393,10 @@
|
|||
# Remove unsorted file for next tests
|
||||
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
|
||||
|
||||
if [ ${N} -eq 0 ]; then
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
LogText "Result: no nginx include statements found"
|
||||
else
|
||||
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
|
||||
Display --indent 6 --text "- Found nginx includes" --result "${COUNT} FOUND" --color GREEN
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -407,14 +410,14 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: start parsing all discovered nginx options"
|
||||
Display --indent 4 --text "- Parsing configuration options"
|
||||
for I in ${NGINX_CONF_FILES}; do
|
||||
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
|
||||
for FILE in ${NGINX_CONF_FILES}; do
|
||||
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
|
||||
if [ ! "${FILENAME}" = "mime.types" ]; then
|
||||
if FileIsReadable ${I}; then
|
||||
Display --indent 8 --text "- ${I}"
|
||||
ParseNginx ${I}
|
||||
if FileIsReadable ${FILE}; then
|
||||
Display --indent 8 --text "- ${FILE}"
|
||||
ParseNginx ${FILE}
|
||||
else
|
||||
Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW
|
||||
Display --indent 8 --text "- ${FILE}" --result "SKIPPED (NOT READABLE)" --color YELLOW
|
||||
fi
|
||||
else
|
||||
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
|
||||
|
|
20
lynis
|
@ -34,7 +34,7 @@
|
|||
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
|
||||
|
||||
# Version details
|
||||
PROGRAM_RELEASE_DATE="2017-04-23"
|
||||
PROGRAM_RELEASE_DATE="2017-04-30"
|
||||
PROGRAM_RELEASE_TIMESTAMP=1490800090
|
||||
PROGRAM_RELEASE_TYPE="dev" # dev or final
|
||||
PROGRAM_VERSION="2.5.0"
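Review bot: PROGRAM_RELEASE_DATE moves from 2017-04-23 to 2017-04-30 but PROGRAM_RELEASE_TIMESTAMP stays at 1490800090, which is 2017-03-29 and predates both dates; update the timestamp together with the date so the two fields agree.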
|
||||
|
@ -416,7 +416,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
|
|||
|
||||
if [ ${WRONGOPTION} -eq 1 ]; then
|
||||
echo " ${RED}Error${NORMAL}: ${WHITE}Invalid option '${WRONGOPTION_value}'${NORMAL}"
|
||||
else
|
||||
else
|
||||
if [ ${VIEWHELP} -eq 0 ]; then
|
||||
echo " ${RED}No command provided.${WHITE} Exiting..${NORMAL}"
|
||||
echo ""
|
||||
|
@ -572,13 +572,13 @@ ${NORMAL}
|
|||
if [ -z "${PLUGINDIR}" ]; then
|
||||
#LogText "Result: Searching for plugindir"
|
||||
tPLUGIN_TARGETS="/usr/local/lynis/plugins /usr/local/share/lynis/plugins /usr/share/lynis/plugins /etc/lynis/plugins ./plugins"
|
||||
for I in ${tPLUGIN_TARGETS}; do
|
||||
if [ -d ${I} -a -z "${PLUGINDIR}" ]; then
|
||||
PLUGINDIR=${I}
|
||||
for DIR in ${tPLUGIN_TARGETS}; do
|
||||
if [ -d ${DIR} -a -z "${PLUGINDIR}" ]; then
|
||||
PLUGINDIR=${DIR}
|
||||
Debug "Result: found plugindir ${PLUGINDIR}"
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
Debug "Plugin was already set before to ${PLUGINDIR} (most likely via program argument or profile)"
|
||||
fi
|
||||
|
||||
|
@ -706,9 +706,9 @@ ${NORMAL}
|
|||
fi
|
||||
|
||||
# Test for older releases, without testing via update mechanism
|
||||
if [ "$OS" = "Solaris" ]; then
|
||||
if [ "${OS}" = "Solaris" ]; then
|
||||
NOW=$(nawk 'BEGIN{print srand()}')
|
||||
else
|
||||
else
|
||||
NOW=$(date "+%s")
|
||||
fi
|
||||
|
||||
|
@ -780,7 +780,7 @@ ${NORMAL}
|
|||
#################################################################################
|
||||
#
|
||||
# Check for systemd presence
|
||||
if [ -d /lib/systemd/system -a -f /usr/lib/systemd/systemd ]; then
|
||||
if [ -d ${ROOTDIR}lib/systemd/system -a -f ${ROOTDIR}usr/lib/systemd/systemd ]; then
|
||||
LogText "Result: systemd is using systemd"
|
||||
HAS_SYSTEMD=1
|
||||
Report "systemd=1"
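Review bot: the log line `LogText "Result: systemd is using systemd"` reads wrong; it should say that the system is using systemd. The condition also requires `${ROOTDIR}usr/lib/systemd/systemd` to exist alongside `${ROOTDIR}lib/systemd/system`; on distributions where the binary lives in /lib/systemd/systemd (Debian and Ubuntu before the /usr merge) the detection fails, so testing for either binary location would be more robust.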
|
||||
|
@ -796,7 +796,7 @@ ${NORMAL}
|
|||
Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
|
||||
if IsDebug; then
|
||||
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "NO" --color RED
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -62,7 +62,7 @@
|
|||
# Check if a directory exists
|
||||
if [ -d ${DIR} ]; then
|
||||
LogText "Result: log entry for easier debugging or additional information"
|
||||
else
|
||||
else
|
||||
FOUNDPROBLEM=1
|
||||
LogText "Result: directory ${DIR} was not found!"
|
||||
ReportWarning "${TEST_NO}" "This is a test warning line" "${DIR}" "text:Create directory ${DIR}"
|
||||
|
@ -70,7 +70,7 @@
|
|||
|
||||
if [ ${FOUNDPROBLEM} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED
|
||||
ReportSuggestion ${TEST_NO} "This is a suggestion"
|
||||
fi
|
||||
|
|
|
@ -6,12 +6,12 @@
|
|||
#-----------------------------------------------------
|
||||
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
|
||||
# PLUGIN_CATEGORY=authentication
|
||||
# PLUGIN_DATE=2017-03-01
|
||||
# PLUGIN_DATE=2017-04-30
|
||||
# PLUGIN_DESC=PAM
|
||||
# PLUGIN_NAME=pam
|
||||
# PLUGIN_PACKAGE=all
|
||||
# PLUGIN_REQUIRED_TESTS=
|
||||
# PLUGIN_VERSION=1.0.1
|
||||
# PLUGIN_VERSION=1.0.2
|
||||
#-----------------------------------------------------
|
||||
#########################################################################
|
||||
#
|
||||
|
@ -27,8 +27,8 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
for LINE in $(${GREPBINARY} -v "^#" ${FILE} | ${TRBINARY} -d " "); do
|
||||
for I in ${LINE}; do
|
||||
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
|
||||
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
|
||||
OPTION=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
|
||||
VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
|
||||
case ${OPTION} in
|
||||
minlen)
|
||||
DigitsOnly ${VALUE}
|
||||
|
@ -69,8 +69,7 @@
|
|||
if [ -d ${PAM_DIRECTORY} ]; then
|
||||
LogText "Result: /etc/pam.d exists"
|
||||
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
|
||||
# First check /etc/pam.conf if it exists.
|
||||
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
|
||||
|
||||
for PAM_FILE in ${FIND_FILES}; do
|
||||
LogText "Now checking PAM file ${PAM_FILE}"
|
||||
while read line; do
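Review bot: `FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)` keeps a bare `find` while this commit otherwise replaces direct binary names with their `${...BINARY}` variables (awk became `${AWKBINARY}` in the previous hunk); use `${FINDBINARY}` here too. The log text "Result: /etc/pam.d exists" also hardcodes the path that `${PAM_DIRECTORY}` is meant to abstract.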
|
||||
|
@ -370,7 +369,7 @@ Report "authentication_two_factor_required=${PAM_2F_AUTH_ENABLED}"
|
|||
if [ ! "${AUTH_UNLOCK_TIME}" = "-1" ]; then
|
||||
LogText "[PAM] Authentication unlock time: ${AUTH_UNLOCK_TIME}"
|
||||
Report "authentication_unlock_time=${AUTH_UNLOCK_TIME}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Authentication unlock time: not configured"
|
||||
fi
|
||||
|
||||
|
@ -383,7 +382,7 @@ fi
|
|||
if [ ! "${MIN_PASSWORD_LENGTH}" = "-1" ]; then
|
||||
LogText "[PAM] Minimum password length: ${MIN_PASSWORD_LENGTH}"
|
||||
Report "minimum_password_length=${MIN_PASSWORD_LENGTH}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Minimum password length: not configured"
|
||||
fi
|
||||
|
||||
|
@ -395,7 +394,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
|
|||
# Show how many password class are required out of 4
|
||||
LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}"
|
||||
Report "min_password_class=${MIN_PASSWORD_CLASS}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced"
|
||||
Report "min_password_class=ignored"
|
||||
fi
|
||||
|
@ -445,7 +444,7 @@ fi
|
|||
if [ ! -z "${MAX_PASSWORD_RETRY}" ]; then
|
||||
LogText "[PAM] Password maximum retry: ${MAX_PASSWORD_RETRY}"
|
||||
Report "max_password_retry=${MAX_PASSWORD_RETRY}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Password maximum retry: Not configured"
|
||||
fi
|
||||
|
||||
|
@ -460,7 +459,7 @@ if [ ${PAM_PASSWORD_PWHISTORY_ENABLED} -eq 1 ]; then
|
|||
LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}"
|
||||
LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
|
||||
Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Password history with pam_pwhistory IS NOT enabled"
|
||||
fi
|
||||
|
||||
|
@ -468,7 +467,7 @@ if [ ${PAM_PASSWORD_UXHISTORY_ENABLED} -eq 1 ]; then
|
|||
LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}"
|
||||
LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
|
||||
Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Password history with pam_unix IS NOT enabled"
|
||||
fi
|
||||
|
||||
|
|
|
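Review bot: both history branches write the same report key: this hunk emits `Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"` and the pam_pwhistory block directly above emits `Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"`. On a host where both pam_pwhistory and pam_unix `remember=` are configured, the report carries two `password_history_amount=` lines with possibly different values and a consumer cannot tell which module each belongs to. Suggest module-specific keys (for example `password_history_pwhistory_amount=` and `password_history_unix_amount=`), or keep one key and report only the stricter of the two values.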
@ -16,12 +16,12 @@
|
|||
#-----------------------------------------------------
|
||||
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
|
||||
# PLUGIN_CATEGORY=essentials
|
||||
# PLUGIN_DATE=2016-04-28
|
||||
# PLUGIN_DATE=2017-04-30
|
||||
# PLUGIN_DESC=Tests related to systemd tooling
|
||||
# PLUGIN_NAME=systemd
|
||||
# PLUGIN_PACKAGE=community
|
||||
# PLUGIN_REQUIRED_TESTS=
|
||||
# PLUGIN_VERSION=1.0.1
|
||||
# PLUGIN_VERSION=1.0.2
|
||||
#-----------------------------------------------------
|
||||
#
|
||||
#########################################################################
|
||||
|
@ -42,7 +42,7 @@
|
|||
FIND=$(${SYSTEMCTLBINARY} > /dev/null)
|
||||
if [ $? -gt 0 ]; then
|
||||
Report "systemctl_error_message=${FIND}"
|
||||
else
|
||||
else
|
||||
SYSTEMD_RUNNING=1
|
||||
fi
|
||||
Report "systemctl_exit_code=$?"
|
||||
|
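Review bot: `Report "systemctl_exit_code=$?"` after the `fi` does not report systemctl's exit code. By that point `$?` is the status of the last command executed inside the if/else (the `SYSTEMD_RUNNING=1` assignment or the `Report` call), so the reported value is effectively always 0. Capture the status once, immediately after the substitution, e.g. `FIND=$(${SYSTEMCTLBINARY} 2>&1 > /dev/null); EXITCODE=$?`, and use `${EXITCODE}` in both the `-gt 0` test and the report. The same line shows why `systemctl_error_message=${FIND}` is always empty: `FIND=$(${SYSTEMCTLBINARY} > /dev/null)` discards stdout and leaves stderr on the terminal, so nothing is ever captured; the `2>&1 > /dev/null` ordering above captures only the error text.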
@ -63,7 +63,7 @@
|
|||
Report "systemd_version=${FIND}"
|
||||
LogText "Result: found systemd version ${FIND}"
|
||||
fi
|
||||
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
|
||||
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
Report "systemd_builtin_components=${FIND}"
|
||||
LogText "Result: found builtin components list"
|
||||
|
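Review bot: the added line in this hunk replaces `FIND=$(...)` with the backtick form (the second of each pair is the new line, as the PLUGIN_DATE bump in the header hunk shows), yet PLGN-3810 later in the same commit keeps `FIND=$(${FINDBINARY} ...)`, so the file ends up mixing both styles. `$(...)` is POSIX, nests cleanly and is easier to read inside a long pipeline; if backticks are wanted for consistency with the rest of the code base, PLGN-3810 needs the same change, otherwise this hunk (and the three like it below) should be dropped.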
@ -77,7 +77,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
|
||||
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found systemd unit files via systemctl list-unit-files"
|
||||
for I in ${FIND}; do
|
||||
|
@ -94,7 +94,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
|
||||
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found systemd unit files via systemctl list-unit-files"
|
||||
for I in ${FIND}; do
|
||||
|
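Review bot: the success-path LogText, `Result: found systemd unit files via systemctl list-unit-files`, is copied from PLGN-3804 and does not describe this test, which queries `--state=failed`; suggest `Result: found one or more failed systemd units`. The awk condition `$4=="failed" && $5=="failed"` with `print $2` relies on a leading marker column before the unit name (systemctl prints one for failed units), which is worth a one-line comment since the other awk pipelines in this file count columns differently.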
@ -125,11 +125,11 @@
|
|||
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
Report "systemd_binaries=${FIND}"
|
||||
LogText "Result: found systemd binaries in /usr/lib/systemd"
|
||||
else
|
||||
else
|
||||
LogText "Result: no binaries found in /usr/lib/systemd"
|
||||
fi
|
||||
fi
|
||||
|
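Review bot: the `${ROOTDIR}` change is only half applied in this hunk: the `find` now walks `${ROOTDIR}usr/lib/systemd`, but the prerequisite check on the first line still tests `-d /usr/lib/systemd` and both LogText lines still name `/usr/lib/systemd`. With a non-default ROOTDIR the test is skipped or run based on the wrong directory and the log describes the wrong path; use `${ROOTDIR}usr/lib/systemd` in all three places. Note that this concatenation also requires ROOTDIR to carry a trailing slash.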
@ -160,7 +160,7 @@
|
|||
if [ ! "${FIND}" = "" ]; then
|
||||
Report "journal_contains_errors=1"
|
||||
for I in ${FIND}; do
|
||||
LINE=$(echo ${I} | sed 's/:space:/ /g')
|
||||
LINE=`echo ${I} | sed 's/:space:/ /g'`
|
||||
LogText "Output (fails): ${LINE}"
|
||||
done
|
||||
else
|
||||
|
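Review bot: `sed 's/:space:/ /g'` replaces the literal token `:space:`, not whitespace. If the collection step above (not in this hunk) substitutes `:space:` for spaces so the lines survive the `for I in ${FIND}` word splitting, a short comment saying so would save the next reader from "fixing" it; if `[[:space:]]` was intended, the expression currently does nothing.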
@ -176,7 +176,7 @@
|
|||
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
|
||||
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
|
||||
Report "journal_disk_size=${FIND}"
|
||||
LogText "Result: journals are ${FIND} in size"
|
||||
fi
|
||||
|
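Review bot: the PLGN-3816 description, `Query journal for boot related information`, does not match what the test does, which is read `journalctl --disk-usage` and report `journal_disk_size`; update the description (or the test). On the same `FIND=` line, `awk` is called bare while neighbouring tests use `${AWKBINARY}` and gate on it in PREQS_MET, and `journalctl` runs without `2> /dev/null`, so a permission error from an unprivileged run lands on the screen instead of being swallowed like the other calls in this file.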
@ -188,7 +188,7 @@
|
|||
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
|
||||
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
|
||||
Report "journal_meta_data=${FIND}"
|
||||
fi
|
||||
#
|
||||
|
@ -228,7 +228,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
|
||||
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
for I in ${FIND}; do
|
||||
Report "systemd_unit_not_found[]=${I}"
|
||||
|
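Review bot: the `FIND=` line calls bare `awk` while the PREQS_MET check on the first line only verifies `${SYSTEMCTLBINARY}`; PLGN-3834 directly below does it the other way round (`! "${AWKBINARY}" = ""` in the prerequisites and `${AWKBINARY}` in the pipeline). Use `${AWKBINARY}` here and add it to the prerequisite test so the two not-found tests behave the same when awk is missing.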
@ -243,7 +243,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
|
||||
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found one or more services with faulty state"
|
||||
for I in ${FIND}; do
|
||||
|
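Review bot: this test and PLGN-3832 disagree on the column layout of `systemctl` output for not-found units: here awk prints `$2` (assuming a marker column precedes the unit name, with LOAD in `$3`), while PLGN-3832 prints `$1` under `--state=not-found`. Only one can be right for a given systemd version; check the actual output once and align both. This `FIND=` line also omits `--no-legend` and `2> /dev/null`, which the other systemctl calls in this file pass, so the legend/footer lines and any error text are fed through awk.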
@ -261,7 +261,7 @@
|
|||
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
SYSTEMD_COREDUMP_USED=1
|
||||
FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
|
||||
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: systemd uses systemd-coredump to handle coredumps"
|
||||
Report "systemd_coredump_used=1"
|
||||
|
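Review bot: `SYSTEMD_COREDUMP_USED=1` is set unconditionally before the `core_pattern` check, so unless the else branch (not in this hunk) resets it to 0, the variable claims systemd-coredump is in use even when `grep systemd-coredump` matched nothing. Initialize it to 0 and set it to 1 only inside the `if [ ! "${FIND}" = "" ]` branch, next to `Report "systemd_coredump_used=1"`. The `cat ... | grep` can also be written as `grep systemd-coredump /proc/sys/kernel/core_pattern`.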
@ -285,7 +285,7 @@
|
|||
if [ ! "${FIND}" = "" ]; then
|
||||
Report "journal_coredumps_lastday=1"
|
||||
LogText "Result: found recent coredumps"
|
||||
else
|
||||
else
|
||||
Report "journal_coredumps_lastday=0"
|
||||
LogText "Result: found no coredumps"
|
||||
fi
|
||||
|
|