[bulk change] cleaning up, code enhancements, initialization of variables, and new tests

Michael Boelen 2017-04-30 17:59:35 +02:00
parent 5ccd0912cf
commit 4ecb9d4d05
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
38 changed files with 1066 additions and 1043 deletions

View File

@ -10,17 +10,28 @@ Lynis 2.5.0 (2017-05-03) - Not released yet
This release is a maintenance release with focus on cleaning up the code for
readability and future expansion. It includes:
* Setting ROOTDIR variable instead of fixed paths
* Use ROOTDIR variable instead of fixed paths
* Introduction of IsEmpty and HasData functions for readability of code
* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
* Deleted unused tests from database file
* Correct levels of identation
During the maintenance cycle, the project got informed about a flaw that could
be possibly abused. This release is therefore highly recommended. See details on
[CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)
Changes:
--------
* Support for older mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries
Tests:
------
* MALW-3280 - Extended test with Symantec components
* PKGS-7332 - Detection of macOS ports tool and installed packages
* TOOL-5120 - Snort detection
* TOOL-5122 - Snort configuration file
---------------------------------------------------------------------------------
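Review bot: typo in the maintenance list, "Correct levels of identation" should read "indentation". The Tests section is also out of sync with the test database changes in this same commit: PKGS-7334 (detection of available updates for macOS ports) is added to the database but only PKGS-7332 is listed here; add a "PKGS-7334 - Detection of available updates for macOS ports" line next to PKGS-7332.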

View File

@ -46,8 +46,6 @@ AUTH-9402:test:security:authentication::Query LDAP authentication support:
AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
#BANN-7119:test:security:banners::Check MOTD banner file:
#BANN-7122:test:security:banners::Check /etc/motd banner file contents:
BANN-7124:test:security:banners::Check issue banner file:
BANN-7126:test:security:banners::Check issue banner file contents:
BANN-7128:test:security:banners::Check issue.net banner file:
@ -63,7 +61,6 @@ BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader pres
BOOT-5126:test:security:boot_services:NetBSD:Check for NetBSD boot loader presence:
BOOT-5139:test:security:boot_services::Check for LILO boot loader presence:
BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
#BOOT-5144:test:security:boot_services::Check SPARC Improved boot loader (SILO):
BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file:
BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence:
BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services:
@ -73,7 +70,6 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
#CONT-1906:test:security:containers::Query Xen guests:
CONT-8102:test:security:containers::Checking Docker status and information:
CONT-8104:test:security:containers::Checking Docker info for any warnings:
CONT-8106:test:security:containers::Gather basic stats from Docker:
@ -81,14 +77,11 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
CONT-8108:test:security:containers::Check file permissions for Docker files:
CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
DBS-1804:test:security:databases::Checking active MySQL process:
#DBS-1808:test:security:databases::Checking MySQL data directory:
#DBS-1812:test:security:databases::Checking MySQL data directory permissions:
DBS-1816:test:security:databases::Checking MySQL root password:
DBS-1818:test:security:databases::MongoDB status:
DBS-1820:test:security:databases::Check MongoDB authentication:
DBS-1826:test:security:databases::Checking active PostgreSQL processes:
DBS-1840:test:security:databases::Checking active Oracle processes:
#DBS-1842:test:security:databases::Checking Oracle home paths:
DBS-1860:test:security:databases::Checking active DB2 instances:
DBS-1880:test:security:databases::Checking active Redis processes:
DBS-1882:test:security:databases::Redis configuration file:
@ -112,7 +105,6 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
FILE-6310:test:security:filesystems::Checking /tmp, /home and /var directory:
FILE-6311:test:security:filesystems::Checking LVM volume groups:
FILE-6312:test:security:filesystems::Checking LVM volumes:
#FILE-6316:test:security:filesystems:Linux:Checking /etc/fstab:
FILE-6323:test:security:filesystems:Linux:Checking EXT file systems:
FILE-6329:test:security:filesystems::Checking FFS/UFS file systems:
FILE-6330:test:security:filesystems:FreeBSD:Checking ZFS file systems:
@ -145,7 +137,6 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
FIRE-4590:test:security:firewalls::Check firewall status:
HOME-9302:test:security:homedirs::Create list with home directories:
HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
#HOME-9314:test:security:homedirs::Create list with home directories:
HOME-9350:test:security:homedirs::Collecting information from home directories:
HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
HRDN-7222:test:security:hardening::Check compiler permissions:
@ -153,12 +144,9 @@ HRDN-7230:test:security:hardening::Check for malware scanner:
HTTP-6622:test:security:webservers::Checking Apache presence:
HTTP-6624:test:security:webservers::Testing main Apache configuration file:
HTTP-6626:test:security:webservers::Testing other Apache configuration file:
#HTTP-6628:test:security:webservers::Testing other Apache configuration file:
#HTTP-6630:test:security:webservers::Determining all loaded Apache modules:
HTTP-6632:test:security:webservers::Determining all available Apache modules:
HTTP-6640:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6641:test:security:webservers::Determining existence of specific Apache modules:
#HTTP-6642:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6643:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6702:test:security:webservers::Check nginx process:
HTTP-6704:test:security:webservers::Check nginx configuration file:
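Review bot: HTTP-6640, HTTP-6641 and HTTP-6643 all carry the identical description "Determining existence of specific Apache modules", so anyone reading a report or this database cannot tell the three tests apart; since the commented HTTP-6642 line between them is being removed anyway, this is a good moment to name which module each one checks.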
@ -168,8 +156,6 @@ HTTP-6710:test:security:webservers::Check nginx SSL configuration settings:
HTTP-6712:test:security:webservers::Check nginx access logging:
HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
HTTP-6720:test:security:webservers::Check Nginx log files:
INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
@ -187,7 +173,6 @@ KRNL-5745:test:security:kernel:FreeBSD:Checking FreeBSD loaded kernel modules:
KRNL-5770:test:security:kernel:Solaris:Checking active kernel modules:
KRNL-5788:test:security:kernel:Linux:Checking availability new Linux kernel:
KRNL-5820:test:security:kernel:Linux:Checking core dumps configuration:
#KRNL-5826:test:security:kernel:Linux:Checking core dumps configuration:
KRNL-5830:test:security:kernel:Linux:Checking if system is running on the latest installed kernel:
KRNL-6000:test:security:kernel_hardening::Check sysctl key pairs in scan profile:
LDAP-2219:test:security:ldap::Check running OpenLDAP instance:
@ -252,14 +237,9 @@ NAME-4036:test:security:nameservices::Check Unbound configuration file:
NAME-4202:test:security:nameservices::Check BIND status:
NAME-4204:test:security:nameservices::Search BIND configuration file:
NAME-4206:test:security:nameservices::Check BIND configuration consistency:
#NAME-4050:test:security:nameservices::Check nscd status:
NAME-4210:test:security:nameservices::Check DNS banner:
#NAME-4212:test:security:nameservices::Check version setting in configuration:
#NAME-4220:test:security:nameservices::Check zone transfer:
#NAME-4222:test:security:nameservices::Check zone transfer:
NAME-4230:test:security:nameservices::Check PowerDNS status:
NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
#NAME-4234:test:security:nameservices::Check PowerDNS configuration consistency:
NAME-4236:test:security:nameservices::Check PowerDNS backends:
NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
NAME-4304:test:security:nameservices::Check NIS ypbind status:
@ -301,6 +281,8 @@ PKGS-7320:test:security:ports_packages:Linux:Check presence of arch-audit for Ar
PKGS-7322:test:security:ports_packages:Linux:Discover vulnerable packages on Arch Linux:
PKGS-7328:test:security:ports_packages::Querying Zypper for installed packages:
PKGS-7330:test:security:ports_packages::Querying Zypper for vulnerable packages:
PKGS-7332:test:security:ports_packages::Detection of macOS ports and packages:
PKGS-7334:test:security:ports_packages::Detection of available updates for macOS ports:
PKGS-7345:test:security:ports_packages::Querying dpkg:
PKGS-7346:test:security:ports_packages::Search unpurged packages on system:
PKGS-7348:test:security:ports_packages:FreeBSD:Check for old distfiles:
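Review bot: the description for PKGS-7332 here ("Detection of macOS ports and packages") does not match the changelog entry for the same test ("Detection of macOS ports tool and installed packages"); use one wording in both places so a reader searching for the test finds the same description.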
@ -330,7 +312,6 @@ PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
PRNT-2307:test:security:printers_spools::Check CUPSd configuration file permissions:
PRNT-2308:test:security:printers_spools::Check CUPSd network configuration:
PRNT-2314:test:security:printers_spools::Check lpd status:
#PRNT-23xx:test::printers_spools:Check cupsd address configuration:security:
PRNT-2316:test:security:printers_spools:AIX:Checking /etc/qconfig file:
PRNT-2418:test:security:printers_spools:AIX:Checking qdaemon printer spooler status:
PRNT-2420:test:security:printers_spools:AIX:Checking old print jobs:
@ -348,8 +329,6 @@ SHLL-6290:test:security:shells::Perform Shellshock vulnerability tests:
SNMP-3302:test:security:snmp::Check for running SNMP daemon:
SNMP-3304:test:security:snmp::Check SNMP daemon file location:
SNMP-3306:test:security:snmp::Check SNMP communities:
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
SQD-3602:test:security:squid::Check for running Squid daemon:
SQD-3604:test:security:squid::Check Squid daemon file location:
SQD-3606:test:security:squid::Check Squid version:
@ -372,7 +351,6 @@ STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
STRG-1904:test:security:storage_nfs::Check nfs rpc:
STRG-1906:test:security:storage_nfs::Check nfs rpc:
STRG-1920:test:security:storage_nfs::Checking NFS daemon:
#STRG-1924:test:security:storage_nfs::Checking NFS daemon:
STRG-1926:test:security:storage_nfs::Checking NFS exports:
STRG-1928:test:security:storage_nfs::Checking empty /etc/exports:
STRG-1930:test:security:storage_nfs::Check client access to nfs share:
@ -385,13 +363,13 @@ TIME-3124:test:security:time::Check selected time source:
TIME-3128:test:security:time::Check preffered time source:
TIME-3132:test:security:time::Check NTP falsetickers:
TIME-3136:test:security:time:Linux:Check NTP protocol version:
#TIME-3146:test:security:time:Linux:Check /etc/default/ntpdate:
TIME-3148:test:performance:time:Linux:Check TZ variable:
TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
TIME-3170:test:security:time::Check configuration files:
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
#VIRT-1920:test::virtualization:Checking VMware guest status:security:
# EOF
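Review bot: the TIME-3128 context line in this hunk still reads "Check preffered time source"; this column is the human-readable description of the test, so correct it to "preferred" while this region is being edited.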

View File

@ -38,7 +38,7 @@
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no CORE-1000 --weight L --network NO --description "Check all system binaries"
BINARY_PATHS_FOUND=""; N=0
BINARY_PATHS_FOUND=""; COUNT=0
Display --indent 2 --text "- Checking system binaries..."
LogText "Status: Starting binary scan..."
for SCANDIR in ${BIN_PATHS}; do
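Review bot: COUNT is a very generic name for a global in a script where every test shares one shell namespace; the old N had the same problem, so the rename is an improvement, but a test-specific name such as BINARY_COUNT (hypothetical) would keep another test from silently reusing or resetting it. Also, BINARY_PATHS_FOUND is reset to "" here while DISCOVERED_BINARIES, which the loop below appends to, is not reset in this hunk, so a second run of CORE-1000 in the same process would accumulate duplicate entries.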
@ -55,10 +55,10 @@
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
ORGPATH="${SCANDIR}"
SCANDIR="${sFILE}"
else
else
SKIPDIR=1; LogText "Result: Symlink variable empty, or directory to symlink is non-existing"
fi
else
else
SKIPDIR=1; LogText "Result: Could not find the location of this symlink, or is not a directory"
fi
fi
@ -73,12 +73,12 @@
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=$(ls ${SCANDIR})
for I in ${FIND}; do
N=$((N + 1))
BINARY="${SCANDIR}/${I}"
for FILENAME in ${FIND}; do
COUNT=$((COUNT + 1))
BINARY="${SCANDIR}/${FILENAME}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
# Optimized, much quicker (limited file access needed)
case ${I} in
case ${FILENAME} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
afick.pl) AFICKFOUND=1; AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEFOUND=1; AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
@ -205,9 +205,9 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
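Review bot: the LogText messages for python, python2 and python3 start with "Found known binary:" without the leading space that every other entry in this case statement uses (" Found known binary: ..."), so the log lines for these three are misaligned with the rest; add the space for consistency while these lines are being touched for the FILENAME rename.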
@ -217,7 +217,7 @@
salt-master) SALTMASTERFOUND=1; SALTMASTERBINARY="${BINARY}"; LogText " Found known binary: salt-master (SaltStack master) - ${BINARY}" ;;
salt-minion) SALTMINIONFOUND=1; SALTMINIONBINARY="${BINARY}"; LogText " Found known binary: salt-minion (SaltStack client) - ${BINARY}" ;;
samhain) SAMHAINFOUND=1; SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
service) SERVICEFOUND=1; SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
service) SERVICEFOUND=1; SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
sed) SEDBINARY="${BINARY}"
LogText " Found known binary: sed (text stream editor) - ${BINARY}"
;;
@ -226,8 +226,9 @@
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
snort) SNORTBINARY="${BINARY}"; LogText " Found known binary: snort (IDS) - ${BINARY}" ;;
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
ss) SSFOUND=1; SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;;
sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=$(${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'); LogText "Found ${BINARY} (version ${SSHDVERSION})" ;;
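Review bot: the new `snort)` entry sets SNORTBINARY but no SNORTFOUND flag, whereas the neighbouring showmount, sockstat and squid entries set both; that matches the sed/sort/smtpctl style of looking a tool up by its binary path only, and is fine as long as the new TOOL-5120 test checks SNORTBINARY with HasData rather than a FOUND flag. Worth a short comment, because the mixed convention in this case statement makes it easy to test a flag that is never set.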
@ -263,22 +264,21 @@
zypper) ZYPPERFOUND=1; ZYPPERBINARY="${BINARY}"; LogText " Found known binary: zypper (package manager) - ${BINARY}" ;;
esac
done
else
else
LogText "Result: Directory ${SCANDIR} skipped"
if [ ! "${ORGPATH}" = "" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
fi
else
else
LogText "Result: Directory ${SCANDIR} does NOT exist"
fi
done
BINARY_SCAN_FINISHED=1
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
LogText "Result: found ${COUNT} binaries"
Report "binaries_count=${COUNT}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1
LogText "Result: found ${N} binaries"
Report "binaries_count=${N}"
else
else
LogText "Result: checking of binaries skipped in this mode"
fi
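Review bot: `BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')` deletes every space in the string, so any BIN_PATHS entry containing a space is reported mangled; strip the leading ", " and then replace ", " with "," (`sed 's/, /,/g'`) to keep the paths intact. Not introduced by this change, but it is the line being moved around in this hunk.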

View File

@ -59,6 +59,7 @@ unset LANG
AUDITD_RUNNING=0
APPLICATION_FIREWALL_ACTIVE=0
BINARY_SCAN_FINISHED=0
BLKIDBINARY=""
CAT_BINARY=""
CFAGENTBINARY=""
CHECK=0
@ -98,12 +99,14 @@ unset LANG
DOCKER_DAEMON_RUNNING=0
ECHOCMD=""
ERROR_ON_WARNINGS=0
FAIL2BANBINARY=""
FILEBINARY=""
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
FOUNDPATH=0
GETENT_BINARY=""
GRADMBINARY=""
GREPBINARY="grep"
GROUP_NAME=""
GRPCKBINARY=""
@ -239,6 +242,7 @@ unset LANG
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
SMTPCTLBINARY=""
SNORTBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SSL_CERTIFICATE_PATHS=""

View File

@ -38,7 +38,7 @@
# Additional options to curl
if [ "${UPLOAD_OPTIONS}" = "" ]; then
CURL_OPTIONS=""
else
else
CURL_OPTIONS=" ${UPLOAD_OPTIONS}"
fi
@ -62,7 +62,7 @@
# Check if we can find curl
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
# Restrict access to this binary to the user who is running this script.
if [ "${CURLBINARY}" = "" ]; then
if IsEmpty "${CURLBINARY}"; then
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
LogText "Error: Could not find cURL binary"
exit 1
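Review bot: the missing-curl branch ends with a bare `exit 1`, while the other fatal paths in this file go through ExitFatal (the license-key and report-file checks below); use ExitFatal here as well so that any cleanup it performs is not skipped. The message also has a stray double period ("Quitting.."). The switch to `IsEmpty "${CURLBINARY}"` is equivalent to the old test because the argument is quoted.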
@ -73,7 +73,7 @@
echo "Fatal: no license key found. Quitting.."
LogText "Error: no license key was specified in the profile (${PROFILE})"
ExitFatal
else
else
Output "License key = ${LICENSE_KEY}"
fi
@ -189,7 +189,7 @@
if [ "${UPLOAD_CODE}" = "100" ]; then
Output "${WHITE}License is valid${NORMAL}"
LogText "Result: license is valid"
else
else
LogText "Result: error while checking license"
LogText "Output: ${UPLOAD_CODE}"
echo "${RED}Fatal error: ${WHITE}Error while checking the license.${NORMAL}"
@ -237,16 +237,16 @@
echo ""
# Quit
ExitClean
else
else
Display --indent 2 --text "Data upload status" --result OK --color GREEN
fi
else
else
echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file."
echo "Suggested command: lynis show hostids"
# Quit
ExitFatal
fi
else
else
Output "${YELLOW}No report file found to upload.${NORMAL}"
ExitFatal
fi

View File

@ -124,7 +124,7 @@
HPTOTAL=$((HPTOTAL + HPADDMAX))
if [ ${HPADD} -eq ${HPADDMAX} ]; then
LogText "Hardening: assigned maximum number of hardening points for this item (${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})"
else
else
LogText "Hardening: assigned partial number of hardening points (${HPADD} of ${HPADDMAX}). Currently having ${HPPOINTS} points (out of ${HPTOTAL})"
fi
}
@ -151,7 +151,7 @@
FIND=$(egrep "^${SETTING};" ${SETTINGS_FILE})
if [ -z "${FIND}" ]; then
echo "${SETTING};${VALUE};${DESCRIPTION};" >> ${SETTINGS_FILE}
else
else
Debug "Setting '${SETTING}' was already configured, overwriting previous line '${FIND}' in ${SETTINGS_FILE} with value '${VALUE}'"
# Delete line first, then add new value (inline search and replace is messy)
CreateTempFile
@ -194,12 +194,12 @@
CHECKFILE=$1
if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then
PERMS="FILE_NOT_FOUND"
else
else
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=$(ls -d -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
else
else
FILEVALUE=$(ls -l ${CHECKFILE} | cut -c 2-10)
PROFILEVALUE=$(grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3)
fi
@ -218,33 +218,32 @@
################################################################################
CheckItem() {
ITEM_FOUND=0
RETVAL=255
if [ $# -eq 2 ]; then
# Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
RETVAL=0
LogText "Result: found search string (result: $FIND)"
else
LogText "Result: search string NOT found"
RETVAL=1
fi
else
LogText "Skipping search, as /dev/null is being used"
fi
return ${RETVAL}
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
fi
ITEM_FOUND=0
RETVAL=255
if [ $# -eq 2 ]; then
# Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if HasData "${FIND}"; then
ITEM_FOUND=1
RETVAL=0
LogText "Result: found search string (result: $FIND)"
else
LogText "Result: search string NOT found"
RETVAL=1
fi
else
LogText "Skipping search, as /dev/null is being used"
fi
return ${RETVAL}
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
fi
}
################################################################################
# Name : CheckUpdates()
# Description : Determine if there is an update available
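Review bot: RETVAL=255 is set at the top of CheckItem, but `return ${RETVAL}` sits inside the `$# -eq 2` branch, so when the function is called with the wrong number of arguments it returns the exit status of ReportException rather than 255; move `return ${RETVAL}` after the outer `fi`. Callers written as `if CheckItem ...; then` would otherwise treat a programming error as a match or a miss depending on what ReportException happens to return. Also, `$2` goes straight to egrep as a pattern; that is fine for the fixed strings tests pass, but a one-line comment saying the argument is a regex would prevent surprises.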
@ -344,12 +343,12 @@
RANDOMSTRING1=$(echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}'))
TEMP_FILE="/tmp/${RANDOMSTRING1}"
touch ${TEMP_FILE}
else
else
TEMP_FILE=$(mktemp /tmp/lynis.XXXXXXXXXX) || exit 1
fi
if [ ! "${TEMP_FILE}" = "" ]; then
LogText "Action: created temporary file ${TEMP_FILE}"
else
else
Fatal "Could not create a temporary file"
fi
# Add temporary file to queue for cleanup later
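Review bot: only the `else` is re-indented here, but the fallback branch still does `TEMP_FILE="/tmp/${RANDOMSTRING1}"` followed by `touch ${TEMP_FILE}`: touch follows a pre-existing symlink at that path, and the name is derived from only four bytes of /dev/random, so this branch has none of the protection the mktemp branch below it gives. Prefer failing hard when mktemp is unavailable, or create the file with noclobber (`set -C` and `> "${TEMP_FILE}"`) so that an existing entry at that path makes the creation fail instead of being reused. Minor: in the awk program `'NR==1 {print $2} {}'` the trailing `{}` is a no-op and can go.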
@ -367,13 +366,14 @@
# Determine if a directory exists
DirectoryExists() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling DirectoryExists function"; fi
DIRECTORY_FOUND=0
LogText "Test: checking if directory $1 exists"
if [ -d $1 ]; then
LogText "Result: directory $1 exists"
DIRECTORY_FOUND=1
return 0
else
else
LogText "Result: directory $1 NOT found"
return 1
fi
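Review bot: `[ -d $1 ]` leaves the argument unquoted, so a directory path containing whitespace breaks the test and the `$# -eq 0` guard does not catch it; quote it as `[ -d "$1" ]` (and in the LogText lines). The new DIRECTORY_FOUND global duplicates the return status that the function already provides; if it is kept for callers that do not use `if DirectoryExists ...`, say so in the function header so the two do not drift apart.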
@ -434,7 +434,7 @@
Debug "Already discovered default.prf - skipping this file (${PLOC}/${PNAME})"
elif [ "${PNAME}" = "custom.prf" -a ! "${CUSTOM_PROFILE}" = "" ]; then
Debug "Already discovered custom.prf - skipping this file (${PLOC}/${PNAME})"
else
else
if [ "${PLOC}" = "." ]; then FILE="${WORKDIR}/${PNAME}"; else FILE="${PLOC}/${PNAME}"; fi
if [ -r ${FILE} ]; then
PROFILES="${PROFILES} ${FILE}"
@ -460,7 +460,7 @@
echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}"
echo "Search paths used --> ${tPROFILE_TARGETS}"
ExitCustom 66
else
else
PROFILES=$(echo ${PROFILES} | sed 's/^ //')
fi
}
@ -513,10 +513,10 @@
if [ "${RESULT}" = "" ]; then
RESULTPART=""
else
else
if [ ${CRONJOB} -eq 0 ]; then
RESULTPART=" [ ${COLOR}${RESULT}${NORMAL} ]"
else
else
RESULTPART=" [ ${RESULT} ]"
fi
fi
@ -540,7 +540,7 @@
# Check if we already have already discovered a proper echo command tool. It not, set it default to 'echo'.
if [ "${ECHOCMD}" = "" ]; then ECHOCMD="echo"; fi
${ECHOCMD} "\033[${INDENT}C${TEXT}\033[${SPACES}C${RESULTPART}${DEBUGTEXT}"
else
else
echo "${TEXT}${RESULTPART}"
fi
fi
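Review bot: the comment above the ECHOCMD fallback reads "Check if we already have already discovered a proper echo command tool. It not, set it default to 'echo'."; drop the duplicated "already" and change "It not" to "If not" while this block is being re-indented.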
@ -637,7 +637,7 @@
if [ $# -eq 1 ]; then
LogText "${PROGRAM_NAME} ended with exit code $1."
exit $1
else
else
LogText "${PROGRAM_NAME} ended with exit code 1."
exit 1
fi
@ -674,13 +674,14 @@
################################################################################
FileExists() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileExists function"; fi
FILE_FOUND=0
LogText "Test: checking if file $1 exists"
if [ -f $1 ]; then
LogText "Result: file $1 exists"
FILE_FOUND=1
return 0
else
else
LogText "Result: file $1 NOT found"
return 1
fi
@ -718,17 +719,18 @@
#
# Returns : 0 (empty), 1 (not empty)
# EMPTY (0 or 1) - deprecated usage
# Usage : xyz
# Usage : if FileIsEmpty /etc/passwd; then
################################################################################
FileIsEmpty() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileIsEmpty function"; fi
EMPTY=0
LogText "Test: checking if file $1 is empty"
if [ -z $1 ]; then
LogText "Result: file $1 is empty"
EMPTY=1
return 0
else
else
LogText "Result: file $1 is NOT empty"
return 1
fi
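Review bot: the usage line is fixed, but the test itself is wrong: `[ -z $1 ]` checks whether the argument string is empty, not whether the file is empty, so `FileIsEmpty /etc/passwd` logs "is NOT empty" regardless of the file's size, and an empty argument is reported as an empty file. Use `[ ! -s "$1" ]` (file missing or zero length) and keep the documented return codes, 0 for empty and 1 for not empty.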
@ -851,117 +853,117 @@
else
ReportException "GetHostID" "No sha1, sha1sum, csum or openssl binary available on AIX"
fi
else
else
ReportException "GetHostID" "No output from entstat on interfaces: en0, ent0"
fi
;;
"DragonFly" | "FreeBSD")
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
fi
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
fi
;;
"Linux")
# Define preferred interfaces
#PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
# Define preferred interfaces
#PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
# Only use ifconfig if no ip binary has been found
if [ ! "${IFCONFIGBINARY}" = "" ]; then
# Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
# Check if we can find it with HWaddr on the line
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
# Only use ifconfig if no ip binary has been found
if [ ! "${IFCONFIGBINARY}" = "" ]; then
# Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
HASETH0=$(${IFCONFIGBINARY} | grep "^eth0")
# Check if we can find it with HWaddr on the line
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
if [ "${FIND}" = "" ]; then
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
if [ "${FIND}" = "" ]; then
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
# If not, then falling back to getting first interface. Better than nothing.
if [ ! "${HASETH0}" = "" ]; then
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
fi
fi
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
fi
fi
else
# See if we can use ip binary instead
if [ ! "${IPBINARY}" = "" ]; then
# Determine if we have the common available eth0 interface
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
# Determine the MAC address of first interface with the ip command
FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
if IsEmpty "${FIND}"; then
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
if IsEmpty "${FIND}"; then
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
# If not, then falling back to getting first interface. Better than nothing.
if HasData "${HASETH0}"; then
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
fi
fi
else
ReportException "GetHostID" "Can't create hostid, missing both ifconfig and ip binary"
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
LogText "GetHostID: No eth0 found (but HWaddr was found), using first network interface to determine hostid, with ifconfig"
fi
fi
# Check if we found a HostID
if [ ! "${FIND}" = "" ]; then
LogText "Info: using hardware address ${FIND} to create ID"
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "Result: Found HostID: ${HOSTID}"
else
ReportException "GetHostID" "Can't create HOSTID, command ip not found"
else
# See if we can use ip binary instead
if [ ! "${IPBINARY}" = "" ]; then
# Determine if we have the common available eth0 interface
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
# Determine the MAC address of first interface with the ip command
FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi
fi
else
ReportException "GetHostID" "Can't create hostid, missing both ifconfig and ip binary"
fi
fi
# Check if we found a HostID
if HasData "${FIND}"; then
LogText "Info: using hardware address ${FIND} to create ID"
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "Result: Found HostID: ${HOSTID}"
else
ReportException "GetHostID" "Can't create HOSTID, command ip not found"
fi
;;
"macOS")
FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
else
ReportException "GetHostID" "No MAC address returned on macOS"
fi
LYNIS_HOSTID2_PART1=$(hostname -s)
if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
else
LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
fi
HOSTID2=$(echo "${LYNIS_HOSTID2_PART1}${LYNIS_HOSTID2_PART2}" | shasum -a 256 | awk '{ print $1 }')
else
LogText "Info: could not create HOSTID2 as hostname is missing"
fi
FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
else
ReportException "GetHostID" "No MAC address returned on macOS"
fi
LYNIS_HOSTID2_PART1=$(hostname -s)
if [ ! -z "${LYNIS_HOSTID2_PART1}" ]; then
LogText "Info: using hostname ${LYNIS_HOSTID2_PART1}"
LYNIS_HOSTID2_PART2=$(sysctl -n kern.uuid 2> /dev/null)
if [ ! -z "${LYNIS_HOSTID2_PART2}" ]; then
LogText "Info: using UUID ${LYNIS_HOSTID2_PART2}"
else
LogText "Info: could not create HOSTID2 as kern.uuid sysctl key is missing"
fi
HOSTID2=$(echo "${LYNIS_HOSTID2_PART1}${LYNIS_HOSTID2_PART2}" | shasum -a 256 | awk '{ print $1 }')
else
LogText "Info: could not create HOSTID2 as hostname is missing"
fi
;;
"NetBSD")
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on NetBSD"
fi
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on NetBSD"
fi
;;
"OpenBSD")
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on OpenBSD"
fi
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on OpenBSD"
fi
;;
"Solaris")
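Review bot: the fallback exception at the end of the Linux branch, `ReportException "GetHostID" "Can't create HOSTID, command ip not found"`, is reached whenever FIND is empty, including the path where the ip binary was present but returned no link/ether line, so the message blames the wrong cause and duplicates the "no MAC addresses found" exception raised a few lines above; a neutral text such as "Can't create HOSTID (no usable MAC address found)" fits every path that lands there. In the macOS block, HOSTID2 is still computed after logging "could not create HOSTID2 as kern.uuid sysctl key is missing", so the log contradicts the outcome and HOSTID2 silently becomes a hash of the short hostname alone; either skip the shasum in that case or reword the log to say only the UUID part is missing. Minor: the macOS block keeps `if [ ! "${FIND}" = "" ]` while the NetBSD and OpenBSD blocks in the same hunk moved to HasData.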
@ -979,10 +981,10 @@
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ ! "${OPENSSLBINARY}" = "" ]; then
HOSTID=$(echo ${FIND} | ${OPENSSLBINARY} sha -sha1 | awk '{ print $2 }')
else
else
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
fi
else
else
ReportException "GetHostID" "No interface found op Solaris to create HostID"
fi
;;
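Review bot: typo in the exception text on the last else branch of the Solaris block: "No interface found op Solaris" should read "on Solaris". It is context rather than part of the indentation change, but since the line is in this hunk it is a cheap fix.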
@ -1000,7 +1002,7 @@
fi
done
fi
else
else
ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)"
fi
@ -1027,13 +1029,13 @@
if [ ! "${SHA1SUMBINARY}" = "" ]; then
HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "result: Created HostID with SSH key ($I): ${HOSTID}"
else
else
ReportException "GetHostID" "Can't create HOSTID with SSH key, as sha1sum binary is missing"
fi
fi
fi
done
else
else
LogText "Result: no /etc/ssh directory found, skipping"
fi
fi
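Review bot: `HOSTID=$(cat /etc/ssh/${I} | ${SHA1SUMBINARY} | awk '{ print $1 }')` still hardcodes /etc/ssh although this commit moves other paths to ${ROOTDIR}, and the else branch ("no /etc/ssh directory found") tests the same fixed path. Suggest `${ROOTDIR}etc/ssh/${I}` in both places, and feeding the file directly (`${SHA1SUMBINARY} < "${ROOTDIR}etc/ssh/${I}"`) instead of the cat pipe.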
@ -1055,7 +1057,7 @@
fi
fi
done
else
else
LogText "Result: no /etc/ssh directory found, skipping"
fi
@ -1216,10 +1218,10 @@
################################################################################
IsEmpty() {
if [ $# -eq 1 ]; then
if [ -z "$1" ]; then return 0; else return 1; fi
else
if [ $# -eq 0 ]; then
ExitFatal "Function IsEmpty called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
else
if [ -z "$1" ]; then return 0; else return 1; fi
fi
}
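Review bot: the new zero-argument check turns a formerly harmless call into an abort: `IsEmpty ${VAR}` with an unquoted empty VAR expands to zero arguments and now hits ExitFatal, while `IsEmpty "${VAR}"` works. Every call site must quote its argument (the ones in this commit do), so that is worth stating in the function header comment. A call with more than one argument still falls through silently and checks only $1; either reject it the same way or document it.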
@ -1232,6 +1234,7 @@
################################################################################
IsRunning() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsRunning function"; fi
RUNNING=0
PSOPTIONS=""
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi
@ -1240,7 +1243,7 @@
RUNNING=1
LogText "IsRunning: process '$1' found (${FIND})"
return 0
else
else
LogText "IsRunning: process '$1' not found"
return 1
fi
@ -1290,14 +1293,14 @@
if [ "${PERMS}" = "" ]; then
PERMS=$(ls -n ${FILE} | ${AWKBINARY} '{ print $3":"$4 }')
fi
else
else
ReportException "IsOwnedByRoot" "Functions needs 1 argument"
return 255
fi
if [ "${PERMS}" = "0:0" ]; then
if IsDeveloperMode; then LogText "Debug: found incorrect file permissions on ${FILE}"; fi
return 0
else
else
return 1
fi
}
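Review bot: the debug message in the success branch is inverted: `if [ "${PERMS}" = "0:0" ]` is the case where the file is owned by root:root and the function returns 0, yet it logs "found incorrect file permissions on ${FILE}". Suggest logging "file ${FILE} is owned by root" there, or moving the message to the else branch. Minor: "Functions needs 1 argument" should read "Function needs 1 argument".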
@ -1340,10 +1343,10 @@
LogText "Result: facter says this machine is not a virtual"
;;
esac
else
else
LogText "Result: facter utility not found"
fi
else
else
LogText "Result: skipped facter test, as we already found machine type"
fi
@ -1356,10 +1359,10 @@
LogText "Result: found ${FIND}"
SHORT="${FIND}"
fi
else
else
LogText "Result: systemd-detect-virt not found"
fi
else
else
LogText "Result: skipped systemd test, as we already found machine type"
fi
@ -1372,13 +1375,13 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
else
else
LogText "Result: can't find hypervisor vendor with lscpu"
fi
else
else
LogText "Result: lscpu not found"
fi
else
else
LogText "Result: skipped lscpu test, as we already found machine type"
fi
@ -1387,7 +1390,8 @@
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
else DMIDECODE_BINARY=""
else
DMIDECODE_BINARY=""
fi
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
LogText "Test: trying to guess virtualization with dmidecode"
@ -1395,13 +1399,13 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
else
else
LogText "Result: can't find product name with dmidecode"
fi
else
else
LogText "Result: dmidecode not found (or no access)"
fi
else
else
LogText "Result: skipped dmidecode test, as we already found machine type"
fi
# Other options
@ -1423,7 +1427,7 @@
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
IsRunning VBoxClient
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
else
else
LogText "Result: skipped processes test, as we already found platform"
fi
@ -1432,10 +1436,10 @@
LogText "Test: checking specific files for Amazon"
if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then
SHORT="amazon-ec2"
else
else
LogText "Result: system not hosted on Amazon"
fi
else
else
LogText "Result: skipped Amazon EC2 test, as we already found platform"
fi
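Review bot: the Amazon test condition `[ -f /etc/ec2_version -a ! -z /etc/ec2_version ]` is always true on its right-hand side: `-z` tests whether the string "/etc/ec2_version" is empty, not whether the file has content. If the intent is "exists and is non-empty", use `[ -s /etc/ec2_version ]`; and since this commit introduces ${ROOTDIR}, the path should probably be `${ROOTDIR}etc/ec2_version`.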
@ -1450,21 +1454,21 @@
if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}"
fi
else
else
LogText "Result: skipped sysctl test, as we already found platform"
fi
# lshw
if [ "${SHORT}" = "" ]; then
if HasData "${SHORT}"; then
if [ ${PRIVILEGED} -eq 1 ]; then
if [ -x /usr/bin/lshw ]; then
LogText "Test: trying to guess virtualization with lshw"
FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}')
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
fi
else
else
LogText "Result: lshw not found"
fi
else
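Review bot: the condition for the lshw check is inverted by this change: `if [ "${SHORT}" = "" ]` (run lshw only when no platform was detected yet) became `if HasData "${SHORT}"`, which runs lshw only when SHORT already has a value and skips it in exactly the case it exists for. It should be `if IsEmpty "${SHORT}"` to match the surrounding "skipped ... test, as we already found platform" logic. The inner `if HasData "${FIND}"` replacement on the lshw result is correct.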
@ -1508,7 +1512,7 @@
elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
LogText "Result: unknown if this system is a virtual machine"
Report "vm=2"
else
else
LogText "Result: system seems to be non-virtual"
fi
}
@ -1524,6 +1528,7 @@
################################################################################
IsWorldReadable() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldReadable function"; fi
sFILE=$1
# Check for symlink
if [ -L ${sFILE} ]; then
@ -1533,7 +1538,7 @@
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=$(ls -ld ${sFILE} | cut -c 8)
if [ "${FINDVAL}" = "r" ]; then return 0; else return 1; fi
else
else
return 255
fi
}
@ -1550,6 +1555,7 @@
# Function IsWorldExecutable
IsWorldExecutable() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldExecutable function"; fi
sFILE=$1
# Check for symlink
if [ -L ${sFILE} ]; then
@ -1559,7 +1565,7 @@
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=$(ls -l ${sFILE} | cut -c 10)
if [ "${FINDVAL}" = "x" ]; then return 0; else return 1; fi
else
else
return 255
fi
}
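Review bot: IsWorldExecutable accepts directories (`-f ${sFILE} -o -d ${sFILE}`) but then runs `ls -l ${sFILE} | cut -c 10`; for a directory `ls -l` lists the contents, so the character read comes from the "total" line or the first entry rather than the directory's own mode. IsWorldReadable in the previous hunk uses `ls -ld`; use the same here. Quoting `"${sFILE}"` in the tests and the ls call would also avoid word splitting on paths with spaces.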
@ -1575,6 +1581,7 @@
################################################################################
IsWorldWritable() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
sFILE=$1
FileIsWorldWritable=""
@ -1583,7 +1590,7 @@
FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
if IsDeveloperMode; then Debug "File mode of ${sFILE} is ${FINDVAL}"; fi
if [ "${FINDVAL}" = "w" ]; then return 0; else return 1; fi
else
else
return 255
fi
}
@ -1752,7 +1759,7 @@
if [ "${VALUE}" = "off" ]; then
LogText "Result: found logging disabled for one virtual host"
NGINX_ACCESS_LOG_DISABLED=1
else
else
if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one
VALUE=$(echo ${VALUE} | awk '{ print $1 }')
@ -1796,7 +1803,7 @@
if [ ! -f ${FILE} ]; then
NGINX_ERROR_LOG_MISSING=1
fi
else
else
LogText "Warning: did not find a filename after error_log in nginx configuration"
fi
;;
@ -1908,18 +1915,18 @@
PortIsListening() {
if [ "${LSOFBINARY}" = "" ]; then
return 255
else
else
if [ $# -eq 2 ] && [ $1 = "TCP" -o $1 = "UDP" ]; then
LogText "Test: find service listening on $1:$2"
if [ $1 = "TCP" ]; then FIND=$(${LSOFBINARY} -i${1} -s${1}:LISTEN -P -n | grep ":${2} "); else FIND=$(${LSOFBINARY} -i${1} -P -n | grep ":${2} "); fi
if [ ! "${FIND}" = "" ]; then
LogText "Result: found service listening on port $2 ($1)"
return 0
else
else
LogText "Result: did not find service listening on port $2 ($1)"
return 1
fi
else
else
return 255
ReportException ${TEST_NO} "Error in function call to PortIsListening"
fi
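Review bot: in the last else branch `return 255` comes before `ReportException ${TEST_NO} "Error in function call to PortIsListening"`, so the exception is never reported; swap the two lines. The argument test `[ $1 = "TCP" -o $1 = "UDP" ]` also leaves $1 unquoted, which makes the expression malformed when the function is called with an empty first argument.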
@ -1945,7 +1952,7 @@
# If the No-Break version of echo is known, use that (usually breaks in combination with -e)
if [ ! "${ECHONB}" = "" ]; then
${ECHONB} "$1"
else
else
${ECHOCMD} -en "$1"
fi
fi
@ -2023,7 +2030,7 @@
ROOT_ONLY=1
elif [ "$1" = "NO" -o "$1" = "no" ]; then
ROOT_ONLY=0
else
else
Debug "Invalid option for --root-only parameter of Register function"
fi
;;
@ -2111,7 +2118,7 @@
if IsVerbose; then Debug "Performing test ID ${TEST_NO} (${TEST_DESCRIPTION})"; fi
fi
TESTS_EXECUTED="${TEST_NO}|${TESTS_EXECUTED}"
else
else
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Skipped test ${TEST_NO} (${TEST_DESCRIPTION})"; fi
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
@ -2167,7 +2174,7 @@
if [ -f ${PIDFILE} ]; then
rm -f $PIDFILE;
LogText "PID file removed (${PIDFILE})"
else
else
LogText "PID file not found (${PIDFILE})"
fi
fi
@ -2190,14 +2197,14 @@
if [ -f ${TMPFILE} ]; then
LogText "Action: removing temporary file ${TMPFILE}"
rm -f ${TMPFILE}
else
else
LogText "Info: temporary file ${TMPFILE} was already removed"
fi
else
else
LogText "Found invalid temporary file (${FILE}), not removed. Check your /tmp directory."
fi
done
else
else
LogText "No temporary files to be deleted"
fi
}
@ -2429,10 +2436,10 @@
LogText "File permissions are OK"
return 0
fi
else
else
ReportException "SafePerms()" "Invalid number of arguments for function"
fi
else
else
PERMS_OK=1
return 0
fi
@ -2483,11 +2490,11 @@
LogText "Result: found search string '${STRING}'"
if [ ${MASK_LOG} -eq 0 ]; then LogText "Full string returned: ${FIND}"; fi
RETVAL=0
else
else
LogText "Result: search search string '${STRING}' NOT found"
RETVAL=1
fi
else
else
LogText "Skipping search, file (${FILE}) does not exist"
ReportException "${TEST_NO}" "Test is trying to search for a string in nonexistent file"
fi
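Review bot: duplicated word in the log line on the inner else branch: "Result: search search string '${STRING}' NOT found" should read "Result: search string '${STRING}' NOT found".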
@ -2664,7 +2671,7 @@
sFILE="${tFILE}"
LogText "Result: symlink found, pointing to directory ${sFILE}"
FOUNDPATH=1
else
else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=$(echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}')
tFILE="${tDIR}/${tFILE}"
@ -2700,7 +2707,7 @@
LogText "Result: file ${tFILE} in ${tDIR} not found"
fi
fi
else
else
LogText "Result: file ${sFILE} is not a symlink"
fi
# Now check if our new location is actually a file or directory destination
@ -2710,7 +2717,7 @@
fi
if [ ${FOUNDPATH} -eq 1 ]; then
SYMLINK="${sFILE}"
else
else
SYMLINK=""
fi
}
@ -2735,7 +2742,7 @@
STRING=$(echo $1 | tr '[:lower:]' '[:upper:]')
if [ "${I}" = "${STRING}" ]; then RETVAL=0; LogText "Atomic test ($1) skipped by configuration (skip-test)"; fi
done
else
else
ReportException "SkipAtomicTest()" "Function called without right number of arguments (1)"
fi
return $RETVAL
@ -2860,7 +2867,7 @@
if [ "${RETVAL}" -lt 2 ]; then
return ${RESULT}
else
else
Fatal "ERROR: No result returned from function (TestValue). Incorrect usage?"
#ExitFatal
fi
@ -2964,14 +2971,14 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
else
else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
if [ "$1" != "$2" ]; then
LogText "${FUNCNAME}: ${1} is not equal to ${2}"
RETVAL=0
else
else
LogText "${FUNCNAME}: ${1} is equal to ${2}"
fi
fi
@ -2988,14 +2995,14 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
else
else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is greater than ${2}"
if [ "$1" > "$2" ]; then
LogText "${FUNCNAME}: ${1} is greater than ${2}"
RETVAL=0
else
else
LogText "${FUNCNAME}: ${1} is not greater than ${2}"
fi
fi
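Review bot: the comparison `if [ "$1" > "$2" ]` in the greater-than test is not a numeric comparison: inside `[ ]` an unquoted `>` is a shell redirection, so the test degrades to `[ "$1" ]` (true for any non-empty value) and a file named after $2 is created in the current directory. Use `-gt` for integer values (`[ "$1" -gt "$2" ]`), ideally with a check that both arguments are numeric, since this function decides whether a configuration value passes.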
@ -3013,7 +3020,7 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
else
else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is greater or equal ${2}"
@ -3035,7 +3042,7 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to TestCase_GreaterOrEqual"
else
else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
@ -3059,7 +3066,7 @@
RETVAL=1
if [ "$#" -ne "2" ]; then
ReportException "${TEST_NO}" "Error in function call to ${FUNCNAME}"
else
else
LogText "${FUNCNAME}: checking value for application ${APP}"
LogText "${FUNCNAME}: ${OPTION} is set to ${1}"
LogText "${FUNCNAME}: checking if ${1} is less or equal ${2}"

View File

@ -19,30 +19,29 @@
#################################################################################
if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
else
else
FILE=$(echo $1 | egrep "^http|https")
if [ ! "${FILE}" = "" ] ; then
if HasData "${FILE}"; then
CreateTempFile
TMP_FILE="${TEMP_FILE}"
Display --indent 2 --text "Downloading URL ${FILE} with wget"
wget -o ${TMP_FILE} ${FILE}
if [ $? -gt 0 ]; then
AUDIT_FILE="${TMP_FILE}"
else
else
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
else
else
if [ -f $1 ]; then
AUDIT_FILE="$1"
else
else
Display --indent 2 --text "File $1 does not exist"
ExitFatal
fi
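Review bot: two issues in the download branch: `wget -o ${TMP_FILE} ${FILE}` writes wget's log to the temp file (lowercase -o), not the downloaded content, which needs uppercase `-O`; and the result check is inverted, since `if [ $? -gt 0 ]` treats a failed download as success and sets AUDIT_FILE to the temp file, while the else branch deletes the file and exits on success. It should be `if [ $? -eq 0 ]`. Separately, `egrep "^http|https"` matches any line containing "https" anywhere; `egrep "^https?://"` is the intended test.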
@ -98,7 +97,7 @@ InsertSection "Basics"
FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else
else
MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi
@ -114,7 +113,7 @@ InsertSection "Basics"
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apt-get"
else
else
LogText "No installations found via apt-get"
fi
;;
@ -151,14 +150,14 @@ InsertSection "Basics"
LogText "Checking usage of wget"
FIND_WGET=$(grep wget ${AUDIT_FILE})
if [ ! "${FIND_WGET}" = "" ]; then
if HasData "${FIND_WGET}"; then
Display --indent 4 --text "Download tool" --result "wget"
FILE_DOWNLOAD=1
fi
FIND=$(grep "^ADD http" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
FILE_DOWNLOAD=1
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
LogText "Details: ${FIND}"
@ -168,10 +167,10 @@ InsertSection "Basics"
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
if [ ! "${SSL_USED_FIND}" = "" ]; then
if HasData "${SSL_USED_FIND}"; then
SSL_USED="YES"
COLOR="GREEN"
else
else
SSL_USED="NO"
COLOR="RED"
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
@ -182,7 +181,7 @@ InsertSection "Basics"
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE})
Display --indent 2 --text "Signing keys used" --result ${SSL_USED}
Display --indent 2 --text "All downloads properly checked" --result "?"
else
else
Display --indent 2 --text "No files seems to be downloaded in this Dockerfile"
fi
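Review bot: `Display --indent 2 --text "Signing keys used" --result ${SSL_USED}` prints the SSL flag under the signing-keys label; KEYS_USED is computed on the line above (`egrep "(apt-key adv)"`) but never used. The result should be derived from KEYS_USED (YES/NO depending on whether it has data), and ${SSL_USED} should be quoted so an empty value does not drop the --result argument.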
@ -192,7 +191,7 @@ InsertSection "Basics"
InsertSection "Permissions"
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
ReportWarning "dockerfile" "Warning: chmod 777 found"
fi
#

View File

@ -187,11 +187,11 @@ if [ $# -gt 0 ]; then
"commands")
if [ $# -eq 1 ]; then
${ECHOCMD} "\n${WHITE}Commands:${NORMAL}"
for I in ${COMMANDS}; do
${ECHOCMD} "lynis ${CYAN}${I}${NORMAL}"
for ITEM in ${COMMANDS}; do
${ECHOCMD} "lynis ${CYAN}${ITEM}${NORMAL}"
done
${ECHOCMD} ""
else
else
shift
if [ $# -eq 1 ]; then
case $1 in
@ -200,7 +200,7 @@ if [ $# -gt 0 ]; then
"update") ${ECHOCMD} "No help available yet" ;;
*) DisplayError "Unknown argument for 'commands'"
esac
else
else
shift
case $1 in
"dockerfile")
@ -223,7 +223,7 @@ if [ $# -gt 0 ]; then
if [ -z "${LOGFILE}" ]; then DisplayError "Could not find log file to parse"; fi
if [ $# -eq 1 ]; then
DisplayError "This command needs a test ID (e.g. CORE-1000) to search for."
else
else
shift
if [ $# -eq 1 ]; then
TESTID="$1"
@ -255,14 +255,14 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "=========================="
${ECHOCMD} ""
${ECHOCMD} "${WHITE}Commands${NORMAL}:"
for I in ${COMMANDS}; do
${ECHOCMD} "${CYAN}${I}${NORMAL}"
for ITEM in ${COMMANDS}; do
${ECHOCMD} "${CYAN}${ITEM}${NORMAL}"
done
${ECHOCMD} ""
${ECHOCMD} "Use 'lynis show help ${CYAN}<command>${NORMAL}' to see details"
${ECHOCMD} ""; ${ECHOCMD} ""
${ECHOCMD} "${WHITE}Options${NORMAL}:\n${GRAY}${OPTIONS}${NORMAL}"
else
else
shift
case $1 in
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
@ -274,7 +274,7 @@ if [ $# -gt 0 ]; then
esac
fi
;;
"helpers") for I in ${HELPERS}; do ${ECHOCMD} ${I}; done ;;
"helpers") for ITEM in ${HELPERS}; do ${ECHOCMD} ${ITEM}; done ;;
"hostids" | "hostid")
${ECHOCMD} "hostid=${HOSTID}"
${ECHOCMD} "hostid2=${HOSTID2}"
@ -295,7 +295,7 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "OS_VERSION=${OS_VERSION}"
;;
"pidfile") ${ECHOCMD} "${PIDFILE}" ;;
"profile" | "profiles") for I in ${PROFILES}; do ${ECHOCMD} ${I}; done ;;
"profile" | "profiles") for ITEM in ${PROFILES}; do ${ECHOCMD} ${ITEM}; done ;;
"profiledir") ${ECHOCMD} "${PROFILEDIR}" ;;
"plugindir") ${ECHOCMD} "${PLUGINDIR}" ;;
"release") ${ECHOCMD} "${PROGRAM_VERSION}-${PROGRAM_RELEASE_TYPE}" ;;
@ -314,7 +314,7 @@ if [ $# -gt 0 ]; then
*)
${ECHOCMD} "${RED}Error${NORMAL}: Invalid argument provided to 'lynis show settings'\n\n"
${ECHOCMD} "Suggestions:"
for I in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${I}"; done
for ITEM in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${ITEM}"; done
ExitFatal
;;
esac
@ -431,10 +431,10 @@ if [ $# -gt 0 ]; then
"?") ${ECHOCMD} "${SHOW_ARGS}" ;;
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis show" ;;
esac
else
else
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
for I in ${SHOW_ARGS}; do
${ECHOCMD} " lynis show ${BROWN}${I}${NORMAL}"
for ITEM in ${SHOW_ARGS}; do
${ECHOCMD} " lynis show ${BROWN}${ITEM}${NORMAL}"
done
${ECHOCMD} "\n"

View File

@ -69,11 +69,11 @@ elif [ "$1" = "info" ]; then
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Installed version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_RELEASE_DATE}"

View File

@ -46,6 +46,8 @@
OS_VERSION_NAME="unknown"
OS_FULLNAME="macOS (unknown version)"
case ${OS_VERSION} in
10.7 | 10.7.[0-9]*) OS_FULLNAME="Mac OS X 10.7 (Lion)" ;;
10.8 | 10.8.[0-9]*) OS_FULLNAME="Mac OS X 10.8 (Mountain Lion)" ;;
10.9 | 10.9.[0-9]*) OS_FULLNAME="Mac OS X 10.9 (Mavericks)" ;;
10.10 | 10.10.[0-9]*) OS_FULLNAME="Mac OS X 10.10 (Yosemite)" ;;
10.11 | 10.11.[0-9]*) OS_FULLNAME="Mac OS X 10.11 (El Capitan)" ;;

View File

@ -40,7 +40,7 @@
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
echo "Example: $0 audit dockerfile /root/Dockerfile"
ExitFatal
else
else
shift; shift
HELPER_PARAMS="$1"
HELPER="audit_dockerfile"
@ -55,7 +55,7 @@
echo "${RED}Error: ${WHITE}Missing remote location${NORMAL}"
echo "Example: $0 audit system remote 192.168.1.100"
ExitFatal
else
else
REMOTE_TARGET="$3"
shift; shift; shift # shift out first three arguments
EXTRA_PARAMS=""
@ -88,7 +88,7 @@
;;
esac
else
else
echo "${RED}Error: ${WHITE}Need a target to audit${NORMAL}"
echo " "
echo "Examples:"
@ -232,8 +232,8 @@
--tests
--upload
--version_(-V)"
for I in ${OPTIONS}; do
echo "${I}" | tr '_' ' '
for ITEM in ${OPTIONS}; do
echo "${ITEM}" | tr '_' ' '
done
ExitClean
;;
@ -386,7 +386,7 @@
if [ -f lynis.8 ]; then
nroff -man lynis.8
exit 0
else
else
echo "Error: man page file not found (lynis.8)"
echo "If you are running an installed version of Lynis, use 'man lynis'"
exit 1

View File

@ -223,9 +223,9 @@
# Plugin directory
plugindir | plugin-dir)
if [ "${PLUGINDIR}" = "" ]; then
if IsEmpty "${PLUGINDIR}"; then
PLUGINDIR="${VALUE}"
else
else
LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting"
fi
AddSetting "plugin-dir" "${PLUGINDIR}" "Plugin directory"

View File

@ -22,64 +22,55 @@
#
#################################################################################
#
#
#################################################################################
#
# Hardening Index
# Define approximately how strong a machine has been hardened
#
#################################################################################
#
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
# Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
fi
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
fi
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
fi
if [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL))
# Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
elif [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}"
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
LogText "Hardening strength: ${HIDESCRIPTION}"
# Only show overview if not running in quiet mode
@ -111,7 +102,7 @@
SWARNINGS=$(${GREPBINARY} -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g')
if [ -z "${SWARNINGS}" ]; then
echo " ${OK}Great, no warnings${NORMAL}"; echo ""
else
else
echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do
@ -132,7 +123,7 @@
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}"
else
else
echo " ${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}"
fi
echo ""
@ -144,7 +135,7 @@
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
else
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
@ -165,7 +156,7 @@
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
else
else
echo " ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
fi
echo ""
@ -203,7 +194,8 @@
echo " ${SECTION}Lynis Modules${NORMAL}:"
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
else COMPLIANCE="${YELLOW}?";
else
COMPLIANCE="${YELLOW}?"
fi
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
echo " - Security Audit [${GREEN}V${NORMAL}]"
@ -218,7 +210,7 @@
echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_NAME} ${GEN_UPDATE_AVAILABLE}${NORMAL}"
echo " ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL} ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}"
echo "================================================================================"
else
else
###########################################################################################
#
# Software quality program
@ -252,9 +244,9 @@
# Split entries
FIND=$(echo ${FIND} | sed 's/====/ /g')
# Display found entries
for I in ${FIND}; do
J=$(echo ${I} | sed 's/:space:/ /g')
echo " ${J}"
for ITEM in ${FIND}; do
OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')
echo " ${OUTPUT}"
done
echo ""
echo "================================================================================"

View File

@ -26,7 +26,7 @@
#
#################################################################################
#
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited record restricted secure subject terms this unauthorized"
#
#################################################################################
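Review bot: the new BANNER_FILES value `${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd` relies on ROOTDIR always ending with a slash (so that "/" yields /etc/issue); if ROOTDIR is ever empty or set without the trailing slash, these become relative paths and every banner check silently reports "not found". Worth documenting the trailing-slash convention where ROOTDIR is defined, or normalising it there.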
@ -35,109 +35,51 @@
# Description : Check FreeBSD COPYRIGHT banner file
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
if [ -f /COPYRIGHT ]; then
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /COPYRIGHT ]; then
LogText "Result: /COPYRIGHT available and contains text"
else
LogText "Result: /COPYRIGHT available, but empty"
LogText "Test: Testing existence ${ROOTDIR}COPYRIGHT or ${ROOTDIR}etc/COPYRIGHT"
if [ -f ${ROOTDIR}COPYRIGHT ]; then
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s ${ROOTDIR}COPYRIGHT ]; then
LogText "Result: ${ROOTDIR}COPYRIGHT available and contains text"
else
LogText "Result: ${ROOTDIR}COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /COPYRIGHT not found"
else
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}COPYRIGHT not found"
fi
if [ -f /etc/COPYRIGHT ]; then
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /etc/COPYRIGHT ]; then
LogText "Result: /etc/COPYRIGHT available and contains text"
else
LogText "Result: /etc/COPYRIGHT available, but empty"
if [ -f ${ROOTDIR}etc/COPYRIGHT ]; then
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s ${ROOTDIR}etc/COPYRIGHT ]; then
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available and contains text"
else
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /etc/COPYRIGHT not found"
else
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}etc/COPYRIGHT not found"
fi
fi
#
#################################################################################
#
# Test : BANN-7119
# Description : Check MOTD banner file
#Register --test-no BANN-7119 --weight L --network NO --category security --description "Check MOTD banner file"
#if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Testing existence /etc/motd"
# if [ -f /etc/motd ]; then
# LogText "Result: file /etc/motd exists"
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN
# if [ ! -L /etc/motd ]; then
# if IsWorldWritable /etc/motd; then
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
# LogText "Result: /etc/motd is world writable. Users can change this file!"
# ReportWarning ${TEST_NO} "/etc/motd is world writable"
# else
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
# LogText "Result: /etc/motd is not world writable."
# fi
# else
# LogText "Result: file /etc/motd is symlink"
# fi
# else
# LogText "Result: File /etc/motd not found"
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi
#fi
#
#################################################################################
#
# Test : BANN-7122
# Description : Check motd file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
#if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/motd banner file contents"
#if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# LogText "Test: Checking file /etc/motd contents for legal key words"
# for I in ${LEGAL_BANNER_STRINGS}; do
# FIND=$(${GREPBINARY} -i "${I}" /etc/motd)
# if [ ! "${FIND}" = "" ]; then
# LogText "Result: found string '${I}'"
# N=$((N + 1))
# fi
# done
# # Check if we have 5 or more key words
# if [ ${N} -gt 4 ]; then
# LogText "Result: Found ${N} key words, to warn unauthorized users"
# Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN
# AddHP 2 2
# else
# LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
# Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
# ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
# AddHP 0 1
# fi
#fi
#
#################################################################################
#
# Test : BANN-7124
# Description : Check issue banner file
Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file /etc/issue"
if [ -f /etc/issue ]; then
LogText "Test: Checking file ${ROOTDIR}etc/issue"
if [ -f ${ROOTDIR}etc/issue ]; then
# Check for symlink
if [ -L /etc/issue ]; then
LogText "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN
if [ -L ${ROOTDIR}etc/issue ]; then
LogText "Result: file ${ROOTDIR}etc/issue exists (symlink)"
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
LogText "Result: file ${ROOTDIR}etc/issue does not exist"
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
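Review bot: Deleting the BANN-7119 block removes the only world-writable check on a banner file in this hunk; BANN-7124 still tests ${ROOTDIR}etc/issue for existence and symlink status only, so a writable issue file no longer produces a warning. Consider carrying `if IsWorldWritable ${ROOTDIR}etc/issue; then ... ReportWarning ${TEST_NO} "..."` into BANN-7124 (and BANN-7128). Minor: the non-symlink branch of BANN-7124 has a Display without the matching `LogText "Result: file ... exists"` that BANN-7128 has in the same place.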
@ -145,26 +87,26 @@
# Test : BANN-7126
# Description : Check issue file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -f ${ROOTDIR}etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
FILE="${ROOTDIR}etc/issue"
LogText "Test: Checking file ${FILE} contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${I}" ${FILE})
if [ ! -z "${FIND}" ]; then
LogText "Result: found string '${I}'"
N=$((N + 1))
for ITEM in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found string '${ITEM}'"
COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
if [ ${COUNT} -gt 4 ]; then
LogText "Result: Found ${COUNT} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
else
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${FILE} contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
AddHP 0 1
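Review bot: The keyword count in BANN-7126 can be inflated because the loop runs a substring `grep -i` once per token: a banner containing "policies" matches both "policy" and "policies" from LEGAL_BANNER_STRINGS, and "unauthorized" also matches "authori", so one sentence can contribute three of the five required hits. Either drop the redundant "policies" entry or count distinct stems, and quote `"${FILE}"` in the grep call since ROOTDIR-derived paths are expanded unquoted throughout.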
@ -178,19 +120,19 @@
# Description : Check issue.net banner file
Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file /etc/issue.net"
if [ -f /etc/issue.net ]; then
LogText "Test: Checking file ${ROOTDIR}etc/issue.net"
if [ -f ${ROOTDIR}etc/issue.net ]; then
# Check for symlink
if [ -L /etc/issue.net ]; then
LogText "Result: file /etc/issue.net exists (symlink)"
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
else
LogText "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
if [ -L ${ROOTDIR}etc/issue.net ]; then
LogText "Result: file ${ROOTDIR}etc/issue.net exists (symlink)"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result SYMLINK --color GREEN
else
LogText "Result: file ${ROOTDIR}etc/issue.net exists"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Result: file ${ROOTDIR}etc/issue.net does not exist"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -199,26 +141,26 @@
# Test : BANN-7130
# Description : Check issue.net file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -f ${ROOTDIR}etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net)
if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'"
N=$((N + 1))
COUNT=0
LogText "Test: Checking file ${ROOTDIR}etc/issue.net contents for legal key words"
for ITEM in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${ITEM}" ${ROOTDIR}etc/issue.net)
if HasData "${FIND}"; then
LogText "Result: found string '${ITEM}'"
COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
if [ ${COUNT} -gt 4 ]; then
LogText "Result: Found ${COUNT} key words, to warn unauthorized users"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
else
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
fi
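Review bot: The line `ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"` still hardcodes /etc/issue.net although every other path in BANN-7130 was switched to ${ROOTDIR}etc/issue.net. The sibling BANN-7126 sets `FILE="${ROOTDIR}etc/issue"` once and reuses it; doing the same here fixes the inconsistency and shortens the repeated expansions.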


@ -414,12 +414,12 @@
Register --test-no BOOT-5142 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then
if [ -f ${ROOTDIR}etc/silo.conf ]; then
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="SILO"
BOOT_LOADER_FOUND=1
else
else
LogText "Result: no SILO configuration file found."
fi
fi
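Review bot: BOOT-5142 now checks ${ROOTDIR}etc/silo.conf, but the next line still logs "Found SILO configuration file (/etc/silo.conf)"; use ${ROOTDIR}etc/silo.conf in the LogText so the log reflects the path actually tested when ROOTDIR is not /.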
@ -497,24 +497,24 @@
# Description : Check for FreeBSD boot services
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SERVICEBINARY}" ]; then
if HasData "${SERVICEBINARY}"; then
# FreeBSD (Ask services(8) for enabled services)
LogText "Searching for services at startup (service)"
FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY})
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
LogText "Searching for services at startup (rc.conf)"
FIND=$(${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
fi
N=0
for I in ${FIND}; do
LogText "Found service (service/rc.conf): ${I}"
Report "boottask[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Found service (service/rc.conf): ${ITEM}"
Report "boottask[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
LogText "Found $N services/options to run at startup"
Display --indent 6 --text "Result: found ${COUNT} services/options set"
LogText "Found ${COUNT} services/options to run at startup"
fi
#
#################################################################################
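Review bot: The rc.conf branch of BOOT-5165 runs `${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf` without checking that the file exists, so on a system with neither a service binary nor rc.conf egrep prints an error and FIND is silently empty while the test still reports "found 0 services/options set" as done; guard it with `if [ -f ${ROOTDIR}etc/rc.conf ]` and log the missing file. The `_enable.*(yes|on|1)` pattern is also unanchored, so a trailing comment such as `# was yes` on a `_enable="NO"` line counts as enabled; anchoring the value avoids that.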
@ -527,56 +527,56 @@
CHECKED=0
LogText "Test: checking presence systemctl binary"
# Determine if we have systemctl on board
if [ ! -z "${SYSTEMCTLBINARY}" ]; then
if HasData "${SYSTEMCTLBINARY}"; then
LogText "Result: systemctl binary found, trying that to discover information"
# Running services
LogText "Searching for running services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
N=0
COUNT=0
Report "running_service_tool=systemctl"
for I in ${FIND}; do
LogText "Found running service: ${I}"
Report "running_service[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found running service: ${ITEM}"
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1))
done
LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N running services"
LogText "Result: Found $N enabled services"
Display --indent 8 --text "Result: found ${COUNT} running services"
LogText "Result: Found ${COUNT} enabled services"
# Services at boot
LogText "Searching for enabled services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
N=0
COUNT=0
Report "boot_service_tool=systemctl"
for I in ${FIND}; do
LogText "Found enabled service at boot: ${I}"
Report "boot_service[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found enabled service at boot: ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1))
done
LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
LogText "Result: Found $N running services"
Display --indent 8 --text "Result: found ${COUNT} enabled services"
LogText "Result: Found ${COUNT} running services"
else
else
LogText "Result: systemctl binary not found, checking chkconfig binary"
if [ ! -z "${CHKCONFIGBINARY}" ]; then
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
N=0
COUNT=0
Report "boot_service_tool=chkconfig"
for I in ${FIND}; do
LogText "Found service (at boot, runlevel 3 or 5): ${I}"
Report "boot_service[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found service (at boot, runlevel 3 or 5): ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1))
done
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N services"
LogText "Result: Found $N services at startup"
Display --indent 8 --text "Result: found ${COUNT} services"
LogText "Result: Found ${COUNT} services at startup"
else
LogText "Result: both systemctl and chkconfig not found. Skipping this test"
fi
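Review bot: The two summary LogText lines in the systemctl branch are crossed: after counting running services it logs "Result: Found ${COUNT} enabled services", and after counting enabled services it logs "Result: Found ${COUNT} running services". The rename from N to COUNT preserved the mix-up; swap the two strings. Style: `if [ ! -z "${CHKCONFIGBINARY}" ]` in the else branch was not converted to HasData like SYSTEMCTLBINARY just above it.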
@ -598,14 +598,14 @@
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
if [ ! -z "${FIND}" ]; then
N=0
COUNT=0
for SERVICE in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
N=$((N + 1))
COUNT=$((COUNT + 1))
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
Display --indent 4 --text "Result: found $N services"
LogText "Result: found $N services"
Display --indent 4 --text "Result: found ${COUNT} services"
LogText "Result: found ${COUNT} services"
fi
elif [ -z "${sRUNLEVEL}" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
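Review bot: In the rc2.d branch the pipeline ends in a bare `sort` while the rest of this file uses ${SORTBINARY}; with a minimal or unusual PATH the bare call can fail or resolve to a different binary, so use ${SORTBINARY} here too. The `[ ! -z "${FIND}" ]` test on the following line was also left unconverted to HasData.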
@ -623,35 +623,35 @@
FOUND=0
CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
LogText "Result: checking /etc/init.d scripts for writable bit"
for I in ${CHECKDIRS}; do
LogText "Test: checking if directory ${I} exists"
if [ -d ${I} ]; then
LogText "Result: directory ${I} found"
LogText "Result: checking ${ROOTDIR}etc/init.d scripts for writable bit"
for DIR in ${CHECKDIRS}; do
LogText "Test: checking if directory ${DIR} exists"
if [ -d ${DIR} ]; then
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
FIND=$(${FINDBINARY} ${I} -type f -print)
FIND=$(${FINDBINARY} ${DIR} -type f -print)
if [ ! -z "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for J in ${FIND}; do
LogText "Test: checking permissions of file ${J}"
if IsWorldWritable ${J}; then
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
if IsWorldWritable ${FILE}; then
FOUND=1
LogText "Result: warning, file ${J} is world writable"
LogText "Result: warning, file ${FILE} is world writable"
else
LogText "Result: good, file ${J} not world writable"
LogText "Result: good, file ${FILE} not world writable"
fi
done
else
LogText "Result: found no files in directory."
fi
else
LogText "Result: directory ${I} not found. Skipping.."
LogText "Result: directory ${DIR} not found. Skipping.."
fi
done
# /etc/rc[0-6].d
for NO in 0 1 2 3 4 5 6; do
LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit"
LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print)
for I in ${FIND}; do
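Review bot: The writable-bit loop uses `${FINDBINARY} ${DIR} -type f -print` followed by `for FILE in ${FIND}`, which misses two cases: scripts that are symlinks are excluded by `-type f` (the BOOT hunk above enumerates ${ROOTDIR}etc/rc2.d with `-type l`, so the rc${NO}.d loop below will see almost nothing), and any path containing whitespace is split into several bogus names that IsWorldWritable then tests individually. FILE-6354 in this same commit already works around the whitespace case with a `!space!` substitution; consider reusing it here, and either add symlinks with a check on the link target or state explicitly in the log that symlinks are skipped.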


@ -41,16 +41,16 @@
LogText "Test: query zoneadm to list all running zones"
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
if [ ! -z "${FIND}" ]; then
N=0
for I in ${FIND}; do
N=$((N + 1))
ZONEID=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
ZONENAME=$(echo ${I} | ${CUTBINARY} -d ':' -f2)
COUNT=0
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
ZONEID=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f1)
ZONENAME=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f2)
LogText "Result: found zone ${ZONENAME} (running)"
Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
LogText "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
LogText "Result: total of ${COUNT} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${COUNT} zones" --color GREEN
else
LogText "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE
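Review bot: This test executes `${ROOTDIR}usr/sbin/zoneadm`, i.e. a binary taken from the audited root rather than from the host. When ROOTDIR points at a mounted image or chroot, Lynis runs a program supplied by that image with the auditor's privileges; every other test in this commit only reads files under ROOTDIR and runs tools through *BINARY variables located on the running system. Use a ZONEADMBINARY-style variable for the executable and keep ROOTDIR for data paths only.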
@ -59,7 +59,9 @@
#
#################################################################################
#
# Test : CONT-1906
# Do you have Xen running? Help us testing this test and submit a pull request on GitHub
# Test : CONT-1906 TODO
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
@ -95,7 +97,7 @@
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
if [ ! -z "${DOCKERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${DOCKERBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0


@ -86,7 +86,7 @@
if IsVerbose; then Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN; fi
AddHP 2 2
fi
else
else
LogText "Test skipped, MySQL daemon not running or no MySQL client available"
fi
#
@ -118,14 +118,14 @@
LogText "Result: found MongoDB configuration file (${FILE})"
LogText "Test: determine authorization setting in new style YAML format"
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
if [ ! -z "${AUTH_IN_CONFIG}" ]; then
if HasData "${AUTH_IN_CONFIG}"; then
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)"
MONGODB_AUTHORIZATION_ENABLED=1
else
LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
LogText "Test: now searching for old style configuration (auth = true) in configuration file"
AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)")
if [ -z "${AUTH_IN_CONFIG}" ]; then
if IsEmpty "${AUTH_IN_CONFIG}"; then
LogText "Result: did NOT find auth = true in configuration file"
else
LogText "Result: GOOD, found authorization option enabled in configuration file (old format)"
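Review bot: The YAML detection `${GREPBINARY} "authorization: enabled" ${FILE}` matches only that exact spacing, so `authorization:   enabled` or `authorization: "enabled"` (valid YAML) is reported as not enabled, and the `-E -v "(^#|#auth)"` filter does not drop an indented comment such as `  # authorization: enabled`, which is then counted as enabled. A single pattern like `-E '^[[:space:]]*authorization:[[:space:]]*"?enabled"?'` covers the spellings and excludes commented lines at the same time; the same applies to the `auth = true` fallback just below.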
@ -139,7 +139,7 @@
# Now check authorization on the command line
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
if [ ! -z "${PGREPBINARY}" ]; then
if HasData "${PGREPBINARY}"; then
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
else
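Review bot: `${PGREPBINARY} mongo` matches every process whose name contains "mongo" (mongos, the mongo shell), so the command-line scan may read the wrong process, and `cat` and `xargs` are called unprefixed unlike the rest of the file. Use `${PGREPBINARY} -x mongod` so only the daemon is inspected, and convert the `[ ! -z "${AUTH_ON_CMDLINE}" ]` on the next line to HasData for consistency with the lines changed just above.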


@ -279,7 +279,7 @@
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN
else
else
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: no swap partitions found in /etc/fstab"
fi
@ -350,29 +350,29 @@
#
# Test : FILE-6354
# Description : Search files within /tmp which are older than 3 months
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -d ${ROOTDIR}tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in /tmp which are older than 3 months"
LogText "Test: Searching for old files in ${ROOTDIR}tmp"
# Search for files only in ${ROOTDIR}tmp, with an access time older than X days
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if IsEmpty "${FIND}"; then
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in ${ROOTDIR}tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
N=0
for I in ${FIND}; do
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_FOUND}" --color RED
COUNT=0
for ITEM in ${FIND}; do
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Old temporary file: ${FILE}"
N=$((N + 1))
COUNT=$((COUNT + 1))
done
LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
LogText "Result: found old files in ${ROOTDIR}tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
LogText "Advice: check and clean up unused files in ${ROOTDIR}tmp. Old files can fill up a disk or contain"
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
LogText "directories by setting a boot option."
ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
fi
fi
#
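Review bot: The find uses `-atime +${TMP_OLD_DAYS}` (last access), yet the summary says the files "were not modified in the last ${TMP_OLD_DAYS} days", and the success message still says "older than 3 months" while the threshold is a variable; align the messages with what is measured, or switch to -mtime if modification time is intended. The newly added `2> /dev/null` also hides permission-denied errors on non-root runs, so an OK result may only mean the directory could not be read; consider logging when find exits non-zero.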
@ -380,18 +380,18 @@
#
# Test : FILE-6362
# Description : Check for sticky bit on /tmp
if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
if [ -d ${ROOTDIR}tmp -a ! -L ${ROOTDIR}tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking /tmp sticky bit"
if [ ${SKIPTEST} -eq 0 ]; then
# Depending on OS, number of field with 'tmp' differs
FIND=$(${LSBINARY} -ld /tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
FIND=$(${LSBINARY} -ld ${ROOTDIR}tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
LogText "Result: sticky bit found on /tmp directory"
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_OK}" --color GREEN
LogText "Result: sticky bit found on ${ROOTDIR}tmp directory"
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on /tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
AddHP 0 3
fi
unset FIND
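Review bot: FILE-6362 now inspects ${ROOTDIR}tmp, but the SKIPREASON text and the second and third arguments of ReportSuggestion (`"... in the /tmp directory." "/tmp" "text:Set sticky bit"`) still name /tmp; with a non-default ROOTDIR the suggestion points at the wrong path. Use ${ROOTDIR}tmp there as well.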
@ -440,10 +440,10 @@
if [ ! -z "${FIND2}" ]; then
LogText "Result: found ACL option in default mount options"
FOUND=1
else
else
LogText "Result: no ACL option found in default mount options list"
fi
else
else
LogText "Result: No file system found with root file system"
fi
fi
@ -566,7 +566,7 @@
AddHP 4 5
fi
fi
else
else
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab"
fi
done
@ -579,8 +579,8 @@
# Description : Bind mount the /var/tmp directory to /tmp
Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
if [ -f ${ROOTDIR}etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
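Review bot: `if [ ! -z "${FIND}" ]` in FILE-6376 was left unconverted to HasData, unlike the other tests touched in this commit, and BIND is computed from FIND before FIND is known to be non-empty; move the BIND assignment inside the HasData branch.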
@ -600,7 +600,7 @@
#
#################################################################################
#
# Test : FILE-6378
# Test : FILE-6378 TODO
# Description : Check for nodirtime option
# Want to contribute to Lynis? Create this test
@ -608,7 +608,7 @@
#
#################################################################################
#
# Test : FILE-6380
# Test : FILE-6380 TODO
# Description : Check for relatime
# Want to contribute to Lynis? Create this test
@ -616,7 +616,7 @@
#
#################################################################################
#
# Test : FILE-6390
# Test : FILE-6390 TODO
# Description : Check writeback/journalling mode (ext3)
# More info : data=writeback | data=ordered | data=journal
@ -625,7 +625,7 @@
#
#################################################################################
#
# Test : FILE-6394
# Test : FILE-6394 TODO
# Description : Check vm.swappiness (Linux)
# Want to contribute to Lynis? Create this test
@ -633,7 +633,7 @@
#
#################################################################################
#
# Test : FILE-6398
# Test : FILE-6398 TODO
# Description : Check if JBD (Journal Block Device) driver is loaded
# Want to contribute to Lynis? Create this test
@ -651,20 +651,20 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking locate database"
FOUND=0
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then
LogText "Result: locate database found (${I})"
LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
for FILE in ${LOCATE_DBS}; do
if [ -f ${FILE} ]; then
LogText "Result: locate database found (${FILE})"
FOUND=1
LOCATE_DB="${I}"
else
LogText "Result: file ${I} not found"
LOCATE_DB="${FILE}"
else
LogText "Result: file ${FILE} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN
Report "locate_db=${LOCATE_DB}"
else
else
LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
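Review bot: The LOCATE_DBS loop keeps running after a match, so LOCATE_DB ends up as the last matching path and the log prints "file ... not found" for every later candidate even though FOUND is already 1. If only one database is meant to be reported, add `break` after `LOCATE_DB="${FILE}"`; if several may coexist, Report each one instead of overwriting.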
@ -673,7 +673,7 @@
#
#################################################################################
#
# Test : FILE-6420
# Test : FILE-6420 TODO
# Description : Check automount process
# Want to contribute to Lynis? Create this test
@ -681,7 +681,7 @@
#
#################################################################################
#
# Test : FILE-6422
# Test : FILE-6422 TODO
# Description : Check automount maps (files or for example LDAP based)
# Notes : Warn when automounter is running
@ -690,7 +690,7 @@
#
#################################################################################
#
# Test : FILE-6424
# Test : FILE-6424 TODO
# Description : Check automount map files
# Want to contribute to Lynis? Create this test
@ -698,7 +698,7 @@
#
#################################################################################
#
# Test : FILE-6425
# Test : FILE-6425 TODO
# Description : Check mounted files systems via automounter
# Notes : Warn when no systems are mounted?
@ -728,11 +728,11 @@
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is not loaded in the kernel"
AddHP 2 3
#Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN
# Tip to disable a particular module if it is not loaded
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
# Tip to disable a particular module if it is not loaded TODO
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
FOUND=1
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
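Review bot: `${EGREPBINARY} "^${FS}"` is a prefix match, so a loaded module whose name merely starts with ${FS} (plus a suffix) makes the test report ${FS} itself as loaded and withhold the hardening points. Anchor the module name, for example `${AWKBINARY} -v fs="${FS}" '$1 == fs'` over the lsmod output, or `"^${FS}[[:space:]]"` in the egrep.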
@ -742,7 +742,7 @@
fi
else
AddHP 3 3
#Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi
done
if [ ${FOUND} -eq 1 ]; then


@ -166,7 +166,7 @@
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active"
else
else
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN
fi
@ -181,10 +181,10 @@
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
else
else
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
LogText "Result: Found one or more possible unused rules"
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
@ -226,7 +226,7 @@
LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
else
else
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportException ${TEST_NO} "Unknown status of pf firewall"
fi
@ -240,11 +240,11 @@
FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD"
else
else
LogText "Result: pf KLD loaded"
PFFOUND=1
fi
else
else
LogText "Result: no kldstat binary, skipping this part"
fi
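Review bot: `if [ -z "${FIND}" ]; then` on the kldstat result (and the `[ -z "${PFWARNINGS}" ]` check later in this file) is still on the old test form while the neighbouring checks in this commit are converted to IsEmpty; converting these as well keeps the file consistent with the commit's stated goal.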
@ -254,7 +254,7 @@
Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN
PFFOUND=1
PFLOGDFOUND=1
else
else
LogText "Result: pflog daemon not found in process list"
fi
fi
@ -263,7 +263,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
Report "firewall_software[]=pf"
else
else
LogText "Result: pf not running on this system"
fi
fi
@ -284,12 +284,12 @@
if [ -z "${PFWARNINGS}" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found"
else
else
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
else
LogText "Result: /etc/pf.conf does NOT exist"
fi
fi
@ -313,7 +313,7 @@
FIREWALL_SOFTWARE="csf"
Report "firewall_software[]=csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN
else
else
LogText "Result: ${FILE} does NOT exist"
fi
fi
@ -332,7 +332,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
Report "firewall_software[]=ipf"
else
else
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
LogText "Result: ipf is not running"
fi
@ -357,15 +357,15 @@
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4"
else
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW
LogText "Result: IPFW is disabled at start-up for IPv4"
fi
else
else
if IsVerbose; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW; fi
LogText "Result: IPFW is not running for IPv4"
fi
else
else
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
fi
fi
@ -386,7 +386,7 @@
APPLICATION_FIREWALL_ACTIVE=1
Report "firewall_software[]=macosx-app-fw"
Report "app_fw[]=macosx-app-fw"
else
else
if IsVerbose; then Display --indent 2 --text "- Checking macOS: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW; fi
AddHP 1 3
LogText "Result: application firewall of macOS is disabled"
@ -407,7 +407,7 @@
APPLICATION_FIREWALL_ACTIVE=1
Report "app_fw[]=little-snitch"
Report "firewall_software[]=little-snitch"
else
else
if IsVerbose; then Display --indent 2 --text "- Checking Little Snitch Daemon" --result "${STATUS_DISABLED}" --color YELLOW; fi
AddHP 1 3
LogText "Result: could not find Little Snitch"
@ -418,7 +418,7 @@
#
# Test : FIRE-4536
# Description : Check nftables kernel module
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
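Review bot: the `${GREPBINARY} "^nf*_tables"` pattern is a regular expression, so `*` repeats the preceding `f` rather than acting as a wildcard: it matches nf_tables (and nf_tables_ipv4 by prefix) but also n_tables and nff_tables, and it does not match nft_compat or any other nft_ module. If only the core module is meant, write `"^nf_tables"`; if any nftables module should count, use `"^nf_tables|^nft_"` with ${EGREPBINARY}.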
@ -428,7 +428,7 @@
FIREWALL_ACTIVE=1
NFTABLES_ACTIVE=1
Report "firewall_software[]=nftables"
else
else
LogText "Result: no nftables kernel module found"
fi
fi
@ -437,7 +437,7 @@
#
# Test : FIRE-4538
# Description : Check nftables configuration
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Retrieve nft version
@ -450,7 +450,7 @@
#
# Test : FIRE-4540
# Description : Check nftables configuration
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
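Review bot: the header comment `# Description : Check nftables configuration` above FIRE-4540 duplicates the FIRE-4538 header, while the Register line describes this test as "Check for empty nftables configuration"; align the comment with the Register description so the two tests are distinguishable when reading the file.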
@ -458,18 +458,12 @@
if [ ${NFT_RULES_LENGTH} -le 16 ]; then
FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 16 rules or less and is considered to be empty"
else
else
LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration"
fi
fi
#
#################################################################################
#
# Ideas:
# Suggestion to disable iptables if nftables is enabled
# Check for specific features in nftables releases
#
#################################################################################
#
# Test : FIRE-4586
# Description : Check firewall logging
@ -501,7 +495,7 @@
# YYY Solaris ipf (determine default policy)
Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
else
else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
@ -520,6 +514,12 @@ Report "firewall_software=${FIREWALL_SOFTWARE}"
WaitForKeyPress
#
#################################################################################
#
# TODO
# Suggestion to disable iptables if nftables is enabled
# Check for specific features in nftables releases
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

@ -52,7 +52,7 @@
HARDEN_COMPILERS_NEEDED=0
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
LogText "Result: no compilers found"
else
else
# as
if [ ! -z "${ASBINARY}" ]; then
LogText "Test: Check file permissions for as (Assembler)"

@ -40,10 +40,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
LogText "Test: Checking for systemd default.target"
if [ -L /etc/systemd/system/default.target ]; then
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
LogText "Result: symlink found"
if HasData "${READLINKBINARY}"; then
FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
if ! HasData "${FIND}"; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
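Review bot: the LogText on the exception path still reports the literal /etc/systemd/system/default.target although the `-L` test and the readlink call just above were moved to ${ROOTDIR}etc/systemd/system/default.target; update the message so the log names the path that was actually inspected.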
@ -65,9 +65,9 @@
fi
else
LogText "Result: no systemd found, so trying inittab"
LogText "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then
LogText "Result: file /etc/inittab found"
LogText "Test: Checking ${ROOTDIR}etc/inittab"
if [ -f ${ROOTDIR}etc/inittab ]; then
LogText "Result: file ${ROOTDIR}etc/inittab found"
LogText "Test: Checking default Linux run level"
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1)
if IsEmpty "${FIND}"; then
@ -211,13 +211,13 @@
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if HasData "${FIND}"; then
LogText "Loaded modules according lsmod:"
N=0
for I in ${FIND}; do
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 6 --text "Found ${N} active modules"
Display --indent 6 --text "Found ${COUNT} active modules"
else
LogText "Result: no loaded modules found"
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
@ -295,13 +295,13 @@
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
N=0
for I in ${FIND}; do
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
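Review bot: `if [ $? -eq 0 ]` after the `FIND=$(kldstat | ... | ${CUTBINARY} ...)` pipeline tests the exit status of cut, not of kldstat, so the "Test failed" branch is effectively unreachable when kldstat itself fails. Test the result instead (for example `if HasData "${FIND}"`), or run kldstat on its own before the pipeline and check that status.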
@ -321,24 +321,24 @@
LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ -f ${ROOTDIR}sbin/kldstat ]; then
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
N=0
for I in ${FIND}; do
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
fi
else
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
LogText "Result: no results, can't find /sbin/kldstat"
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat"
fi
fi
#
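Review bot: this hunk changes the call to `${ROOTDIR}sbin/kldstat`, but the hunk at -295 in the same file still invokes a bare `kldstat`; use the same form in both places. The guard `[ -f ${ROOTDIR}sbin/kldstat ]` should be `-x`, since the file is executed rather than read, and as in the earlier block `if [ $? -eq 0 ]` checks the exit status of the trailing cut, not of kldstat.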
@ -351,9 +351,9 @@
LogText "Test: searching loaded kernel modules"
FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
if HasData "${FIND}"; then
for I in ${FIND}; do
LogText "Found module: ${I}"
Report "loaded_kernel_module[]=${I}"
for ITEM in ${FIND}; do
LogText "Found module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
else
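Review bot: `/usr/sbin/modinfo` and the bare `sort` at the end of the FIND assignment are left hardcoded while this commit moves other paths to ${ROOTDIR} and other tools to their *BINARY variables; use `${ROOTDIR}usr/sbin/modinfo` and `${SORTBINARY}` here too.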
@ -370,21 +370,21 @@
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
LogText "Result: found /usr/bin/apt-cache"
LogText "Test: checking readlink location of /vmlinuz"
if [ -f /vmlinuz ]; then
FINDKERNFILE=$(readlink -f /vmlinuz)
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
if [ -f ${ROOTDIR}vmlinuz ]; then
FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
elif [ -e /dev/grsec ]; then
elif [ -e ${ROOTDIR}dev/grsec ]; then
FINDKERNEL=linux-image-$(uname -r)
LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
else
LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion ${TEST_NO} "Determine why /vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
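Review bot: the ReportSuggestion call keeps the literal `"/vmlinuz"` as its last argument while the text in the same call now says `${ROOTDIR}vmlinuz`; pass `"${ROOTDIR}vmlinuz"` there as well. In the same hunk `readlink`, `dpkg`, `uname` and `apt-cache policy` are still invoked unprefixed, unlike the `-x ${ROOTDIR}usr/bin/apt-cache` test at the top of the block.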

@ -281,21 +281,21 @@
#
# Test : LOGG-2150
# Description : Checking log directories rotated with logrotate
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${LOGROTATEBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if [ "${FIND}" = "" ]; then
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}" ]; then
LogText "Result: nothing found"
else
else
LogText "Result: found one or more directories (via logrotate configuration)"
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Directory found: ${I}"
Report "log_directory[]=${I}"
else
LogText "Directory could not be found: ${I}"
for DIR in ${FIND}; do
if [ -d ${DIR} ]; then
LogText "Directory found: ${DIR}"
Report "log_directory[]=${DIR}"
else
LogText "Result: Directory could not be found: ${DIR}"
fi
done
fi
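Review bot: `if IsEmpty "${FIND}" ]; then` has a stray `]` left over from the old `[ "${FIND}" = "" ]` form; it is passed to IsEmpty as a second argument instead of closing a test. Change it to `if IsEmpty "${FIND}"; then`.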
@ -379,7 +379,7 @@
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
else
else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi
fi

@ -126,7 +126,7 @@
#
# Test : MACF-6234
# Description : Check SELINUX status
if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled
@ -151,7 +151,7 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
else
else
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
fi
@ -180,7 +180,7 @@
else
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if [ ! -z "${GRADMBINARY}" ]; then
if HasData "${GRADMBINARY}"; then
FIND=$(${GRADMBINARY} --status)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1

@ -36,7 +36,7 @@
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
SYMANTEC_SCANNER_RUNNING=
SYMANTEC_SCANNER_RUNNING=0
#
#################################################################################
#

@ -67,26 +67,26 @@
# Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no search domains found, default domain is being used"
else
for I in ${FIND}; do
LogText "Found search domain: ${I}"
Report "resolv_conf_search_domain[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found search domain: ${ITEM}"
Report "resolv_conf_search_domain[]=${ITEM}"
COUNT=$((COUNT + 1))
done
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
LogText "Result: Found ${N} search domains"
if [ ${COUNT} -gt 6 ]; then
LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
LogText "Result: Found ${N} search domains"
LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
fi
fi
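Review bot: `${AWKBINARY} '/^search/ { print $2 }'` prints only the first domain on the search line, so COUNT can never exceed 1 and the "more than 6 search domains" warning below cannot trigger. Print every field after the keyword, e.g. `'/^search/ { for (i = 2; i <= NF; i++) print $i }'`, so the renamed COUNT reflects all configured domains.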
@ -115,15 +115,16 @@
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
else
for I in ${FIND}; do
LogText "Found option: ${I}"
Report "resolv_conf_option[]=${I}"
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
for ITEM in ${FIND}; do
LogText "Found option: ${ITEM}"
Report "resolv_conf_option[]=${ITEM}"
# TODO add suggestions for the related options
# rotate --> add performance tune point
# timeout --> add performe tune point when smaller than 3 seconds
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi
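Review bot: the options check has the same single-field problem: `${GREPBINARY} "^options" ... | ${AWKBINARY} '{ print $2 }'` yields only the first option of an `options ndots:2 timeout:1 rotate` line, so the loop logs at most one ITEM. Print fields 2 through NF instead. Also, "performe" in the new TODO comment should read "performance".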
@ -171,25 +172,10 @@
Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name"
if [ ${SKIPTEST} -eq 0 ]; then
DOMAINNAME=""
# NIS
#LogText "Test: Checking file /etc/domainname"
#if [ -f /etc/domainname ]; then
# LogText "Result: file /etc/domainname exists"
# FIND2=$(cat /etc/domainname)
# if [ ! "${FIND}" = "" ]; then
# LogText "Found domain name: ${FIND}"
# DOMAINNAME="${FIND}"
# else
# LogText "Result: no domain name found in file"
# fi
# else
# LogText "Result: file /etc/domainname does not exist"
#fi
LogText "Test: Checking if dnsdomainname command is available"
if [ ! -z "${DNSDOMAINNAMEBINARY}" ]; then
if HasData "${DNSDOMAINNAMEBINARY}"; then
FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
if [ ! "${FIND2}" = "" ]; then
if HasData "${FIND2}"; then
LogText "Result: dnsdomainname command returned a value"
LogText "Found domain name: ${FIND2}"
DOMAINNAME="${FIND2}"
@ -280,7 +266,7 @@
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
else
else
LogText "Result: skipped, can't find unbound-checkconf utility"
fi
fi
@ -338,24 +324,17 @@
if [ "${FIND}" = "0" ]; then
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN
else
else
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
else
else
LogText "Result: named-checkconf not found, skipping test"
fi
fi
#
#################################################################################
#
# Test : NAME-4208
# Description : Check DNS server type (master, slave, caching, forwarding)
#Register --test-no NAME-4050 --weight L --network NO --category security --description "Check nscd status"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4210
# Description : Check if we can determine useful information from banner
@ -379,21 +358,21 @@
#
#################################################################################
#
# Test : NAME-4212
# Test : NAME-4212 TODO
# Description : Check version option in BIND configuration
#if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration"
#
#################################################################################
#
# Test : NAME-4220
# Test : NAME-4220 TODO
# Description : Check if we can perform a zone transfer of primary domain
#Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4222
# Test : NAME-4222 TODO
# Description : Check if we can perform a zone transfer of PTR (of primary domain)
#Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
@ -410,7 +389,7 @@
LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN
POWERDNS_RUNNING=1
else
else
LogText "Result: PowerDNS not running"
if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
@ -424,13 +403,13 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Search PowerDNS configuration file"
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
for DIR in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${DIR}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${DIR}/pdns.conf"
LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
if HasData "${POWERDNS_AUTH_CONFIG_LOCATION}"; then
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
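Review bot: the location loop does not stop at the first match, so when more than one directory in ${POWERDNS_CONFIG_LOCS} contains a pdns.conf the last one silently wins and the earlier "found configuration file" log lines are misleading; add a `break` after setting POWERDNS_AUTH_CONFIG_LOCATION, or log explicitly that several candidates were found.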
@ -455,9 +434,9 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS backends"
FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
LogText "Found backend: ${I}"
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
LogText "Found backend: ${ITEM}"
done
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
else
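Review bot: PowerDNS accepts a comma-separated list in `launch=` (for example `launch=gmysql,bind`), but the FIND value is only split on whitespace, so the loop logs `gmysql,bind` as a single backend. Split on commas too, e.g. pipe the awk output through `${TRBINARY} ',' ' '` before iterating over ITEM.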
@ -514,7 +493,7 @@
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
else
else
LogText "Result: ypbind is not active"
if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
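Review bot: `ReportSuggestion "Disable the usage of NIS/NIS+ ..."` is called without the leading `${TEST_NO}` argument that every other ReportSuggestion call in this commit passes first, so the suggestion text ends up in the test-id position; add `${TEST_NO}` as the first argument.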
@ -623,7 +602,7 @@
if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
else
else
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
@ -636,7 +615,7 @@
#
# Test : NAME-4406
# Description : Check server hostname mapping
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${HOSTNAME}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"

@ -216,7 +216,6 @@
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search for available network interfaces"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
N=0
case ${OS} in
AIX)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
@ -239,12 +238,11 @@
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
;;
esac
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
LogText "Found network interface: ${I}"
N=$((N + 1))
Report "network_interface[]=${I}"
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${ITEM}"
LogText "Found network interface: ${ITEM}"
Report "network_interface[]=${ITEM}"
done
else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
@ -272,7 +270,7 @@
if [ ! -z "${IPBINARY}" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
else
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
fi
fi
@ -294,11 +292,9 @@
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
;;
esac
N=0
for I in ${FIND}; do
LogText "Found MAC address: ${I}"
N=$((N + 1))
Report "network_mac_address[]=${I}"
for ITEM in ${FIND}; do
LogText "Found MAC address: ${ITEM}"
Report "network_mac_address[]=${ITEM}"
done
fi
#
@ -350,20 +346,17 @@
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
N=0
# IPv4
for I in ${FIND}; do
LogText "Found IPv4 address: ${I}"
N=$((N + 1))
Report "network_ipv4_address[]=${I}"
for ITEM in ${FIND}; do
LogText "Found IPv4 address: ${ITEM}"
Report "network_ipv4_address[]=${ITEM}"
done
# IPv6
for I in ${FIND2}; do
LogText "Found IPv6 address: ${I}"
N=$((N + 1))
Report "network_ipv6_address[]=${I}"
for ITEM in ${FIND2}; do
LogText "Found IPv6 address: ${ITEM}"
Report "network_ipv6_address[]=${ITEM}"
done
fi
#
#################################################################################
@ -373,7 +366,7 @@
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
N=0
COUNT=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! -z "${SOCKSTATBINARY}" ]; then
@ -390,13 +383,13 @@
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
# TCP
FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:')
else
else
if [ ! "${SSBINARY}" = "" ]; then
# UDP
FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
# TCP
FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local)
else
else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
fi
@ -440,26 +433,26 @@
# Retrieve information from sockstat, when available
LogText "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}"
done
fi
if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
for ITEM in ${FIND2}; do
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "* Found ${N} ports"
Display --indent 6 --text "* Found ${COUNT} ports"
fi
fi
#
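Review bot: `if [ ! "${FIND2}" = "" ]; then` for the TCP list and `if [ "${FIND}" = "" -a "${FIND2}" = "" ]` a few lines later are left in the old form while the FIND check just above was converted to HasData; convert them as well (`if HasData "${FIND2}"` and `if IsEmpty "${FIND}" && IsEmpty "${FIND2}"`) so the whole block uses one style.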
@ -473,14 +466,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
for ITEM in ${FIND}; do
WHITELISTED=0
for PROFILE in ${PROFILES}; do
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ ! "${ISWHITELISTED}" = "" ]; then
Debug "Checking if interface ${ITEM} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${ITEM}:" ${PROFILE})
if HasData "${ISWHITELISTED}"; then
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
fi
@ -536,15 +529,17 @@
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
else
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
fi
fi
#
#################################################################################
#
# Test : NETW-3020
# Description : Checking multipath configuration (Solaris)
# Do you have a multipath configuration on Linux or other OS? Create a related test and send in a pull request on GitHub
# Test : NETW-3020 TODO
# Description : Checking multipath configuration
#
#################################################################################
#
@ -557,7 +552,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state"
FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
if IsEmpty "${OPTIONS_CONN_MAX_WAIT_STATE}"; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW

View File

@ -62,10 +62,10 @@
#
# Test : PKGS-7302
# Description : Query FreeBSD/NetBSD pkg_info
if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info"
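Review bot: the new prerequisite test `[ -x ${ROOTDIR}usr/sbin/pkg_info ]` (like every other `${ROOTDIR}usr/...` path in this commit) only works when ROOTDIR is guaranteed to end in a slash; with ROOTDIR unset or lacking the trailing slash the path silently becomes the relative `usr/sbin/pkg_info`, PREQS_MET flips to NO and the test is skipped without any log line explaining why. Make sure ROOTDIR is initialized to `/` before the test includes are sourced, and quote the path (`"${ROOTDIR}usr/sbin/pkg_info"`) so an unset variable fails loudly instead of quietly.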
@ -74,13 +74,13 @@
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
for ITEM in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@ -93,6 +93,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found brew"
PACKAGE_MGR_PKG=1
Report "package_manager[]=brew"
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
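Review bot: `PACKAGE_MGR_PKG=1` is now set for brew (and below for pkginfo, pacman, port and dpkg), but the pkg_info test PKGS-7302 touched in the hunk above does not set it, so a BSD host whose only package manager is pkg_info still looks as if no package manager was found; add the same assignment there. Please also confirm PACKAGE_MGR_PKG is initialized to 0 in the defaults before the tests run, since the commit message mentions variable initialization but this file does not show it.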
@ -120,11 +121,11 @@
Display --indent 4 --text "- Querying portage for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
for J in ${GPACKAGES}; do
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
for PKG in ${GPACKAGES}; do
LogText "Found package ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
else
else
LogText "Result: emerge can NOT be found on this system"
fi
#
@ -139,6 +140,7 @@
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo"
PACKAGE_MGR_PKG=1
LogText "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages"
LogText "Output:"; LogText "-----"
@ -159,7 +161,7 @@
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm"
@ -172,16 +174,16 @@
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
else
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{print $2}')
LogText "Found package: ${J}"
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
LogText "Found package: ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
else
else
LogText "Result: RPM binary NOT found on this system, test skipped"
fi
#
@ -192,10 +194,11 @@
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman"
PACKAGE_MGR_PKG=1
LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
LogText "Output:"; LogText "--------"
@ -204,14 +207,14 @@
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
fi
#
@ -237,10 +240,10 @@
else
Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
fi
else
else
LogText "Result: skipping this test, can't find checkupdates binary"
fi
else
else
LogText "Result: pacman binary NOT found on this system, test skipped"
fi
#
@ -322,20 +325,20 @@
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
N=$((N + 1))
LogText "Installed package: ${I}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
for PKG in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Installed package: ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
else
# Could not find any installed packages
ReportException ${TEST_NO} "No installed packages found with Zypper"
ReportException "${TEST_NO}" "No installed packages found with Zypper"
fi
fi
#
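Review bot: the old loop iterated over `I` but appended `${J}` to INSTALLED_PACKAGES, so the Zypper package list was filled with whatever J held from an earlier test; the change to `${PKG}` fixes a real bug rather than being a plain rename and deserves its own line in the changelog. The quoting of `"${TEST_NO}"` in the ReportException call is good; the remaining `[ ! -z "${FIND}" ]` could use `HasData` for consistency with the rest of this commit.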
@ -357,10 +360,10 @@
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:"
for I in ${FIND}; do
for PKG in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@ -368,28 +371,80 @@
fi
#
#################################################################################
#
# Test : PKGS-7332
# Description : Query macOS ports
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with port" --result "{STATUS_FOUND}" --color GREEN
Report "package_manager[]=port"
PACKAGE_MGR_PKG=1
LogText "Result: Found port utility"
LogText "Test: Querying port to get package list"
Display --indent 6 --text "- Querying port for installed packages"
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed | ${GREPBINARY} active)
for ITEM in ${SPACKAGES}; do
SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2 | ${CUTBINARY} -d' ' -f1)
LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"
done
fi
fi
#
#################################################################################
#
# Test : PKGS-7334
# Description : Query macOS ports for available port upgrades
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
LogText "Test: Querying ports for possible port upgrades"
UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
for J in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
done
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : PKGS-7345
# Description : Debian package based systems (dpkg)
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
PACKAGE_MGR_PKG=1
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
for J in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
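Review bot: the detection logic of the new PKGS-7332 is inverted: `FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)` captures the whole sorted package list followed by the exit status of `sort`, so `"${FIND}" = "0"` is only true when no active port exists and the test never reports anything on a system that actually has ports installed. Capture the exit status on its own (run the command with output to /dev/null and test `$?`, or test for non-empty output), and fix three more defects in the same block: `--result "{STATUS_FOUND}"` is missing the `$`; `INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"` references the undefined INSTALLED_PORTS and overwrites instead of appending, so it should read `INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${SPORT_NAME},${SPORT_VERSION},"`; and `for ITEM in ${SPACKAGES}` word-splits each `name @version (active)` line into three tokens, so the `-d@` cuts never see name and version together (read the output line by line instead). The Register line of PKGS-7332 also lacks the `--category security` every other test carries. In PKGS-7334, `port outdated` prints a header line ("The following installed ports are outdated:") and, when nothing is outdated, "No installed ports are outdated.", so `${CUTBINARY} -d' ' -f1` counts those lines as well and COUNT can never reach 0; filter to lines that contain a version, or check whether `port -q outdated` suppresses the header.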
@ -399,12 +454,12 @@
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
if [ -z "${SPACKAGES}" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
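Review bot: PKGS-7346 now runs `${ROOTDIR}usr/bin/dpkg -l`, but PKGS-7345 in the previous hunk still invokes a bare `dpkg -l` even though its prerequisite test checks `${ROOTDIR}usr/bin/dpkg`; both tests also pipe into a bare `sort` instead of `${SORTBINARY}`. Make the call path consistent so a custom ROOTDIR, or a PATH without dpkg, behaves the same in both tests.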
@ -413,10 +468,10 @@
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
for J in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
LogText "Found unpurged package: ${J}"
done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
@ -431,8 +486,8 @@
# Add portmaster --clean-distfiles-all
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portsclean ]; then
FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
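Review bot: `wc -l` in the portsclean line is still a bare call while the rest of the commit uses `${WCBINARY}`; since portsclean itself now gets the ROOTDIR treatment, switch the pipeline to the binary variable as well. The following `[ ${FIND} -eq 0 ]` raises a shell syntax error when portsclean prints nothing and FIND is empty; default it, e.g. `[ "${FIND:-0}" -eq 0 ]`.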
@ -452,6 +507,7 @@
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
Report "package_manager[]=dnf"
@ -460,14 +516,14 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@ -594,19 +650,20 @@
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
for J in ${UPACKAGES}; do
N=$((N + 1))
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
for PKG in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${PKG}"
Report "upgrade_available[]=${PKG}"
done
Report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then
LogText "Result: no upgrades found"
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no updates found"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
else
LogText "Result: found ${COUNT} updates"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
@ -617,11 +674,11 @@
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/sbin/pkg_admin ]; then
if [ -x ${ROOTDIR}usr/sbin/pkg_admin ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit"
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
FIND=$(/usr/sbin/pkg_admin audit)
if [ -f ${ROOTDIR}var/db/pkg/pkgs-vulnerabilities ]; then
FIND=$(${ROOTDIR}usr/sbin/pkg_admin audit)
if [ -z "${FIND}" ]; then
LogText "Result: pkg_admin audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -631,7 +688,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
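Review bot: `pkg_admin audit` is executed a second time in the `for` line although its complete output was captured in FIND a few lines earlier and already tested for emptiness; parse that instead (`echo "${FIND}" | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u`) so the audit tool is not run twice with a possible difference in results between the two calls. While here, the loop variable is still `I`; rename it to PKG as done for the other package loops in this commit.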
@ -701,11 +758,11 @@
# Test : PKGS-7382
# Description : Check for vulnerable FreeBSD packages
# Notes : Newer machines should use pkg audit instead of portaudit
if [ -x /usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
FIND=$(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
if [ -z "${FIND}" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -716,10 +773,10 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@ -753,11 +810,11 @@
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/bin/package-cleanup ]; then
LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then
LogText "Result: found YUM utils package (${ROOTDIR}usr/bin/package-cleanup)"
# Check for duplicates
LogText "Test: Checking for duplicate packages"
FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
@ -770,7 +827,7 @@
# Check for package database problems
LogText "Test: Checking for database problems"
FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
@ -869,7 +926,7 @@
#
# Test : PKGS-7387
# Description : Search for YUM GPG check
if [ -x /usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then
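Review bot: the prerequisite test still hard-codes `${ROOTDIR}usr/bin/yum`, while PKGS-7384 above already relies on `${YUMBINARY}`; use `[ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]` here as well, so yum installed under another prefix is detected and the ROOTDIR handling stays in one place (the binaries include).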
@ -892,16 +949,18 @@
done
fi
FOUND=0
FileExists /etc/yum.conf
FileExists ${ROOTDIR}etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^gpgenabled\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
AddHP 2 3
fi
fi
fi
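Review bot: the GPG check inspects only yum.conf, but `gpgcheck` in yum.conf is merely the default and any repository file under `${ROOTDIR}etc/yum.repos.d/` can set `gpgcheck=0` for its own repo, so a host can pass this test while still installing unsigned packages from one repository. Consider also searching the `.repo` files for `^gpgcheck\s*=\s*0` and reporting each match. Separately, the newly added `AddHP 2 3` in the `else` branch awards two of three hardening points for a warning-level finding; `AddHP 0 3` (as used for the glsa-check warning later in this file) or `AddHP 1 3` would be more consistent with the scoring elsewhere.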
@ -959,11 +1018,11 @@
#
# Test : PKGS-7390
# Description : Check Ubuntu database consistency
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check"
FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent."
@ -979,7 +1038,7 @@
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@ -989,16 +1048,20 @@
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
# Update the repository, outdated repositories don't give much information
LogText "Action: updating repository with apt-get"
/usr/bin/apt-get -q=2 update
LogText "Result: apt-get finished"
LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
if [ -x /usr/lib/update-notifier/apt-check ]; then
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating package repository with apt-get"
${ROOTDIR}usr/bin/apt-get -q=2 update
LogText "Result: apt-get finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
fi
LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
if [ -x ${ROOTDIR}usr/lib/update-notifier/apt-check ]; then
PACKAGE_AUDIT_TOOL="apt-check"
LogText "Result: found /usr/lib/update-notifier/apt-check"
LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=$(/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
@ -1028,9 +1091,9 @@
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
for I in ${FIND}; do
LogText "Found vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
for PKG in ${FIND}; do
LogText "Found vulnerable package: ${PKG}"
Report "vulnerable_package[]=${PKG}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
@ -1052,7 +1115,7 @@
#
# Test : PKGS-7393
# Description : Check Gentoo vulnerable packages
if [ -x /usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@ -1063,19 +1126,19 @@
# "most friendly" way.
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null
${ROOTDIR}usr/bin/emerge-webrsync --quiet 2> /dev/null
LogText "Result: emerge-webrsync finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled"
fi
LogText "Test: checking if /usr/bin/glsa-check exists"
if [ -x /usr/bin/glsa-check ]; then
LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
if [ -x ${ROOTDIR}usr/bin/glsa-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
LogText "Result: found /usr/bin/glsa-check"
LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
FIND=$(/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
FIND=$(${ROOTDIR}usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
if [ -z "${FIND}" ]; then
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
@ -1093,7 +1156,7 @@
AddHP 0 25
fi
fi
else
else
LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi
@ -1106,11 +1169,11 @@
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking /usr/bin/apt-show-versions"
if [ -x /usr/bin/apt-show-versions ]; then
LogText "Result: found /usr/bin/apt-show-versions"
LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
if [ -x ${ROOTDIR}usr/bin/apt-show-versions ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
FIND=$(/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${ROOTDIR}usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
@ -1124,8 +1187,8 @@
LogText "${ITEM}"
done
fi
else
LogText "Result: /usr/bin/apt-show-versions not found"
else
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
@ -1143,7 +1206,7 @@
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found"
else
else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
@ -1158,7 +1221,7 @@
#################################################################################
#
# Description : AIX patches
# Notes : /usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
# Notes : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
#
#################################################################################
#

View File

@ -46,7 +46,7 @@
if [ ! -f ${ROOTDIR}usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap NOT found, test skipped"
else
else
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap found"
FIND=$(${ROOTDIR}usr/sbin/chkprintcap > /dev/null ; echo $?)
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
@ -88,19 +88,19 @@
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching cupsd configuration file"
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
if FileIsReadable ${I}/cupsd.conf; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
for DIR in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${DIR}/cupsd.conf ]; then
if FileIsReadable ${DIR}/cupsd.conf; then
CUPSD_CONFIG_FILE="${DIR}/cupsd.conf"
LogText "Result: found ${CUPSD_CONFIG_FILE}"
fi
fi
done
if [ ! -z "${CUPSD_CONFIG_FILE}" ]; then
if HasData "${CUPSD_CONFIG_FILE}"; then
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
else
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED
LogText "Result: configuration file not found"
LogText "Development: no CUPS configuration file found"
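Review bot: the `for DIR in ${CUPSD_CONFIG_LOCS}` loop has no `break`, so when cupsd.conf exists in more than one location the last readable one wins and is the file audited by the following tests, which may not be the configuration the running daemon uses; add `break` after the assignment, or log every match and pick the first. Since the result is now tested with `HasData "${CUPSD_CONFIG_FILE}"`, also make sure CUPSD_CONFIG_FILE starts out empty before this test, otherwise a stale value makes the test report a file that was never found.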
@ -111,17 +111,17 @@
#
# Test : PRNT-2307
# Description : Check CUPSd configuration file permissions
# To Do : Add function
# TODO : Add function
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking CUPS configuration file permissions"
FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
else
else
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
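Review bot: the permission test now depends on `${LSBINARY}`; if that variable is not populated for the platform, the command degrades to `-l file`, FIND ends up empty, and the user gets a false "could be more strict" warning instead of a skipped test. Guard with an emptiness check on LSBINARY or, better, resolve the `TODO : Add function` by moving the mode check into a helper that does not parse `ls` output. The accepted set also includes `rw-rw----`, i.e. a group-writable cupsd.conf; confirm that group write is meant to be acceptable here.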
@ -139,17 +139,17 @@
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
N=0
for I in ${FIND}; do
LogText "Found network address: ${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Found network address: ${ITEM}"
COUNT=$((COUNT + 1))
FOUND=1
done
# Check if daemon is only running on localhost
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no listen statement found in CUPS configuration file"
elif [ ${N} -eq 1 ]; then
elif [ ${COUNT} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
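Review bot: the address test only greps `^Listen`, but cupsd.conf also accepts a `Port` directive (for example `Port 631`), which binds all interfaces; a configuration that uses only `Port` is logged as "no listen statement found" and never reaches the localhost check, so a daemon exposed on every interface scores as if nothing were listening. Extend the grep to `^(Listen|Port)` and treat a bare `Port` as a wildcard bind. The localhost comparison `"${FIND}" = "localhost:631"` also only recognises port 631; a localhost-only listener on another port falls through to the non-local branch.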
@ -167,12 +167,12 @@
# Checking sockets
LogText "Test: Checking cups daemon listening sockets"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
for I in ${FIND}; do
LogText "Found socket address: ${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found socket address: ${ITEM}"
COUNT=$((COUNT + 1))
done
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
LogText "Result: no addresses found on which CUPS daemon is listening"
else
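Review bot: COUNT is not reset before the socket loop, so `COUNT=$((COUNT + 1))` continues from the address count and the `-eq 0` test below effectively means "neither addresses nor sockets". If the combined total is intended (the display text says "addresses/sockets"), add a comment saying so; otherwise reset COUNT before the loop and report the socket count on its own.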
@ -236,12 +236,12 @@
LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else
else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
else
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
fi
@ -255,17 +255,17 @@
Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir
DirectoryExists ${ROOTDIR}var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
N=0
for I in ${FIND}; do
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
FIND=$(find ${ROOTDIR}var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if HasData "${FIND}"; then
COUNT=0
for ITEM in ${FIND}; do
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found old print job: ${FILE}"
N=$((N + 1))
COUNT=$((COUNT + 1))
done
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
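Review bot: the search path was prefixed with `${ROOTDIR}`, but `find` is still invoked bare instead of as `${FINDBINARY}` like the other tests touched in this change, and the result and suggestion strings still hard-code `/var/spool/lpd/qdir`, so with a non-default ROOTDIR the reported path differs from the one actually searched. Put the path in a variable and use it in all three places.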

@ -36,8 +36,9 @@
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no cron daemon found"
AddHP 3 3
else
LogText "Result: cron daemon running"
CROND_RUNNING=1
@ -63,42 +64,42 @@
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE}
for I in ${sCRONJOBS}; do
LogText "Found cronjob (${CRONTAB_FILE}): ${I}"
Report "cronjob[]=${I}"
for ITEM in ${sCRONJOBS}; do
LogText "Found cronjob (${CRONTAB_FILE}): ${ITEM}"
Report "cronjob[]=${ITEM}"
done
fi
CRON_DIRS="${ROOTDIR}etc/cron.d"
for I in ${CRON_DIRS}; do
LogText "Test: checking directory ${I}"
if [ -d ${I} ]; then
if FileIsReadable ${I}; then
LogText "Result: found directory ${I}"
LogText "Test: searching files in ${I}"
FIND=$(${FINDBINARY} ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
if [ -z "${FIND}" ]; then
LogText "Result: no files found in ${I}"
for DIR in ${CRON_DIRS}; do
LogText "Test: checking directory ${DIR}"
if [ -d ${DIR} ]; then
if FileIsReadable ${DIR}; then
LogText "Result: found directory ${DIR}"
LogText "Test: searching files in ${DIR}"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
if IsEmpty "${FIND}"; then
LogText "Result: no files found in ${DIR}"
else
LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${J}
if [ ! -z "${sCRONJOBS}" ]; then
LogText "Result: found one or more files in ${DIR}. Analyzing files.."
for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do
LogText "Result: Found cronjob (${J}): ${K}"
Report "cronjob[]=${J}"
LogText "Result: Found cronjob (${FILE}): ${K}"
Report "cronjob[]=${FILE}"
done
fi
done
LogText "Result: done with analyzing files in ${I}"
LogText "Result: done with analyzing files in ${DIR}"
fi
else
LogText "Result: can not read file or directory ${I}"
LogText "Result: can not read file or directory ${DIR}"
fi
else
LogText "Result: directory ${I} does not exist"
LogText "Result: directory ${DIR} does not exist"
fi
done
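Review bot: the loop variable was renamed from J to FILE, but the two lines calling IsWorldWritable and IsOwnedByRoot still log and report `${J}`, which is now unset, so `insecure_fileperms_cronjob[]=` and `bad_fileowner_cronjob[]=` are written to the report with an empty filename and the log line names no file. Replace the remaining `${J}` references on those two lines with `${FILE}`.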
@ -218,11 +219,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
AT_UNKNOWN=0
case ${OS} in
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
FreeBSD) AT_ALLOW="${ROOTDIR}var/at/at.allow"; AT_DENY="${ROOTDIR}var/at/at.deny" ;;
HPUX) AT_ALLOW="${ROOTDIR}usr/lib/cron/at.allow"; AT_DENY="${ROOTDIR}usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="${ROOTDIR}etc/at.allow"; AT_DENY="${ROOTDIR}etc/at.deny" ;;
OpenBSD) AT_ALLOW="${ROOTDIR}var/cron/at.allow"; AT_DENY="${ROOTDIR}var/cron/at.deny" ;;
SunOS) AT_ALLOW="${ROOTDIR}etc/cron.d/at.allow"; AT_DENY="${ROOTDIR}etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
esac
if [ ${AT_UNKNOWN} -eq 0 ]; then
@ -232,14 +233,14 @@
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=$(${SORTBINARY} ${AT_ALLOW})
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: File empty, no users are allowed to schedule at jobs"
else
for I in ${FIND}; do
LogText "Allowed at user: ${I}"
for ITEM in ${FIND}; do
LogText "Allowed at user: ${ITEM}"
done
fi
else
else
LogText "Result: can not read ${AT_ALLOW} (no permission)"
fi
else
@ -253,8 +254,8 @@
if [ -z "${FIND}" ]; then
LogText "Result: file is empty, no users are denied access to schedule jobs"
else
for I in ${FIND}; do
LogText "Denied at user: ${I}"
for ITEM in ${FIND}; do
LogText "Denied at user: ${ITEM}"
done
fi
else
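Review bot: the at.deny branch still uses `[ -z "${FIND}" ]` while the at.allow branch above was converted to `IsEmpty "${FIND}"` in this same change; convert it as well so the two branches read the same way.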
@ -281,10 +282,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check scheduled at jobs"
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
if HasData "${FIND}"; then
LogText "Result: found one or more jobs"
for I in ${FIND}; do
VALUE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
for ITEM in ${FIND}; do
VALUE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found at job: ${VALUE}"
done
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN

@ -88,7 +88,7 @@
else
LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
fi
done
done
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
else
LogText "Result: /etc/shells not found, skipping test"
@ -203,14 +203,14 @@
LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
fi
fi
else
else
LogText "Result: skip /etc/profile.d directory test, directory not available on this system"
fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
else
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
AddHP 1 3
fi

@ -201,63 +201,62 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: checking ACLs"
FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
else
for I in ${FIND}; do
N=$((N + 1))
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found ACL: ${I}"
#Report "squid_acl=${I}"
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found ACL: ${ITEM}"
#Report "squid_acl=${ITEM}" # TODO
done
LogText "Result: Found ${N} ACLs"
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
LogText "Result: Found ${COUNT} ACLs"
Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
fi
fi
#
#################################################################################
#
# Test : SQD-3624 [T]
# Test : SQD-3624
# Description : Check unsecure ports in Safe_ports list
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking ACL Safe_ports http_access option"
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
LogText "Result: checking ACL safe ports"
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
if [ -z "${FIND2}" ]; then
if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
LogText "Result: Safe_ports found"
for I in ${FIND}; do
LogText "Found safe port: ${I}"
for ITEM in ${FIND}; do
LogText "Found safe port: ${ITEM}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
if [ -z "${FIND2}" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${ITEM} in Safe_ports list"
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" ${SQUID_DAEMON_CONFIG})
if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
AddHP 0 1
fi
done
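Review bot: the "Found safe port" loop iterates over `${FIND}` (the http_access lines matched earlier) instead of `${FIND2}` (the port list extracted with awk), so the log prints fragments of the http_access rule rather than port numbers; loop over `${FIND2}` there. FIND2 is then reused for the per-port grep in the unsafe-ports loop below, so a distinct variable name for the port list would avoid the same slip in future.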
@ -277,10 +276,9 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking option reply_body_max_size"
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
AddHP 1 2

@ -250,30 +250,30 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: All peers are lower than stratum 16"
else
for I in ${FIND}; do
LogText "Found stratum 16 peer: ${I}"
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE})
if [ -z "${FIND2}" ]; then
N=$((N + 1))
Report "ntp_stratum_16_peer[]=${I}"
for ITEM in ${FIND}; do
LogText "Found stratum 16 peer: ${ITEM}"
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${ITEM}:" ${PROFILE})
if IsEmpty "${FIND2}"; then
COUNT=$((COUNT + 1))
Report "ntp_stratum_16_peer[]=${ITEM}"
else
LogText "Output: host ${I} ignored by profile"
LogText "Output: host ${ITEM} ignored by profile"
fi
done
# Check if one or more high stratum time servers are found
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)"
LogText "Result: Found ${COUNT} high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
fi
fi
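Review bot: the new log line has an unbalanced parenthesis in `high stratum (16) peers)`; drop the trailing `)`. Since COUNT is now reported, the message could also read "peer(s)".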
@ -457,7 +457,7 @@
fi
LogText "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
LogText "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
else
else
LogText "Result: test skipped because ${FILE} not found"
fi
fi

@ -31,6 +31,8 @@
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
PERFORM_FAIL2BAN_TESTS=0
SNORT_FOUND=0
SNORT_RUNNING=0
#
#################################################################################
#
@ -160,7 +162,7 @@
#
#################################################################################
#
# Intrusion Prevention tools
# Intrusion Detection and Prevention tools
#
#################################################################################
#
@ -285,7 +287,7 @@
# if [ ! -z "${CHECK_CHAINS}" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
# else
# else
# LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# AddHP 0 3
@ -299,6 +301,52 @@
# fi
#
#################################################################################
#
# Test : TOOL-5120
# Description : Check for Snort
Register --test-no TOOL-5120 --weight L --network NO --category security --description "Check for presence of Snort"
if [ ${SKIPTEST} -eq 0 ]; then
# Snort presence
if [ -n "${SNORTBINARY}" ]; then
SNORT_FOUND=1
IDS_IPS_TOOL_FOUND=1
LogText "Result: Snort is installed (${SNORTBINARY})"
Report "ids_ips_tooling[]=snort"
Display --indent 2 --text "- Checking presence of Snort" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning snort
if [ ${SNORT_RUNNING} -eq 1 ]; then
SNORT_FOUND=1
SNORT_RUNNING=1
SNORT_LOG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $4}' | ${HEADBINARY} -1)
else
LogText "Result: Snort not present (Snort not running)"
fi
fi
#
#################################################################################
#
# Test : TOOL-5122
# Description : Check for Snort configuration
Register --test-no TOOL-5122 --weight L --network NO --category security --description "Check Snort configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
# Continue if tooling is available and snort is running
if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then
if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
if HasData "${SNORT_CONFIG}"; then
LogText "Result: found Snort configuration file: ${SNORT_CONFIG}"
Report "snort_config=${SNORT_CONFIG}"
fi
SNORT=$(which snort 2> /dev/null)
fi
fi
fi
#
#################################################################################
#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool
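Review bot: TOOL-5120 can never mark Snort as running: SNORT_RUNNING is initialised to 0 at the top of the file and is only set to 1 inside `if [ ${SNORT_RUNNING} -eq 1 ]`, while the result of `IsRunning snort` is never read, so the else branch always logs "Snort not present (Snort not running)" even when the binary was just found. Set SNORT_RUNNING from what IsRunning reports before testing it. Further points in the same two tests: `${PSBINARY}` without arguments lists only processes on the current terminal, so the awk extraction of the log directory (field 4 after splitting on `-..`) and, in TOOL-5122, of the configuration path will usually be empty; use the same `ps` arguments as the other process checks. In TOOL-5122 the outer `[ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]` is unquoted and always true because both variables hold 0 or 1, so it is a no-op; `SNORT_LOG` and `SNORT=$(which snort 2> /dev/null)` are assigned but never used or reported; and when SNORTBINARY is empty nothing is displayed for the not-found case, so the test produces no visible output on hosts without Snort.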

@ -87,7 +87,7 @@
else
PREQS_MET="NO"
fi
else
else
PREQS_MET="NO"
fi
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
@ -193,6 +193,9 @@
#
#################################################################################
#
# TODO
# Do you have Apache running and want to contribute? Help us testing this control and send in a pull request
# Test : HTTP-6630
# Description : Search for all loaded modules
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -219,24 +222,24 @@
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching available Apache modules"
N=0
for I in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${I}
COUNT=0
for DIR in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${DIR}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=$(find ${I} -name "mod_*" -print | sort)
for J in ${FIND}; do
Report "apache_module[]=${J}"
LogText "Result: found Apache module ${J}"
N=$((N + 1))
FIND=$(${FINDBINARY} ${DIR} -name "mod_*" -print | ${SORTBINARY})
for ITEM in ${FIND}; do
Report "apache_module[]=${ITEM}"
LogText "Result: found Apache module ${ITEM}"
COUNT=$((COUNT + 1))
done
fi
done
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
Display --indent 8 --text "- Found ${N} loadable modules"
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND} (${COUNT})" --color GREEN
Display --indent 8 --text "- Found ${COUNT} loadable modules"
fi
fi
#
@ -300,7 +303,7 @@
#
#################################################################################
#
# Test : HTTP-6660
# Test : HTTP-6660 TODO
# Description : Search for "TraceEnable off" in configuration files
#
#################################################################################
@ -311,7 +314,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching running nginx process"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
if HasData "${FIND}"; then
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
NGINX_RUNNING=1
@ -330,14 +333,14 @@
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching nginx configuration file"
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
for DIR in ${NGINX_CONF_LOCS}; do
if [ -f ${DIR}/nginx.conf ]; then
NGINX_CONF_LOCATION="${DIR}/nginx.conf"
LogText "Found file ${NGINX_CONF_LOCATION}"
NGINX_CONF_FILES="${I}/nginx.conf"
NGINX_CONF_FILES="${DIR}/nginx.conf"
fi
done
if [ ! -z "${NGINX_CONF_LOCATION}" ]; then
if HasData "${NGINX_CONF_LOCATION}"; then
LogText "Result: found nginx configuration file"
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
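Review bot: both NGINX_CONF_LOCATION and NGINX_CONF_FILES are overwritten on every match, so when nginx.conf exists in more than one entry of NGINX_CONF_LOCS only the last one is used and NGINX_CONF_FILES holds a single path rather than the list its name suggests. Either break on the first match or append with `NGINX_CONF_FILES="${NGINX_CONF_FILES} ${DIR}/nginx.conf"` so that the later parsing loop sees every file found.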
@ -357,7 +360,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
COUNT=0
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
@ -366,7 +369,7 @@
for J in ${FIND2}; do
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
N=$((N + 1))
COUNT=$((COUNT + 1))
LogText "Result: found Nginx configuration file ${J}"
Report "nginx_sub_conf_file[]=${J}"
FileIsReadable ${J}
@ -390,10 +393,10 @@
# Remove unsorted file for next tests
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no nginx include statements found"
else
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
Display --indent 6 --text "- Found nginx includes" --result "${COUNT} FOUND" --color GREEN
fi
fi
#
@ -407,14 +410,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options"
for I in ${NGINX_CONF_FILES}; do
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
for FILE in ${NGINX_CONF_FILES}; do
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
if FileIsReadable ${I}; then
Display --indent 8 --text "- ${I}"
ParseNginx ${I}
if FileIsReadable ${FILE}; then
Display --indent 8 --text "- ${FILE}"
ParseNginx ${FILE}
else
Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW
Display --indent 8 --text "- ${FILE}" --result "SKIPPED (NOT READABLE)" --color YELLOW
fi
else
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"

lynis
@ -34,7 +34,7 @@
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
# Version details
PROGRAM_RELEASE_DATE="2017-04-23"
PROGRAM_RELEASE_DATE="2017-04-30"
PROGRAM_RELEASE_TIMESTAMP=1490800090
PROGRAM_RELEASE_TYPE="dev" # dev or final
PROGRAM_VERSION="2.5.0"
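Review bot: PROGRAM_RELEASE_DATE is bumped to 2017-04-30 but PROGRAM_RELEASE_TIMESTAMP is left at 1490800090, which is a date in late March 2017, so the two release fields now disagree. Update the timestamp in the same hunk as the date (or derive one from the other at build time), since the "Test for older releases" block further down computes NOW to compare against it.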
@ -416,7 +416,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
if [ ${WRONGOPTION} -eq 1 ]; then
echo " ${RED}Error${NORMAL}: ${WHITE}Invalid option '${WRONGOPTION_value}'${NORMAL}"
else
else
if [ ${VIEWHELP} -eq 0 ]; then
echo " ${RED}No command provided.${WHITE} Exiting..${NORMAL}"
echo ""
@ -572,13 +572,13 @@ ${NORMAL}
if [ -z "${PLUGINDIR}" ]; then
#LogText "Result: Searching for plugindir"
tPLUGIN_TARGETS="/usr/local/lynis/plugins /usr/local/share/lynis/plugins /usr/share/lynis/plugins /etc/lynis/plugins ./plugins"
for I in ${tPLUGIN_TARGETS}; do
if [ -d ${I} -a -z "${PLUGINDIR}" ]; then
PLUGINDIR=${I}
for DIR in ${tPLUGIN_TARGETS}; do
if [ -d ${DIR} -a -z "${PLUGINDIR}" ]; then
PLUGINDIR=${DIR}
Debug "Result: found plugindir ${PLUGINDIR}"
fi
done
else
else
Debug "Plugin was already set before to ${PLUGINDIR} (most likely via program argument or profile)"
fi
@ -706,9 +706,9 @@ ${NORMAL}
fi
# Test for older releases, without testing via update mechanism
if [ "$OS" = "Solaris" ]; then
if [ "${OS}" = "Solaris" ]; then
NOW=$(nawk 'BEGIN{print srand()}')
else
else
NOW=$(date "+%s")
fi
@ -780,7 +780,7 @@ ${NORMAL}
#################################################################################
#
# Check for systemd presence
if [ -d /lib/systemd/system -a -f /usr/lib/systemd/systemd ]; then
if [ -d ${ROOTDIR}lib/systemd/system -a -f ${ROOTDIR}usr/lib/systemd/systemd ]; then
LogText "Result: systemd is using systemd"
HAS_SYSTEMD=1
Report "systemd=1"
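Review bot: the systemd detection now requires `${ROOTDIR}usr/lib/systemd/systemd`, but on Debian and Ubuntu systems without a merged /usr the binary lives at /lib/systemd/systemd, so those hosts are reported as not using systemd. Test both locations (or check that PID 1 is systemd) rather than a single path. The log message also reads "systemd is using systemd"; it should say the system is using systemd.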
@ -796,7 +796,7 @@ ${NORMAL}
Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
if IsDebug; then
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
else
else
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "NO" --color RED
fi
fi

@ -62,7 +62,7 @@
# Check if a directory exists
if [ -d ${DIR} ]; then
LogText "Result: log entry for easier debugging or additional information"
else
else
FOUNDPROBLEM=1
LogText "Result: directory ${DIR} was not found!"
ReportWarning "${TEST_NO}" "This is a test warning line" "${DIR}" "text:Create directory ${DIR}"
@ -70,7 +70,7 @@
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN
else
else
Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion"
fi

@ -6,12 +6,12 @@
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=authentication
# PLUGIN_DATE=2017-03-01
# PLUGIN_DATE=2017-04-30
# PLUGIN_DESC=PAM
# PLUGIN_NAME=pam
# PLUGIN_PACKAGE=all
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.1
# PLUGIN_VERSION=1.0.2
#-----------------------------------------------------
#########################################################################
#
@ -27,8 +27,8 @@
if [ ${SKIPTEST} -eq 0 ]; then
for LINE in $(${GREPBINARY} -v "^#" ${FILE} | ${TRBINARY} -d " "); do
for I in ${LINE}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
OPTION=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
case ${OPTION} in
minlen)
DigitsOnly ${VALUE}
@ -69,8 +69,7 @@
if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: /etc/pam.d exists"
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
# First check /etc/pam.conf if it exists.
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}"
while read line; do
@ -370,7 +369,7 @@ Report "authentication_two_factor_required=${PAM_2F_AUTH_ENABLED}"
if [ ! "${AUTH_UNLOCK_TIME}" = "-1" ]; then
LogText "[PAM] Authentication unlock time: ${AUTH_UNLOCK_TIME}"
Report "authentication_unlock_time=${AUTH_UNLOCK_TIME}"
else
else
LogText "[PAM] Authentication unlock time: not configured"
fi
@ -383,7 +382,7 @@ fi
if [ ! "${MIN_PASSWORD_LENGTH}" = "-1" ]; then
LogText "[PAM] Minimum password length: ${MIN_PASSWORD_LENGTH}"
Report "minimum_password_length=${MIN_PASSWORD_LENGTH}"
else
else
LogText "[PAM] Minimum password length: not configured"
fi
@ -395,7 +394,7 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then
# Show how many password class are required out of 4
LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}"
Report "min_password_class=${MIN_PASSWORD_CLASS}"
else
else
LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced"
Report "min_password_class=ignored"
fi
@ -445,7 +444,7 @@ fi
if [ ! -z "${MAX_PASSWORD_RETRY}" ]; then
LogText "[PAM] Password maximum retry: ${MAX_PASSWORD_RETRY}"
Report "max_password_retry=${MAX_PASSWORD_RETRY}"
else
else
LogText "[PAM] Password maximum retry: Not configured"
fi
@ -460,7 +459,7 @@ if [ ${PAM_PASSWORD_PWHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"
else
else
LogText "[PAM] Password history with pam_pwhistory IS NOT enabled"
fi
@ -468,7 +467,7 @@ if [ ${PAM_PASSWORD_UXHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"
else
else
LogText "[PAM] Password history with pam_unix IS NOT enabled"
fi

@ -16,12 +16,12 @@
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=essentials
# PLUGIN_DATE=2016-04-28
# PLUGIN_DATE=2017-04-30
# PLUGIN_DESC=Tests related to systemd tooling
# PLUGIN_NAME=systemd
# PLUGIN_PACKAGE=community
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.1
# PLUGIN_VERSION=1.0.2
#-----------------------------------------------------
#
#########################################################################
@ -42,7 +42,7 @@
FIND=$(${SYSTEMCTLBINARY} > /dev/null)
if [ $? -gt 0 ]; then
Report "systemctl_error_message=${FIND}"
else
else
SYSTEMD_RUNNING=1
fi
Report "systemctl_exit_code=$?"
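Review bot: `Report "systemctl_exit_code=$?"` runs after the if/else block, so `$?` is the exit status of that construct (normally 0), not of the systemctl call. Capture it immediately, e.g. `FIND=$(${SYSTEMCTLBINARY} > /dev/null); EXITCODE=$?`, and report EXITCODE. Note also that stdout is redirected to /dev/null, so FIND is always empty and `systemctl_error_message` is reported blank; drop the redirect or capture stderr with `2>&1` if the message is wanted.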
@ -63,7 +63,7 @@
Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}"
fi
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
if [ ! "${FIND}" = "" ]; then
Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list"
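Review bot: this line moves from `$(...)` to backticks, the opposite of the cleanup applied across the rest of the commit (the same regression appears in the next two hunks of this plugin); keep `$(...)`. The pipeline also calls bare `grep`, `sed` and `head` where the surrounding code uses `${AWKBINARY}`-style variables, so the binary variables should be used here too.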
@ -77,7 +77,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
@ -94,7 +94,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
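Review bot: the unchanged log line `LogText "Result: found systemd unit files via systemctl list-unit-files"` is copied from PLGN-3804; this test queries `--state=failed`, so the message should say something like "found failed systemd units" or the log becomes misleading. The `$(...)`-to-backtick swap is the same style change as in the previous hunk.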
@ -125,11 +125,11 @@
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then
Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd"
else
else
LogText "Result: no binaries found in /usr/lib/systemd"
fi
fi
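Review bot: the find path is now `${ROOTDIR}usr/lib/systemd`, but the prerequisite line two lines above still tests the hard-coded `-d /usr/lib/systemd`, and both LogText messages still name `/usr/lib/systemd`; with a non-default ROOTDIR the test either skips or logs the wrong directory. Use `${ROOTDIR}usr/lib/systemd` in all three places. This hunk also keeps `$(...)` while the other FIND assignments in the file were switched to backticks, so the file ends up with both styles.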
@ -160,7 +160,7 @@
if [ ! "${FIND}" = "" ]; then
Report "journal_contains_errors=1"
for I in ${FIND}; do
LINE=$(echo ${I} | sed 's/:space:/ /g')
LINE=`echo ${I} | sed 's/:space:/ /g'`
LogText "Output (fails): ${LINE}"
done
else
@ -176,7 +176,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size"
fi
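Review bot: `awk` is called bare here (with no stderr redirect on `journalctl`), whereas the rest of the plugin uses `${AWKBINARY}` and the PREQS_MET line only checks JOURNALCTLBINARY; use `${AWKBINARY}` and add it to the prerequisite check. Also, the parse depends on the first word of the `journalctl --disk-usage` line being `Journals`; that wording has varied across systemd releases, so `journal_disk_size` may be reported empty. Matching the field that looks like a size (digits followed by a unit) rather than the line's first word would be more robust.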
@ -188,7 +188,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
Report "journal_meta_data=${FIND}"
fi
#
@ -228,7 +228,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}"
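Review bot: bare `awk` again, without `${AWKBINARY}` in PREQS_MET, while PLGN-3834 directly below does check `${AWKBINARY}`; use the variable here for consistency with the commit's stated goal of initialized binary variables. The backtick swap mirrors the other hunks.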
@ -243,7 +243,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do
@ -261,7 +261,7 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1
FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
if [ ! "${FIND}" = "" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1"
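Review bot: `cat /proc/sys/kernel/core_pattern | grep systemd-coredump` can be `grep systemd-coredump /proc/sys/kernel/core_pattern` (or `grep -q` and a test on its exit status), which drops the unneeded pipe. Separately, `SYSTEMD_COREDUMP_USED=1` is set before the check runs; verify that the else branch resets it to 0, otherwise the variable and the reported `systemd_coredump_used` value disagree when the pattern does not match. Neither point is introduced by the backtick swap.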
@ -285,7 +285,7 @@
if [ ! "${FIND}" = "" ]; then
Report "journal_coredumps_lastday=1"
LogText "Result: found recent coredumps"
else
else
Report "journal_coredumps_lastday=0"
LogText "Result: found no coredumps"
fi