[bulk change] cleaning up, code enhancements, initialization of variables, and new tests

This commit is contained in:
Michael Boelen 2017-04-30 17:59:35 +02:00
parent 5ccd0912cf
commit 4ecb9d4d05
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
38 changed files with 1066 additions and 1043 deletions

View File

@ -10,17 +10,28 @@ Lynis 2.5.0 (2017-05-03) - Not released yet
This release is a maintenance release with focus on cleaning up the code for
readability and future expansion. It includes:
* Setting ROOTDIR variable instead of fixed paths
* Use ROOTDIR variable instead of fixed paths
* Introduction of IsEmpty and HasData functions for readability of code
* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
* Deleted unused tests from database file
* Correct levels of identation
During the maintenance cycle, the project got informed about a flaw that could
be possibly abused. This release is therefore highly recommended. See details on
[CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)
Changes:
--------
* Support for older mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries
Tests:
------
* MALW-3280 - Extended test with Symantec components
* PKGS-7332 - Detection of macOS ports tool and installed packages
* TOOL-5120 - Snort detection
* TOOL-5122 - Snort configuration file
---------------------------------------------------------------------------------
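Review bot: the first two summary bullets, "Setting ROOTDIR variable instead of fixed paths" and "Use ROOTDIR variable instead of fixed paths", say the same thing; keep one, or make the first describe the introduction of ROOTDIR and the second its use in the tests. In the same hunk, "Correct levels of identation" should read "indentation", and "a flaw that could be possibly abused" reads better as "a flaw that could possibly be abused".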

View File

@ -46,8 +46,6 @@ AUTH-9402:test:security:authentication::Query LDAP authentication support:
AUTH-9406:test:security:authentication::Query LDAP servers in client configuration:
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
#BANN-7119:test:security:banners::Check MOTD banner file:
#BANN-7122:test:security:banners::Check /etc/motd banner file contents:
BANN-7124:test:security:banners::Check issue banner file:
BANN-7126:test:security:banners::Check issue banner file contents:
BANN-7128:test:security:banners::Check issue.net banner file:
@ -63,7 +61,6 @@ BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader pres
BOOT-5126:test:security:boot_services:NetBSD:Check for NetBSD boot loader presence:
BOOT-5139:test:security:boot_services::Check for LILO boot loader presence:
BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
#BOOT-5144:test:security:boot_services::Check SPARC Improved boot loader (SILO):
BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file:
BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence:
BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services:
@ -73,7 +70,6 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr
BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
#CONT-1906:test:security:containers::Query Xen guests:
CONT-8102:test:security:containers::Checking Docker status and information:
CONT-8104:test:security:containers::Checking Docker info for any warnings:
CONT-8106:test:security:containers::Gather basic stats from Docker:
@ -81,14 +77,11 @@ CONT-8107:test:performance:containers::Check number of unused Docker containers:
CONT-8108:test:security:containers::Check file permissions for Docker files:
CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
DBS-1804:test:security:databases::Checking active MySQL process:
#DBS-1808:test:security:databases::Checking MySQL data directory:
#DBS-1812:test:security:databases::Checking MySQL data directory permissions:
DBS-1816:test:security:databases::Checking MySQL root password:
DBS-1818:test:security:databases::MongoDB status:
DBS-1820:test:security:databases::Check MongoDB authentication:
DBS-1826:test:security:databases::Checking active PostgreSQL processes:
DBS-1840:test:security:databases::Checking active Oracle processes:
#DBS-1842:test:security:databases::Checking Oracle home paths:
DBS-1860:test:security:databases::Checking active DB2 instances:
DBS-1880:test:security:databases::Checking active Redis processes:
DBS-1882:test:security:databases::Redis configuration file:
@ -112,7 +105,6 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
FILE-6310:test:security:filesystems::Checking /tmp, /home and /var directory:
FILE-6311:test:security:filesystems::Checking LVM volume groups:
FILE-6312:test:security:filesystems::Checking LVM volumes:
#FILE-6316:test:security:filesystems:Linux:Checking /etc/fstab:
FILE-6323:test:security:filesystems:Linux:Checking EXT file systems:
FILE-6329:test:security:filesystems::Checking FFS/UFS file systems:
FILE-6330:test:security:filesystems:FreeBSD:Checking ZFS file systems:
@ -145,7 +137,6 @@ FIRE-4586:test:security:firewalls::Check firewall logging:
FIRE-4590:test:security:firewalls::Check firewall status:
HOME-9302:test:security:homedirs::Create list with home directories:
HOME-9310:test:security:homedirs::Checking for suspicious shell history files:
#HOME-9314:test:security:homedirs::Create list with home directories:
HOME-9350:test:security:homedirs::Collecting information from home directories:
HRDN-7220:test:security:hardening::Check if one or more compilers are installed:
HRDN-7222:test:security:hardening::Check compiler permissions:
@ -153,12 +144,9 @@ HRDN-7230:test:security:hardening::Check for malware scanner:
HTTP-6622:test:security:webservers::Checking Apache presence:
HTTP-6624:test:security:webservers::Testing main Apache configuration file:
HTTP-6626:test:security:webservers::Testing other Apache configuration file:
#HTTP-6628:test:security:webservers::Testing other Apache configuration file:
#HTTP-6630:test:security:webservers::Determining all loaded Apache modules:
HTTP-6632:test:security:webservers::Determining all available Apache modules:
HTTP-6640:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6641:test:security:webservers::Determining existence of specific Apache modules:
#HTTP-6642:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6643:test:security:webservers::Determining existence of specific Apache modules:
HTTP-6702:test:security:webservers::Check nginx process:
HTTP-6704:test:security:webservers::Check nginx configuration file:
@ -168,8 +156,6 @@ HTTP-6710:test:security:webservers::Check nginx SSL configuration settings:
HTTP-6712:test:security:webservers::Check nginx access logging:
HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
#HTTP-67xx:test:security:webservers::Check nginx virtual hosts:
HTTP-6720:test:security:webservers::Check Nginx log files:
INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
@ -187,7 +173,6 @@ KRNL-5745:test:security:kernel:FreeBSD:Checking FreeBSD loaded kernel modules:
KRNL-5770:test:security:kernel:Solaris:Checking active kernel modules:
KRNL-5788:test:security:kernel:Linux:Checking availability new Linux kernel:
KRNL-5820:test:security:kernel:Linux:Checking core dumps configuration:
#KRNL-5826:test:security:kernel:Linux:Checking core dumps configuration:
KRNL-5830:test:security:kernel:Linux:Checking if system is running on the latest installed kernel:
KRNL-6000:test:security:kernel_hardening::Check sysctl key pairs in scan profile:
LDAP-2219:test:security:ldap::Check running OpenLDAP instance:
@ -252,14 +237,9 @@ NAME-4036:test:security:nameservices::Check Unbound configuration file:
NAME-4202:test:security:nameservices::Check BIND status:
NAME-4204:test:security:nameservices::Search BIND configuration file:
NAME-4206:test:security:nameservices::Check BIND configuration consistency:
#NAME-4050:test:security:nameservices::Check nscd status:
NAME-4210:test:security:nameservices::Check DNS banner:
#NAME-4212:test:security:nameservices::Check version setting in configuration:
#NAME-4220:test:security:nameservices::Check zone transfer:
#NAME-4222:test:security:nameservices::Check zone transfer:
NAME-4230:test:security:nameservices::Check PowerDNS status:
NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
#NAME-4234:test:security:nameservices::Check PowerDNS configuration consistency:
NAME-4236:test:security:nameservices::Check PowerDNS backends:
NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
NAME-4304:test:security:nameservices::Check NIS ypbind status:
@ -301,6 +281,8 @@ PKGS-7320:test:security:ports_packages:Linux:Check presence of arch-audit for Ar
PKGS-7322:test:security:ports_packages:Linux:Discover vulnerable packages on Arch Linux:
PKGS-7328:test:security:ports_packages::Querying Zypper for installed packages:
PKGS-7330:test:security:ports_packages::Querying Zypper for vulnerable packages:
PKGS-7332:test:security:ports_packages::Detection of macOS ports and packages:
PKGS-7334:test:security:ports_packages::Detection of available updates for macOS ports:
PKGS-7345:test:security:ports_packages::Querying dpkg:
PKGS-7346:test:security:ports_packages::Search unpurged packages on system:
PKGS-7348:test:security:ports_packages:FreeBSD:Check for old distfiles:
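Review bot: PKGS-7334 (Detection of available updates for macOS ports) is added to the database here, but the changelog hunk lists only PKGS-7332 under Tests; either add PKGS-7334 to the changelog or leave it out of the database until the corresponding test exists, so the database does not advertise a test that cannot run.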
@ -330,7 +312,6 @@ PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
PRNT-2307:test:security:printers_spools::Check CUPSd configuration file permissions:
PRNT-2308:test:security:printers_spools::Check CUPSd network configuration:
PRNT-2314:test:security:printers_spools::Check lpd status:
#PRNT-23xx:test::printers_spools:Check cupsd address configuration:security:
PRNT-2316:test:security:printers_spools:AIX:Checking /etc/qconfig file:
PRNT-2418:test:security:printers_spools:AIX:Checking qdaemon printer spooler status:
PRNT-2420:test:security:printers_spools:AIX:Checking old print jobs:
@ -348,8 +329,6 @@ SHLL-6290:test:security:shells::Perform Shellshock vulnerability tests:
SNMP-3302:test:security:snmp::Check for running SNMP daemon:
SNMP-3304:test:security:snmp::Check SNMP daemon file location:
SNMP-3306:test:security:snmp::Check SNMP communities:
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
#SOL-xxxx:test:security:solaris::Check for running SSH daemon:
SQD-3602:test:security:squid::Check for running Squid daemon:
SQD-3604:test:security:squid::Check Squid daemon file location:
SQD-3606:test:security:squid::Check Squid version:
@ -372,7 +351,6 @@ STRG-1902:test:security:storage_nfs::Check rpcinfo registered programs:
STRG-1904:test:security:storage_nfs::Check nfs rpc:
STRG-1906:test:security:storage_nfs::Check nfs rpc:
STRG-1920:test:security:storage_nfs::Checking NFS daemon:
#STRG-1924:test:security:storage_nfs::Checking NFS daemon:
STRG-1926:test:security:storage_nfs::Checking NFS exports:
STRG-1928:test:security:storage_nfs::Checking empty /etc/exports:
STRG-1930:test:security:storage_nfs::Check client access to nfs share:
@ -385,13 +363,13 @@ TIME-3124:test:security:time::Check selected time source:
TIME-3128:test:security:time::Check preffered time source:
TIME-3132:test:security:time::Check NTP falsetickers:
TIME-3136:test:security:time:Linux:Check NTP protocol version:
#TIME-3146:test:security:time:Linux:Check /etc/default/ntpdate:
TIME-3148:test:performance:time:Linux:Check TZ variable:
TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
TIME-3170:test:security:time::Check configuration files:
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
#VIRT-1920:test::virtualization:Checking VMware guest status:security:
# EOF
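Review bot: since this commit is removing the stale commented-out entries, the remaining one in this hunk, "#VIRT-1920:test::virtualization:Checking VMware guest status:security:", should go too: it uses the old field order (category after the description) that no other line in the file follows. The context line "TIME-3128:test:security:time::Check preffered time source:" also carries a typo ("preferred") that is worth fixing in the same cleanup pass.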

View File

@ -38,7 +38,7 @@
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no CORE-1000 --weight L --network NO --description "Check all system binaries"
BINARY_PATHS_FOUND=""; N=0
BINARY_PATHS_FOUND=""; COUNT=0
Display --indent 2 --text "- Checking system binaries..."
LogText "Status: Starting binary scan..."
for SCANDIR in ${BIN_PATHS}; do
@ -73,12 +73,12 @@
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=$(ls ${SCANDIR})
for I in ${FIND}; do
N=$((N + 1))
BINARY="${SCANDIR}/${I}"
for FILENAME in ${FIND}; do
COUNT=$((COUNT + 1))
BINARY="${SCANDIR}/${FILENAME}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
# Optimized, much quicker (limited file access needed)
case ${I} in
case ${FILENAME} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
afick.pl) AFICKFOUND=1; AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEFOUND=1; AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
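Review bot: the loop still builds its list with FIND=$(ls ${SCANDIR}) and iterates with "for FILENAME in ${FIND}", so a directory entry containing whitespace is split into several FILENAME values and BINARY then names a path that does not exist, while COUNT is incremented once per fragment. Since the rename touches these lines anyway, iterate over the directory entries directly (for BINARY in ${SCANDIR}/*; with FILENAME derived from the basename) instead of parsing ls output. The N/I to COUNT/FILENAME renames themselves are applied consistently across the hunk.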
@ -205,9 +205,9 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${I} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
python) PYTHONFOUND=1; PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
python2) PYTHON2FOUND=1; PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
python3) PYTHON3FOUND=1; PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
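Review bot: the three rewritten python LogText messages start with "Found known binary:" while every neighbouring entry (ps, puppet, readlink, rkhunter) starts with " Found known binary:" including the leading space; since these lines are being rewritten for the ${FILENAME} rename, align the prefix so the log output lines up.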
@ -226,6 +226,7 @@
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
snort) SNORTBINARY="${BINARY}"; LogText " Found known binary: snort (IDS) - ${BINARY}" ;;
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
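Review bot: the new snort entry sets only SNORTBINARY, whereas the neighbouring entries also set a presence flag (SHOWMOUNTFOUND=1, SOCKSTATFOUND=1, SQUIDFOUND=1). If the new TOOL-5120 test checks presence the way the other tooling tests do, add SNORTFOUND=1 here and initialize it next to SNORTBINARY in the defaults; otherwise make sure TOOL-5120 keys off SNORTBINARY with HasData rather than an undefined flag.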
@ -271,13 +272,12 @@
LogText "Result: Directory ${SCANDIR} does NOT exist"
fi
done
BINARY_SCAN_FINISHED=1
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/ //g')
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
LogText "Result: found ${COUNT} binaries"
Report "binaries_count=${COUNT}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1
LogText "Result: found ${N} binaries"
Report "binaries_count=${N}"
else
LogText "Result: checking of binaries skipped in this mode"
fi

View File

@ -59,6 +59,7 @@ unset LANG
AUDITD_RUNNING=0
APPLICATION_FIREWALL_ACTIVE=0
BINARY_SCAN_FINISHED=0
BLKIDBINARY=""
CAT_BINARY=""
CFAGENTBINARY=""
CHECK=0
@ -98,12 +99,14 @@ unset LANG
DOCKER_DAEMON_RUNNING=0
ECHOCMD=""
ERROR_ON_WARNINGS=0
FAIL2BANBINARY=""
FILEBINARY=""
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
FOUNDPATH=0
GETENT_BINARY=""
GRADMBINARY=""
GREPBINARY="grep"
GROUP_NAME=""
GRPCKBINARY=""
@ -239,6 +242,7 @@ unset LANG
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
SMTPCTLBINARY=""
SNORTBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SSL_CERTIFICATE_PATHS=""

View File

@ -62,7 +62,7 @@
# Check if we can find curl
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
# Restrict access to this binary to the user who is running this script.
if [ "${CURLBINARY}" = "" ]; then
if IsEmpty "${CURLBINARY}"; then
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
LogText "Error: Could not find cURL binary"
exit 1

View File

@ -226,7 +226,7 @@
# Check if we can find the main type (with or without brackets)
LogText "Test: search string $2 in earlier discovered results"
FIND=$(egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2")
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
ITEM_FOUND=1
RETVAL=0
LogText "Result: found search string (result: $FIND)"
@ -244,7 +244,6 @@
}
################################################################################
# Name : CheckUpdates()
# Description : Determine if there is an update available
@ -367,6 +366,7 @@
# Determine if a directory exists
DirectoryExists() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling DirectoryExists function"; fi
DIRECTORY_FOUND=0
LogText "Test: checking if directory $1 exists"
if [ -d $1 ]; then
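Review bot: the new parameter-count guard is a good addition, but the test on the following line is still "if [ -d $1 ]; then" with $1 unquoted; a path containing spaces expands to several words and the test becomes malformed instead of reporting "not found". Quote it as "$1" here, and likewise in FileExists below, which keeps the same pattern in "if [ -f $1 ]; then".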
@ -674,6 +674,7 @@
################################################################################
FileExists() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileExists function"; fi
FILE_FOUND=0
LogText "Test: checking if file $1 exists"
if [ -f $1 ]; then
@ -718,10 +719,11 @@
#
# Returns : 0 (empty), 1 (not empty)
# EMPTY (0 or 1) - deprecated usage
# Usage : xyz
# Usage : if FileIsEmpty /etc/passwd; then
################################################################################
FileIsEmpty() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling FileIsEmpty function"; fi
EMPTY=0
LogText "Test: checking if file $1 is empty"
if [ -z $1 ]; then
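Review bot: "if [ -z $1 ]; then" has the same unquoted-parameter problem: with $1 unquoted, a value consisting of whitespace or a path with spaces makes the test malformed rather than detecting an empty argument. Quote it as [ -z "$1" ]. The corrected usage line ("if FileIsEmpty /etc/passwd; then") is welcome and matches the documented return values above it.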
@ -858,7 +860,7 @@
"DragonFly" | "FreeBSD")
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
@ -877,16 +879,16 @@
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
if [ "${FIND}" = "" ]; then
if IsEmpty "${FIND}"; then
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr)
if [ "${FIND}" = "" ]; then
if IsEmpty "${FIND}"; then
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
# If not, then falling back to getting first interface. Better than nothing.
if [ ! "${HASETH0}" = "" ]; then
if HasData "${HASETH0}"; then
FIND=$(${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else
LogText "Result: No eth0 found (ether found), using first network interface to determine hostid (with ifconfig)"
@ -902,10 +904,10 @@
if [ ! "${IPBINARY}" = "" ]; then
# Determine if we have the common available eth0 interface
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
if IsEmpty "${FIND}"; then
# Determine the MAC address of first interface with the ip command
FIND=$(${IPBINARY} addr show 2> /dev/null | egrep "link/ether " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ "${FIND}" = "" ]; then
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "Can't create hostid (no MAC addresses found)"
fi
fi
@ -915,7 +917,7 @@
fi
# Check if we found a HostID
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
LogText "Info: using hardware address ${FIND} to create ID"
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
LogText "Result: Found HostID: ${HOSTID}"
@ -948,7 +950,7 @@
"NetBSD")
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on NetBSD"
@ -957,7 +959,7 @@
"OpenBSD")
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
ReportException "GetHostID" "No MAC address returned on OpenBSD"
@ -1216,10 +1218,10 @@
################################################################################
IsEmpty() {
if [ $# -eq 1 ]; then
if [ -z "$1" ]; then return 0; else return 1; fi
else
if [ $# -eq 0 ]; then
ExitFatal "Function IsEmpty called without parameters - look in log to determine where this happened, or use sh -x lynis to see all details."
else
if [ -z "$1" ]; then return 0; else return 1; fi
fi
}
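Review bot: the rewritten IsEmpty treats only $# -eq 0 as an error, so a call such as IsEmpty ${VAR} with an unquoted value containing spaces now expands to several parameters and is silently answered by testing "$1" alone; the previous form (if [ $# -eq 1 ] ... else ExitFatal) rejected that case, if with a misleading message. Keep the strict check, for example "if [ $# -ne 1 ]; then ExitFatal ..." with a message that distinguishes no parameters from too many.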
@ -1232,6 +1234,7 @@
################################################################################
IsRunning() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsRunning function"; fi
RUNNING=0
PSOPTIONS=""
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then PSOPTIONS=" ax"; fi
@ -1387,7 +1390,8 @@
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
else DMIDECODE_BINARY=""
else
DMIDECODE_BINARY=""
fi
if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
LogText "Test: trying to guess virtualization with dmidecode"
@ -1455,12 +1459,12 @@
fi
# lshw
if [ "${SHORT}" = "" ]; then
if HasData "${SHORT}"; then
if [ ${PRIVILEGED} -eq 1 ]; then
if [ -x /usr/bin/lshw ]; then
LogText "Test: trying to guess virtualization with lshw"
FIND=$(lshw -quiet -class system 2> /dev/null | awk '{ if ($1=="product:") { print $2 }}')
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
LogText "Result: found ${FIND}"
SHORT="${FIND}"
fi
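Review bot: this substitution inverts the condition. The original "if [ "${SHORT}" = "" ]; then" tried lshw only when nothing had been found yet; the replacement "if HasData "${SHORT}"; then" runs lshw only when a product name has already been found and skips it when SHORT is still empty, so the lshw fallback is now dead for the case it was written for. Use IsEmpty "${SHORT}" here, matching the unchanged "if [ "${SHORT}" = "" ]" guard in the dmidecode hunk above. The inner "if HasData "${FIND}"" replacement is correct.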
@ -1524,6 +1528,7 @@
################################################################################
IsWorldReadable() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldReadable function"; fi
sFILE=$1
# Check for symlink
if [ -L ${sFILE} ]; then
@ -1550,6 +1555,7 @@
# Function IsWorldExecutable
IsWorldExecutable() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldExecutable function"; fi
sFILE=$1
# Check for symlink
if [ -L ${sFILE} ]; then
@ -1575,6 +1581,7 @@
################################################################################
IsWorldWritable() {
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
sFILE=$1
FileIsWorldWritable=""

View File

@ -19,13 +19,12 @@
#################################################################################
if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
else
else
FILE=$(echo $1 | egrep "^http|https")
if [ ! "${FILE}" = "" ] ; then
if HasData "${FILE}"; then
CreateTempFile
TMP_FILE="${TEMP_FILE}"
Display --indent 2 --text "Downloading URL ${FILE} with wget"
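Review bot: the HasData substitution is fine, but the line it tests, FILE=$(echo $1 | egrep "^http|https"), has a regex that means (^http) or (https anywhere), so a local file name that merely contains the string "https" is treated as a URL and handed to wget. Anchor both alternatives, for example egrep "^https?://", so only real URLs take the download path.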
@ -151,14 +150,14 @@ InsertSection "Basics"
LogText "Checking usage of wget"
FIND_WGET=$(grep wget ${AUDIT_FILE})
if [ ! "${FIND_WGET}" = "" ]; then
if HasData "${FIND_WGET}"; then
Display --indent 4 --text "Download tool" --result "wget"
FILE_DOWNLOAD=1
fi
FIND=$(grep "^ADD http" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
FILE_DOWNLOAD=1
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
LogText "Details: ${FIND}"
@ -168,7 +167,7 @@ InsertSection "Basics"
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
if [ ! "${SSL_USED_FIND}" = "" ]; then
if HasData "${SSL_USED_FIND}"; then
SSL_USED="YES"
COLOR="GREEN"
else
@ -192,7 +191,7 @@ InsertSection "Basics"
InsertSection "Permissions"
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
ReportWarning "dockerfile" "Warning: chmod 777 found"
fi
#

View File

@ -187,8 +187,8 @@ if [ $# -gt 0 ]; then
"commands")
if [ $# -eq 1 ]; then
${ECHOCMD} "\n${WHITE}Commands:${NORMAL}"
for I in ${COMMANDS}; do
${ECHOCMD} "lynis ${CYAN}${I}${NORMAL}"
for ITEM in ${COMMANDS}; do
${ECHOCMD} "lynis ${CYAN}${ITEM}${NORMAL}"
done
${ECHOCMD} ""
else
@ -255,8 +255,8 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "=========================="
${ECHOCMD} ""
${ECHOCMD} "${WHITE}Commands${NORMAL}:"
for I in ${COMMANDS}; do
${ECHOCMD} "${CYAN}${I}${NORMAL}"
for ITEM in ${COMMANDS}; do
${ECHOCMD} "${CYAN}${ITEM}${NORMAL}"
done
${ECHOCMD} ""
${ECHOCMD} "Use 'lynis show help ${CYAN}<command>${NORMAL}' to see details"
@ -274,7 +274,7 @@ if [ $# -gt 0 ]; then
esac
fi
;;
"helpers") for I in ${HELPERS}; do ${ECHOCMD} ${I}; done ;;
"helpers") for ITEM in ${HELPERS}; do ${ECHOCMD} ${ITEM}; done ;;
"hostids" | "hostid")
${ECHOCMD} "hostid=${HOSTID}"
${ECHOCMD} "hostid2=${HOSTID2}"
@ -295,7 +295,7 @@ if [ $# -gt 0 ]; then
${ECHOCMD} "OS_VERSION=${OS_VERSION}"
;;
"pidfile") ${ECHOCMD} "${PIDFILE}" ;;
"profile" | "profiles") for I in ${PROFILES}; do ${ECHOCMD} ${I}; done ;;
"profile" | "profiles") for ITEM in ${PROFILES}; do ${ECHOCMD} ${ITEM}; done ;;
"profiledir") ${ECHOCMD} "${PROFILEDIR}" ;;
"plugindir") ${ECHOCMD} "${PLUGINDIR}" ;;
"release") ${ECHOCMD} "${PROGRAM_VERSION}-${PROGRAM_RELEASE_TYPE}" ;;
@ -314,7 +314,7 @@ if [ $# -gt 0 ]; then
*)
${ECHOCMD} "${RED}Error${NORMAL}: Invalid argument provided to 'lynis show settings'\n\n"
${ECHOCMD} "Suggestions:"
for I in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${I}"; done
for ITEM in ${SHOW_SETTINGS_ARGS}; do ${ECHOCMD} "lynis show settings ${ITEM}"; done
ExitFatal
;;
esac
@ -431,10 +431,10 @@ if [ $# -gt 0 ]; then
"?") ${ECHOCMD} "${SHOW_ARGS}" ;;
*) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis show" ;;
esac
else
else
${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
for I in ${SHOW_ARGS}; do
${ECHOCMD} " lynis show ${BROWN}${I}${NORMAL}"
for ITEM in ${SHOW_ARGS}; do
${ECHOCMD} " lynis show ${BROWN}${ITEM}${NORMAL}"
done
${ECHOCMD} "\n"

View File

@ -46,6 +46,8 @@
OS_VERSION_NAME="unknown"
OS_FULLNAME="macOS (unknown version)"
case ${OS_VERSION} in
10.7 | 10.7.[0-9]*) OS_FULLNAME="Mac OS X 10.7 (Lion)" ;;
10.8 | 10.8.[0-9]*) OS_FULLNAME="Mac OS X 10.8 (Mountain Lion)" ;;
10.9 | 10.9.[0-9]*) OS_FULLNAME="Mac OS X 10.9 (Mavericks)" ;;
10.10 | 10.10.[0-9]*) OS_FULLNAME="Mac OS X 10.10 (Yosemite)" ;;
10.11 | 10.11.[0-9]*) OS_FULLNAME="Mac OS X 10.11 (El Capitan)" ;;

View File

@ -232,8 +232,8 @@
--tests
--upload
--version_(-V)"
for I in ${OPTIONS}; do
echo "${I}" | tr '_' ' '
for ITEM in ${OPTIONS}; do
echo "${ITEM}" | tr '_' ' '
done
ExitClean
;;

View File

@ -223,7 +223,7 @@
# Plugin directory
plugindir | plugin-dir)
if [ "${PLUGINDIR}" = "" ]; then
if IsEmpty "${PLUGINDIR}"; then
PLUGINDIR="${VALUE}"
else
LogText "Plugin directory was already set to ${PLUGINDIR} before (most likely as a program argument), not overwriting"

View File

@ -22,15 +22,9 @@
#
#################################################################################
#
#
#################################################################################
#
# Hardening Index
# Define approximately how strong a machine has been hardened
#
#################################################################################
#
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=$((HPPOINTS * 100 / HPTOTAL))
@ -39,16 +33,13 @@
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
fi
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
fi
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
fi
if [ ${HPINDEX} -gt 89 ]; then
elif [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
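Review bot: turning the four independent if blocks into one if/elif chain is correct and removes the possibility of two branches firing, but the range tests can now be simplified because each branch already excludes the earlier ones: "elif [ ${HPINDEX} -lt 80 ]", "elif [ ${HPINDEX} -lt 90 ]", and a plain "else" for the last case. The descriptions in the context lines ("System has not or a low amount been hardened", "System seem to be decent hardened") are ungrammatical and could be fixed in the same pass.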
@ -203,7 +194,8 @@
echo " ${SECTION}Lynis Modules${NORMAL}:"
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
else COMPLIANCE="${YELLOW}?";
else
COMPLIANCE="${YELLOW}?"
fi
echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
echo " - Security Audit [${GREEN}V${NORMAL}]"
@ -252,9 +244,9 @@
# Split entries
FIND=$(echo ${FIND} | sed 's/====/ /g')
# Display found entries
for I in ${FIND}; do
J=$(echo ${I} | sed 's/:space:/ /g')
echo " ${J}"
for ITEM in ${FIND}; do
OUTPUT=$(echo ${ITEM} | sed 's/:space:/ /g')
echo " ${OUTPUT}"
done
echo ""
echo "================================================================================"

View File

@ -26,7 +26,7 @@
#
#################################################################################
#
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited record restricted secure subject terms this unauthorized"
#
#################################################################################
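Review bot: BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd" joins ROOTDIR and the relative path without a separator, so the result is only correct if ROOTDIR ends with a slash; an empty or unterminated ROOTDIR yields relative paths such as etc/issue, and the same applies to every ${ROOTDIR}COPYRIGHT and ${ROOTDIR}etc/COPYRIGHT use in the next hunk. Either document that invariant where ROOTDIR is set or enforce it once (append a trailing slash when it is missing) so these concatenations are safe.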
@ -35,108 +35,50 @@
# Description : Check FreeBSD COPYRIGHT banner file
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
if [ -f /COPYRIGHT ]; then
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /COPYRIGHT ]; then
LogText "Result: /COPYRIGHT available and contains text"
LogText "Test: Testing existence ${ROOTDIR}COPYRIGHT or ${ROOTDIR}etc/COPYRIGHT"
if [ -f ${ROOTDIR}COPYRIGHT ]; then
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s ${ROOTDIR}COPYRIGHT ]; then
LogText "Result: ${ROOTDIR}COPYRIGHT available and contains text"
else
LogText "Result: /COPYRIGHT available, but empty"
LogText "Result: ${ROOTDIR}COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /COPYRIGHT not found"
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}COPYRIGHT not found"
fi
if [ -f /etc/COPYRIGHT ]; then
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s /etc/COPYRIGHT ]; then
LogText "Result: /etc/COPYRIGHT available and contains text"
if [ -f ${ROOTDIR}etc/COPYRIGHT ]; then
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s ${ROOTDIR}etc/COPYRIGHT ]; then
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available and contains text"
else
LogText "Result: /etc/COPYRIGHT available, but empty"
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: /etc/COPYRIGHT not found"
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}etc/COPYRIGHT not found"
fi
fi
#
#################################################################################
#
# Test : BANN-7119
# Description : Check MOTD banner file
#Register --test-no BANN-7119 --weight L --network NO --category security --description "Check MOTD banner file"
#if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Testing existence /etc/motd"
# if [ -f /etc/motd ]; then
# LogText "Result: file /etc/motd exists"
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN
# if [ ! -L /etc/motd ]; then
# if IsWorldWritable /etc/motd; then
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED
# LogText "Result: /etc/motd is world writable. Users can change this file!"
# ReportWarning ${TEST_NO} "/etc/motd is world writable"
# else
# Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN
# LogText "Result: /etc/motd is not world writable."
# fi
# else
# LogText "Result: file /etc/motd is symlink"
# fi
# else
# LogText "Result: File /etc/motd not found"
# Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE
# fi
#fi
#
#################################################################################
#
# Test : BANN-7122
# Description : Check motd file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
#if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/motd banner file contents"
#if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# LogText "Test: Checking file /etc/motd contents for legal key words"
# for I in ${LEGAL_BANNER_STRINGS}; do
# FIND=$(${GREPBINARY} -i "${I}" /etc/motd)
# if [ ! "${FIND}" = "" ]; then
# LogText "Result: found string '${I}'"
# N=$((N + 1))
# fi
# done
# # Check if we have 5 or more key words
# if [ ${N} -gt 4 ]; then
# LogText "Result: Found ${N} key words, to warn unauthorized users"
# Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN
# AddHP 2 2
# else
# LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
# Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
# ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
# AddHP 0 1
# fi
#fi
#
#################################################################################
#
# Test : BANN-7124
# Description : Check issue banner file
Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file /etc/issue"
if [ -f /etc/issue ]; then
LogText "Test: Checking file ${ROOTDIR}etc/issue"
if [ -f ${ROOTDIR}etc/issue ]; then
# Check for symlink
if [ -L /etc/issue ]; then
LogText "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
if [ -L ${ROOTDIR}etc/issue ]; then
LogText "Result: file ${ROOTDIR}etc/issue exists (symlink)"
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: file ${ROOTDIR}etc/issue does not exist"
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
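Review bot: the two blocks in BANN-7113 for `${ROOTDIR}COPYRIGHT` and `${ROOTDIR}etc/COPYRIGHT` differ only in the path; a loop `for FILE in ${ROOTDIR}COPYRIGHT ${ROOTDIR}etc/COPYRIGHT; do` would halve the test and keep the Display and LogText strings in sync (the `-s` check already distinguishes present-but-empty files). In BANN-7124 the non-symlink branch calls Display without the LogText line that the symlink branch and BANN-7128 both have, so the log does not record that the file was found.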
@ -145,26 +87,26 @@
# Test : BANN-7126
# Description : Check issue file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -f ${ROOTDIR}etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
FILE="${ROOTDIR}etc/issue"
LogText "Test: Checking file ${FILE} contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${I}" ${FILE})
if [ ! -z "${FIND}" ]; then
LogText "Result: found string '${I}'"
N=$((N + 1))
for ITEM in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found string '${ITEM}'"
COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
if [ ${COUNT} -gt 4 ]; then
LogText "Result: Found ${COUNT} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${FILE} contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
AddHP 0 1
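Review bot: in the keyword loop, `FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})` captures the matching lines only to test whether anything matched; `${GREPBINARY} -q -i "${ITEM}" "${FILE}"` gives the same answer through the exit code, quotes the path, and avoids pulling banner contents into a variable before calling HasData.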
@ -178,19 +120,19 @@
# Description : Check issue.net banner file
Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file /etc/issue.net"
if [ -f /etc/issue.net ]; then
LogText "Test: Checking file ${ROOTDIR}etc/issue.net"
if [ -f ${ROOTDIR}etc/issue.net ]; then
# Check for symlink
if [ -L /etc/issue.net ]; then
LogText "Result: file /etc/issue.net exists (symlink)"
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
if [ -L ${ROOTDIR}etc/issue.net ]; then
LogText "Result: file ${ROOTDIR}etc/issue.net exists (symlink)"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result SYMLINK --color GREEN
else
LogText "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: file ${ROOTDIR}etc/issue.net exists"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: file ${ROOTDIR}etc/issue.net does not exist"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -199,26 +141,26 @@
# Test : BANN-7130
# Description : Check issue.net file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -f ${ROOTDIR}etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${I}" /etc/issue.net)
if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'"
N=$((N + 1))
COUNT=0
LogText "Test: Checking file ${ROOTDIR}etc/issue.net contents for legal key words"
for ITEM in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${ITEM}" ${ROOTDIR}etc/issue.net)
if HasData "${FIND}"; then
LogText "Result: found string '${ITEM}'"
COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
if [ ${COUNT} -gt 4 ]; then
LogText "Result: Found ${COUNT} key words, to warn unauthorized users"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
fi

View File

@ -414,7 +414,7 @@
Register --test-no BOOT-5142 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then
if [ -f ${ROOTDIR}etc/silo.conf ]; then
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN
BOOT_LOADER="SILO"
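Review bot: the existence check now tests `${ROOTDIR}etc/silo.conf`, but the log line right after it still reads `Found SILO configuration file (/etc/silo.conf)`; log the same variable-based path so the log reflects what was actually checked.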
@ -497,24 +497,24 @@
# Description : Check for FreeBSD boot services
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${SERVICEBINARY}" ]; then
if HasData "${SERVICEBINARY}"; then
# FreeBSD (Ask services(8) for enabled services)
LogText "Searching for services at startup (service)"
FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY})
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
LogText "Searching for services at startup (rc.conf)"
FIND=$(${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
fi
N=0
for I in ${FIND}; do
LogText "Found service (service/rc.conf): ${I}"
Report "boottask[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Found service (service/rc.conf): ${ITEM}"
Report "boottask[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
LogText "Found $N services/options to run at startup"
Display --indent 6 --text "Result: found ${COUNT} services/options set"
LogText "Found ${COUNT} services/options to run at startup"
fi
#
#################################################################################
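Review bot: the rc.conf branch runs `${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf` without checking that the file exists; when `service` is unavailable and rc.conf is absent, grep reports an error and the test still displays "found 0 services/options set" as if it had looked. Guard the else branch with `[ -f ${ROOTDIR}etc/rc.conf ]` (or a skip reason) before reading it.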
@ -527,37 +527,37 @@
CHECKED=0
LogText "Test: checking presence systemctl binary"
# Determine if we have systemctl on board
if [ ! -z "${SYSTEMCTLBINARY}" ]; then
if HasData "${SYSTEMCTLBINARY}"; then
LogText "Result: systemctl binary found, trying that to discover information"
# Running services
LogText "Searching for running services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
N=0
COUNT=0
Report "running_service_tool=systemctl"
for I in ${FIND}; do
LogText "Found running service: ${I}"
Report "running_service[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found running service: ${ITEM}"
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1))
done
LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N running services"
LogText "Result: Found $N enabled services"
Display --indent 8 --text "Result: found ${COUNT} running services"
LogText "Result: Found ${COUNT} enabled services"
# Services at boot
LogText "Searching for enabled services (systemctl services only)"
FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }')
N=0
COUNT=0
Report "boot_service_tool=systemctl"
for I in ${FIND}; do
LogText "Found enabled service at boot: ${I}"
Report "boot_service[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found enabled service at boot: ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1))
done
LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
LogText "Result: Found $N running services"
Display --indent 8 --text "Result: found ${COUNT} enabled services"
LogText "Result: Found ${COUNT} running services"
else
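Review bot: the LogText messages are swapped relative to the Display lines they follow: after `Display --indent 8 --text "Result: found ${COUNT} running services"` the log says `Found ${COUNT} enabled services`, and after the enabled-services Display the log says `Found ${COUNT} running services`. Since both lines are being rewritten for COUNT anyway, swap the wording so log and screen agree.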
@ -566,17 +566,17 @@
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
N=0
COUNT=0
Report "boot_service_tool=chkconfig"
for I in ${FIND}; do
LogText "Found service (at boot, runlevel 3 or 5): ${I}"
Report "boot_service[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found service (at boot, runlevel 3 or 5): ${ITEM}"
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1))
done
LogText "Hint: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found $N services"
LogText "Result: Found $N services at startup"
Display --indent 8 --text "Result: found ${COUNT} services"
LogText "Result: Found ${COUNT} services at startup"
else
LogText "Result: both systemctl and chkconfig not found. Skipping this test"
fi
@ -598,14 +598,14 @@
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
if [ ! -z "${FIND}" ]; then
N=0
COUNT=0
for SERVICE in ${FIND}; do
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
N=$((N + 1))
COUNT=$((COUNT + 1))
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE
Display --indent 4 --text "Result: found $N services"
LogText "Result: found $N services"
Display --indent 4 --text "Result: found ${COUNT} services"
LogText "Result: found ${COUNT} services"
fi
elif [ -z "${sRUNLEVEL}" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
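Review bot: `| sort` in the rc2.d FIND pipeline is the bare command while the rc.conf and systemctl pipelines in this same file use `${SORTBINARY}`, and `if [ ! -z "${FIND}" ]` here is exactly the pattern the other hunks replace with HasData. Both lines are in this hunk's context, so they are cheap to align now.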
@ -623,35 +623,35 @@
FOUND=0
CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
LogText "Result: checking /etc/init.d scripts for writable bit"
for I in ${CHECKDIRS}; do
LogText "Test: checking if directory ${I} exists"
if [ -d ${I} ]; then
LogText "Result: directory ${I} found"
LogText "Result: checking ${ROOTDIR}etc/init.d scripts for writable bit"
for DIR in ${CHECKDIRS}; do
LogText "Test: checking if directory ${DIR} exists"
if [ -d ${DIR} ]; then
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
FIND=$(${FINDBINARY} ${I} -type f -print)
FIND=$(${FINDBINARY} ${DIR} -type f -print)
if [ ! -z "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for J in ${FIND}; do
LogText "Test: checking permissions of file ${J}"
if IsWorldWritable ${J}; then
for FILE in ${FIND}; do
LogText "Test: checking permissions of file ${FILE}"
if IsWorldWritable ${FILE}; then
FOUND=1
LogText "Result: warning, file ${J} is world writable"
LogText "Result: warning, file ${FILE} is world writable"
else
LogText "Result: good, file ${J} not world writable"
LogText "Result: good, file ${FILE} not world writable"
fi
done
else
LogText "Result: found no files in directory."
fi
else
LogText "Result: directory ${I} not found. Skipping.."
LogText "Result: directory ${DIR} not found. Skipping.."
fi
done
# /etc/rc[0-6].d
for NO in 0 1 2 3 4 5 6; do
LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit"
LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print)
for I in ${FIND}; do
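Review bot: the renamed LogText still says `checking ${ROOTDIR}etc/init.d scripts for writable bit` although CHECKDIRS covers `etc/init.d`, `etc/rc.d` and `etc/rcS.d`; say "init script directories" or log per directory, which the loop already does for existence. The rename of I/J to DIR/FILE also stops short of the `rc${NO}.d` loop just below, which still iterates with `for I in ${FIND}; do`.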

View File

@ -41,16 +41,16 @@
LogText "Test: query zoneadm to list all running zones"
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
if [ ! -z "${FIND}" ]; then
N=0
for I in ${FIND}; do
N=$((N + 1))
ZONEID=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
ZONENAME=$(echo ${I} | ${CUTBINARY} -d ':' -f2)
COUNT=0
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
ZONEID=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f1)
ZONENAME=$(echo ${ITEM} | ${CUTBINARY} -d ':' -f2)
LogText "Result: found zone ${ZONENAME} (running)"
Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
LogText "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
LogText "Result: total of ${COUNT} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${COUNT} zones" --color GREEN
else
LogText "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE
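Review bot: `${ROOTDIR}usr/sbin/zoneadm list -p` applies ROOTDIR to a binary that is executed rather than to a file that is inspected; if ROOTDIR ever points at a mounted image, this runs the image's zoneadm instead of the host's. The other tests resolve executables through *BINARY variables (`${AWKBINARY}`, `${CUTBINARY}` in this same hunk), so a ZONEADMBINARY located on the host would fit that pattern.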
@ -59,7 +59,9 @@
#
#################################################################################
#
# Test : CONT-1906
# Do you have Xen running? Help us testing this test and submit a pull request on GitHub
# Test : CONT-1906 TODO
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
@ -95,7 +97,7 @@
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
if [ ! -z "${DOCKERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${DOCKERBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0

View File

@ -118,14 +118,14 @@
LogText "Result: found MongoDB configuration file (${FILE})"
LogText "Test: determine authorization setting in new style YAML format"
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
if [ ! -z "${AUTH_IN_CONFIG}" ]; then
if HasData "${AUTH_IN_CONFIG}"; then
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)"
MONGODB_AUTHORIZATION_ENABLED=1
else
LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
LogText "Test: now searching for old style configuration (auth = true) in configuration file"
AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)")
if [ -z "${AUTH_IN_CONFIG}" ]; then
if IsEmpty "${AUTH_IN_CONFIG}"; then
LogText "Result: did NOT find auth = true in configuration file"
else
LogText "Result: GOOD, found authorization option enabled in configuration file (old format)"
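Review bot: the two configuration checks now read in opposite directions: `if HasData "${AUTH_IN_CONFIG}"` puts the success case in the first branch for the YAML format, while the old-format check uses `if IsEmpty "${AUTH_IN_CONFIG}"` and puts the "GOOD, found authorization option" case in the else branch. Using HasData in both keeps the success path first each time and makes the two blocks read alike.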
@ -139,7 +139,7 @@
# Now check authorization on the command line
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
if [ ! -z "${PGREPBINARY}" ]; then
if HasData "${PGREPBINARY}"; then
AUTH_ON_CMDLINE=$(for I in $(${PGREPBINARY} mongo); do cat /proc/${I}/cmdline | xargs -0 echo | ${GREPBINARY} -E "\-\-auth( |$)"; done)
if [ ! -z "${AUTH_ON_CMDLINE}" ]; then LogText "Result: found authorization enabled via mongod parameter"; MONGODB_AUTHORIZATION_ENABLED=1; fi
else
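Review bot: the command-line fallback still uses bare `cat` and `xargs` and the old loop variable `I` inside the subshell, while the rest of this commit moves to named variables and *BINARY lookups (`${XARGSBINARY}` is used in tests_firewalls). Also, `${PGREPBINARY} mongo` matches any process whose name contains "mongo", including mongos or a client; `${PGREPBINARY} -x mongod` would limit the cmdline check to the daemon whose `--auth` flag matters.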

View File

@ -350,29 +350,29 @@
#
# Test : FILE-6354
# Description : Search files within /tmp which are older than 3 months
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -d ${ROOTDIR}tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in /tmp which are older than 3 months"
LogText "Test: Searching for old files in ${ROOTDIR}tmp"
# Search for files only in ${ROOTDIR}tmp, with an access time older than X days
FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if IsEmpty "${FIND}"; then
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in ${ROOTDIR}tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
N=0
for I in ${FIND}; do
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_FOUND}" --color RED
COUNT=0
for ITEM in ${FIND}; do
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Old temporary file: ${FILE}"
N=$((N + 1))
COUNT=$((COUNT + 1))
done
LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
LogText "Result: found old files in ${ROOTDIR}tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
LogText "Advice: check and clean up unused files in ${ROOTDIR}tmp. Old files can fill up a disk or contain"
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
LogText "directories by setting a boot option."
ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
ReportSuggestion ${TEST_NO} "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
fi
fi
#
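Review bot: the find uses `-atime +${TMP_OLD_DAYS}` (last access time) but the result log says the files "were not modified in the last ${TMP_OLD_DAYS} days", and the OK branch still says "older than 3 months" while the threshold is the variable; align the wording with the actual predicate and with TMP_OLD_DAYS. The new `2> /dev/null` also hides permission errors when Lynis runs as a non-root user, so a partial scan is reported as a clean OK; logging that the scan may be incomplete when not running as root would keep that result meaningful.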
@ -380,18 +380,18 @@
#
# Test : FILE-6362
# Description : Check for sticky bit on /tmp
if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
if [ -d ${ROOTDIR}tmp -a ! -L ${ROOTDIR}tmp ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"; fi
Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking /tmp sticky bit"
if [ ${SKIPTEST} -eq 0 ]; then
# Depending on OS, number of field with 'tmp' differs
FIND=$(${LSBINARY} -ld /tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
FIND=$(${LSBINARY} -ld ${ROOTDIR}tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
LogText "Result: sticky bit found on /tmp directory"
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_OK}" --color GREEN
LogText "Result: sticky bit found on ${ROOTDIR}tmp directory"
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on /tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
AddHP 0 3
fi
unset FIND
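Review bot: the skip and suggestion texts still hardcode `/tmp` (`SKIPREASON="No /tmp or /tmp is symlinked"` and the ReportSuggestion details `"... in the /tmp directory." "/tmp"`) while the checks themselves switched to `${ROOTDIR}tmp`. Separately, parsing `ls -ld` output with awk for a `t`/`T` in the mode string can be replaced by `[ -k "${ROOTDIR}tmp" ]`, which bash, dash, ksh and the BSD sh all support (it is not in strict POSIX) and which does not depend on ls output format.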
@ -579,8 +579,8 @@
# Description : Bind mount the /var/tmp directory to /tmp
Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
if [ -f ${ROOTDIR}etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! -z "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
@ -600,7 +600,7 @@
#
#################################################################################
#
# Test : FILE-6378
# Test : FILE-6378 TODO
# Description : Check for nodirtime option
# Want to contribute to Lynis? Create this test
@ -608,7 +608,7 @@
#
#################################################################################
#
# Test : FILE-6380
# Test : FILE-6380 TODO
# Description : Check for relatime
# Want to contribute to Lynis? Create this test
@ -616,7 +616,7 @@
#
#################################################################################
#
# Test : FILE-6390
# Test : FILE-6390 TODO
# Description : Check writeback/journalling mode (ext3)
# More info : data=writeback | data=ordered | data=journal
@ -625,7 +625,7 @@
#
#################################################################################
#
# Test : FILE-6394
# Test : FILE-6394 TODO
# Description : Check vm.swappiness (Linux)
# Want to contribute to Lynis? Create this test
@ -633,7 +633,7 @@
#
#################################################################################
#
# Test : FILE-6398
# Test : FILE-6398 TODO
# Description : Check if JBD (Journal Block Device) driver is loaded
# Want to contribute to Lynis? Create this test
@ -651,14 +651,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking locate database"
FOUND=0
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then
LogText "Result: locate database found (${I})"
LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
for FILE in ${LOCATE_DBS}; do
if [ -f ${FILE} ]; then
LogText "Result: locate database found (${FILE})"
FOUND=1
LOCATE_DB="${I}"
LOCATE_DB="${FILE}"
else
LogText "Result: file ${I} not found"
LogText "Result: file ${FILE} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
@ -673,7 +673,7 @@
#
#################################################################################
#
# Test : FILE-6420
# Test : FILE-6420 TODO
# Description : Check automount process
# Want to contribute to Lynis? Create this test
@ -681,7 +681,7 @@
#
#################################################################################
#
# Test : FILE-6422
# Test : FILE-6422 TODO
# Description : Check automount maps (files or for example LDAP based)
# Notes : Warn when automounter is running
@ -690,7 +690,7 @@
#
#################################################################################
#
# Test : FILE-6424
# Test : FILE-6424 TODO
# Description : Check automount map files
# Want to contribute to Lynis? Create this test
@ -698,7 +698,7 @@
#
#################################################################################
#
# Test : FILE-6425
# Test : FILE-6425 TODO
# Description : Check mounted files systems via automounter
# Notes : Warn when no systems are mounted?
@ -728,11 +728,11 @@
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is not loaded in the kernel"
AddHP 2 3
#Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN
# Tip to disable a particular module if it is not loaded
if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
# Tip to disable a particular module if it is not loaded TODO
#ReportSuggestion ${TEST_NO} "The modprobe.d directory should contain a file with the entry 'install ${FS} /bin/true'"
FOUND=1
AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
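Review bot: `${EGREPBINARY} "^${FS}"` matches by prefix, so a module whose name starts with another entry in the list (hfs versus hfsplus, if both are checked) makes the shorter name appear loaded when only the longer one is; anchor the comparison to the whole first column, for example `${LSMODBINARY} | ${AWKBINARY} -v fs="${FS}" '$1 == fs'`. The IsDebug-gated Display lines are a good replacement for the commented-out ones.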
@ -742,7 +742,7 @@
fi
else
AddHP 3 3
#Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi
done
if [ ${FOUND} -eq 1 ]; then

View File

@ -181,7 +181,7 @@
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
else
@ -418,7 +418,7 @@
#
# Test : FIRE-4536
# Description : Check nftables kernel module
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables")
@ -437,7 +437,7 @@
#
# Test : FIRE-4538
# Description : Check nftables configuration
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4538 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables basic configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Retrieve nft version
@ -450,7 +450,7 @@
#
# Test : FIRE-4540
# Description : Check nftables configuration
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
@ -464,12 +464,6 @@
fi
#
#################################################################################
#
# Ideas:
# Suggestion to disable iptables if nftables is enabled
# Check for specific features in nftables releases
#
#################################################################################
#
# Test : FIRE-4586
# Description : Check firewall logging
@ -520,6 +514,12 @@ Report "firewall_software=${FIREWALL_SOFTWARE}"
WaitForKeyPress
#
#################################################################################
#
# TODO
# Suggestion to disable iptables if nftables is enabled
# Check for specific features in nftables releases
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

@ -40,10 +40,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
LogText "Test: Checking for systemd default.target"
if [ -L /etc/systemd/system/default.target ]; then
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
LogText "Result: symlink found"
if HasData "${READLINKBINARY}"; then
FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
if ! HasData "${FIND}"; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
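Review bot: the exception text still names the fixed path (`LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"`) while the symlink test and the readlink call directly above it were changed to `${ROOTDIR}etc/systemd/system/default.target`; use the same `${ROOTDIR}` form in the message so the log reports the path that was actually checked.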
@ -65,9 +65,9 @@
fi
else
LogText "Result: no systemd found, so trying inittab"
LogText "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then
LogText "Result: file /etc/inittab found"
LogText "Test: Checking ${ROOTDIR}etc/inittab"
if [ -f ${ROOTDIR}etc/inittab ]; then
LogText "Result: file ${ROOTDIR}etc/inittab found"
LogText "Test: Checking default Linux run level"
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1)
if IsEmpty "${FIND}"; then
@ -211,13 +211,13 @@
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if HasData "${FIND}"; then
LogText "Loaded modules according lsmod:"
N=0
for I in ${FIND}; do
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 6 --text "Found ${N} active modules"
Display --indent 6 --text "Found ${COUNT} active modules"
else
LogText "Result: no loaded modules found"
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
@ -295,13 +295,13 @@
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
N=0
for I in ${FIND}; do
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
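Review bot: the module listing in this hunk still runs a bare `kldstat` from PATH, whereas the next test was changed to `${ROOTDIR}sbin/kldstat` after checking that it exists. Because `$?` after `FIND=$(kldstat | ... | ${CUTBINARY} -d ' ' -f6)` reflects only the last command in the pipeline, a missing kldstat leaves `$?` at 0 with an empty FIND, so the "Test failed" branch is never reached and "Found 0 kernel modules" is displayed instead; resolve the binary the same way as in the following test, or check FIND with HasData.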
@ -321,24 +321,24 @@
LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ -f ${ROOTDIR}sbin/kldstat ]; then
FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6)
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
N=0
for I in ${FIND}; do
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Loaded module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
COUNT=$((COUNT + 1))
done
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
Display --indent 4 --text "Found ${COUNT} kernel modules" --result "${STATUS_DONE}" --color GREEN
else
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
LogText "Result: Problem with executing kldstat"
fi
else
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
LogText "Result: no results, can't find /sbin/kldstat"
LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat"
fi
fi
#
@ -351,9 +351,9 @@
LogText "Test: searching loaded kernel modules"
FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
if HasData "${FIND}"; then
for I in ${FIND}; do
LogText "Found module: ${I}"
Report "loaded_kernel_module[]=${I}"
for ITEM in ${FIND}; do
LogText "Found module: ${ITEM}"
Report "loaded_kernel_module[]=${ITEM}"
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
else
@ -370,21 +370,21 @@
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
LogText "Result: found /usr/bin/apt-cache"
LogText "Test: checking readlink location of /vmlinuz"
if [ -f /vmlinuz ]; then
FINDKERNFILE=$(readlink -f /vmlinuz)
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-cache"
LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz"
if [ -f ${ROOTDIR}vmlinuz ]; then
FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz)
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
elif [ -e /dev/grsec ]; then
elif [ -e ${ROOTDIR}dev/grsec ]; then
FINDKERNEL=linux-image-$(uname -r)
LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
else
LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion ${TEST_NO} "Determine why /vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"
fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
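Review bot: the detail argument in `ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz"` still hardcodes `/vmlinuz` while the message text was switched to `${ROOTDIR}vmlinuz`; use the variable there too. In the same hunk, `readlink`, `dpkg`, `uname` and `apt-cache policy` are invoked by bare name rather than through the `*BINARY` variables used for awk, egrep, cut and tr on the surrounding lines.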

@ -281,21 +281,21 @@
#
# Test : LOGG-2150
# Description : Checking log directories rotated with logrotate
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${LOGROTATEBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if [ "${FIND}" = "" ]; then
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}" ]; then
LogText "Result: nothing found"
else
LogText "Result: found one or more directories (via logrotate configuration)"
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Directory found: ${I}"
Report "log_directory[]=${I}"
for DIR in ${FIND}; do
if [ -d ${DIR} ]; then
LogText "Directory found: ${DIR}"
Report "log_directory[]=${DIR}"
else
LogText "Directory could not be found: ${I}"
LogText "Result: Directory could not be found: ${DIR}"
fi
done
fi
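Review bot: `if IsEmpty "${FIND}" ]; then` has a stray `]` left over from the old `[ "${FIND}" = "" ]` test. It does not produce a syntax error, because the `]` is simply passed to IsEmpty as a second argument, so the defect is silent; it should read `if IsEmpty "${FIND}"; then`, as in the other conversions in this commit.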

@ -126,7 +126,7 @@
#
# Test : MACF-6234
# Description : Check SELINUX status
if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled
@ -180,7 +180,7 @@
else
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if [ ! -z "${GRADMBINARY}" ]; then
if HasData "${GRADMBINARY}"; then
FIND=$(${GRADMBINARY} --status)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1

@ -36,7 +36,7 @@
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
SYMANTEC_SCANNER_RUNNING=
SYMANTEC_SCANNER_RUNNING=0
#
#################################################################################
#

@ -67,26 +67,26 @@
# Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no search domains found, default domain is being used"
else
for I in ${FIND}; do
LogText "Found search domain: ${I}"
Report "resolv_conf_search_domain[]=${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found search domain: ${ITEM}"
Report "resolv_conf_search_domain[]=${ITEM}"
COUNT=$((COUNT + 1))
done
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
LogText "Result: Found ${N} search domains"
if [ ${COUNT} -gt 6 ]; then
LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW
ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
LogText "Result: Found ${N} search domains"
LogText "Result: Found ${COUNT} search domains"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN
fi
fi
@ -115,15 +115,16 @@
if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
else
for I in ${FIND}; do
LogText "Found option: ${I}"
Report "resolv_conf_option[]=${I}"
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
for ITEM in ${FIND}; do
LogText "Found option: ${ITEM}"
Report "resolv_conf_option[]=${ITEM}"
# TODO add suggestions for the related options
# rotate --> add performance tune point
# timeout --> add performe tune point when smaller than 3 seconds
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN
fi
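Review bot: "performe" in the comment `# timeout --> add performe tune point when smaller than 3 seconds` should be "performance". The two messages `LogText "Result: no specific other options configured in /etc/resolv.conf"` and the `Display ... "- Checking /etc/resolv.conf options"` lines still print the fixed path, while the grep just above them reads `${ROOTDIR}etc/resolv.conf`; use `${ROOTDIR}` in the text, as the search-domain test earlier in this file already does.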
@ -171,25 +172,10 @@
Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name"
if [ ${SKIPTEST} -eq 0 ]; then
DOMAINNAME=""
# NIS
#LogText "Test: Checking file /etc/domainname"
#if [ -f /etc/domainname ]; then
# LogText "Result: file /etc/domainname exists"
# FIND2=$(cat /etc/domainname)
# if [ ! "${FIND}" = "" ]; then
# LogText "Found domain name: ${FIND}"
# DOMAINNAME="${FIND}"
# else
# LogText "Result: no domain name found in file"
# fi
# else
# LogText "Result: file /etc/domainname does not exist"
#fi
LogText "Test: Checking if dnsdomainname command is available"
if [ ! -z "${DNSDOMAINNAMEBINARY}" ]; then
if HasData "${DNSDOMAINNAMEBINARY}"; then
FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
if [ ! "${FIND2}" = "" ]; then
if HasData "${FIND2}"; then
LogText "Result: dnsdomainname command returned a value"
LogText "Found domain name: ${FIND2}"
DOMAINNAME="${FIND2}"
@ -349,13 +335,6 @@
fi
#
#################################################################################
#
# Test : NAME-4208
# Description : Check DNS server type (master, slave, caching, forwarding)
#Register --test-no NAME-4050 --weight L --network NO --category security --description "Check nscd status"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4210
# Description : Check if we can determine useful information from banner
@ -379,21 +358,21 @@
#
#################################################################################
#
# Test : NAME-4212
# Test : NAME-4212 TODO
# Description : Check version option in BIND configuration
#if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no NAME-4212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check version setting in configuration"
#
#################################################################################
#
# Test : NAME-4220
# Test : NAME-4220 TODO
# Description : Check if we can perform a zone transfer of primary domain
#Register --test-no NAME-4220 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4222
# Test : NAME-4222 TODO
# Description : Check if we can perform a zone transfer of PTR (of primary domain)
#Register --test-no NAME-4222 --weight L --network NO --category security --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
@ -424,13 +403,13 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Search PowerDNS configuration file"
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
for DIR in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${DIR}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${DIR}/pdns.conf"
LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
if HasData "${POWERDNS_AUTH_CONFIG_LOCATION}"; then
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
@ -455,9 +434,9 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS backends"
FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
LogText "Found backend: ${I}"
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
LogText "Found backend: ${ITEM}"
done
Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN
else
@ -636,7 +615,7 @@
#
# Test : NAME-4406
# Description : Check server hostname mapping
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if HasData "${HOSTNAME}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"

@ -216,7 +216,6 @@
Register --test-no NETW-3004 --weight L --network NO --category security --description "Search for available network interfaces"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
N=0
case ${OS} in
AIX)
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
@ -239,12 +238,11 @@
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
;;
esac
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
LogText "Found network interface: ${I}"
N=$((N + 1))
Report "network_interface[]=${I}"
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${ITEM}"
LogText "Found network interface: ${ITEM}"
Report "network_interface[]=${ITEM}"
done
else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
@ -294,11 +292,9 @@
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
;;
esac
N=0
for I in ${FIND}; do
LogText "Found MAC address: ${I}"
N=$((N + 1))
Report "network_mac_address[]=${I}"
for ITEM in ${FIND}; do
LogText "Found MAC address: ${ITEM}"
Report "network_mac_address[]=${ITEM}"
done
fi
#
@ -350,20 +346,17 @@
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
N=0
# IPv4
for I in ${FIND}; do
LogText "Found IPv4 address: ${I}"
N=$((N + 1))
Report "network_ipv4_address[]=${I}"
for ITEM in ${FIND}; do
LogText "Found IPv4 address: ${ITEM}"
Report "network_ipv4_address[]=${ITEM}"
done
# IPv6
for I in ${FIND2}; do
LogText "Found IPv6 address: ${I}"
N=$((N + 1))
Report "network_ipv6_address[]=${I}"
for ITEM in ${FIND2}; do
LogText "Found IPv6 address: ${ITEM}"
Report "network_ipv6_address[]=${ITEM}"
done
fi
#
#################################################################################
@ -373,7 +366,7 @@
Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
N=0
COUNT=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! -z "${SOCKSTATBINARY}" ]; then
@ -440,26 +433,26 @@
# Retrieve information from sockstat, when available
LogText "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
if HasData "${FIND}"; then
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}"
done
fi
if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do
N=$((N + 1))
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
for ITEM in ${FIND2}; do
COUNT=$((COUNT + 1))
LogText "Found listening info: ${ITEM}"
Report "network_listen_port[]=${ITEM}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN
Display --indent 6 --text "* Found ${N} ports"
Display --indent 6 --text "* Found ${COUNT} ports"
fi
fi
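Review bot: the HasData conversion is incomplete in this hunk: the first check became `if HasData "${FIND}"; then`, but `if [ ! "${FIND2}" = "" ]; then` and `if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then` a few lines below keep the old string comparisons. Convert the remaining two as well so the pattern is uniform within the test.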
#
@ -473,14 +466,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} PROMISC | ${CUTBINARY} -d ':' -f1)
if [ ! "${FIND}" = "" ]; then
if HasData "${FIND}"; then
LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
for ITEM in ${FIND}; do
WHITELISTED=0
for PROFILE in ${PROFILES}; do
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
if [ ! "${ISWHITELISTED}" = "" ]; then
Debug "Checking if interface ${ITEM} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${ITEM}:" ${PROFILE})
if HasData "${ISWHITELISTED}"; then
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
fi
@ -543,8 +536,10 @@
#
#################################################################################
#
# Test : NETW-3020
# Description : Checking multipath configuration (Solaris)
# Do you have a multipath configuration on Linux or other OS? Create a related test and send in a pull request on GitHub
# Test : NETW-3020 TODO
# Description : Checking multipath configuration
#
#################################################################################
#
@ -557,7 +552,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state"
FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
if IsEmpty "${OPTIONS_CONN_MAX_WAIT_STATE}"; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW

@ -62,10 +62,10 @@
#
# Test : PKGS-7302
# Description : Query FreeBSD/NetBSD pkg_info
if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info"
@ -74,13 +74,13 @@
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
for ITEM in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@ -93,6 +93,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found brew"
PACKAGE_MGR_PKG=1
Report "package_manager[]=brew"
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
@ -120,9 +121,9 @@
Display --indent 4 --text "- Querying portage for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
for J in ${GPACKAGES}; do
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
for PKG in ${GPACKAGES}; do
LogText "Found package ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
else
LogText "Result: emerge can NOT be found on this system"
@ -139,6 +140,7 @@
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo"
PACKAGE_MGR_PKG=1
LogText "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages"
LogText "Output:"; LogText "-----"
@ -159,7 +161,7 @@
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm"
@ -172,14 +174,14 @@
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
else
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{print $2}')
LogText "Found package: ${J}"
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
LogText "Found package: ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
else
LogText "Result: RPM binary NOT found on this system, test skipped"
@ -192,10 +194,11 @@
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman"
PACKAGE_MGR_PKG=1
LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
LogText "Output:"; LogText "--------"
@ -204,14 +207,14 @@
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{ print $1 }')
PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{ print $2 }')
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
fi
#
@ -322,20 +325,20 @@
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
N=$((N + 1))
LogText "Installed package: ${I}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
for PKG in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Installed package: ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
else
# Could not find any installed packages
ReportException ${TEST_NO} "No installed packages found with Zypper"
ReportException "${TEST_NO}" "No installed packages found with Zypper"
fi
fi
#
@ -357,10 +360,10 @@
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:"
for I in ${FIND}; do
for PKG in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@ -368,28 +371,80 @@
fi
#
#################################################################################
#
# Test : PKGS-7332
# Description : Query macOS ports
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with port" --result "{STATUS_FOUND}" --color GREEN
Report "package_manager[]=port"
PACKAGE_MGR_PKG=1
LogText "Result: Found port utility"
LogText "Test: Querying port to get package list"
Display --indent 6 --text "- Querying port for installed packages"
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed | ${GREPBINARY} active)
for ITEM in ${SPACKAGES}; do
SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2 | ${CUTBINARY} -d' ' -f1)
LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"
done
fi
fi
#
#################################################################################
#
# Test : PKGS-7334
# Description : Query macOS ports for available port upgrades
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
LogText "Test: Querying ports for possible port upgrades"
UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
for J in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
done
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : PKGS-7345
# Description : Debian package based systems (dpkg)
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
PACKAGE_MGR_PKG=1
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
for J in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
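Review bot: the MacPorts detection at the top of this hunk (PKGS-7332) cannot succeed on a system that actually has ports installed: `FIND` holds the complete `port installed | grep active | sort` listing followed by the exit status, so `[ "${FIND}" = "0" ]` is true only when no active port exists. Capture the listing once, e.g. `SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed 2> /dev/null | ${GREPBINARY} active)`, and branch on `HasData "${SPACKAGES}"` (or on `$?`). Three more problems in the same block: `--result "{STATUS_FOUND}"` lacks the `$`; `INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"` reads an undefined variable, so the list is overwritten on every iteration instead of accumulated (should be `${INSTALLED_PACKAGES}`); and `for ITEM in ${SPACKAGES}` splits on whitespace, so a line like `gettext @0.19.8.1_2 (active)` arrives as three separate items and `cut -d@` never sees the `name@version` form. Piping through `${AWKBINARY} '/active/ { print $1 $2 }'` yields `gettext@0.19.8.1_2`, which the existing cut commands handle. In PKGS-7334, `port outdated` prints a header line (and `No installed ports are outdated.` when nothing is outdated), so `cut -d' ' -f1` yields tokens such as `No` and `COUNT` is never 0; restrict the count to the entry lines (those containing `<`) first. Finally, PKGS-7345 still runs `dpkg -l` and `sort` unqualified although its prerequisite check uses `${ROOTDIR}usr/bin/dpkg` and `${SORTBINARY}` is available; PKGS-7346 in the next hunk was converted, this one was not.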
@ -399,12 +454,12 @@
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
if [ -z "${SPACKAGES}" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
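Review bot: `sort` at the end of the `dpkg -l` pipeline is still resolved through PATH while `dpkg` itself was just converted to `${ROOTDIR}usr/bin/dpkg`; `${SORTBINARY}` is used for the same purpose elsewhere in this file (PKGS-7332) and should be used here too, otherwise the full-path change only covers half of the pipeline.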
@ -413,10 +468,10 @@
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
for J in ${SPACKAGES}; do
N=$((N + 1))
COUNT=$((COUNT + 1))
LogText "Found unpurged package: ${J}"
done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
LogText "Result: dpkg can NOT be found on this system, test skipped"
@ -431,8 +486,8 @@
# Add portmaster --clean-distfiles-all
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portsclean ]; then
FIND=$(/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
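Review bot: `wc -l` in the portsclean pipeline is still unqualified although `${WCBINARY}` exists and is used in PKGS-7393; since this hunk already touches the line to add `${ROOTDIR}`, it is the natural place to switch to `${WCBINARY} -l` as well.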
@ -452,6 +507,7 @@
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
Report "package_manager[]=dnf"
@ -460,14 +516,14 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Report "installed_packages=${N}"
Report "installed_packages=${COUNT}"
fi
#
#################################################################################
@ -594,19 +650,20 @@
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
for J in ${UPACKAGES}; do
N=$((N + 1))
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
for PKG in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${PKG}"
Report "upgrade_available[]=${PKG}"
done
Report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then
LogText "Result: no upgrades found"
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no updates found"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
else
LogText "Result: found ${COUNT} updates"
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
@ -617,11 +674,11 @@
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/sbin/pkg_admin ]; then
if [ -x ${ROOTDIR}usr/sbin/pkg_admin ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit"
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
FIND=$(/usr/sbin/pkg_admin audit)
if [ -f ${ROOTDIR}var/db/pkg/pkgs-vulnerabilities ]; then
FIND=$(${ROOTDIR}usr/sbin/pkg_admin audit)
if [ -z "${FIND}" ]; then
LogText "Result: pkg_admin audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -631,7 +688,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
for I in $(/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
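Review bot: `pkg_admin audit` is executed twice: once into `FIND` before this hunk and again in `for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ...)`. The second run is unnecessary and the two runs can disagree if the vulnerability database changes in between; iterate over the captured output instead, e.g. `for I in $(echo "${FIND}" | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u)`. While touching the loop, the `I` loop variable could get the descriptive name (`PKG`) this commit uses in the other package tests.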
@ -701,11 +758,11 @@
# Test : PKGS-7382
# Description : Check for vulnerable FreeBSD packages
# Notes : Newer machines should use pkg audit instead of portaudit
if [ -x /usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
FIND=$(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
if [ -z "${FIND}" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -716,10 +773,10 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
for I in $(/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
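Review bot: as with pkg_admin above, `portaudit` runs a second time to feed this loop even though it was already invoked at the top of the test. Because the first invocation is filtered down to the `problem(s) in your installed packages found` summary line, the fix is to capture the raw `portaudit` output once into a variable and derive both the summary check and the `Affected package` list from it with `${GREPBINARY}`; that removes the duplicate run and guarantees the warning and the reported package list come from the same audit.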
@ -753,11 +810,11 @@
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/bin/package-cleanup ]; then
LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then
LogText "Result: found YUM utils package (${ROOTDIR}usr/bin/package-cleanup)"
# Check for duplicates
LogText "Test: Checking for duplicate packages"
FIND=$(/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
@ -770,7 +827,7 @@
# Check for package database problems
LogText "Test: Checking for database problems"
FIND=$(/usr/bin/package-cleanup --problems > /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
@ -869,7 +926,7 @@
#
# Test : PKGS-7387
# Description : Search for YUM GPG check
if [ -x /usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! -z "${PYTHONBINARY}" ]; then
@ -892,16 +949,18 @@
done
fi
FOUND=0
FileExists /etc/yum.conf
FileExists ${ROOTDIR}etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^gpgenabled\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
AddHP 2 3
fi
fi
fi
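Review bot: the newly added `AddHP 2 3` in the `else` branch awards two of three hardening points to a yum.conf that has no `gpgenabled=1`/`gpgcheck=1` at all, directly after the test reports a warning and shows the result in RED, while the enabled branch gets `AddHP 3 3`. A disabled signature check should score clearly lower (`AddHP 0 3`), otherwise the hardening index barely distinguishes signed from unsigned package installation. Note also that only `yum.conf` is inspected; a `gpgcheck=0` in an individual repository file overrides the global setting and is not detected, which is worth a follow-up test.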
@ -959,11 +1018,11 @@
#
# Test : PKGS-7390
# Description : Check Ubuntu database consistency
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check"
FIND=$(/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
LogText "Result: package database seems to be consistent."
@ -979,7 +1038,7 @@
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@ -989,16 +1048,20 @@
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
# Update the repository, outdated repositories don't give much information
LogText "Action: updating repository with apt-get"
/usr/bin/apt-get -q=2 update
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating package repository with apt-get"
${ROOTDIR}usr/bin/apt-get -q=2 update
LogText "Result: apt-get finished"
LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
if [ -x /usr/lib/update-notifier/apt-check ]; then
else
LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
fi
LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
if [ -x ${ROOTDIR}usr/lib/update-notifier/apt-check ]; then
PACKAGE_AUDIT_TOOL="apt-check"
LogText "Result: found /usr/lib/update-notifier/apt-check"
LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=$(/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
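Review bot: `${ROOTDIR}usr/bin/apt-get -q=2 update` runs with stdout and stderr attached to the audit's terminal, so repository errors and progress text interleave with Lynis' own output; the equivalent Gentoo refresh in PKGS-7393 redirects with `2> /dev/null`, and it would be consistent to do the same here and log the exit status instead of an unconditional "apt-get finished". Gating the refresh on `REFRESH_REPOSITORIES` is the right call: an audit should not change package lists unless explicitly asked to.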
@ -1028,9 +1091,9 @@
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
for I in ${FIND}; do
LogText "Found vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
for PKG in ${FIND}; do
LogText "Found vulnerable package: ${PKG}"
Report "vulnerable_package[]=${PKG}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
@ -1052,7 +1115,7 @@
#
# Test : PKGS-7393
# Description : Check Gentoo vulnerable packages
if [ -x /usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ -x ${ROOTDIR}usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@ -1063,19 +1126,19 @@
# "most friendly" way.
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null
${ROOTDIR}usr/bin/emerge-webrsync --quiet 2> /dev/null
LogText "Result: emerge-webrsync finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled"
fi
LogText "Test: checking if /usr/bin/glsa-check exists"
if [ -x /usr/bin/glsa-check ]; then
LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
if [ -x ${ROOTDIR}usr/bin/glsa-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
LogText "Result: found /usr/bin/glsa-check"
LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
FIND=$(/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
FIND=$(${ROOTDIR}usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
if [ -z "${FIND}" ]; then
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
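Review bot: the `if [ -z "${FIND}" ]` check at the end of this hunk is unreachable: `${WCBINARY} -l` always prints a number, so `FIND` is never empty and the "unexpected result" branch never fires. If the intent is to catch glsa-check failing, test its exit status, or check the filtered output for emptiness before piping it into wc. Note also that `2>&1` folds any glsa-check warning on stderr into the line count, which would then be reported as a vulnerable package that does not exist.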
@ -1106,11 +1169,11 @@
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking /usr/bin/apt-show-versions"
if [ -x /usr/bin/apt-show-versions ]; then
LogText "Result: found /usr/bin/apt-show-versions"
LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
if [ -x ${ROOTDIR}usr/bin/apt-show-versions ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
FIND=$(/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${ROOTDIR}usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
@ -1125,7 +1188,7 @@
done
fi
else
LogText "Result: /usr/bin/apt-show-versions not found"
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
@ -1158,7 +1221,7 @@
#################################################################################
#
# Description : AIX patches
# Notes : /usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
# Notes : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
#
#################################################################################
#


@ -88,15 +88,15 @@
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching cupsd configuration file"
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
if FileIsReadable ${I}/cupsd.conf; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
for DIR in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${DIR}/cupsd.conf ]; then
if FileIsReadable ${DIR}/cupsd.conf; then
CUPSD_CONFIG_FILE="${DIR}/cupsd.conf"
LogText "Result: found ${CUPSD_CONFIG_FILE}"
fi
fi
done
if [ ! -z "${CUPSD_CONFIG_FILE}" ]; then
if HasData "${CUPSD_CONFIG_FILE}"; then
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
@ -111,12 +111,12 @@
#
# Test : PRNT-2307
# Description : Check CUPSd configuration file permissions
# To Do : Add function
# TODO : Add function
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking CUPS configuration file permissions"
FIND=$(ls -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
@ -139,17 +139,17 @@
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
N=0
for I in ${FIND}; do
LogText "Found network address: ${I}"
N=$((N + 1))
COUNT=0
for ITEM in ${FIND}; do
LogText "Found network address: ${ITEM}"
COUNT=$((COUNT + 1))
FOUND=1
done
# Check if daemon is only running on localhost
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no listen statement found in CUPS configuration file"
elif [ ${N} -eq 1 ]; then
elif [ ${COUNT} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
@ -167,12 +167,12 @@
# Checking sockets
LogText "Test: Checking cups daemon listening sockets"
FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }')
for I in ${FIND}; do
LogText "Found socket address: ${I}"
N=$((N + 1))
for ITEM in ${FIND}; do
LogText "Found socket address: ${ITEM}"
COUNT=$((COUNT + 1))
done
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE
LogText "Result: no addresses found on which CUPS daemon is listening"
else
@ -255,17 +255,17 @@
Register --test-no PRNT-2420 --os AIX --weight L --network NO --category security --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir
DirectoryExists ${ROOTDIR}var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
N=0
for I in ${FIND}; do
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
FIND=$(find ${ROOTDIR}var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
if HasData "${FIND}"; then
COUNT=0
for ITEM in ${FIND}; do
FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found old print job: ${FILE}"
N=$((N + 1))
COUNT=$((COUNT + 1))
done
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
LogText "Result: Found ${COUNT} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
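Review bot: `find` in the old-print-jobs query is still resolved via PATH while the directory check directly above it was converted to `${ROOTDIR}`; `${FINDBINARY}` is used for the same purpose in the cron tests. The result line and the suggestion at the end of the hunk also still hardcode `/var/spool/lpd/qdir`; use `${ROOTDIR}var/spool/lpd/qdir` there too so the log matches the path that was actually searched.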


@ -36,8 +36,9 @@
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no cron daemon found"
AddHP 3 3
else
LogText "Result: cron daemon running"
CROND_RUNNING=1
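Review bot: the new `AddHP 3 3` in the "no cron daemon found" branch awards full points to a system without cron, while a system running cron receives nothing from this test unless the crontab and cron.d checks in the next hunk award them. If they do not, every ordinary server loses three hardening points for a baseline service; consider awarding the points in the running branch when the file permission and ownership checks pass, or lowering the score here.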
@ -63,42 +64,42 @@
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE}
for I in ${sCRONJOBS}; do
LogText "Found cronjob (${CRONTAB_FILE}): ${I}"
Report "cronjob[]=${I}"
for ITEM in ${sCRONJOBS}; do
LogText "Found cronjob (${CRONTAB_FILE}): ${ITEM}"
Report "cronjob[]=${ITEM}"
done
fi
CRON_DIRS="${ROOTDIR}etc/cron.d"
for I in ${CRON_DIRS}; do
LogText "Test: checking directory ${I}"
if [ -d ${I} ]; then
if FileIsReadable ${I}; then
LogText "Result: found directory ${I}"
LogText "Test: searching files in ${I}"
FIND=$(${FINDBINARY} ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
if [ -z "${FIND}" ]; then
LogText "Result: no files found in ${I}"
for DIR in ${CRON_DIRS}; do
LogText "Test: checking directory ${DIR}"
if [ -d ${DIR} ]; then
if FileIsReadable ${DIR}; then
LogText "Result: found directory ${DIR}"
LogText "Test: searching files in ${DIR}"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
if IsEmpty "${FIND}"; then
LogText "Result: no files found in ${DIR}"
else
LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${J}
if [ ! -z "${sCRONJOBS}" ]; then
LogText "Result: found one or more files in ${DIR}. Analyzing files.."
for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do
LogText "Result: Found cronjob (${J}): ${K}"
Report "cronjob[]=${J}"
LogText "Result: Found cronjob (${FILE}): ${K}"
Report "cronjob[]=${FILE}"
done
fi
done
LogText "Result: done with analyzing files in ${I}"
LogText "Result: done with analyzing files in ${DIR}"
fi
else
LogText "Result: can not read file or directory ${I}"
LogText "Result: can not read file or directory ${DIR}"
fi
else
LogText "Result: directory ${I} does not exist"
LogText "Result: directory ${DIR} does not exist"
fi
done
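Review bot: the rename of the loop variable from `J` to `FILE` is incomplete: inside `for FILE in ${FIND}; do` the two permission checks still log and report `${J}` (`Report "insecure_fileperms_cronjob[]=${J}"` and `Report "bad_fileowner_cronjob[]=${J}"`), which is now unset, so world-writable or non-root-owned files in cron.d are reported with an empty file name. Replace `${J}` with `${FILE}` in both lines. Separately, `Report "cronjob[]=${FILE}"` inside the `FindCronJob` loop emits the file name once per job, whereas the crontab block above reports the job itself (`Report "cronjob[]=${ITEM}"`); reporting `${K}` here would make the two consistent, and `K` could take a descriptive name like the other loop variables in this commit.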
@ -218,11 +219,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
AT_UNKNOWN=0
case ${OS} in
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
FreeBSD) AT_ALLOW="${ROOTDIR}var/at/at.allow"; AT_DENY="${ROOTDIR}var/at/at.deny" ;;
HPUX) AT_ALLOW="${ROOTDIR}usr/lib/cron/at.allow"; AT_DENY="${ROOTDIR}usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="${ROOTDIR}etc/at.allow"; AT_DENY="${ROOTDIR}etc/at.deny" ;;
OpenBSD) AT_ALLOW="${ROOTDIR}var/cron/at.allow"; AT_DENY="${ROOTDIR}var/cron/at.deny" ;;
SunOS) AT_ALLOW="${ROOTDIR}etc/cron.d/at.allow"; AT_DENY="${ROOTDIR}etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
esac
if [ ${AT_UNKNOWN} -eq 0 ]; then
@ -232,11 +233,11 @@
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=$(${SORTBINARY} ${AT_ALLOW})
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: File empty, no users are allowed to schedule at jobs"
else
for I in ${FIND}; do
LogText "Allowed at user: ${I}"
for ITEM in ${FIND}; do
LogText "Allowed at user: ${ITEM}"
done
fi
else
@ -253,8 +254,8 @@
if [ -z "${FIND}" ]; then
LogText "Result: file is empty, no users are denied access to schedule jobs"
else
for I in ${FIND}; do
LogText "Denied at user: ${I}"
for ITEM in ${FIND}; do
LogText "Denied at user: ${ITEM}"
done
fi
else
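Review bot: the `[ -z "${FIND}" ]` check on the at.deny contents was left as is while the matching check on at.allow in the previous hunk was converted to `IsEmpty "${FIND}"`; converting this one too keeps the two branches symmetric and matches the stated goal of the commit.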
@ -281,10 +282,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check scheduled at jobs"
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
if HasData "${FIND}"; then
LogText "Result: found one or more jobs"
for I in ${FIND}; do
VALUE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
for ITEM in ${FIND}; do
VALUE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found at job: ${VALUE}"
done
Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN


@ -201,63 +201,62 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: checking ACLs"
FIND=$(${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
else
for I in ${FIND}; do
N=$((N + 1))
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found ACL: ${I}"
#Report "squid_acl=${I}"
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "Found ACL: ${ITEM}"
#Report "squid_acl=${ITEM}" # TODO
done
LogText "Result: Found ${N} ACLs"
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
LogText "Result: Found ${COUNT} ACLs"
Display --indent 6 --text "- Checking Access Control Lists" --result "${COUNT} ACLs FOUND" --color GREEN
fi
fi
#
#################################################################################
#
# Test : SQD-3624 [T]
# Test : SQD-3624
# Description : Check unsecure ports in Safe_ports list
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking ACL Safe_ports http_access option"
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
LogText "Result: checking ACL safe ports"
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
if [ -z "${FIND2}" ]; then
if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
LogText "Result: Safe_ports found"
for I in ${FIND}; do
LogText "Found safe port: ${I}"
for ITEM in ${FIND}; do
LogText "Found safe port: ${ITEM}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
if [ -z "${FIND2}" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
for ITEM in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${ITEM} in Safe_ports list"
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${ITEM}" ${SQUID_DAEMON_CONFIG})
if IsEmpty "${FIND2}"; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${ITEM})" --result "${STATUS_FOUND}" --color RED
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${ITEM}"
AddHP 0 1
fi
done
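Review bot: the "Found safe port" loop (`for ITEM in ${FIND}; do` / `LogText "Found safe port: ${ITEM}"`) iterates over FIND, which holds the matching http_access lines, while the port list itself was extracted into FIND2 two lines earlier; as written it logs the words of the http_access rule rather than the ports, so the loop should read `for ITEM in ${FIND2}; do`. The I-to-ITEM rename carried this mix-up over unchanged. Also `N=0` at the top of SQD-3624 is still unused (the equivalent line was dropped from SQD-3630 in this commit), and the stray `#SQUID_DAEMON_UNSAFE_PORTS_LIST` comment above the unsafe-ports loop can go with it.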
@ -277,10 +276,9 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking option reply_body_max_size"
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
if IsEmpty "${FIND}"; then
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
AddHP 1 2
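Review bot: the prerequisite line for SQD-3630 still tests `! -z "${SQUID_DAEMON_CONFIG}"` while the body of the test moved to IsEmpty; for consistency with the rest of this commit that check is a candidate for HasData. Separately, the not-configured branch displays the result in RED yet awards `AddHP 1 2`, which reads as a partial score for a missing option; either document why an absent reply_body_max_size still earns a point or score it `AddHP 0 2`.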


@ -250,30 +250,30 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! -z "${NTPQBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
COUNT=0
LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=$(${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($2!=".POOL." && $3=="16") { print $1 }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: All peers are lower than stratum 16"
else
for I in ${FIND}; do
LogText "Found stratum 16 peer: ${I}"
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE})
if [ -z "${FIND2}" ]; then
N=$((N + 1))
Report "ntp_stratum_16_peer[]=${I}"
for ITEM in ${FIND}; do
LogText "Found stratum 16 peer: ${ITEM}"
FIND2=$(${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${ITEM}:" ${PROFILE})
if IsEmpty "${FIND2}"; then
COUNT=$((COUNT + 1))
Report "ntp_stratum_16_peer[]=${ITEM}"
else
LogText "Output: host ${I} ignored by profile"
LogText "Output: host ${ITEM} ignored by profile"
fi
done
# Check if one or more high stratum time servers are found
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found one or more high stratum (16) peers)"
LogText "Result: Found ${COUNT} high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for stratum 16 peers"
fi
fi
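Review bot: the log line `LogText "Result: Found ${COUNT} high stratum (16) peers)"` keeps an unbalanced closing parenthesis from the old text; `(16) peers"` is enough. The outer `if [ -z "${FIND}" ]` is also left in the old form although the inner `-z` on FIND2 became IsEmpty in the same hunk; converting both keeps the style uniform. Minor: the OK display and log for the all-peers-fine case appear twice (once when FIND is empty, once when COUNT stays 0), which could be collapsed by running the loop unconditionally and keeping only the COUNT check.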


@ -31,6 +31,8 @@
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
PERFORM_FAIL2BAN_TESTS=0
SNORT_FOUND=0
SNORT_RUNNING=0
#
#################################################################################
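Review bot: the new initialisations cover SNORT_FOUND and SNORT_RUNNING but not SNORT_CONFIG and SNORT_LOG, which TOOL-5120 and TOOL-5122 later assign from ps output; given the commit's stated goal of initialising variables, add `SNORT_CONFIG=""` and `SNORT_LOG=""` here as well so both have a defined value when those tests are skipped.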
#
@ -160,7 +162,7 @@
#
#################################################################################
#
# Intrusion Prevention tools
# Intrusion Detection and Prevention tools
#
#################################################################################
#
@ -299,6 +301,52 @@
# fi
#
#################################################################################
#
# Test : TOOL-5120
# Description : Check for Snort
Register --test-no TOOL-5120 --weight L --network NO --category security --description "Check for presence of Snort"
if [ ${SKIPTEST} -eq 0 ]; then
# Snort presence
if [ -n "${SNORTBINARY}" ]; then
SNORT_FOUND=1
IDS_IPS_TOOL_FOUND=1
LogText "Result: Snort is installed (${SNORTBINARY})"
Report "ids_ips_tooling[]=snort"
Display --indent 2 --text "- Checking presence of Snort" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning snort
if [ ${SNORT_RUNNING} -eq 1 ]; then
SNORT_FOUND=1
SNORT_RUNNING=1
SNORT_LOG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $4}' | ${HEADBINARY} -1)
else
LogText "Result: Snort not present (Snort not running)"
fi
fi
#
#################################################################################
#
# Test : TOOL-5122
# Description : Check for Snort configuration
Register --test-no TOOL-5122 --weight L --network NO --category security --description "Check Snort configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
# Continue if tooling is available and snort is running
if [ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]; then
if [ ${SNORT_FOUND} -eq 1 ] && [ ${SNORT_RUNNING} -eq 1 ]; then
SNORT_CONFIG=$(${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}' | ${HEADBINARY} -1)
if HasData "${SNORT_CONFIG}"; then
LogText "Result: found Snort configuration file: ${SNORT_CONFIG}"
Report "snort_config=${SNORT_CONFIG}"
fi
SNORT=$(which snort 2> /dev/null)
fi
fi
fi
#
#################################################################################
#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool
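Review bot: in TOOL-5120 the running branch is unreachable as written: `IsRunning snort` is called, but the next line tests `${SNORT_RUNNING}`, which is initialised to 0 and is only set to 1 inside that very branch, so unless IsRunning itself assigns SNORT_RUNNING the condition should check whatever flag IsRunning does set and then assign `SNORT_RUNNING=1`. The else branch also logs "Snort not present (Snort not running)" even when the binary was found a few lines earlier; log "not running" instead. In TOOL-5122, `[ -n ${SNORT_FOUND} ] || [ -n ${SNORT_RUNNING} ]` is always true because both variables hold the non-empty strings "0" or "1", so the outer if is redundant and its comment ("and snort is running") contradicts the `||`; the inner `-eq 1` checks are the real condition. `SNORT=$(which snort 2> /dev/null)` is assigned but never used and duplicates SNORTBINARY; drop it. Finally, deriving SNORT_CONFIG and SNORT_LOG from `${PSBINARY} | ${AWKBINARY} -F-.. '/snort/ {print $3}'` depends on the order of the command-line options, so field 3 and field 4 are only the config and log paths for one particular argument order; document that assumption or match the `-c`/`-l` options explicitly.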


@ -193,6 +193,9 @@
#
#################################################################################
#
# TODO
# Do you have Apache running and want to contribute? Help us testing this control and send in a pull request
# Test : HTTP-6630
# Description : Search for all loaded modules
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -219,24 +222,24 @@
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching available Apache modules"
N=0
for I in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${I}
COUNT=0
for DIR in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${DIR}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=$(find ${I} -name "mod_*" -print | sort)
for J in ${FIND}; do
Report "apache_module[]=${J}"
LogText "Result: found Apache module ${J}"
N=$((N + 1))
FIND=$(${FINDBINARY} ${DIR} -name "mod_*" -print | ${SORTBINARY})
for ITEM in ${FIND}; do
Report "apache_module[]=${ITEM}"
LogText "Result: found Apache module ${ITEM}"
COUNT=$((COUNT + 1))
done
fi
done
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
Display --indent 8 --text "- Found ${N} loadable modules"
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND} (${COUNT})" --color GREEN
Display --indent 8 --text "- Found ${COUNT} loadable modules"
fi
fi
#
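Review bot: the found case now prints the count twice, `--result "${STATUS_FOUND} (${COUNT})"` followed by `- Found ${COUNT} loadable modules`; keep one of them. This hunk also replaces plain find and sort with ${FINDBINARY} and ${SORTBINARY}, but if either variable is empty the pipeline silently degrades to `${DIR} -name "mod_*" -print`, so the prerequisite for HTTP-6632 should also require both binaries to be set, as PLGN-3810 in this same commit does for FINDBINARY.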
@ -300,7 +303,7 @@
#
#################################################################################
#
# Test : HTTP-6660
# Test : HTTP-6660 TODO
# Description : Search for "TraceEnable off" in configuration files
#
#################################################################################
@ -311,7 +314,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching running nginx process"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
if [ ! -z "${FIND}" ]; then
if HasData "${FIND}"; then
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
NGINX_RUNNING=1
@ -330,14 +333,14 @@
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching nginx configuration file"
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
for DIR in ${NGINX_CONF_LOCS}; do
if [ -f ${DIR}/nginx.conf ]; then
NGINX_CONF_LOCATION="${DIR}/nginx.conf"
LogText "Found file ${NGINX_CONF_LOCATION}"
NGINX_CONF_FILES="${I}/nginx.conf"
NGINX_CONF_FILES="${DIR}/nginx.conf"
fi
done
if [ ! -z "${NGINX_CONF_LOCATION}" ]; then
if HasData "${NGINX_CONF_LOCATION}"; then
LogText "Result: found nginx configuration file"
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
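Review bot: the loop over NGINX_CONF_LOCS does not stop at the first hit, and both NGINX_CONF_LOCATION and NGINX_CONF_FILES are overwritten on every match, so when nginx.conf exists in more than one listed directory the last one wins and only that file is parsed later; either break after the first match or append to NGINX_CONF_FILES. The path tests `[ -f ${DIR}/nginx.conf ]` are unquoted; quoting `"${DIR}/nginx.conf"` keeps them safe should a location ever contain whitespace.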
@ -357,7 +360,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
COUNT=0
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=$(${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | ${SEDBINARY} 's/;$//g')
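Review bot: `if [ ! -z "${TMPFILE}" ]` is left in the old form although the neighbouring tests in this commit moved to HasData; the guard itself is worth keeping, since an empty TMPFILE would turn the `rm -f` and the redirect into malformed commands. Because the temp file is deleted just above, the `>> ${TMPFILE}` append can also be a plain `>` redirect, which makes it obvious the file always starts empty.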
@ -366,7 +369,7 @@
for J in ${FIND2}; do
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
N=$((N + 1))
COUNT=$((COUNT + 1))
LogText "Result: found Nginx configuration file ${J}"
Report "nginx_sub_conf_file[]=${J}"
FileIsReadable ${J}
@ -390,10 +393,10 @@
# Remove unsorted file for next tests
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${N} -eq 0 ]; then
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no nginx include statements found"
else
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
Display --indent 6 --text "- Found nginx includes" --result "${COUNT} FOUND" --color GREEN
fi
fi
#
@ -407,14 +410,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options"
for I in ${NGINX_CONF_FILES}; do
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
for FILE in ${NGINX_CONF_FILES}; do
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
if FileIsReadable ${I}; then
Display --indent 8 --text "- ${I}"
ParseNginx ${I}
if FileIsReadable ${FILE}; then
Display --indent 8 --text "- ${FILE}"
ParseNginx ${FILE}
else
Display --indent 8 --text "- ${I}" --result "SKIPPED (NOT READABLE)" --color YELLOW
Display --indent 8 --text "- ${FILE}" --result "SKIPPED (NOT READABLE)" --color YELLOW
fi
else
LogText "Result: this configuration file is skipped, as it contains usually no interesting details"

lynis

@ -34,7 +34,7 @@
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
# Version details
PROGRAM_RELEASE_DATE="2017-04-23"
PROGRAM_RELEASE_DATE="2017-04-30"
PROGRAM_RELEASE_TIMESTAMP=1490800090
PROGRAM_RELEASE_TYPE="dev" # dev or final
PROGRAM_VERSION="2.5.0"
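Review bot: PROGRAM_RELEASE_DATE moves to 2017-04-30 but PROGRAM_RELEASE_TIMESTAMP stays at 1490800090, a late-March 2017 epoch value (`date -u -d @1490800090` shows it), so the two fields no longer describe the same release; bump the timestamp together with the date, or derive one from the other so they cannot drift apart.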
@ -572,9 +572,9 @@ ${NORMAL}
if [ -z "${PLUGINDIR}" ]; then
#LogText "Result: Searching for plugindir"
tPLUGIN_TARGETS="/usr/local/lynis/plugins /usr/local/share/lynis/plugins /usr/share/lynis/plugins /etc/lynis/plugins ./plugins"
for I in ${tPLUGIN_TARGETS}; do
if [ -d ${I} -a -z "${PLUGINDIR}" ]; then
PLUGINDIR=${I}
for DIR in ${tPLUGIN_TARGETS}; do
if [ -d ${DIR} -a -z "${PLUGINDIR}" ]; then
PLUGINDIR=${DIR}
Debug "Result: found plugindir ${PLUGINDIR}"
fi
done
@ -706,7 +706,7 @@ ${NORMAL}
fi
# Test for older releases, without testing via update mechanism
if [ "$OS" = "Solaris" ]; then
if [ "${OS}" = "Solaris" ]; then
NOW=$(nawk 'BEGIN{print srand()}')
else
NOW=$(date "+%s")
@ -780,7 +780,7 @@ ${NORMAL}
#################################################################################
#
# Check for systemd presence
if [ -d /lib/systemd/system -a -f /usr/lib/systemd/systemd ]; then
if [ -d ${ROOTDIR}lib/systemd/system -a -f ${ROOTDIR}usr/lib/systemd/systemd ]; then
LogText "Result: systemd is using systemd"
HAS_SYSTEMD=1
Report "systemd=1"
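Review bot: the ROOTDIR form `${ROOTDIR}lib/systemd/system` only works when ROOTDIR is empty or ends with a slash; a comment at the definition (or normalising the value there) prevents `/lib` from silently becoming `rootlib`. The context line "Result: systemd is using systemd" reads as a typo for "system is using systemd" and could be corrected while this block is being touched.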


@ -6,12 +6,12 @@
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=authentication
# PLUGIN_DATE=2017-03-01
# PLUGIN_DATE=2017-04-30
# PLUGIN_DESC=PAM
# PLUGIN_NAME=pam
# PLUGIN_PACKAGE=all
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.1
# PLUGIN_VERSION=1.0.2
#-----------------------------------------------------
#########################################################################
#
@ -27,8 +27,8 @@
if [ ${SKIPTEST} -eq 0 ]; then
for LINE in $(${GREPBINARY} -v "^#" ${FILE} | ${TRBINARY} -d " "); do
for I in ${LINE}; do
OPTION=$(echo ${I} | awk -F= '{ print $1 }')
VALUE=$(echo ${I} | awk -F= '{ print $2 }')
OPTION=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
VALUE=$(echo ${I} | ${AWKBINARY} -F= '{ print $2 }')
case ${OPTION} in
minlen)
DigitsOnly ${VALUE}
@ -69,8 +69,7 @@
if [ -d ${PAM_DIRECTORY} ]; then
LogText "Result: /etc/pam.d exists"
FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
# First check /etc/pam.conf if it exists.
#if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi
for PAM_FILE in ${FIND_FILES}; do
LogText "Now checking PAM file ${PAM_FILE}"
while read line; do
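Review bot: `FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)` still calls bare find while the rest of this commit switches to ${FINDBINARY}; change it here too. Dropping the commented-out /etc/pam.conf handling is fine, but the log line above it, "Result: /etc/pam.d exists", hard-codes the path that PAM_DIRECTORY abstracts; use `${PAM_DIRECTORY}` in the message.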
@ -370,7 +369,7 @@ Report "authentication_two_factor_required=${PAM_2F_AUTH_ENABLED}"
if [ ! "${AUTH_UNLOCK_TIME}" = "-1" ]; then
LogText "[PAM] Authentication unlock time: ${AUTH_UNLOCK_TIME}"
Report "authentication_unlock_time=${AUTH_UNLOCK_TIME}"
else
else
LogText "[PAM] Authentication unlock time: not configured"
fi
@ -383,7 +382,7 @@ fi
if [ ! "${MIN_PASSWORD_LENGTH}" = "-1" ]; then
LogText "[PAM] Minimum password length: ${MIN_PASSWORD_LENGTH}"
Report "minimum_password_length=${MIN_PASSWORD_LENGTH}"
else
else
LogText "[PAM] Minimum password length: not configured"
fi
@ -445,7 +444,7 @@ fi
if [ ! -z "${MAX_PASSWORD_RETRY}" ]; then
LogText "[PAM] Password maximum retry: ${MAX_PASSWORD_RETRY}"
Report "max_password_retry=${MAX_PASSWORD_RETRY}"
else
else
LogText "[PAM] Password maximum retry: Not configured"
fi
@ -460,7 +459,7 @@ if [ ${PAM_PASSWORD_PWHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"
else
else
LogText "[PAM] Password history with pam_pwhistory IS NOT enabled"
fi
@ -468,7 +467,7 @@ if [ ${PAM_PASSWORD_UXHISTORY_ENABLED} -eq 1 ]; then
LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}"
LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"
else
else
LogText "[PAM] Password history with pam_unix IS NOT enabled"
fi


@ -16,12 +16,12 @@
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=essentials
# PLUGIN_DATE=2016-04-28
# PLUGIN_DATE=2017-04-30
# PLUGIN_DESC=Tests related to systemd tooling
# PLUGIN_NAME=systemd
# PLUGIN_PACKAGE=community
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.1
# PLUGIN_VERSION=1.0.2
#-----------------------------------------------------
#
#########################################################################
@ -63,7 +63,7 @@
Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}"
fi
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
if [ ! "${FIND}" = "" ]; then
Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list"
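Review bot: this hunk, like the following ones in the systemd plugin, replaces `$(...)` command substitution with backticks, which runs against POSIX guidance and against the direction of the rest of this commit; backticks do not nest and make the quoting inside the sed expression harder to read, so keep `$(...)`. The pipeline also calls bare grep, sed and head where the main code uses ${GREPBINARY}, ${SEDBINARY} and ${HEADBINARY}.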
@ -77,7 +77,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
@ -94,7 +94,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found systemd unit files via systemctl list-unit-files"
for I in ${FIND}; do
@ -125,7 +125,7 @@
if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(find /usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
if [ ! "${FIND}" = "" ]; then
Report "systemd_binaries=${FIND}"
LogText "Result: found systemd binaries in /usr/lib/systemd"
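Review bot: the find now runs against `${ROOTDIR}usr/lib/systemd`, but the prerequisite check two lines above still tests `-d /usr/lib/systemd` and the log message still reports /usr/lib/systemd; update both to the ROOTDIR form so the test keeps working, and reports the right path, when ROOTDIR is not `/`.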
@ -160,7 +160,7 @@
if [ ! "${FIND}" = "" ]; then
Report "journal_contains_errors=1"
for I in ${FIND}; do
LINE=$(echo ${I} | sed 's/:space:/ /g')
LINE=`echo ${I} | sed 's/:space:/ /g'`
LogText "Output (fails): ${LINE}"
done
else
@ -176,7 +176,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}')
FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
Report "journal_disk_size=${FIND}"
LogText "Result: journals are ${FIND} in size"
fi
@ -188,7 +188,7 @@
if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
Report "journal_meta_data=${FIND}"
fi
#
@ -228,7 +228,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
Report "systemd_unit_not_found[]=${I}"
@ -243,7 +243,7 @@
if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more services with faulty state"
for I in ${FIND}; do
@ -261,7 +261,7 @@
Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
if [ ${SKIPTEST} -eq 0 ]; then
SYSTEMD_COREDUMP_USED=1
FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
if [ ! "${FIND}" = "" ]; then
LogText "Result: systemd uses systemd-coredump to handle coredumps"
Report "systemd_coredump_used=1"
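Review bot: `SYSTEMD_COREDUMP_USED=1` is assigned unconditionally before the core_pattern check, so unless the else branch resets it the variable claims systemd-coredump is in use even when the pattern does not mention it; move the assignment inside the `if`. `cat /proc/sys/kernel/core_pattern | grep systemd-coredump` is a redundant cat, `grep systemd-coredump /proc/sys/kernel/core_pattern` does the same, and this hunk too swaps `$(...)` for backticks, which should stay `$(...)` for the reasons that apply throughout this plugin.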