[bulk change] cleaning up, code enhancements, initialization of variables, and new tests
parent
5ccd0912cf
commit
4ecb9d4d05
13
CHANGELOG.md
13
CHANGELOG.md
|
@ -10,17 +10,28 @@ Lynis 2.5.0 (2017-05-03) - Not released yet
|
|||
This release is a maintenance release with focus on cleaning up the code for
|
||||
readability and future expansion. It includes:
|
||||
|
||||
* Setting ROOTDIR variable instead of fixed paths
|
||||
* Use ROOTDIR variable instead of fixed paths
|
||||
* Introduction of IsEmpty and HasData functions for readability of code
|
||||
* Renamed some variables to better indicate their purpose (counting, data type)
|
||||
* Removal of unused code and comments
|
||||
* Deleted unused tests from database file
|
||||
* Correct levels of identation
|
||||
|
||||
During the maintenance cycle, the project got informed about a flaw that could
|
||||
be possibly abused. This release is therefore highly recommended. See details on
|
||||
[CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)
|
||||
|
||||
Changes:
|
||||
--------
|
||||
* Support for older mac OS X versions (Lion and Mountain Lion)
|
||||
* Initialized variables for more binaries
|
||||
|
||||
Tests:
|
||||
------
|
||||
* MALW-3280 - Extended test with Symantec components
|
||||
* PKGS-7332 - Detection of macOS ports tool and installed packages
|
||||
* TOOL-5120 - Snort detection
|
||||
* TOOL-5122 - Snort configuration file
|
||||
|
||||
---------------------------------------------------------------------------------
|
||||
|
||||
|
|
30
db/tests.db
30
db/tests.db
|
@ -46,8 +46,6 @@ AUTH-9402:test:security:authentication::Query LDAP authentication support:
|
|||
AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
|
||||
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
|
||||
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
|
||||
#BANN-7119:test:security:banners::Check MOTD banner file:
|
||||
#BANN-7122:test:security:banners::Check /etc/motd banner file contents:
|
||||
BANN-7124:test:security:banners::Check issue banner file:
|
||||
BANN-7126:test:security:banners::Check issue banner file contents:
|
||||
BANN-7128:test:security:banners::Check issue.net banner file:
|
||||
|
@ -63,7 +61,6 @@ BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader pres
|
|||
BOOT-5126:test:security:boot_services:NetBSD:Check for NetBSD boot loader presence:
|
||||
BOOT-5139:test:security:boot_services::Check for LILO boot loader presence:
|
||||
BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
|
||||
#BOOT-5144:test:security:boot_services::Check SPARC Improved boot loader (SILO):
|
||||
BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file:
|
||||
BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence:
|
||||
BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services:
|
||||
|
@ -73,7 +70,6 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
|
|||
BOOT-5202:test:security:boot_services::Check uptime of system:
|
||||
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
|
||||
CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
|
||||
#CONT-1906:test:security:containers::Query Xen guests:
|
||||
CONT-8102:test:security:containers::Checking Docker status and information:
|
||||
CONT-8104:test:security:containers::Checking Docker info for any warnings:
|
||||
CONT-8106:test:security:containers::Gather basic stats from Docker:
|
||||
|
@ -81,14 +77,11 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
|
|||
CONT-8108:test:security:containers::Check file permissions for Docker files:
|
||||
CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
|
||||
DBS-1804:test:security:databases::Checking active MySQL process:
|
||||
#DBS-1808:test:security:databases::Checking MySQL data directory:
|
||||
#DBS-1812:test:security:databases::Checking MySQL data directory permissions:
|
||||
DBS-1816:test:security:databases::Checking MySQL root password:
|
||||
DBS-1818:test:security:databases::MongoDB status:
|
||||
DBS-1820:test:security:databases::Check MongoDB authentication:
|
||||
DBS-1826:test:security:databases::Checking active PostgreSQL processes:
|
||||
DBS-1840:test:security:databases::Checking active Oracle processes:
|
||||
#DBS-1842:test:security:databases::Checking Oracle home paths:
|
||||
DBS-1860:test:security:databases::Checking active DB2 instances:
|
||||
DBS-1880:test:security:databases::Checking active Redis processes:
|
||||
DBS-1882:test:security:databases::Redis configuration file:
|
||||
|
@ -112,7 +105,6 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
|
|||
FILE-6310:test:security:filesystems::Checking /tmp, /home and /var directory:
|
||||
FILE-6311:test:security:filesystems::Checking LVM volume groups:
|
||||
FILE-6312:test:security:filesystems::Checking LVM volumes:
|
||||
#FILE-6316:test:security:filesystems:Linux:Checking /etc/fstab:
|
||||
FILE-6323:test:security:filesystems:Linux:Checking EXT file systems:
|
||||
FILE-6329:test:security:filesystems::Checking FFS/UFS file systems:
|
||||
FILE-6330:test:security:filesystems:FreeBSD:Checking ZFS file systems:
|
||||
|
@ -145,7 +137,6 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
|
|||
FIRE-4590:test:security:firewalls::Check firewall status:
|
||||
HOME-9302:test:security:homedirs::Create list with home directories:
|
||||
HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
|
||||
#HOME-9314:test:security:homedirs::Create list with home directories:
|
||||
HOME-9350:test:security:homedirs::Collecting information from home directories:
|
||||
HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
|
||||
HRDN-7222:test:security:hardening::Check compiler permissions:
|
||||
|
@ -153,12 +144,9 @@ HRDN-7230:test:security:hardening::Check for malware scanner:
|
|||
HTTP-6622:test:security:webservers::Checking Apache presence:
|
||||
HTTP-6624:test:security:webservers::Testing main Apache configuration file:
|
||||
HTTP-6626:test:security:webservers::Testing other Apache configuration file:
|
||||
#HTTP-6628:test:security:webservers::Testing other Apache configuration file:
|
||||
#HTTP-6630:test:security:webservers::Determining all loaded Apache modules:
|
||||
HTTP-6632:test:security:webservers::Determining all available Apache modules:
|
||||
HTTP-6640:test:security:webservers::Determining existence of specific Apache modules:
|
||||
HTTP-6641:test:security:webservers::Determining existence of specific Apache modules:
|
||||
#HTTP-6642:test:security:webservers::Determining existence of specific Apache modules:
|
||||
HTTP-6643:test:security:webservers::Determining existence of specific Apache modules:
|
||||
HTTP-6702:test:security:webservers::Check nginx process:
|
||||
HTTP-6704:test:security:webservers::Check nginx configuration file:
|
||||
|
@ -168,8 +156,6 @@ HTTP-6710:test:security:webservers::Check nginx SSL configuration settings:
|
|||
HTTP-6712:test:security:webservers::Check nginx access logging:
|
||||
HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
|
||||
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
|
||||
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
|
||||
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
|
||||
HTTP-6720:test:security:webservers::Check Nginx log files:
|
||||
INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
|
||||
INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
|
||||
|
@ -187,7 +173,6 @@ KRNL-5745:test:security:kernel:FreeBSD:Checking FreeBSD loaded kernel modules:
|
|||
KRNL-5770:test:security:kernel:Solaris:Checking active kernel modules:
|
||||
KRNL-5788:test:security:kernel:Linux:Checking availability new Linux kernel:
|
||||
KRNL-5820:test:security:kernel:Linux:Checking core dumps configuration:
|
||||
#KRNL-5826:test:security:kernel:Linux:Checking core dumps configuration:
|
||||
KRNL-5830:test:security:kernel:Linux:Checking if system is running on the latest installed kernel:
|
||||
KRNL-6000:test:security:kernel_hardening::Check sysctl key pairs in scan profile:
|
||||
LDAP-2219:test:security:ldap::Check running OpenLDAP instance:
|
||||
|
@ -252,14 +237,9 @@ NAME-4036:test:security:nameservices::Check Unbound configuration file:
|
|||
NAME-4202:test:security:nameservices::Check BIND status:
|
||||
NAME-4204:test:security:nameservices::Search BIND configuration file:
|
||||
NAME-4206:test:security:nameservices::Check BIND configuration consistency:
|
||||
#NAME-4050:test:security:nameservices::Check nscd status:
|
||||
NAME-4210:test:security:nameservices::Check DNS banner:
|
||||
#NAME-4212:test:security:nameservices::Check version setting in configuration:
|
||||
#NAME-4220:test:security:nameservices::Check zone transfer:
|
||||
#NAME-4222:test:security:nameservices::Check zone transfer:
|
||||
NAME-4230:test:security:nameservices::Check PowerDNS status:
|
||||
NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
|
||||
#NAME-4234:test:security:nameservices::Check PowerDNS configuration consistency:
|
||||
NAME-4236:test:security:nameservices::Check PowerDNS backends:
|
||||
NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
|
||||
NAME-4304:test:security:nameservices::Check NIS ypbind status:
|
||||
|
@ -301,6 +281,8 @@ PKGS-7320:test:security:ports_packages:Linux:Check presence of arch-audit for Ar
|
|||
PKGS-7322:test:security:ports_packages:Linux:Discover vulnerable packages on Arch Linux:
|
||||
PKGS-7328:test:security:ports_packages::Querying Zypper for installed packages:
|
||||
PKGS-7330:test:security:ports_packages::Querying Zypper for vulnerable packages:
|
||||
PKGS-7332:test:security:ports_packages::Detection of macOS ports and packages:
|
||||
PKGS-7334:test:security:ports_packages::Detection of available updates for macOS ports:
|
||||
PKGS-7345:test:security:ports_packages::Querying dpkg:
|
||||
PKGS-7346:test:security:ports_packages::Search unpurged packages on system:
|
||||
PKGS-7348:test:security:ports_packages:FreeBSD:Check for old distfiles:
|
||||
|
@ -330,7 +312,6 @@ PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
|
|||
PRNT-2307:test:security:printers_spools::Check CUPSd configuration file permissions:
|
||||
PRNT-2308:test:security:printers_spools::Check CUPSd network configuration:
|
||||
PRNT-2314:test:security:printers_spools::Check lpd status:
|
||||
#PRNT-23xx:test::printers_spools:Check cupsd address configuration:security:
|
||||
PRNT-2316:test:security:printers_spools:AIX:Checking /etc/qconfig file:
|
||||
PRNT-2418:test:security:printers_spools:AIX:Checking qdaemon printer spooler status:
|
||||
PRNT-2420:test:security:printers_spools:AIX:Checking old print jobs:
|
||||
|
@ -348,8 +329,6 @@ SHLL-6290:test:security:shells::Perform Shellshock vulnerability tests:
|
|||
SNMP-3302:test:security:snmp::Check for running SNMP daemon:
|
||||
SNMP-3304:test:security:snmp::Check SNMP daemon file location:
|
||||
SNMP-3306:test:security:snmp::Check SNMP communities:
|
||||
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
|
||||
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
|
||||
SQD-3602:test:security:squid::Check for running Squid daemon:
|
||||
SQD-3604:test:security:squid::Check Squid daemon file location:
|
||||
SQD-3606:test:security:squid::Check Squid version:
|
||||
|
@ -372,7 +351,6 @@ STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
|
|||
STRG-1904:test:security:storage_nfs::Check nfs rpc:
|
||||
STRG-1906:test:security:storage_nfs::Check nfs rpc:
|
||||
STRG-1920:test:security:storage_nfs::Checking NFS daemon:
|
||||
#STRG-1924:test:security:storage_nfs::Checking NFS daemon:
|
||||
STRG-1926:test:security:storage_nfs::Checking NFS exports:
|
||||
STRG-1928:test:security:storage_nfs::Checking empty /etc/exports:
|
||||
STRG-1930:test:security:storage_nfs::Check client access to nfs share:
|
||||
|
@ -385,13 +363,13 @@ TIME-3124:test:security:time::Check selected time source:
|
|||
TIME-3128:test:security:time::Check preffered time source:
|
||||
TIME-3132:test:security:time::Check NTP falsetickers:
|
||||
TIME-3136:test:security:time:Linux:Check NTP protocol version:
|
||||
#TIME-3146:test:security:time:Linux:Check /etc/default/ntpdate:
|
||||
TIME-3148:test:performance:time:Linux:Check TZ variable:
|
||||
TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
|
||||
TIME-3170:test:security:time::Check configuration files:
|
||||
TOOL-5002:test:security:tooling::Checking for automation tools:
|
||||
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
|
||||
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
|
||||
TOOL-5120:test:security:tooling::Presence of Snort IDS:
|
||||
TOOL-5122:test:security:tooling::Snort IDS configuration file:
|
||||
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
|
||||
#VIRT-1920:test::virtualization:Checking VMware guest status:security:
|
||||
# EOF
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
# Description : Check all system binaries
|
||||
# Notes : Always perform test, dependency for many other tests
|
||||
Register --test-no CORE-1000 --weight L --network NO --description "Check all system binaries"
|
||||
BINARY_PATHS_FOUND=""; N=0
|
||||
BINARY_PATHS_FOUND=""; COUNT=0
|
||||
Display --indent 2 --text "- Checking system binaries..."
|
||||
LogText "Status: Starting binary scan..."
|
||||
for SCANDIR in ${BIN_PATHS}; do
|
||||
|
@ -73,12 +73,12 @@
|
|||
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
|
||||
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
|
||||
FIND=$(ls ${SCANDIR})
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
BINARY="${SCANDIR}/${I}"
|
||||
for FILENAME in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
BINARY="${SCANDIR}/${FILENAME}"
|
||||
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
|
||||
# Optimized, much quicker (limited file access needed)
|
||||
case ${I} in
|
||||
case ${FILENAME} in
|
||||
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
|
||||
afick.pl) AFICKFOUND=1; AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
|
||||
aide) AIDEFOUND=1; AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
|
||||
|
@ -205,9 +205,9 @@
|
|||
ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
|
||||
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
|
||||
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
|
||||
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
|
||||
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
|
||||
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
|
||||
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
|
||||
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
|
||||
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
|
||||
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
|
||||
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
|
||||
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
|
||||
|
@ -226,6 +226,7 @@
|
|||
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
|
||||
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
|
||||
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
|
||||
snort) SNORTBINARY="${BINARY}"; LogText " Found known binary: snort (IDS) - ${BINARY}" ;;
|
||||
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
|
||||
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
|
||||
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
|
||||
|
@ -271,13 +272,12 @@
|
|||
LogText "Result: Directory ${SCANDIR} does NOT exist"
|
||||
fi
|
||||
done
|
||||
BINARY_SCAN_FINISHED=1
|
||||
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
|
||||
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
|
||||
LogText "Result: found ${COUNT} binaries"
|
||||
Report "binaries_count=${COUNT}"
|
||||
Report "binary_paths=${BINARY_PATHS_FOUND}"
|
||||
BINARY_SCAN_FINISHED=1
|
||||
LogText "Result: found ${N} binaries"
|
||||
Report "binaries_count=${N}"
|
||||
|
||||
else
|
||||
LogText "Result: checking of binaries skipped in this mode"
|
||||
fi
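Review bot: The renamed loop `for FILENAME in ${FIND}` still iterates over the output of `FIND=$(ls ${SCANDIR})`, so a filename containing whitespace in any BIN_PATHS directory is split into several bogus `BINARY` paths before the `case` runs; a glob loop avoids the ls parsing, `for BINARY in "${SCANDIR}"/*; do FILENAME="${BINARY##*/}"`, with the later `BINARY="${SCANDIR}/${FILENAME}"` line dropped. The `python)`, `python2)` and `python3)` arms also run `${BINARY} --version` on whatever file carries that name, so the scan executes discovered files rather than only recording them; if BIN_PATHS can ever contain a directory that is not root-owned, that deserves a comment such as `# executes the discovered interpreter to read its version; BIN_PATHS must only list trusted directories`. Moving `BINARY_SCAN_FINISHED=1` before the Report calls in the last hunk looks fine. The scan loop starts and ends outside the hunks shown.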
|
||||
|
|
|
@ -59,6 +59,7 @@ unset LANG
|
|||
AUDITD_RUNNING=0
|
||||
APPLICATION_FIREWALL_ACTIVE=0
|
||||
BINARY_SCAN_FINISHED=0
|
||||
BLKIDBINARY=""
|
||||
CAT_BINARY=""
|
||||
CFAGENTBINARY=""
|
||||
CHECK=0
|
||||
|
@ -98,12 +99,14 @@ unset LANG
|
|||
DOCKER_DAEMON_RUNNING=0
|
||||
ECHOCMD=""
|
||||
ERROR_ON_WARNINGS=0
|
||||
FAIL2BANBINARY=""
|
||||
FILEBINARY=""
|
||||
FILEVALUE=""
|
||||
FIND=""
|
||||
FIREWALL_ACTIVE=0
|
||||
FOUNDPATH=0
|
||||
GETENT_BINARY=""
|
||||
GRADMBINARY=""
|
||||
GREPBINARY="grep"
|
||||
GROUP_NAME=""
|
||||
GRPCKBINARY=""
|
||||
|
@ -239,6 +242,7 @@ unset LANG
|
|||
SKIPREASON=""
|
||||
SKIPPED_TESTS_ROOTONLY=""
|
||||
SMTPCTLBINARY=""
|
||||
SNORTBINARY=""
|
||||
SSHKEYSCANBINARY=""
|
||||
SSHKEYSCANFOUND=0
|
||||
SSL_CERTIFICATE_PATHS=""
|
||||
|
|
|
@ -62,7 +62,7 @@
|
|||
# Check if we can find curl
|
||||
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
|
||||
# Restrict access to this binary to the user who is running this script.
|
||||
if [ "${CURLBINARY}" = "" ]; then
|
||||
if IsEmpty "${CURLBINARY}"; then
|
||||
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
|
||||
LogText "Error: Could not find cURL binary"
|
||||
exit 1
|
||||
|
|
|
@ -226,7 +226,7 @@
|
|||
# Check if we can find the main type (with or without brackets)
|
||||
LogText "Test: search string $2 in earlier discovered results"
|
||||
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
ITEM_FOUND=1
|
||||
RETVAL=0
|
||||
LogText "Result: found search string (result: $FIND)"
|
||||
|
@ -244,7 +244,6 @@
|
|||
}
|
||||
|
||||
|
||||
|
||||
################################################################################
|
||||
# Name : CheckUpdates()
|
||||
# Description : Determine if there is an update available
|
||||
|
@ -367,6 +366,7 @@
|
|||
|
||||
# Determine if a directory exists
|
||||
DirectoryExists() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling DirectoryExists function"; fi
|
||||
DIRECTORY_FOUND=0
|
||||
LogText "Test: checking if directory $1 exists"
|
||||
if [ -d $1 ]; then
|
||||
|
@ -674,6 +674,7 @@
|
|||
################################################################################
|
||||
|
||||
FileExists() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileExists function"; fi
|
||||
FILE_FOUND=0
|
||||
LogText "Test: checking if file $1 exists"
|
||||
if [ -f $1 ]; then
|
||||
|
@ -718,10 +719,11 @@
|
|||
#
|
||||
# Returns : 0 (empty), 1 (not empty)
|
||||
# EMPTY (0 or 1) - deprecated usage
|
||||
# Usage : xyz
|
||||
# Usage : if FileIsEmpty /etc/passwd; then
|
||||
################################################################################
|
||||
|
||||
FileIsEmpty() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileIsEmpty function"; fi
|
||||
EMPTY=0
|
||||
LogText "Test: checking if file $1 is empty"
|
||||
if [ -z $1 ]; then
|
||||
|
@ -858,7 +860,7 @@
|
|||
|
||||
"DragonFly" | "FreeBSD")
|
||||
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
HOSTID=$(echo ${FIND} | sha1)
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
|
||||
|
@ -877,16 +879,16 @@
|
|||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
|
||||
|
||||
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
|
||||
# If not, then falling back to getting first interface. Better than nothing.
|
||||
if [ ! "${HASETH0}" = "" ]; then
|
||||
if HasData "${HASETH0}"; then
|
||||
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
else
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
|
||||
else
|
||||
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
|
||||
|
@ -902,10 +904,10 @@
|
|||
if [ ! "${IPBINARY}" = "" ]; then
|
||||
# Determine if we have the common available eth0 interface
|
||||
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
# Determine the MAC address of first interface with the ip command
|
||||
FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
|
||||
fi
|
||||
fi
|
||||
|
@ -915,7 +917,7 @@
|
|||
fi
|
||||
|
||||
# Check if we found a HostID
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Info: using hardware address ${FIND} to create ID"
|
||||
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
|
||||
LogText "Result: Found HostID: ${HOSTID}"
|
||||
|
@ -948,7 +950,7 @@
|
|||
|
||||
"NetBSD")
|
||||
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
HOSTID=$(echo ${FIND} | sha1)
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on NetBSD"
|
||||
|
@ -957,7 +959,7 @@
|
|||
|
||||
"OpenBSD")
|
||||
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
HOSTID=$(echo ${FIND} | sha1)
|
||||
else
|
||||
ReportException "GetHostID" "No MAC address returned on OpenBSD"
|
||||
|
@ -1216,10 +1218,10 @@
|
|||
################################################################################
|
||||
|
||||
IsEmpty() {
|
||||
if [ $# -eq 1 ]; then
|
||||
if [ -z "$1" ]; then return 0; else return 1; fi
|
||||
else
|
||||
if [ $# -eq 0 ]; then
|
||||
ExitFatal "Function IsEmpty called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
|
||||
else
|
||||
if [ -z "$1" ]; then return 0; else return 1; fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -1232,6 +1234,7 @@
|
|||
################################################################################
|
||||
|
||||
IsRunning() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsRunning function"; fi
|
||||
RUNNING=0
|
||||
PSOPTIONS=""
|
||||
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi
|
||||
|
@ -1387,7 +1390,8 @@
|
|||
if [ "${SHORT}" = "" ]; then
|
||||
if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
|
||||
elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
|
||||
else DMIDECODE_BINARY=""
|
||||
else
|
||||
DMIDECODE_BINARY=""
|
||||
fi
|
||||
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
|
||||
LogText "Test: trying to guess virtualization with dmidecode"
|
||||
|
@ -1455,12 +1459,12 @@
|
|||
fi
|
||||
|
||||
# lshw
|
||||
if [ "${SHORT}" = "" ]; then
|
||||
if HasData "${SHORT}"; then
|
||||
if [ ${PRIVILEGED} -eq 1 ]; then
|
||||
if [ -x /usr/bin/lshw ]; then
|
||||
LogText "Test: trying to guess virtualization with lshw"
|
||||
FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found ${FIND}"
|
||||
SHORT="${FIND}"
|
||||
fi
|
||||
|
@ -1524,6 +1528,7 @@
|
|||
################################################################################
|
||||
|
||||
IsWorldReadable() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldReadable function"; fi
|
||||
sFILE=$1
|
||||
# Check for symlink
|
||||
if [ -L ${sFILE} ]; then
|
||||
|
@ -1550,6 +1555,7 @@
|
|||
|
||||
# Function IsWorldExecutable
|
||||
IsWorldExecutable() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldExecutable function"; fi
|
||||
sFILE=$1
|
||||
# Check for symlink
|
||||
if [ -L ${sFILE} ]; then
|
||||
|
@ -1575,6 +1581,7 @@
|
|||
################################################################################
|
||||
|
||||
IsWorldWritable() {
|
||||
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
|
||||
sFILE=$1
|
||||
FileIsWorldWritable=""
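Review bot: The lshw probe's condition is inverted: `if HasData "${SHORT}"; then` replaces `if [ "${SHORT}" = "" ]; then`, so lshw now runs only when a virtualization product has already been identified and is skipped in exactly the case the `# lshw` fallback was meant to cover; the equivalent rewrite is `if IsEmpty "${SHORT}"; then`, matching the unchanged dmidecode check `if [ "${SHORT}" = "" ]; then` a few hunks above. The other `HasData`/`IsEmpty` substitutions in this file keep their original sense. The new usage line `# Usage : if FileIsEmpty /etc/passwd; then` documents a file test, but the first visible check in that body, `if [ -z $1 ]`, tests the argument string rather than the file; the rest of the body is outside the hunk, so this may be handled further down. The enclosing functions start and end outside the hunks shown.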
|
||||
|
||||
|
|
|
@ -19,13 +19,12 @@
|
|||
#################################################################################
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
|
||||
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
|
||||
Display --text " "; Display --text " "
|
||||
ExitFatal
|
||||
else
|
||||
else
|
||||
FILE=$(echo $1 | egrep "^http|https")
|
||||
if [ ! "${FILE}" = "" ] ; then
|
||||
if HasData "${FILE}"; then
|
||||
CreateTempFile
|
||||
TMP_FILE="${TEMP_FILE}"
|
||||
Display --indent 2 --text "Downloading URL ${FILE} with wget"
|
||||
|
@ -151,14 +150,14 @@ InsertSection "Basics"
|
|||
|
||||
LogText "Checking usage of wget"
|
||||
FIND_WGET=$(grep wget ${AUDIT_FILE})
|
||||
if [ ! "${FIND_WGET}" = "" ]; then
|
||||
if HasData "${FIND_WGET}"; then
|
||||
Display --indent 4 --text "Download tool" --result "wget"
|
||||
FILE_DOWNLOAD=1
|
||||
fi
|
||||
|
||||
|
||||
FIND=$(grep "^ADD http" ${AUDIT_FILE})
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
FILE_DOWNLOAD=1
|
||||
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
|
||||
LogText "Details: ${FIND}"
|
||||
|
@ -168,7 +167,7 @@ InsertSection "Basics"
|
|||
|
||||
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
|
||||
|
||||
if [ ! "${SSL_USED_FIND}" = "" ]; then
|
||||
if HasData "${SSL_USED_FIND}"; then
|
||||
SSL_USED="YES"
|
||||
COLOR="GREEN"
|
||||
else
|
||||
|
@ -192,7 +191,7 @@ InsertSection "Basics"
|
|||
InsertSection "Permissions"
|
||||
|
||||
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
ReportWarning "dockerfile" "Warning: chmod 777 found"
|
||||
fi
|
||||
#
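Review bot: `if HasData "${FILE}"; then` now decides the download branch, but `FILE` comes from the unchanged line above, `FILE=$(echo $1 | egrep "^http|https")`, where the `^` anchor binds only to the `http` alternative, so any argument that merely contains `https` is treated as a URL and handed to wget; `egrep "^https?://"` would restrict it to actual URLs. `$1` is also unquoted in that `echo`, so an argument containing whitespace is mangled before the test; `printf '%s\n' "$1"` is the safe form. The surrounding `if`/`else` starts before and ends after the hunk.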
|
||||
|
|
|
@ -187,8 +187,8 @@ if [ $# -gt 0 ]; then
|
|||
"commands")
|
||||
if [ $# -eq 1 ]; then
|
||||
${ECHOCMD} "\n${WHITE}Commands:${NORMAL}"
|
||||
for I in ${COMMANDS}; do
|
||||
${ECHOCMD} "lynis ${CYAN}${I}${NORMAL}"
|
||||
for ITEM in ${COMMANDS}; do
|
||||
${ECHOCMD} "lynis ${CYAN}${ITEM}${NORMAL}"
|
||||
done
|
||||
${ECHOCMD} ""
|
||||
else
|
||||
|
@ -255,8 +255,8 @@ if [ $# -gt 0 ]; then
|
|||
${ECHOCMD} "=========================="
|
||||
${ECHOCMD} ""
|
||||
${ECHOCMD} "${WHITE}Commands${NORMAL}:"
|
||||
for I in ${COMMANDS}; do
|
||||
${ECHOCMD} "${CYAN}${I}${NORMAL}"
|
||||
for ITEM in ${COMMANDS}; do
|
||||
${ECHOCMD} "${CYAN}${ITEM}${NORMAL}"
|
||||
done
|
||||
${ECHOCMD} ""
|
||||
${ECHOCMD} "Use 'lynis show help ${CYAN}<command>${NORMAL}' to see details"
|
||||
|
@ -274,7 +274,7 @@ if [ $# -gt 0 ]; then
|
|||
esac
|
||||
fi
|
||||
;;
|
||||
"helpers") for I in ${HELPERS}; do ${ECHOCMD} ${I}; done ;;
|
||||
"helpers") for ITEM in ${HELPERS}; do ${ECHOCMD} ${ITEM}; done ;;
|
||||
"hostids" | "hostid")
|
||||
${ECHOCMD} "hostid=${HOSTID}"
|
||||
${ECHOCMD} "hostid2=${HOSTID2}"
|
||||
|
@ -295,7 +295,7 @@ if [ $# -gt 0 ]; then
|
|||
${ECHOCMD} "OS_VERSION=${OS_VERSION}"
|
||||
;;
|
||||
"pidfile") ${ECHOCMD} "${PIDFILE}" ;;
|
||||
"profile" | "profiles") for I in ${PROFILES}; do ${ECHOCMD} ${I}; done ;;
|
||||
"profile" | "profiles") for ITEM in ${PROFILES}; do ${ECHOCMD} ${ITEM}; done ;;
|
||||
"profiledir") ${ECHOCMD} "${PROFILEDIR}" ;;
|
||||
"plugindir") ${ECHOCMD} "${PLUGINDIR}" ;;
|
||||
"release") ${ECHOCMD} "${PROGRAM_VERSION}-${PROGRAM_RELEASE_TYPE}" ;;
|
||||
|
@ -314,7 +314,7 @@ if [ $# -gt 0 ]; then
|
|||
*)
|
||||
${ECHOCMD} "${RED}Error${NORMAL}: Invalid argument provided to 'lynis show settings'\n\n"
|
||||
${ECHOCMD} "Suggestions:"
|
||||
for I in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${I}"; done
|
||||
for ITEM in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${ITEM}"; done
|
||||
ExitFatal
|
||||
;;
|
||||
esac
|
||||
|
@ -431,10 +431,10 @@ if [ $# -gt 0 ]; then
|
|||
"?") ${ECHOCMD} "${SHOW_ARGS}" ;;
|
||||
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis show" ;;
|
||||
esac
|
||||
else
|
||||
else
|
||||
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
|
||||
for I in ${SHOW_ARGS}; do
|
||||
${ECHOCMD} " lynis show ${BROWN}${I}${NORMAL}"
|
||||
for ITEM in ${SHOW_ARGS}; do
|
||||
${ECHOCMD} " lynis show ${BROWN}${ITEM}${NORMAL}"
|
||||
done
|
||||
${ECHOCMD} "\n"
|
||||
|
||||
|
|
|
@ -46,6 +46,8 @@
|
|||
OS_VERSION_NAME="unknown"
|
||||
OS_FULLNAME="macOS (unknown version)"
|
||||
case ${OS_VERSION} in
|
||||
10.7 | 10.7.[0-9]*) OS_FULLNAME="Mac OS X 10.7 (Lion)" ;;
|
||||
10.8 | 10.8.[0-9]*) OS_FULLNAME="Mac OS X 10.8 (Mountain Lion)" ;;
|
||||
10.9 | 10.9.[0-9]*) OS_FULLNAME="Mac OS X 10.9 (Mavericks)" ;;
|
||||
10.10 | 10.10.[0-9]*) OS_FULLNAME="Mac OS X 10.10 (Yosemite)" ;;
|
||||
10.11 | 10.11.[0-9]*) OS_FULLNAME="Mac OS X 10.11 (El Capitan)" ;;
|
||||
|
|
|
@ -232,8 +232,8 @@
|
|||
--tests
|
||||
--upload
|
||||
--version_(-V)"
|
||||
for I in ${OPTIONS}; do
|
||||
echo "${I}" | tr '_' ' '
|
||||
for ITEM in ${OPTIONS}; do
|
||||
echo "${ITEM}" | tr '_' ' '
|
||||
done
|
||||
ExitClean
|
||||
;;
|
||||
|
|
|
@ -223,7 +223,7 @@
|
|||
|
||||
# Plugin directory
|
||||
plugindir | plugin-dir)
|
||||
if [ "${PLUGINDIR}" = "" ]; then
|
||||
if IsEmpty "${PLUGINDIR}"; then
|
||||
PLUGINDIR="${VALUE}"
|
||||
else
|
||||
LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting"
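Review bot: The `plugindir` value read from the profile is copied into `PLUGINDIR` as-is, with no check that it is an absolute path, and since this directory is presumably the one plugin files are later sourced from (not visible in this hunk), a relative or unexpected value silently changes which code Lynis executes. Rejecting anything that does not start with `/` at the point of assignment keeps a stray profile line from redirecting plugin loading, and the log line makes the rejection visible. The enclosing if/else closes outside the hunk.
```shell
if IsEmpty "${PLUGINDIR}"; then
    case "${VALUE}" in
        /*) PLUGINDIR="${VALUE}" ;;
        *)  LogText "Ignoring plugindir '${VALUE}' from profile: not an absolute path" ;;
    esac
else
# … unchanged: log that PLUGINDIR was already set …
```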
|
||||
|
|
|
@ -22,15 +22,9 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Hardening Index
|
||||
# Define approximately how strong a machine has been hardened
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# If no hardening has been found, set value to 1
|
||||
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
|
||||
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
|
||||
|
@ -39,16 +33,13 @@
|
|||
if [ ${HPINDEX} -lt 50 ]; then
|
||||
HPCOLOR="${RED}"
|
||||
HIDESCRIPTION="System has not or a low amount been hardened"
|
||||
fi
|
||||
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
|
||||
elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
|
||||
HPCOLOR="${YELLOW}"
|
||||
HIDESCRIPTION="System has been hardened, but could use additional hardening"
|
||||
fi
|
||||
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
|
||||
elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
|
||||
HPCOLOR="${GREEN}"
|
||||
HIDESCRIPTION="System seem to be decent hardened"
|
||||
fi
|
||||
if [ ${HPINDEX} -gt 89 ]; then
|
||||
elif [ ${HPINDEX} -gt 89 ]; then
|
||||
HPCOLOR="${GREEN}"
|
||||
HIDESCRIPTION="System seem to be well hardened"
|
||||
fi
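Review bot: With the chain now converted to `elif`, the upper-bound halves of the two middle conditions are redundant and the deprecated `-a` operator can be dropped: once `-lt 50` has not matched, `elif [ ${HPINDEX} -lt 80 ]; then` and `elif [ ${HPINDEX} -lt 90 ]; then` express the same 50–79 and 80–89 bands more readably, and the final `elif [ ${HPINDEX} -gt 89 ]` can become a plain `else`. While touching these lines, the two green descriptions read awkwardly; `"System seems to be decently hardened"` and `"System seems to be well hardened"` would be clearer in the report.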
|
||||
|
@ -203,7 +194,8 @@
|
|||
echo " ${SECTION}Lynis Modules${NORMAL}:"
|
||||
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
|
||||
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
|
||||
else COMPLIANCE="${YELLOW}?";
|
||||
else
|
||||
COMPLIANCE="${YELLOW}?"
|
||||
fi
|
||||
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
|
||||
echo " - Security Audit [${GREEN}V${NORMAL}]"
|
||||
|
@ -252,9 +244,9 @@
|
|||
# Split entries
|
||||
FIND=$(echo ${FIND} | sed 's/====/ /g')
|
||||
# Display found entries
|
||||
for I in ${FIND}; do
|
||||
J=$(echo ${I} | sed 's/:space:/ /g')
|
||||
echo " ${J}"
|
||||
for ITEM in ${FIND}; do
|
||||
OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')
|
||||
echo " ${OUTPUT}"
|
||||
done
|
||||
echo ""
|
||||
echo "================================================================================"
|
||||
|
|
|
@ -26,7 +26,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
|
||||
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
|
||||
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited record restricted secure subject terms this unauthorized"
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -35,108 +35,50 @@
|
|||
# Description : Check FreeBSD COPYRIGHT banner file
|
||||
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
|
||||
if [ -f /COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s /COPYRIGHT ]; then
|
||||
LogText "Result: /COPYRIGHT available and contains text"
|
||||
LogText "Test: Testing existence ${ROOTDIR}COPYRIGHT or ${ROOTDIR}etc/COPYRIGHT"
|
||||
if [ -f ${ROOTDIR}COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s ${ROOTDIR}COPYRIGHT ]; then
|
||||
LogText "Result: ${ROOTDIR}COPYRIGHT available and contains text"
|
||||
else
|
||||
LogText "Result: /COPYRIGHT available, but empty"
|
||||
LogText "Result: ${ROOTDIR}COPYRIGHT available, but empty"
|
||||
fi
|
||||
else
|
||||
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: /COPYRIGHT not found"
|
||||
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: ${ROOTDIR}COPYRIGHT not found"
|
||||
fi
|
||||
|
||||
if [ -f /etc/COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s /etc/COPYRIGHT ]; then
|
||||
LogText "Result: /etc/COPYRIGHT available and contains text"
|
||||
if [ -f ${ROOTDIR}etc/COPYRIGHT ]; then
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
||||
if [ -s ${ROOTDIR}etc/COPYRIGHT ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available and contains text"
|
||||
else
|
||||
LogText "Result: /etc/COPYRIGHT available, but empty"
|
||||
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available, but empty"
|
||||
fi
|
||||
else
|
||||
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: /etc/COPYRIGHT not found"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: ${ROOTDIR}etc/COPYRIGHT not found"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : BANN-7119
|
||||
# Description : Check MOTD banner file
|
||||
#Register --test-no BANN-7119 --weight L --network NO --category security --description "Check MOTD banner file"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# LogText "Test: Testing existence /etc/motd"
|
||||
# if [ -f /etc/motd ]; then
|
||||
# LogText "Result: file /etc/motd exists"
|
||||
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN
|
||||
# if [ ! -L /etc/motd ]; then
|
||||
# if IsWorldWritable /etc/motd; then
|
||||
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
|
||||
# LogText "Result: /etc/motd is world writable. Users can change this file!"
|
||||
# ReportWarning ${TEST_NO} "/etc/motd is world writable"
|
||||
# else
|
||||
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
|
||||
# LogText "Result: /etc/motd is not world writable."
|
||||
# fi
|
||||
# else
|
||||
# LogText "Result: file /etc/motd is symlink"
|
||||
# fi
|
||||
# else
|
||||
# LogText "Result: File /etc/motd not found"
|
||||
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
# fi
|
||||
#fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : BANN-7122
|
||||
# Description : Check motd file to see if it contains some form of message
|
||||
# to discourage unauthorized users to leave the system alone
|
||||
#if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/motd banner file contents"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# N=0
|
||||
# LogText "Test: Checking file /etc/motd contents for legal key words"
|
||||
# for I in ${LEGAL_BANNER_STRINGS}; do
|
||||
# FIND=$(${GREPBINARY} -i "${I}" /etc/motd)
|
||||
# if [ ! "${FIND}" = "" ]; then
|
||||
# LogText "Result: found string '${I}'"
|
||||
# N=$((N + 1))
|
||||
# fi
|
||||
# done
|
||||
# # Check if we have 5 or more key words
|
||||
# if [ ${N} -gt 4 ]; then
|
||||
# LogText "Result: Found ${N} key words, to warn unauthorized users"
|
||||
# Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN
|
||||
# AddHP 2 2
|
||||
# else
|
||||
# LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
|
||||
# Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
|
||||
# ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
|
||||
# AddHP 0 1
|
||||
# fi
|
||||
#fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : BANN-7124
|
||||
# Description : Check issue banner file
|
||||
Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking file /etc/issue"
|
||||
if [ -f /etc/issue ]; then
|
||||
LogText "Test: Checking file ${ROOTDIR}etc/issue"
|
||||
if [ -f ${ROOTDIR}etc/issue ]; then
|
||||
# Check for symlink
|
||||
if [ -L /etc/issue ]; then
|
||||
LogText "Result: file /etc/issue exists (symlink)"
|
||||
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
|
||||
if [ -L ${ROOTDIR}etc/issue ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/issue exists (symlink)"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result SYMLINK --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/issue does not exist"
|
||||
Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: file ${ROOTDIR}etc/issue does not exist"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
fi
|
||||
#
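Review bot: BANN-7124 reports a regular `${ROOTDIR}etc/issue` as FOUND but never checks its permissions, even though the world-writable check the now-deleted commented-out BANN-7119 carried for motd is exactly the property that matters for a pre-login banner: a world-writable file lets any local user rewrite it. In the non-symlink branch I would reuse `IsWorldWritable` (this same commit uses it in the boot-services tests) and raise a warning via `ReportWarning`; the same gap exists in BANN-7128 for issue.net further down. Note also that `--result SYMLINK --color GREEN` accepts a symlinked banner without looking at its target, so a link to a user-writable file passes silently.
```shell
else
    Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
    if IsWorldWritable ${ROOTDIR}etc/issue; then
        LogText "Result: ${ROOTDIR}etc/issue is world writable, users can change this file"
        ReportWarning ${TEST_NO} "${ROOTDIR}etc/issue is world writable"
    else
        LogText "Result: ${ROOTDIR}etc/issue is not world writable"
    fi
fi
```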
|
||||
|
@ -145,26 +87,26 @@
|
|||
# Test : BANN-7126
|
||||
# Description : Check issue file to see if it contains some form of message
|
||||
# to discourage unauthorized users to leave the system alone
|
||||
if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
FILE="${ROOTDIR}etc/issue"
|
||||
LogText "Test: Checking file ${FILE} contents for legal key words"
|
||||
for I in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${I}" ${FILE})
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found string '${I}'"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found string '${ITEM}'"
|
||||
COUNT=$((COUNT + 1))
|
||||
fi
|
||||
done
|
||||
# Check if we have 5 or more key words
|
||||
if [ ${N} -gt 4 ]; then
|
||||
LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
|
||||
if [ ${COUNT} -gt 4 ]; then
|
||||
LogText "Result: Found ${COUNT} key words (5 or more suggested), to warn unauthorized users"
|
||||
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
|
||||
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- ${FILE} contents" --result WEAK --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
|
||||
AddHP 0 1
|
||||
|
@ -178,19 +120,19 @@
|
|||
# Description : Check issue.net banner file
|
||||
Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking file /etc/issue.net"
|
||||
if [ -f /etc/issue.net ]; then
|
||||
LogText "Test: Checking file ${ROOTDIR}etc/issue.net"
|
||||
if [ -f ${ROOTDIR}etc/issue.net ]; then
|
||||
# Check for symlink
|
||||
if [ -L /etc/issue.net ]; then
|
||||
LogText "Result: file /etc/issue.net exists (symlink)"
|
||||
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
|
||||
if [ -L ${ROOTDIR}etc/issue.net ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/issue.net exists (symlink)"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result SYMLINK --color GREEN
|
||||
else
|
||||
LogText "Result: file /etc/issue.net exists"
|
||||
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: file ${ROOTDIR}etc/issue.net exists"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/issue.net does not exist"
|
||||
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: file ${ROOTDIR}etc/issue.net does not exist"
|
||||
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -199,26 +141,26 @@
|
|||
# Test : BANN-7130
|
||||
# Description : Check issue.net file to see if it contains some form of message
|
||||
# to discourage unauthorized users to leave the system alone
|
||||
if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: Checking file /etc/issue.net contents for legal key words"
|
||||
for I in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found string '${I}'"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
LogText "Test: Checking file ${ROOTDIR}etc/issue.net contents for legal key words"
|
||||
for ITEM in ${LEGAL_BANNER_STRINGS}; do
|
||||
FIND=$(${GREPBINARY} -i "${ITEM}" ${ROOTDIR}etc/issue.net)
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found string '${ITEM}'"
|
||||
COUNT=$((COUNT + 1))
|
||||
fi
|
||||
done
|
||||
# Check if we have 5 or more key words
|
||||
if [ ${N} -gt 4 ]; then
|
||||
LogText "Result: Found ${N} key words, to warn unauthorized users"
|
||||
Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
|
||||
if [ ${COUNT} -gt 4 ]; then
|
||||
LogText "Result: Found ${COUNT} key words, to warn unauthorized users"
|
||||
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
|
||||
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
|
||||
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result WEAK --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
|
||||
AddHP 0 1
|
||||
fi
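Review bot: The suggestion text at the end of BANN-7130 still hard-codes `/etc/issue.net` while every other path in this hunk was moved to `${ROOTDIR}etc/issue.net`, so with a non-default ROOTDIR the report points at the wrong file; change it to `ReportSuggestion ${TEST_NO} "Add legal banner to ${ROOTDIR}etc/issue.net, to warn unauthorized users"`. BANN-7126 just above introduced a `FILE` variable for the same pattern; reusing that here would avoid spelling the path out eight times. The `-gt 4` threshold is a keyword-count heuristic in which a lone `this` or `owner` counts as a legal term, which is worth a one-line comment so readers do not mistake it for a policy check.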
|
||||
|
|
|
@ -414,7 +414,7 @@
|
|||
Register --test-no BOOT-5142 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
BOOT_LOADER_SEARCHED=1
|
||||
if [ -f /etc/silo.conf ]; then
|
||||
if [ -f ${ROOTDIR}etc/silo.conf ]; then
|
||||
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
|
||||
Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
|
||||
BOOT_LOADER="SILO"
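Review bot: The log line directly after the changed test still says `(/etc/silo.conf)` while the file actually tested is now `${ROOTDIR}etc/silo.conf`, so log and check disagree whenever ROOTDIR is not `/`; change it to `LogText "Result: Found SILO configuration file (${ROOTDIR}etc/silo.conf)"`. The enclosing if closes outside the hunk.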
|
||||
|
@ -497,24 +497,24 @@
|
|||
# Description : Check for FreeBSD boot services
|
||||
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! -z "${SERVICEBINARY}" ]; then
|
||||
if HasData "${SERVICEBINARY}"; then
|
||||
# FreeBSD (Ask services(8) for enabled services)
|
||||
LogText "Searching for services at startup (service)"
|
||||
FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY})
|
||||
else
|
||||
# FreeBSD (Read /etc/rc.conf file for enabled services)
|
||||
LogText "Searching for services at startup (rc.conf)"
|
||||
FIND=$(${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
|
||||
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
|
||||
fi
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Found service (service/rc.conf): ${I}"
|
||||
Report "boottask[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found service (service/rc.conf): ${ITEM}"
|
||||
Report "boottask[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 6 --text "Result: found $N services/options set"
|
||||
LogText "Found $N services/options to run at startup"
|
||||
Display --indent 6 --text "Result: found ${COUNT} services/options set"
|
||||
LogText "Found ${COUNT} services/options to run at startup"
|
||||
fi
|
||||
#
|
||||
#################################################################################
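Review bot: The rc.conf fallback reads only `${ROOTDIR}etc/rc.conf`; FreeBSD's rc framework also honours `/etc/rc.conf.local`, so services enabled there are missed whenever `service` is unavailable — passing both files to the first egrep (with `2> /dev/null` for the one that may be absent) would close that gap. Separately, `_enable.*(yes|on|1)` matches any line containing `_enable` followed anywhere by one of those tokens, so `foo_enable="NO" # set to 1 later` is counted as enabled; anchoring on the value, e.g. `'_enable="?(yes|on|1)"?'`, is tighter. The `-v 'none'` prefilter likewise drops any line containing that substring, including ones whose comment merely mentions it.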
|
||||
|
@ -527,37 +527,37 @@
|
|||
CHECKED=0
|
||||
LogText "Test: checking presence systemctl binary"
|
||||
# Determine if we have systemctl on board
|
||||
if [ ! -z "${SYSTEMCTLBINARY}" ]; then
|
||||
if HasData "${SYSTEMCTLBINARY}"; then
|
||||
LogText "Result: systemctl binary found, trying that to discover information"
|
||||
# Running services
|
||||
LogText "Searching for running services (systemctl services only)"
|
||||
FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
|
||||
N=0
|
||||
COUNT=0
|
||||
Report "running_service_tool=systemctl"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found running service: ${I}"
|
||||
Report "running_service[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found running service: ${ITEM}"
|
||||
Report "running_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Note: Run systemctl --full --type=service to see all services"
|
||||
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found $N running services"
|
||||
LogText "Result: Found $N enabled services"
|
||||
Display --indent 8 --text "Result: found ${COUNT} running services"
|
||||
LogText "Result: Found ${COUNT} enabled services"
|
||||
|
||||
# Services at boot
|
||||
LogText "Searching for enabled services (systemctl services only)"
|
||||
FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
|
||||
N=0
|
||||
COUNT=0
|
||||
Report "boot_service_tool=systemctl"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found enabled service at boot: ${I}"
|
||||
Report "boot_service[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found enabled service at boot: ${ITEM}"
|
||||
Report "boot_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Note: Run systemctl list-unit-files --type=service to see all services"
|
||||
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found $N enabled services"
|
||||
LogText "Result: Found $N running services"
|
||||
Display --indent 8 --text "Result: found ${COUNT} enabled services"
|
||||
LogText "Result: Found ${COUNT} running services"
|
||||
|
||||
else
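Review bot: The two LogText lines are swapped relative to the Display lines they follow: the running-services block logs `Result: Found ${COUNT} enabled services` and the boot-services block logs `Result: Found ${COUNT} running services`. Swap the two strings so each log entry matches its Display text: `LogText "Result: Found ${COUNT} running services"` after the first loop and `LogText "Result: Found ${COUNT} enabled services"` after the second. The `else` at the end of the hunk continues outside it.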
|
||||
|
||||
|
@ -566,17 +566,17 @@
|
|||
LogText "Result: chkconfig binary found, trying that to discover information"
|
||||
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
|
||||
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
|
||||
N=0
|
||||
COUNT=0
|
||||
Report "boot_service_tool=chkconfig"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found service (at boot, runlevel 3 or 5): ${I}"
|
||||
Report "boot_service[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found service (at boot, runlevel 3 or 5): ${ITEM}"
|
||||
Report "boot_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
|
||||
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found $N services"
|
||||
LogText "Result: Found $N services at startup"
|
||||
Display --indent 8 --text "Result: found ${COUNT} services"
|
||||
LogText "Result: Found ${COUNT} services at startup"
|
||||
else
|
||||
LogText "Result: both systemctl and chkconfig not found. Skipping this test"
|
||||
fi
|
||||
|
@ -598,14 +598,14 @@
|
|||
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
for SERVICE in ${FIND}; do
|
||||
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
|
||||
Display --indent 4 --text "Result: found $N services"
|
||||
LogText "Result: found $N services"
|
||||
Display --indent 4 --text "Result: found ${COUNT} services"
|
||||
LogText "Result: found ${COUNT} services"
|
||||
fi
|
||||
elif [ -z "${sRUNLEVEL}" ]; then
|
||||
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
|
||||
|
@ -623,35 +623,35 @@
|
|||
FOUND=0
|
||||
CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
|
||||
|
||||
LogText "Result: checking /etc/init.d scripts for writable bit"
|
||||
for I in ${CHECKDIRS}; do
|
||||
LogText "Test: checking if directory ${I} exists"
|
||||
if [ -d ${I} ]; then
|
||||
LogText "Result: directory ${I} found"
|
||||
LogText "Result: checking ${ROOTDIR}etc/init.d scripts for writable bit"
|
||||
for DIR in ${CHECKDIRS}; do
|
||||
LogText "Test: checking if directory ${DIR} exists"
|
||||
if [ -d ${DIR} ]; then
|
||||
LogText "Result: directory ${DIR} found"
|
||||
LogText "Test: checking for available files in directory"
|
||||
FIND=$(${FINDBINARY} ${I} -type f -print)
|
||||
FIND=$(${FINDBINARY} ${DIR} -type f -print)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found files in directory, checking permissions now"
|
||||
for J in ${FIND}; do
|
||||
LogText "Test: checking permissions of file ${J}"
|
||||
if IsWorldWritable ${J}; then
|
||||
for FILE in ${FIND}; do
|
||||
LogText "Test: checking permissions of file ${FILE}"
|
||||
if IsWorldWritable ${FILE}; then
|
||||
FOUND=1
|
||||
LogText "Result: warning, file ${J} is world writable"
|
||||
LogText "Result: warning, file ${FILE} is world writable"
|
||||
else
|
||||
LogText "Result: good, file ${J} not world writable"
|
||||
LogText "Result: good, file ${FILE} not world writable"
|
||||
fi
|
||||
done
|
||||
else
|
||||
LogText "Result: found no files in directory."
|
||||
fi
|
||||
else
|
||||
LogText "Result: directory ${I} not found. Skipping.."
|
||||
LogText "Result: directory ${DIR} not found. Skipping.."
|
||||
fi
|
||||
done
|
||||
|
||||
# /etc/rc[0-6].d
|
||||
for NO in 0 1 2 3 4 5 6; do
|
||||
LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit"
|
||||
LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
|
||||
if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print)
|
||||
for I in ${FIND}; do
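Review bot: Only regular files inside the init directories are tested; a world-writable `${ROOTDIR}etc/init.d` or `rc.d` directory lets a user drop in a new script without touching existing ones, so a `if IsWorldWritable ${DIR}; then FOUND=1; LogText "Result: warning, directory ${DIR} is world writable"; fi` right after the `-d ${DIR}` test would be worth adding, provided the helper accepts directories (its definition is not visible here). On the rename itself, the last line of the hunk still reads `for I in ${FIND}; do` while the identical loop above was renamed to `FILE`, so the rename is half-done within one test and the `rc[0-6].d` loop body outside the hunk must still use `${I}`.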
|
||||
|
|
|
@ -41,16 +41,16 @@
|
|||
LogText "Test: query zoneadm to list all running zones"
|
||||
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
ZONEID=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
|
||||
ZONENAME=$(echo ${I} | ${CUTBINARY} -d ':' -f2)
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
ZONEID=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f1)
|
||||
ZONENAME=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f2)
|
||||
LogText "Result: found zone ${ZONENAME} (running)"
|
||||
Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
|
||||
done
|
||||
LogText "Result: total of ${N} running zones"
|
||||
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
|
||||
LogText "Result: total of ${COUNT} running zones"
|
||||
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${COUNT} zones" --color GREEN
|
||||
else
|
||||
LogText "Result: no running zones found"
|
||||
Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE
|
||||
|
@ -59,7 +59,9 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : CONT-1906
|
||||
# Do you have Xen running? Help us testing this test and submit a pull request on GitHub
|
||||
|
||||
# Test : CONT-1906 TODO
|
||||
# Description : Query running Xen zones
|
||||
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
|
||||
|
@ -95,7 +97,7 @@
|
|||
# Test : CONT-8104
|
||||
# Description : Checking Docker info for any warnings
|
||||
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
|
||||
if [ ! -z "${DOCKERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${DOCKERBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
COUNT=0
|
||||
|
|
|
@ -118,14 +118,14 @@
|
|||
LogText "Result: found MongoDB configuration file (${FILE})"
|
||||
LogText "Test: determine authorization setting in new style YAML format"
|
||||
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
|
||||
if [ ! -z "${AUTH_IN_CONFIG}" ]; then
|
||||
if HasData "${AUTH_IN_CONFIG}"; then
|
||||
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)"
|
||||
MONGODB_AUTHORIZATION_ENABLED=1
|
||||
else
|
||||
LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
|
||||
LogText "Test: now searching for old style configuration (auth = true) in configuration file"
|
||||
AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)")
|
||||
if [ -z "${AUTH_IN_CONFIG}" ]; then
|
||||
if IsEmpty "${AUTH_IN_CONFIG}"; then
|
||||
LogText "Result: did NOT find auth = true in configuration file"
|
||||
else
|
||||
LogText "Result: GOOD, found authorization option enabled in configuration file (old format)"
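Review bot: The comment filter `(^#|#auth)` only drops lines that begin with `#` in column 0 or contain `#auth`, so an indented, commented-out line such as `  # authorization: enabled` passes the filter and the test reports authorization as enabled when it is not. Anchoring the comment check on leading whitespace closes this in both grep pipelines: `${GREPBINARY} -E -v "(^[[:space:]]*#|#auth)"`. The YAML match is also literal — `authorization:   enabled` or a quoted value is not recognised — which is an inherent limit of grepping YAML and deserves a comment so a false negative is not chased as a bug. The surrounding if/else closes outside the hunk.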
|
||||
|
@ -139,7 +139,7 @@
|
|||
|
||||
# Now check authorization on the command line
|
||||
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
|
||||
if [ ! -z "${PGREPBINARY}" ]; then
|
||||
if HasData "${PGREPBINARY}"; then
|
||||
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
|
||||
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
|
||||
else
|
||||
|
|
|
@ -350,29 +350,29 @@
|
|||
#
|
||||
# Test : FILE-6354
|
||||
# Description : Search files within /tmp which are older than 3 months
|
||||
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -d ${ROOTDIR}tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Searching for old files in /tmp"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching for old files in /tmp"
|
||||
# Search for files only in /tmp, with an access time older than X days
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: no files found in /tmp which are older than 3 months"
|
||||
LogText "Test: Searching for old files in ${ROOTDIR}tmp"
|
||||
# Search for files only in ${ROOTDIR}tmp, with an access time older than X days
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
|
||||
if IsEmpty "${FIND}"; then
|
||||
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: no files found in ${ROOTDIR}tmp which are older than 3 months"
|
||||
else
|
||||
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_FOUND}" --color RED
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Old temporary file: ${FILE}"
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
|
||||
LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
|
||||
LogText "Result: found old files in ${ROOTDIR}tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
|
||||
LogText "Advice: check and clean up unused files in ${ROOTDIR}tmp. Old files can fill up a disk or contain"
|
||||
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
|
||||
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
|
||||
LogText "directories by setting a boot option."
|
||||
ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
|
||||
fi
|
||||
fi
|
||||
#
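Review bot: The find selects on `-atime` (last access), yet the result log says files were `not modified in the last ${TMP_OLD_DAYS} days` and the OK branch says `older than 3 months` regardless of the configured `TMP_OLD_DAYS`, so the report can contradict the actual criterion. Align both messages with the test: `LogText "Result: no files found in ${ROOTDIR}tmp which were not accessed in the last ${TMP_OLD_DAYS} days"` and `LogText "Result: found old files in ${ROOTDIR}tmp, which were not accessed in the last ${TMP_OLD_DAYS} days"`. On filesystems mounted `noatime` the access time never advances, so this test can flag files in active use; a short comment next to the `-atime` line would save the next reader that surprise.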
|
||||
|
@ -380,18 +380,18 @@
|
|||
#
|
||||
# Test : FILE-6362
|
||||
# Description : Check for sticky bit on /tmp
|
||||
if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
|
||||
if [ -d ${ROOTDIR}tmp -a ! -L ${ROOTDIR}tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
|
||||
Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking /tmp sticky bit"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Depending on OS, number of field with 'tmp' differs
|
||||
FIND=$(${LSBINARY} -ld /tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
|
||||
FIND=$(${LSBINARY} -ld ${ROOTDIR}tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
|
||||
if [ "${FIND}" = "1" ]; then
|
||||
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: sticky bit found on /tmp directory"
|
||||
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: sticky bit found on ${ROOTDIR}tmp directory"
|
||||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Set the sticky bit on /tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
|
||||
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
|
||||
AddHP 0 3
|
||||
fi
|
||||
unset FIND
|
||||
|
@ -579,8 +579,8 @@
|
|||
# Description : Bind mount the /var/tmp directory to /tmp
|
||||
Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f /etc/fstab ]; then
|
||||
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
|
||||
if [ -f ${ROOTDIR}etc/fstab ]; then
|
||||
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
|
||||
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
|
||||
|
@ -600,7 +600,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6378
|
||||
# Test : FILE-6378 TODO
|
||||
# Description : Check for nodirtime option
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -608,7 +608,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6380
|
||||
# Test : FILE-6380 TODO
|
||||
# Description : Check for relatime
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -616,7 +616,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6390
|
||||
# Test : FILE-6390 TODO
|
||||
# Description : Check writeback/journalling mode (ext3)
|
||||
# More info : data=writeback | data=ordered | data=journal
|
||||
|
||||
|
@ -625,7 +625,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6394
|
||||
# Test : FILE-6394 TODO
|
||||
# Description : Check vm.swappiness (Linux)
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -633,7 +633,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6398
|
||||
# Test : FILE-6398 TODO
|
||||
# Description : Check if JBD (Journal Block Device) driver is loaded
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -651,14 +651,14 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking locate database"
|
||||
FOUND=0
|
||||
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
|
||||
for I in ${LOCATE_DBS}; do
|
||||
if [ -f ${I} ]; then
|
||||
LogText "Result: locate database found (${I})"
|
||||
LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
|
||||
for FILE in ${LOCATE_DBS}; do
|
||||
if [ -f ${FILE} ]; then
|
||||
LogText "Result: locate database found (${FILE})"
|
||||
FOUND=1
|
||||
LOCATE_DB="${I}"
|
||||
LOCATE_DB="${FILE}"
|
||||
else
|
||||
LogText "Result: file ${I} not found"
|
||||
LogText "Result: file ${FILE} not found"
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
|
@ -673,7 +673,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6420
|
||||
# Test : FILE-6420 TODO
|
||||
# Description : Check automount process
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -681,7 +681,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6422
|
||||
# Test : FILE-6422 TODO
|
||||
# Description : Check automount maps (files or for example LDAP based)
|
||||
# Notes : Warn when automounter is running
|
||||
|
||||
|
@ -690,7 +690,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6424
|
||||
# Test : FILE-6424 TODO
|
||||
# Description : Check automount map files
|
||||
|
||||
# Want to contribute to Lynis? Create this test
|
||||
|
@ -698,7 +698,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FILE-6425
|
||||
# Test : FILE-6425 TODO
|
||||
# Description : Check mounted files systems via automounter
|
||||
# Notes : Warn when no systems are mounted?
|
||||
|
||||
|
@ -728,11 +728,11 @@
|
|||
LogText "Test: Checking if ${FS} is active"
|
||||
# Check if FS is present in lsmod output
|
||||
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: module ${FS} is not loaded in the kernel"
|
||||
AddHP 2 3
|
||||
#Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN
|
||||
# Tip to disable a particular module if it is not loaded
|
||||
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
|
||||
# Tip to disable a particular module if it is not loaded TODO
|
||||
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
|
||||
FOUND=1
|
||||
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
|
||||
|
@ -742,7 +742,7 @@
|
|||
fi
|
||||
else
|
||||
AddHP 3 3
|
||||
#Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
|
||||
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
|
|
|
@ -181,7 +181,7 @@
|
|||
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: There are no unused rules present"
|
||||
else
|
||||
|
@ -418,7 +418,7 @@
|
|||
#
|
||||
# Test : FIRE-4536
|
||||
# Description : Check nftables kernel module
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
|
||||
|
@ -437,7 +437,7 @@
|
|||
#
|
||||
# Test : FIRE-4538
|
||||
# Description : Check nftables configuration
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Retrieve nft version
|
||||
|
@ -450,7 +450,7 @@
|
|||
#
|
||||
# Test : FIRE-4540
|
||||
# Description : Check nftables configuration
|
||||
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check for empty ruleset
|
||||
|
@ -464,12 +464,6 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Ideas:
|
||||
# Suggestion to disable iptables if nftables is enabled
|
||||
# Check for specific features in nftables releases
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : FIRE-4586
|
||||
# Description : Check firewall logging
|
||||
|
@ -520,6 +514,12 @@ Report "firewall_software=${FIREWALL_SOFTWARE}"
|
|||
|
||||
WaitForKeyPress
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# TODO
|
||||
# Suggestion to disable iptables if nftables is enabled
|
||||
# Check for specific features in nftables releases
|
||||
#
|
||||
#================================================================================
|
||||
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|
||||
|
|
|
@ -40,10 +40,10 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Checking if we can find the systemd default target
|
||||
LogText "Test: Checking for systemd default.target"
|
||||
if [ -L /etc/systemd/system/default.target ]; then
|
||||
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
|
||||
LogText "Result: symlink found"
|
||||
if HasData "${READLINKBINARY}"; then
|
||||
FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
|
||||
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
|
||||
if ! HasData "${FIND}"; then
|
||||
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
|
||||
ReportException "${TEST_NO}:01"
|
||||
|
@ -65,9 +65,9 @@
|
|||
fi
|
||||
else
|
||||
LogText "Result: no systemd found, so trying inittab"
|
||||
LogText "Test: Checking /etc/inittab"
|
||||
if [ -f /etc/inittab ]; then
|
||||
LogText "Result: file /etc/inittab found"
|
||||
LogText "Test: Checking ${ROOTDIR}etc/inittab"
|
||||
if [ -f ${ROOTDIR}etc/inittab ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/inittab found"
|
||||
LogText "Test: Checking default Linux run level"
|
||||
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1)
|
||||
if IsEmpty "${FIND}"; then
|
||||
|
@ -211,13 +211,13 @@
|
|||
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Loaded modules according lsmod:"
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Loaded module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 6 --text "Found ${N} active modules"
|
||||
Display --indent 6 --text "Found ${COUNT} active modules"
|
||||
else
|
||||
LogText "Result: no loaded modules found"
|
||||
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
|
||||
|
@ -295,13 +295,13 @@
|
|||
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
|
||||
if [ $? -eq 0 ]; then
|
||||
LogText "Loaded modules according kldstat:"
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Loaded module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Problem with executing kldstat"
|
||||
|
@ -321,24 +321,24 @@
|
|||
LogText "Test: Active kernel modules (KLDs)"
|
||||
LogText "Description: View all active kernel modules (including kernel)"
|
||||
LogText "Test: Checking modules"
|
||||
if [ -f /sbin/kldstat ]; then
|
||||
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
|
||||
if [ -f ${ROOTDIR}sbin/kldstat ]; then
|
||||
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
|
||||
if [ $? -eq 0 ]; then
|
||||
LogText "Loaded modules according kldstat:"
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Loaded module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Problem with executing kldstat"
|
||||
fi
|
||||
else
|
||||
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
|
||||
LogText "Result: no results, can't find /sbin/kldstat"
|
||||
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -351,9 +351,9 @@
|
|||
LogText "Test: searching loaded kernel modules"
|
||||
FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
|
||||
if HasData "${FIND}"; then
|
||||
for I in ${FIND}; do
|
||||
LogText "Found module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found module: ${ITEM}"
|
||||
Report "loaded_kernel_module[]=${ITEM}"
|
||||
done
|
||||
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
|
@ -370,21 +370,21 @@
|
|||
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
|
||||
if [ -x /usr/bin/apt-cache ]; then
|
||||
LogText "Result: found /usr/bin/apt-cache"
|
||||
LogText "Test: checking readlink location of /vmlinuz"
|
||||
if [ -f /vmlinuz ]; then
|
||||
FINDKERNFILE=$(readlink -f /vmlinuz)
|
||||
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
|
||||
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
|
||||
LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
|
||||
if [ -f ${ROOTDIR}vmlinuz ]; then
|
||||
FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
|
||||
LogText "Output: readlink reported file ${FINDKERNFILE}"
|
||||
LogText "Test: checking package from dpkg -S"
|
||||
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
|
||||
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
|
||||
elif [ -e /dev/grsec ]; then
|
||||
elif [ -e ${ROOTDIR}dev/grsec ]; then
|
||||
FINDKERNEL=linux-image-$(uname -r)
|
||||
LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
|
||||
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
|
||||
else
|
||||
LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date."
|
||||
ReportSuggestion ${TEST_NO} "Determine why /vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
|
||||
LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
|
||||
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
|
||||
fi
|
||||
LogText "Test: Using apt-cache policy to determine if there is an update available"
|
||||
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
|
|
|
@ -281,21 +281,21 @@
|
|||
#
|
||||
# Test : LOGG-2150
|
||||
# Description : Checking log directories rotated with logrotate
|
||||
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${LOGROTATEBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking which directories can be found in logrotate configuration"
|
||||
FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
|
||||
if IsEmpty "${FIND}" ]; then
|
||||
LogText "Result: nothing found"
|
||||
else
|
||||
LogText "Result: found one or more directories (via logrotate configuration)"
|
||||
for I in ${FIND}; do
|
||||
if [ -d ${I} ]; then
|
||||
LogText "Directory found: ${I}"
|
||||
Report "log_directory[]=${I}"
|
||||
for DIR in ${FIND}; do
|
||||
if [ -d ${DIR} ]; then
|
||||
LogText "Directory found: ${DIR}"
|
||||
Report "log_directory[]=${DIR}"
|
||||
else
|
||||
LogText "Directory could not be found: ${I}"
|
||||
LogText "Result: Directory could not be found: ${DIR}"
|
||||
fi
|
||||
done
|
||||
fi
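Review bot: The converted condition `if IsEmpty "${FIND}" ]; then` in LOGG-2150 carries a stray `]` left over from the old `[ "${FIND}" = "" ]` form; it is passed to IsEmpty as a second argument, so the test only works if IsEmpty ignores extra arguments, and it reads as a typo to the next editor. It should be `if IsEmpty "${FIND}"; then`. Also, the ROOTDIR prefix is applied only to the path handed to logrotate; any `include` directive inside that file is still resolved by logrotate against the real root, so with a non-default rootdir the resulting directory list is presumably a mix of both trees, which deserves a comment such as `# NOTE: includes inside logrotate.conf are resolved by logrotate itself, not relative to ROOTDIR`. The test's `if [ ${SKIPTEST} -eq 0 ]` body closes after the hunk.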
|
||||
|
|
|
@ -126,7 +126,7 @@
|
|||
#
|
||||
# Test : MACF-6234
|
||||
# Description : Check SELINUX status
|
||||
if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Status: Enabled/Disabled
|
||||
|
@ -180,7 +180,7 @@
|
|||
else
|
||||
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
if [ ! -z "${GRADMBINARY}" ]; then
|
||||
if HasData "${GRADMBINARY}"; then
|
||||
FIND=$(${GRADMBINARY} --status)
|
||||
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
|
||||
MAC_FRAMEWORK_ACTIVE=1
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
MCAFEE_SCANNER_RUNNING=0
|
||||
MALWARE_SCANNER_INSTALLED=0
|
||||
SOPHOS_SCANNER_RUNNING=0
|
||||
SYMANTEC_SCANNER_RUNNING=
|
||||
SYMANTEC_SCANNER_RUNNING=0
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
|
|
@ -67,26 +67,26 @@
|
|||
# Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
|
||||
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
|
||||
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
|
||||
FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no search domains found, default domain is being used"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Found search domain: ${I}"
|
||||
Report "resolv_conf_search_domain[]=${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found search domain: ${ITEM}"
|
||||
Report "resolv_conf_search_domain[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
# Warn if we have more than 6 search domains, which is maximum in most resolvers
|
||||
if [ ${N} -gt 6 ]; then
|
||||
LogText "Result: Found ${N} search domains"
|
||||
if [ ${COUNT} -gt 6 ]; then
|
||||
LogText "Result: Found ${COUNT} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
|
||||
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
|
||||
else
|
||||
LogText "Result: Found ${N} search domains"
|
||||
LogText "Result: Found ${COUNT} search domains"
|
||||
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
fi
|
||||
|
@ -115,15 +115,16 @@
|
|||
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
|
||||
FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no specific other options configured in /etc/resolv.conf"
|
||||
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Found option: ${I}"
|
||||
Report "resolv_conf_option[]=${I}"
|
||||
#rotate --> add performance tune point
|
||||
#timeout <3 --> add performe tune point
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found option: ${ITEM}"
|
||||
Report "resolv_conf_option[]=${ITEM}"
|
||||
# TODO add suggestions for the related options
|
||||
# rotate --> add performance tune point
|
||||
# timeout --> add performe tune point when smaller than 3 seconds
|
||||
done
|
||||
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
|
@ -171,25 +172,10 @@
|
|||
Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
DOMAINNAME=""
|
||||
# NIS
|
||||
#LogText "Test: Checking file /etc/domainname"
|
||||
#if [ -f /etc/domainname ]; then
|
||||
# LogText "Result: file /etc/domainname exists"
|
||||
# FIND2=$(cat /etc/domainname)
|
||||
# if [ ! "${FIND}" = "" ]; then
|
||||
# LogText "Found domain name: ${FIND}"
|
||||
# DOMAINNAME="${FIND}"
|
||||
# else
|
||||
# LogText "Result: no domain name found in file"
|
||||
# fi
|
||||
# else
|
||||
# LogText "Result: file /etc/domainname does not exist"
|
||||
#fi
|
||||
|
||||
LogText "Test: Checking if dnsdomainname command is available"
|
||||
if [ ! -z "${DNSDOMAINNAMEBINARY}" ]; then
|
||||
if HasData "${DNSDOMAINNAMEBINARY}"; then
|
||||
FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
if HasData "${FIND2}"; then
|
||||
LogText "Result: dnsdomainname command returned a value"
|
||||
LogText "Found domain name: ${FIND2}"
|
||||
DOMAINNAME="${FIND2}"
|
||||
|
@ -349,13 +335,6 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4208
|
||||
# Description : Check DNS server type (master, slave, caching, forwarding)
|
||||
#Register --test-no NAME-4050 --weight L --network NO --category security --description "Check nscd status"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4210
|
||||
# Description : Check if we can determine useful information from banner
|
||||
|
@ -379,21 +358,21 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4212
|
||||
# Test : NAME-4212 TODO
|
||||
# Description : Check version option in BIND configuration
|
||||
#if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration"
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4220
|
||||
# Test : NAME-4220 TODO
|
||||
# Description : Check if we can perform a zone transfer of primary domain
|
||||
#Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NAME-4222
|
||||
# Test : NAME-4222 TODO
|
||||
# Description : Check if we can perform a zone transfer of PTR (of primary domain)
|
||||
#Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
@ -424,13 +403,13 @@
|
|||
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Search PowerDNS configuration file"
|
||||
for I in ${POWERDNS_CONFIG_LOCS}; do
|
||||
if [ -f ${I}/pdns.conf ]; then
|
||||
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
|
||||
for DIR in ${POWERDNS_CONFIG_LOCS}; do
|
||||
if [ -f ${DIR}/pdns.conf ]; then
|
||||
POWERDNS_AUTH_CONFIG_LOCATION="${DIR}/pdns.conf"
|
||||
LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
|
||||
fi
|
||||
done
|
||||
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
|
||||
if HasData "${POWERDNS_AUTH_CONFIG_LOCATION}"; then
|
||||
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
|
@ -455,9 +434,9 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking for PowerDNS backends"
|
||||
FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION})
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
LogText "Found backend: ${I}"
|
||||
if HasData "${FIND}"; then
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found backend: ${ITEM}"
|
||||
done
|
||||
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
|
@ -636,7 +615,7 @@
|
|||
#
|
||||
# Test : NAME-4406
|
||||
# Description : Check server hostname mapping
|
||||
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if HasData "${HOSTNAME}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
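Review bot: The renamed counting loop in NAME-4018 (`for ITEM in ${FIND}; do ... COUNT=$((COUNT + 1))`) still counts one entry per `search` line, because the awk expression above it prints only `$2`; a single `search a.example b.example c.example` line yields COUNT=1, so the "more than 6 search domains" warning cannot fire for the common one-line layout, and every domain after the first never reaches `resolv_conf_search_domain[]`. Emitting every field makes the count match what the resolver sees: `FIND=$(${AWKBINARY} '/^search/ { for (i = 2; i <= NF; i++) print $i }' ${ROOTDIR}etc/resolv.conf)`. Resolvers typically honor only the last `search` line when several are present, so counting across lines remains an over-estimate; a one-line comment stating that assumption would help. The test's `if [ ${SKIPTEST} -eq 0 ]` block starts inside the hunk but closes outside it.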
|
||||
|
|
|
@ -216,7 +216,6 @@
|
|||
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search for available network interfaces"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=""
|
||||
N=0
|
||||
case ${OS} in
|
||||
AIX)
|
||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
|
||||
|
@ -239,12 +238,11 @@
|
|||
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
|
||||
;;
|
||||
esac
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
|
||||
LogText "Found network interface: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_interface[]=${I}"
|
||||
if HasData "${FIND}"; then
|
||||
for ITEM in ${FIND}; do
|
||||
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${ITEM}"
|
||||
LogText "Found network interface: ${ITEM}"
|
||||
Report "network_interface[]=${ITEM}"
|
||||
done
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
|
||||
|
@ -294,11 +292,9 @@
|
|||
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
|
||||
;;
|
||||
esac
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Found MAC address: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_mac_address[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found MAC address: ${ITEM}"
|
||||
Report "network_mac_address[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
#
|
||||
|
@ -350,20 +346,17 @@
|
|||
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
|
||||
;;
|
||||
esac
|
||||
N=0
|
||||
|
||||
# IPv4
|
||||
for I in ${FIND}; do
|
||||
LogText "Found IPv4 address: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_ipv4_address[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found IPv4 address: ${ITEM}"
|
||||
Report "network_ipv4_address[]=${ITEM}"
|
||||
done
|
||||
# IPv6
|
||||
for I in ${FIND2}; do
|
||||
LogText "Found IPv6 address: ${I}"
|
||||
N=$((N + 1))
|
||||
Report "network_ipv6_address[]=${I}"
|
||||
for ITEM in ${FIND2}; do
|
||||
LogText "Found IPv6 address: ${ITEM}"
|
||||
Report "network_ipv6_address[]=${ITEM}"
|
||||
done
|
||||
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -373,7 +366,7 @@
|
|||
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=""; FIND2=""
|
||||
N=0
|
||||
COUNT=0
|
||||
case ${OS} in
|
||||
DragonFly|FreeBSD)
|
||||
if [ ! -z "${SOCKSTATBINARY}" ]; then
|
||||
|
@ -440,26 +433,26 @@
|
|||
|
||||
# Retrieve information from sockstat, when available
|
||||
LogText "Test: Retrieving sockstat information to find listening ports"
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
LogText "Found listening info: ${I}"
|
||||
Report "network_listen_port[]=${I}"
|
||||
if HasData "${FIND}"; then
|
||||
for ITEM in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Found listening info: ${ITEM}"
|
||||
Report "network_listen_port[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
for I in ${FIND2}; do
|
||||
N=$((N + 1))
|
||||
LogText "Found listening info: ${I}"
|
||||
Report "network_listen_port[]=${I}"
|
||||
for ITEM in ${FIND2}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Found listening info: ${ITEM}"
|
||||
Report "network_listen_port[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
|
||||
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||
else
|
||||
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 6 --text "* Found ${N} ports"
|
||||
Display --indent 6 --text "* Found ${COUNT} ports"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -473,14 +466,14 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
|
||||
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: Promiscuous interfaces: ${FIND}"
|
||||
for I in ${FIND}; do
|
||||
for ITEM in ${FIND}; do
|
||||
WHITELISTED=0
|
||||
for PROFILE in ${PROFILES}; do
|
||||
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
|
||||
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
|
||||
if [ ! "${ISWHITELISTED}" = "" ]; then
|
||||
Debug "Checking if interface ${ITEM} is whitelisted in profile ${PROFILE}"
|
||||
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${ITEM}:" ${PROFILE})
|
||||
if HasData "${ISWHITELISTED}"; then
|
||||
WHITELISTED=1
|
||||
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
|
||||
fi
|
||||
|
@ -543,8 +536,10 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : NETW-3020
|
||||
# Description : Checking multipath configuration (Solaris)
|
||||
# Do you have a multipath configuration on Linux or other OS? Create a related test and send in a pull request on GitHub
|
||||
|
||||
# Test : NETW-3020 TODO
|
||||
# Description : Checking multipath configuration
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -557,7 +552,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Using netstat for check for connections in WAIT state"
|
||||
FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
|
||||
if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
|
||||
if IsEmpty "${OPTIONS_CONN_MAX_WAIT_STATE}"; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
|
||||
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
|
||||
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
|
||||
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
|
||||
|
|
|
@ -62,10 +62,10 @@
|
|||
#
|
||||
# Test : PKGS-7302
|
||||
# Description : Query FreeBSD/NetBSD pkg_info
|
||||
if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found pkg_info"
|
||||
Report "package_manager[]=pkg_info"
|
||||
|
@ -74,13 +74,13 @@
|
|||
LogText "Output:"; LogText "-----"
|
||||
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
|
||||
for ITEM in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
|
||||
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
|
||||
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -93,6 +93,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found brew"
|
||||
PACKAGE_MGR_PKG=1
|
||||
Report "package_manager[]=brew"
|
||||
LogText "Test: Querying brew to get package list"
|
||||
Display --indent 4 --text "- Querying brew for installed packages"
|
||||
|
@ -120,9 +121,9 @@
|
|||
Display --indent 4 --text "- Querying portage for installed packages"
|
||||
LogText "Output:"; LogText "-----"
|
||||
GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
|
||||
for J in ${GPACKAGES}; do
|
||||
LogText "Found package ${J}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
|
||||
for PKG in ${GPACKAGES}; do
|
||||
LogText "Found package ${PKG}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
|
||||
done
|
||||
else
|
||||
LogText "Result: emerge can NOT be found on this system"
|
||||
|
@ -139,6 +140,7 @@
|
|||
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found Solaris pkginfo"
|
||||
Report "package_manager[]=pkginfo"
|
||||
PACKAGE_MGR_PKG=1
|
||||
LogText "Test: Querying pkginfo to get package list"
|
||||
Display --indent 4 --text "- Querying pkginfo for installed packages"
|
||||
LogText "Output:"; LogText "-----"
|
||||
|
@ -159,7 +161,7 @@
|
|||
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found rpm binary (${RPMBINARY})"
|
||||
Report "package_manager[]=rpm"
|
||||
|
@ -172,14 +174,14 @@
|
|||
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
|
||||
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
|
||||
else
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
|
||||
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{print $2}')
|
||||
LogText "Found package: ${J}"
|
||||
for PKG in ${SPACKAGES}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
|
||||
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
|
||||
LogText "Found package: ${PKG}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
fi
|
||||
else
|
||||
LogText "Result: RPM binary NOT found on this system, test skipped"
|
||||
|
@ -192,10 +194,11 @@
|
|||
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found pacman binary (${PACMANBINARY})"
|
||||
Report "package_manager[]=pacman"
|
||||
PACKAGE_MGR_PKG=1
|
||||
LogText "Test: Querying 'pacman -Q' to get package list"
|
||||
Display --indent 6 --text "- Querying pacman package manager"
|
||||
LogText "Output:"; LogText "--------"
|
||||
|
@ -204,14 +207,14 @@
|
|||
LogText "Result: pacman binary available, but package list seems to be empty"
|
||||
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
|
||||
else
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
|
||||
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
|
||||
for PKG in ${SPACKAGES}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
|
||||
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
|
||||
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -322,20 +325,20 @@
|
|||
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="zypper"
|
||||
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
LogText "Installed package: ${I}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
|
||||
for PKG in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Installed package: ${PKG}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
else
|
||||
# Could not find any installed packages
|
||||
ReportException ${TEST_NO} "No installed packages found with Zypper"
|
||||
ReportException "${TEST_NO}" "No installed packages found with Zypper"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -357,10 +360,10 @@
|
|||
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
|
||||
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for I in ${FIND}; do
|
||||
for PKG in ${FIND}; do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
Report "vulnerable_package[]=${I}"
|
||||
LogText "Vulnerable package: ${I}"
|
||||
Report "vulnerable_package[]=${PKG}"
|
||||
LogText "Vulnerable package: ${PKG}"
|
||||
# Decrease hardening points for every found vulnerable package
|
||||
AddHP 1 2
|
||||
done
|
||||
|
@ -368,28 +371,80 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PKGS-7332
|
||||
# Description : Query macOS ports
|
||||
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
Display --indent 4 --text "- Searching packages with port" --result "{STATUS_FOUND}" --color GREEN
|
||||
Report "package_manager[]=port"
|
||||
PACKAGE_MGR_PKG=1
|
||||
LogText "Result: Found port utility"
|
||||
LogText "Test: Querying port to get package list"
|
||||
Display --indent 6 --text "- Querying port for installed packages"
|
||||
LogText "Output:"; LogText "-----"
|
||||
SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed | ${GREPBINARY} active)
|
||||
for ITEM in ${SPACKAGES}; do
|
||||
SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
|
||||
SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2 | ${CUTBINARY} -d' ' -f1)
|
||||
LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PKGS-7334
|
||||
# Description : Query macOS ports for available port upgrades
|
||||
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
COUNT=0
|
||||
LogText "Test: Querying ports for possible port upgrades"
|
||||
UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
|
||||
for J in ${UPACKAGES}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Upgrade available (new version): ${J}"
|
||||
Report "upgrade_available[]=${J}"
|
||||
done
|
||||
Report "upgrade_available_count=${COUNT}"
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
LogText "Result: no upgrades found"
|
||||
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PKGS-7345
|
||||
# Description : Debian package based systems (dpkg)
|
||||
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: Found dpkg binary"
|
||||
Report "package_manager[]=dpkg"
|
||||
PACKAGE_MGR_PKG=1
|
||||
LogText "Test: Querying dpkg -l to get package list"
|
||||
Display --indent 6 --text "- Querying package manager"
|
||||
LogText "Output:"
|
||||
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
|
||||
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
|
||||
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
else
|
||||
LogText "Result: dpkg can NOT be found on this system, test skipped"
|
||||
fi
|
||||
|
@ -399,12 +454,12 @@
|
|||
# Test : PKGS-7346
|
||||
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
|
||||
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
|
||||
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: Querying dpkg -l to get unpurged packages"
|
||||
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
|
||||
SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
|
||||
if [ -z "${SPACKAGES}" ]; then
|
||||
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
|
||||
LogText "Result: no packages found with left overs"
|
||||
|
@ -413,10 +468,10 @@
|
|||
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
|
||||
LogText "Output:"
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Found unpurged package: ${J}"
|
||||
done
|
||||
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
|
||||
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
|
||||
fi
|
||||
else
|
||||
LogText "Result: dpkg can NOT be found on this system, test skipped"
|
||||
|
@ -431,8 +486,8 @@
|
|||
# Add portmaster --clean-distfiles-all
|
||||
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -x /usr/local/sbin/portsclean ]; then
|
||||
FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
|
||||
if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
|
||||
FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
|
||||
if [ ${FIND} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: no unused distfiles found"
|
||||
|
@ -452,6 +507,7 @@
|
|||
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
COUNT=0
|
||||
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
|
||||
Report "package_manager[]=dnf"
|
||||
|
@ -460,14 +516,14 @@
|
|||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="dnf"
|
||||
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
|
||||
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
|
||||
for PKG in ${SPACKAGES}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
|
||||
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
|
||||
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
|
||||
done
|
||||
Report "installed_packages=${N}"
|
||||
Report "installed_packages=${COUNT}"
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -594,19 +650,20 @@
|
|||
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: Querying portmaster for possible port upgrades"
|
||||
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
|
||||
for J in ${UPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
LogText "Upgrade available (new version): ${J}"
|
||||
Report "upgrade_available[]=${J}"
|
||||
for PKG in ${UPACKAGES}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Upgrade available (new version): ${PKG}"
|
||||
Report "upgrade_available[]=${PKG}"
|
||||
done
|
||||
Report "upgrade_available_count=${N}"
|
||||
if [ ${N} -eq 0 ]; then
|
||||
LogText "Result: no upgrades found"
|
||||
Report "upgrade_available_count=${COUNT}"
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
LogText "Result: no updates found"
|
||||
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
|
||||
else
|
||||
LogText "Result: found ${COUNT} updates"
|
||||
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
|
||||
fi
|
||||
fi
|
||||
|
@ -617,11 +674,11 @@
|
|||
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
|
||||
Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -x /usr/sbin/pkg_admin ]; then
|
||||
if [ -x ${ROOTDIR}usr/sbin/pkg_admin ]; then
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="pkg_admin audit"
|
||||
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
|
||||
FIND=$(/usr/sbin/pkg_admin audit)
|
||||
if [ -f ${ROOTDIR}var/db/pkg/pkgs-vulnerabilities ]; then
|
||||
FIND=$(${ROOTDIR}usr/sbin/pkg_admin audit)
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: pkg_admin audit results are clean"
|
||||
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
|
@ -631,7 +688,7 @@
|
|||
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
|
||||
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
Report "vulnerable_package[]=${I}"
|
||||
LogText "Vulnerable package: ${I}"
|
||||
|
@ -701,11 +758,11 @@
|
|||
# Test : PKGS-7382
|
||||
# Description : Check for vulnerable FreeBSD packages
|
||||
# Notes : Newer machines should use pkg audit instead of portaudit
|
||||
if [ -x /usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
|
||||
FIND=$(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: Portaudit results are clean"
|
||||
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
|
@ -716,10 +773,10 @@
|
|||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
|
||||
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
|
||||
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
Report "vulnerable_package[]=${I}"
|
||||
LogText "Vulnerable package: ${I}"
|
||||
Report "vulnerable_package[]=${PKG}"
|
||||
LogText "Vulnerable package: ${PKG}"
|
||||
# Decrease hardening points for every found vulnerable package
|
||||
AddHP 1 2
|
||||
done
|
||||
|
@ -753,11 +810,11 @@
|
|||
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -x /usr/bin/package-cleanup ]; then
|
||||
LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
|
||||
if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then
|
||||
LogText "Result: found YUM utils package (${ROOTDIR}usr/bin/package-cleanup)"
|
||||
# Check for duplicates
|
||||
LogText "Test: Checking for duplicate packages"
|
||||
FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
|
||||
FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
LogText "Result: No duplicate packages found"
|
||||
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -770,7 +827,7 @@
|
|||
|
||||
# Check for package database problems
|
||||
LogText "Test: Checking for database problems"
|
||||
FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
|
||||
FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; echo $?)
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
LogText "Result: No package database problems found"
|
||||
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -869,7 +926,7 @@
|
|||
#
|
||||
# Test : PKGS-7387
|
||||
# Description : Search for YUM GPG check
|
||||
if [ -x /usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! -z "${PYTHONBINARY}" ]; then
|
||||
|
@ -892,16 +949,18 @@
|
|||
done
|
||||
fi
|
||||
FOUND=0
|
||||
FileExists /etc/yum.conf
|
||||
FileExists ${ROOTDIR}etc/yum.conf
|
||||
if [ ${FILE_FOUND} -eq 1 ]; then
|
||||
SearchItem "^gpgenabled\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
|
||||
SearchItem "^gpgcheck\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
|
||||
SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
|
||||
SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: GPG check is enabled"
|
||||
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
|
||||
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
|
||||
AddHP 2 3
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -959,11 +1018,11 @@
|
|||
#
|
||||
# Test : PKGS-7390
|
||||
# Description : Check Ubuntu database consistency
|
||||
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Package database consistency by running apt-get check"
|
||||
FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
|
||||
FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: package database seems to be consistent."
|
||||
|
@ -979,7 +1038,7 @@
|
|||
#
|
||||
# Test : PKGS-7392
|
||||
# Description : Check Debian/Ubuntu vulnerable packages
|
||||
if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
VULNERABLE_PACKAGES_FOUND=0
|
||||
|
@ -989,16 +1048,20 @@
|
|||
PACKAGE_AUDIT_TOOL="apt-get"
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
# Update the repository, outdated repositories don't give much information
|
||||
LogText "Action: updating repository with apt-get"
|
||||
/usr/bin/apt-get -q=2 update
|
||||
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
|
||||
LogText "Action: updating package repository with apt-get"
|
||||
${ROOTDIR}usr/bin/apt-get -q=2 update
|
||||
LogText "Result: apt-get finished"
|
||||
LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
|
||||
if [ -x /usr/lib/update-notifier/apt-check ]; then
|
||||
else
|
||||
LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
|
||||
fi
|
||||
LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
|
||||
if [ -x ${ROOTDIR}usr/lib/update-notifier/apt-check ]; then
|
||||
PACKAGE_AUDIT_TOOL="apt-check"
|
||||
LogText "Result: found /usr/lib/update-notifier/apt-check"
|
||||
LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
|
||||
LogText "Test: checking if any of the updates contain security updates"
|
||||
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
|
||||
FIND=$(/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
|
||||
FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
|
||||
# Check if we get the proper line back and amount of security patches available
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: did not find security updates line"
|
||||
|
@ -1028,9 +1091,9 @@
|
|||
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
|
||||
PACKAGE_AUDIT_TOOL="apt-get"
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
for I in ${FIND}; do
|
||||
LogText "Found vulnerable package: ${I}"
|
||||
Report "vulnerable_package[]=${I}"
|
||||
for PKG in ${FIND}; do
|
||||
LogText "Found vulnerable package: ${PKG}"
|
||||
Report "vulnerable_package[]=${PKG}"
|
||||
done
|
||||
fi
|
||||
if [ ${SCAN_PERFORMED} -eq 1 ]; then
|
||||
|
@ -1052,7 +1115,7 @@
|
|||
#
|
||||
# Test : PKGS-7393
|
||||
# Description : Check Gentoo vulnerable packages
|
||||
if [ -x /usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
VULNERABLE_PACKAGES_FOUND=0
|
||||
|
@ -1063,19 +1126,19 @@
|
|||
# "most friendly" way.
|
||||
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
|
||||
LogText "Action: updating portage with emerge-webrsync"
|
||||
/usr/bin/emerge-webrsync --quiet 2> /dev/null
|
||||
${ROOTDIR}usr/bin/emerge-webrsync --quiet 2> /dev/null
|
||||
LogText "Result: emerge-webrsync finished"
|
||||
else
|
||||
LogText "Result: using a possibly outdated repository, as updating is disabled"
|
||||
fi
|
||||
LogText "Test: checking if /usr/bin/glsa-check exists"
|
||||
if [ -x /usr/bin/glsa-check ]; then
|
||||
LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
|
||||
if [ -x ${ROOTDIR}usr/bin/glsa-check ]; then
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="glsa-check"
|
||||
LogText "Result: found /usr/bin/glsa-check"
|
||||
LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
|
||||
LogText "Test: checking if there are any vulnerable packages"
|
||||
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
|
||||
FIND=$(/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
|
||||
FIND=$(${ROOTDIR}usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
|
||||
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
|
||||
|
@ -1106,11 +1169,11 @@
|
|||
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: checking /usr/bin/apt-show-versions"
|
||||
if [ -x /usr/bin/apt-show-versions ]; then
|
||||
LogText "Result: found /usr/bin/apt-show-versions"
|
||||
LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
|
||||
if [ -x ${ROOTDIR}usr/bin/apt-show-versions ]; then
|
||||
LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
|
||||
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
|
||||
FIND=$(/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
|
||||
FIND=$(${ROOTDIR}usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: no packages found which can be upgraded"
|
||||
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
|
@ -1125,7 +1188,7 @@
|
|||
done
|
||||
fi
|
||||
else
|
||||
LogText "Result: /usr/bin/apt-show-versions not found"
|
||||
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
|
||||
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
|
||||
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
|
||||
fi
|
||||
|
@ -1158,7 +1221,7 @@
|
|||
#################################################################################
|
||||
#
|
||||
# Description : AIX patches
|
||||
# Notes : /usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
|
||||
# Notes : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -88,15 +88,15 @@
|
|||
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching cupsd configuration file"
|
||||
for I in ${CUPSD_CONFIG_LOCS}; do
|
||||
if [ -f ${I}/cupsd.conf ]; then
|
||||
if FileIsReadable ${I}/cupsd.conf; then
|
||||
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
|
||||
for DIR in ${CUPSD_CONFIG_LOCS}; do
|
||||
if [ -f ${DIR}/cupsd.conf ]; then
|
||||
if FileIsReadable ${DIR}/cupsd.conf; then
|
||||
CUPSD_CONFIG_FILE="${DIR}/cupsd.conf"
|
||||
LogText "Result: found ${CUPSD_CONFIG_FILE}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ ! -z "${CUPSD_CONFIG_FILE}" ]; then
|
||||
if HasData "${CUPSD_CONFIG_FILE}"; then
|
||||
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
|
||||
CUPSD_FOUND=1
|
||||
|
@ -111,12 +111,12 @@
|
|||
#
|
||||
# Test : PRNT-2307
|
||||
# Description : Check CUPSd configuration file permissions
|
||||
# To Do : Add function
|
||||
# TODO : Add function
|
||||
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking CUPS configuration file permissions"
|
||||
FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
|
||||
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
|
||||
LogText "Result: found ${FIND}"
|
||||
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
|
||||
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
|
||||
|
@ -139,17 +139,17 @@
|
|||
# Checking network addresses
|
||||
LogText "Test: Checking CUPS daemon listening network addresses"
|
||||
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Found network address: ${I}"
|
||||
N=$((N + 1))
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found network address: ${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
FOUND=1
|
||||
done
|
||||
|
||||
# Check if daemon is only running on localhost
|
||||
if [ ${FOUND} -eq 0 ]; then
|
||||
LogText "Result: no listen statement found in CUPS configuration file"
|
||||
elif [ ${N} -eq 1 ]; then
|
||||
elif [ ${COUNT} -eq 1 ]; then
|
||||
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
|
||||
LogText "Result: CUPS daemon only running on localhost"
|
||||
AddHP 2 2
|
||||
|
@ -167,12 +167,12 @@
|
|||
# Checking sockets
|
||||
LogText "Test: Checking cups daemon listening sockets"
|
||||
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
|
||||
for I in ${FIND}; do
|
||||
LogText "Found socket address: ${I}"
|
||||
N=$((N + 1))
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found socket address: ${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
|
||||
if [ ${N} -eq 0 ]; then
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
|
||||
LogText "Result: no addresses found on which CUPS daemon is listening"
|
||||
else
|
||||
|
@ -255,17 +255,17 @@
|
|||
Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking old print jobs"
|
||||
DirectoryExists /var/spool/lpd/qdir
|
||||
DirectoryExists ${ROOTDIR}var/spool/lpd/qdir
|
||||
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
|
||||
FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
FIND=$(find ${ROOTDIR}var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
|
||||
if HasData "${FIND}"; then
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found old print job: ${FILE}"
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
|
||||
LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
|
||||
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
|
||||
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
|
||||
@ -36,8 +36,9 @@
|
|||
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no cron daemon found"
|
||||
AddHP 3 3
|
||||
else
|
||||
LogText "Result: cron daemon running"
|
||||
CROND_RUNNING=1
|
||||
|
@ -63,42 +64,42 @@
|
|||
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${CRONTAB_FILE}
|
||||
for I in ${sCRONJOBS}; do
|
||||
LogText "Found cronjob (${CRONTAB_FILE}): ${I}"
|
||||
Report "cronjob[]=${I}"
|
||||
for ITEM in ${sCRONJOBS}; do
|
||||
LogText "Found cronjob (${CRONTAB_FILE}): ${ITEM}"
|
||||
Report "cronjob[]=${ITEM}"
|
||||
done
|
||||
fi
|
||||
|
||||
CRON_DIRS="${ROOTDIR}etc/cron.d"
|
||||
for I in ${CRON_DIRS}; do
|
||||
LogText "Test: checking directory ${I}"
|
||||
if [ -d ${I} ]; then
|
||||
if FileIsReadable ${I}; then
|
||||
LogText "Result: found directory ${I}"
|
||||
LogText "Test: searching files in ${I}"
|
||||
FIND=$(${FINDBINARY} ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: no files found in ${I}"
|
||||
for DIR in ${CRON_DIRS}; do
|
||||
LogText "Test: checking directory ${DIR}"
|
||||
if [ -d ${DIR} ]; then
|
||||
if FileIsReadable ${DIR}; then
|
||||
LogText "Result: found directory ${DIR}"
|
||||
LogText "Test: searching files in ${DIR}"
|
||||
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no files found in ${DIR}"
|
||||
else
|
||||
LogText "Result: found one or more files in ${I}. Analyzing files.."
|
||||
for J in ${FIND}; do
|
||||
if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${J}
|
||||
if [ ! -z "${sCRONJOBS}" ]; then
|
||||
LogText "Result: found one or more files in ${DIR}. Analyzing files.."
|
||||
for FILE in ${FIND}; do
|
||||
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${FILE}
|
||||
if HasData "${sCRONJOBS}"; then
|
||||
for K in ${sCRONJOBS}; do
|
||||
LogText "Result: Found cronjob (${J}): ${K}"
|
||||
Report "cronjob[]=${J}"
|
||||
LogText "Result: Found cronjob (${FILE}): ${K}"
|
||||
Report "cronjob[]=${FILE}"
|
||||
done
|
||||
fi
|
||||
done
|
||||
LogText "Result: done with analyzing files in ${I}"
|
||||
LogText "Result: done with analyzing files in ${DIR}"
|
||||
fi
|
||||
else
|
||||
LogText "Result: can not read file or directory ${I}"
|
||||
LogText "Result: can not read file or directory ${DIR}"
|
||||
fi
|
||||
else
|
||||
LogText "Result: directory ${I} does not exist"
|
||||
LogText "Result: directory ${DIR} does not exist"
|
||||
fi
|
||||
done
|
||||
|
||||
|
@ -218,11 +219,11 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
AT_UNKNOWN=0
|
||||
case ${OS} in
|
||||
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
|
||||
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
|
||||
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
|
||||
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
|
||||
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
|
||||
FreeBSD) AT_ALLOW="${ROOTDIR}var/at/at.allow"; AT_DENY="${ROOTDIR}var/at/at.deny" ;;
|
||||
HPUX) AT_ALLOW="${ROOTDIR}usr/lib/cron/at.allow"; AT_DENY="${ROOTDIR}usr/lib/cron/at.deny" ;;
|
||||
Linux) AT_ALLOW="${ROOTDIR}etc/at.allow"; AT_DENY="${ROOTDIR}etc/at.deny" ;;
|
||||
OpenBSD) AT_ALLOW="${ROOTDIR}var/cron/at.allow"; AT_DENY="${ROOTDIR}var/cron/at.deny" ;;
|
||||
SunOS) AT_ALLOW="${ROOTDIR}etc/cron.d/at.allow"; AT_DENY="${ROOTDIR}etc/cron.d/at.deny" ;;
|
||||
*) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
|
||||
esac
|
||||
if [ ${AT_UNKNOWN} -eq 0 ]; then
|
||||
|
@ -232,11 +233,11 @@
|
|||
if [ ${CANREAD} -eq 1 ]; then
|
||||
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
|
||||
FIND=$(${SORTBINARY} ${AT_ALLOW})
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: File empty, no users are allowed to schedule at jobs"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Allowed at user: ${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Allowed at user: ${ITEM}"
|
||||
done
|
||||
fi
|
||||
else
|
||||
|
@ -253,8 +254,8 @@
|
|||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: file is empty, no users are denied access to schedule jobs"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Denied at user: ${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Denied at user: ${ITEM}"
|
||||
done
|
||||
fi
|
||||
else
|
||||
|
@ -281,10 +282,10 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check scheduled at jobs"
|
||||
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found one or more jobs"
|
||||
for I in ${FIND}; do
|
||||
VALUE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
for ITEM in ${FIND}; do
|
||||
VALUE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found at job: ${VALUE}"
|
||||
done
|
||||
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN
|
||||
@ -201,63 +201,62 @@
|
|||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: checking ACLs"
|
||||
FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: No ACLs found"
|
||||
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found ACL: ${I}"
|
||||
#Report "squid_acl=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
COUNT=$((COUNT + 1))
|
||||
ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found ACL: ${ITEM}"
|
||||
#Report "squid_acl=${ITEM}" # TODO
|
||||
done
|
||||
LogText "Result: Found ${N} ACLs"
|
||||
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
|
||||
LogText "Result: Found ${COUNT} ACLs"
|
||||
Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : SQD-3624 [T]
|
||||
# Test : SQD-3624
|
||||
# Description : Check unsecure ports in Safe_ports list
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: checking ACL Safe_ports http_access option"
|
||||
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no Safe_ports found"
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
|
||||
else
|
||||
LogText "Result: checking ACL safe ports"
|
||||
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
|
||||
if [ -z "${FIND2}" ]; then
|
||||
if IsEmpty "${FIND2}"; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
|
||||
AddHP 0 1
|
||||
else
|
||||
LogText "Result: Safe_ports found"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found safe port: ${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found safe port: ${ITEM}"
|
||||
done
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 1 1
|
||||
fi
|
||||
#SQUID_DAEMON_UNSAFE_PORTS_LIST
|
||||
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
|
||||
LogText "Test: Checking port ${I} in Safe_ports list"
|
||||
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
|
||||
if [ -z "${FIND2}" ]; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
|
||||
|
||||
for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
|
||||
LogText "Test: Checking port ${ITEM} in Safe_ports list"
|
||||
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" ${SQUID_DAEMON_CONFIG})
|
||||
if IsEmpty "${FIND2}"; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
|
||||
AddHP 1 1
|
||||
else
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
|
||||
AddHP 0 1
|
||||
fi
|
||||
done
|
||||
|
@ -277,10 +276,9 @@
|
|||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: checking option reply_body_max_size"
|
||||
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: option reply_body_max_size not configured"
|
||||
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
|
||||
AddHP 1 2
|
||||
@ -250,30 +250,30 @@
|
|||
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
COUNT=0
|
||||
LogText "Test: Checking stratum 16 sources from ntpq peers list"
|
||||
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: All peers are lower than stratum 16"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
LogText "Found stratum 16 peer: ${I}"
|
||||
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE})
|
||||
if [ -z "${FIND2}" ]; then
|
||||
N=$((N + 1))
|
||||
Report "ntp_stratum_16_peer[]=${I}"
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found stratum 16 peer: ${ITEM}"
|
||||
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${ITEM}:" ${PROFILE})
|
||||
if IsEmpty "${FIND2}"; then
|
||||
COUNT=$((COUNT + 1))
|
||||
Report "ntp_stratum_16_peer[]=${ITEM}"
|
||||
else
|
||||
LogText "Output: host ${I} ignored by profile"
|
||||
LogText "Output: host ${ITEM} ignored by profile"
|
||||
fi
|
||||
done
|
||||
# Check if one or more high stratum time servers are found
|
||||
if [ ${N} -eq 0 ]; then
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
|
||||
else
|
||||
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found one or more high stratum (16) peers)"
|
||||
LogText "Result: Found ${COUNT} high stratum (16) peers)"
|
||||
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
|
||||
fi
|
||||
fi
|
||||
@ -31,6 +31,8 @@
|
|||
FAIL2BAN_EMAIL=0
|
||||
FAIL2BAN_SILENT=0
|
||||
PERFORM_FAIL2BAN_TESTS=0
|
||||
SNORT_FOUND=0
|
||||
SNORT_RUNNING=0
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -160,7 +162,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Intrusion Prevention tools
|
||||
# Intrusion Detection and Prevention tools
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -299,6 +301,52 @@
|
|||
# fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : TOOL-5120
|
||||
# Description : Check for Snort
|
||||
Register --test-no TOOL-5120 --weight L --network NO --category security --description "Check for presence of Snort"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
||||
# Snort presence
|
||||
if [ -n "${SNORTBINARY}" ]; then
|
||||
SNORT_FOUND=1
|
||||
IDS_IPS_TOOL_FOUND=1
|
||||
LogText "Result: Snort is installed (${SNORTBINARY})"
|
||||
Report "ids_ips_tooling[]=snort"
|
||||
Display --indent 2 --text "- Checking presence of Snort" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
|
||||
IsRunning snort
|
||||
if [ ${SNORT_RUNNING} -eq 1 ]; then
|
||||
SNORT_FOUND=1
|
||||
SNORT_RUNNING=1
|
||||
SNORT_LOG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $4}' | ${HEADBINARY} -1)
|
||||
else
|
||||
LogText "Result: Snort not present (Snort not running)"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : TOOL-5122
|
||||
# Description : Check for Snort configuration
|
||||
Register --test-no TOOL-5122 --weight L --network NO --category security --description "Check Snort configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
|
||||
# Continue if tooling is available and snort is running
|
||||
if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then
|
||||
if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
|
||||
SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
|
||||
if HasData "${SNORT_CONFIG}"; then
|
||||
LogText "Result: found Snort configuration file: ${SNORT_CONFIG}"
|
||||
Report "snort_config=${SNORT_CONFIG}"
|
||||
fi
|
||||
SNORT=$(which snort 2> /dev/null)
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : TOOL-5190
|
||||
# Description : Check for an IDS/IPS tool
|
||||
@ -193,6 +193,9 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# TODO
|
||||
# Do you have Apache running and want to contribute? Help us testing this control and send in a pull request
|
||||
|
||||
# Test : HTTP-6630
|
||||
# Description : Search for all loaded modules
|
||||
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
|
@ -219,24 +222,24 @@
|
|||
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching available Apache modules"
|
||||
N=0
|
||||
for I in ${APACHE_MODULES_LOCS}; do
|
||||
DirectoryExists ${I}
|
||||
COUNT=0
|
||||
for DIR in ${APACHE_MODULES_LOCS}; do
|
||||
DirectoryExists ${DIR}
|
||||
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
|
||||
FIND=$(find ${I} -name "mod_*" -print | sort)
|
||||
for J in ${FIND}; do
|
||||
Report "apache_module[]=${J}"
|
||||
LogText "Result: found Apache module ${J}"
|
||||
N=$((N + 1))
|
||||
FIND=$(${FINDBINARY} ${DIR} -name "mod_*" -print | ${SORTBINARY})
|
||||
for ITEM in ${FIND}; do
|
||||
Report "apache_module[]=${ITEM}"
|
||||
LogText "Result: found Apache module ${ITEM}"
|
||||
COUNT=$((COUNT + 1))
|
||||
done
|
||||
fi
|
||||
done
|
||||
if [ ${N} -eq 0 ]; then
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
|
||||
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
|
||||
else
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
|
||||
Display --indent 8 --text "- Found ${N} loadable modules"
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND} (${COUNT})" --color GREEN
|
||||
Display --indent 8 --text "- Found ${COUNT} loadable modules"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -300,7 +303,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6660
|
||||
# Test : HTTP-6660 TODO
|
||||
# Description : Search for "TraceEnable off" in configuration files
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -311,7 +314,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching running nginx process"
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found running nginx process(es)"
|
||||
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
|
||||
NGINX_RUNNING=1
|
||||
|
@ -330,14 +333,14 @@
|
|||
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching nginx configuration file"
|
||||
for I in ${NGINX_CONF_LOCS}; do
|
||||
if [ -f ${I}/nginx.conf ]; then
|
||||
NGINX_CONF_LOCATION="${I}/nginx.conf"
|
||||
for DIR in ${NGINX_CONF_LOCS}; do
|
||||
if [ -f ${DIR}/nginx.conf ]; then
|
||||
NGINX_CONF_LOCATION="${DIR}/nginx.conf"
|
||||
LogText "Found file ${NGINX_CONF_LOCATION}"
|
||||
NGINX_CONF_FILES="${I}/nginx.conf"
|
||||
NGINX_CONF_FILES="${DIR}/nginx.conf"
|
||||
fi
|
||||
done
|
||||
if [ ! -z "${NGINX_CONF_LOCATION}" ]; then
|
||||
if HasData "${NGINX_CONF_LOCATION}"; then
|
||||
LogText "Result: found nginx configuration file"
|
||||
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
|
||||
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
@ -357,7 +360,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Remove temp file
|
||||
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||
N=0
|
||||
COUNT=0
|
||||
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
|
||||
# Search for included configuration files (may include directories and wild cards)
|
||||
FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
|
||||
|
@ -366,7 +369,7 @@
|
|||
for J in ${FIND2}; do
|
||||
# Ensure that we are parsing normal files
|
||||
if [ -f ${J} ]; then
|
||||
N=$((N + 1))
|
||||
COUNT=$((COUNT + 1))
|
||||
LogText "Result: found Nginx configuration file ${J}"
|
||||
Report "nginx_sub_conf_file[]=${J}"
|
||||
FileIsReadable ${J}
|
||||
|
@ -390,10 +393,10 @@
|
|||
# Remove unsorted file for next tests
|
||||
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
|
||||
|
||||
if [ ${N} -eq 0 ]; then
|
||||
if [ ${COUNT} -eq 0 ]; then
|
||||
LogText "Result: no nginx include statements found"
|
||||
else
|
||||
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
|
||||
Display --indent 6 --text "- Found nginx includes" --result "${COUNT} FOUND" --color GREEN
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -407,14 +410,14 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: start parsing all discovered nginx options"
|
||||
Display --indent 4 --text "- Parsing configuration options"
|
||||
for I in ${NGINX_CONF_FILES}; do
|
||||
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
|
||||
for FILE in ${NGINX_CONF_FILES}; do
|
||||
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
|
||||
if [ ! "${FILENAME}" = "mime.types" ]; then
|
||||
if FileIsReadable ${I}; then
|
||||
Display --indent 8 --text "- ${I}"
|
||||
ParseNginx ${I}
|
||||
if FileIsReadable ${FILE}; then
|
||||
Display --indent 8 --text "- ${FILE}"
|
||||
ParseNginx ${FILE}
|
||||
else
|
||||
Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW
|
||||
Display --indent 8 --text "- ${FILE}" --result "SKIPPED (NOT READABLE)" --color YELLOW
|
||||
fi
|
||||
else
|
||||
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"
|
||||
12
lynis
12
lynis
@ -34,7 +34,7 @@
|
|||
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
|
||||
|
||||
# Version details
|
||||
PROGRAM_RELEASE_DATE="2017-04-23"
|
||||
PROGRAM_RELEASE_DATE="2017-04-30"
|
||||
PROGRAM_RELEASE_TIMESTAMP=1490800090
|
||||
PROGRAM_RELEASE_TYPE="dev" # dev or final
|
||||
PROGRAM_VERSION="2.5.0"
|
||||
|
@ -572,9 +572,9 @@ ${NORMAL}
|
|||
if [ -z "${PLUGINDIR}" ]; then
|
||||
#LogText "Result: Searching for plugindir"
|
||||
tPLUGIN_TARGETS="/usr/local/lynis/plugins /usr/local/share/lynis/plugins /usr/share/lynis/plugins /etc/lynis/plugins ./plugins"
|
||||
for I in ${tPLUGIN_TARGETS}; do
|
||||
if [ -d ${I} -a -z "${PLUGINDIR}" ]; then
|
||||
PLUGINDIR=${I}
|
||||
for DIR in ${tPLUGIN_TARGETS}; do
|
||||
if [ -d ${DIR} -a -z "${PLUGINDIR}" ]; then
|
||||
PLUGINDIR=${DIR}
|
||||
Debug "Result: found plugindir ${PLUGINDIR}"
|
||||
fi
|
||||
done
|
||||
|
@ -706,7 +706,7 @@ ${NORMAL}
|
|||
fi
|
||||
|
||||
# Test for older releases, without testing via update mechanism
|
||||
if [ "$OS" = "Solaris" ]; then
|
||||
if [ "${OS}" = "Solaris" ]; then
|
||||
NOW=$(nawk 'BEGIN{print srand()}')
|
||||
else
|
||||
NOW=$(date "+%s")
|
||||
|
@ -780,7 +780,7 @@ ${NORMAL}
|
|||
#################################################################################
|
||||
#
|
||||
# Check for systemd presence
|
||||
if [ -d /lib/systemd/system -a -f /usr/lib/systemd/systemd ]; then
|
||||
if [ -d ${ROOTDIR}lib/systemd/system -a -f ${ROOTDIR}usr/lib/systemd/systemd ]; then
|
||||
LogText "Result: systemd is using systemd"
|
||||
HAS_SYSTEMD=1
|
||||
Report "systemd=1"
|
||||
|
|
|
@ -6,12 +6,12 @@
|
|||
#-----------------------------------------------------
|
||||
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
|
||||
# PLUGIN_CATEGORY=authentication
|
||||
# PLUGIN_DATE=2017-03-01
|
||||
# PLUGIN_DATE=2017-04-30
|
||||
# PLUGIN_DESC=PAM
|
||||
# PLUGIN_NAME=pam
|
||||
# PLUGIN_PACKAGE=all
|
||||
# PLUGIN_REQUIRED_TESTS=
|
||||
# PLUGIN_VERSION=1.0.1
|
||||
# PLUGIN_VERSION=1.0.2
|
||||
#-----------------------------------------------------
|
||||
#########################################################################
|
||||
#
|
||||
|
@ -27,8 +27,8 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
for LINE in $(${GREPBINARY} -v "^#" ${FILE} | ${TRBINARY} -d " "); do
|
||||
for I in ${LINE}; do
|
||||
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
|
||||
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
|
||||
OPTION=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
|
||||
VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
|
||||
case ${OPTION} in
|
||||
minlen)
|
||||
DigitsOnly ${VALUE}
|
||||
|
@ -69,8 +69,7 @@
|
|||
if [ -d ${PAM_DIRECTORY} ]; then
|
||||
LogText "Result: /etc/pam.d exists"
|
||||
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
|
||||
# First check /etc/pam.conf if it exists.
|
||||
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
|
||||
|
||||
for PAM_FILE in ${FIND_FILES}; do
|
||||
LogText "Now checking PAM file ${PAM_FILE}"
|
||||
while read line; do
|
||||
|
@ -370,7 +369,7 @@ Report "authentication_two_factor_required=${PAM_2F_AUTH_ENABLED}"
|
|||
if [ ! "${AUTH_UNLOCK_TIME}" = "-1" ]; then
|
||||
LogText "[PAM] Authentication unlock time: ${AUTH_UNLOCK_TIME}"
|
||||
Report "authentication_unlock_time=${AUTH_UNLOCK_TIME}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Authentication unlock time: not configured"
|
||||
fi
|
||||
|
||||
|
@ -383,7 +382,7 @@ fi
|
|||
if [ ! "${MIN_PASSWORD_LENGTH}" = "-1" ]; then
|
||||
LogText "[PAM] Minimum password length: ${MIN_PASSWORD_LENGTH}"
|
||||
Report "minimum_password_length=${MIN_PASSWORD_LENGTH}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Minimum password length: not configured"
|
||||
fi
|
||||
|
||||
|
@ -445,7 +444,7 @@ fi
|
|||
if [ ! -z "${MAX_PASSWORD_RETRY}" ]; then
|
||||
LogText "[PAM] Password maximum retry: ${MAX_PASSWORD_RETRY}"
|
||||
Report "max_password_retry=${MAX_PASSWORD_RETRY}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Password maximum retry: Not configured"
|
||||
fi
|
||||
|
||||
|
@ -460,7 +459,7 @@ if [ ${PAM_PASSWORD_PWHISTORY_ENABLED} -eq 1 ]; then
|
|||
LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}"
|
||||
LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
|
||||
Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Password history with pam_pwhistory IS NOT enabled"
|
||||
fi
|
||||
|
||||
|
@ -468,7 +467,7 @@ if [ ${PAM_PASSWORD_UXHISTORY_ENABLED} -eq 1 ]; then
|
|||
LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}"
|
||||
LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
|
||||
Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"
|
||||
else
|
||||
else
|
||||
LogText "[PAM] Password history with pam_unix IS NOT enabled"
|
||||
fi
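Review bot: `FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)` still calls a bare `find` and leaves `${PAM_DIRECTORY}` unquoted, while the same commit replaces bare `awk` with `${AWKBINARY}` a few lines above; the result is then word-split in `for PAM_FILE in ${FIND_FILES}`. Use the initialised binary and quote the directory: `FIND_FILES=$(${FINDBINARY} "${PAM_DIRECTORY}" -type f -print)`, assuming FINDBINARY is provided by the main script as it is for the systemd plugin. The preceding log line `Result: /etc/pam.d exists` hard-codes the path although the test is on `${PAM_DIRECTORY}`; `LogText "Result: ${PAM_DIRECTORY} exists"` keeps them in step. Note that `-type f` without `-L` skips PAM files that are only reachable through a symlink — confirm that is intended. Both enclosing blocks start and end outside their hunks.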
|
||||
|
||||
|
|
|
@ -16,12 +16,12 @@
|
|||
#-----------------------------------------------------
|
||||
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
|
||||
# PLUGIN_CATEGORY=essentials
|
||||
# PLUGIN_DATE=2016-04-28
|
||||
# PLUGIN_DATE=2017-04-30
|
||||
# PLUGIN_DESC=Tests related to systemd tooling
|
||||
# PLUGIN_NAME=systemd
|
||||
# PLUGIN_PACKAGE=community
|
||||
# PLUGIN_REQUIRED_TESTS=
|
||||
# PLUGIN_VERSION=1.0.1
|
||||
# PLUGIN_VERSION=1.0.2
|
||||
#-----------------------------------------------------
|
||||
#
|
||||
#########################################################################
|
||||
|
@ -63,7 +63,7 @@
|
|||
Report "systemd_version=${FIND}"
|
||||
LogText "Result: found systemd version ${FIND}"
|
||||
fi
|
||||
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
|
||||
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
Report "systemd_builtin_components=${FIND}"
|
||||
LogText "Result: found builtin components list"
|
||||
|
@ -77,7 +77,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
|
||||
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found systemd unit files via systemctl list-unit-files"
|
||||
for I in ${FIND}; do
|
||||
|
@ -94,7 +94,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
|
||||
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found systemd unit files via systemctl list-unit-files"
|
||||
for I in ${FIND}; do
|
||||
|
@ -125,7 +125,7 @@
|
|||
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
Report "systemd_binaries=${FIND}"
|
||||
LogText "Result: found systemd binaries in /usr/lib/systemd"
|
||||
|
@ -160,7 +160,7 @@
|
|||
if [ ! "${FIND}" = "" ]; then
|
||||
Report "journal_contains_errors=1"
|
||||
for I in ${FIND}; do
|
||||
LINE=$(echo ${I} | sed 's/:space:/ /g')
|
||||
LINE=`echo ${I} | sed 's/:space:/ /g'`
|
||||
LogText "Output (fails): ${LINE}"
|
||||
done
|
||||
else
|
||||
|
@ -176,7 +176,7 @@
|
|||
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
|
||||
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
|
||||
Report "journal_disk_size=${FIND}"
|
||||
LogText "Result: journals are ${FIND} in size"
|
||||
fi
|
||||
|
@ -188,7 +188,7 @@
|
|||
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
|
||||
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
|
||||
Report "journal_meta_data=${FIND}"
|
||||
fi
|
||||
#
|
||||
|
@ -228,7 +228,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
|
||||
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
for I in ${FIND}; do
|
||||
Report "systemd_unit_not_found[]=${I}"
|
||||
|
@ -243,7 +243,7 @@
|
|||
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
|
||||
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found one or more services with faulty state"
|
||||
for I in ${FIND}; do
|
||||
|
@ -261,7 +261,7 @@
|
|||
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
SYSTEMD_COREDUMP_USED=1
|
||||
FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
|
||||
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: systemd uses systemd-coredump to handle coredumps"
|
||||
Report "systemd_coredump_used=1"
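Review bot: PLGN-3810 now searches `${ROOTDIR}usr/lib/systemd`, but its prerequisite check on the line above still tests the hard-coded `-d /usr/lib/systemd`, and the log text still names `/usr/lib/systemd`; with a non-default ROOTDIR the test is either skipped or run against the wrong tree. Align the check: `if [ ! "${FINDBINARY}" = "" -a -d "${ROOTDIR}usr/lib/systemd" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. If the printed order is old-then-new, as for the version line elsewhere in this commit, the other hunks in this file move from `$(...)` back to backticks while PLGN-3810 keeps `$(...)`; one form should be used throughout, and `$(...)` nests and quotes more safely. Several of these rewritten lines also still call bare `grep`, `sed`, `awk`, `tr` and `head` (e.g. PLGN-3856's `cat /proc/sys/kernel/core_pattern | grep systemd-coredump`) rather than the initialised `${GREPBINARY}`-style variables used in the PAM plugin; `${GREPBINARY} systemd-coredump /proc/sys/kernel/core_pattern` also drops the needless cat.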
|
||||
|
|