mirror of https://github.com/CISOfy/lynis.git
Merge pull request #899 from bginsbach/auth-9218
AUTH-9218 Improvements
commit
5288479296
|
@ -49,7 +49,6 @@ AUTH-9406:test:security:authentication::Query LDAP servers in client configurati
|
||||||
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
|
AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
|
||||||
AUTH-9409:test:security:authentication:OpenBSD:Check for doas file:
|
AUTH-9409:test:security:authentication:OpenBSD:Check for doas file:
|
||||||
AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions:
|
AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions:
|
||||||
AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts:
|
|
||||||
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
|
BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
|
||||||
BANN-7124:test:security:banners::Check issue banner file:
|
BANN-7124:test:security:banners::Check issue banner file:
|
||||||
BANN-7126:test:security:banners::Check issue banner file contents:
|
BANN-7126:test:security:banners::Check issue banner file contents:
|
||||||
|
|
|
@ -157,51 +157,7 @@
|
||||||
# Test : AUTH-9218
|
# Test : AUTH-9218
|
||||||
# Description : Check login shells for passwordless accounts
|
# Description : Check login shells for passwordless accounts
|
||||||
# Notes : Results should be checked
|
# Notes : Results should be checked
|
||||||
Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --category security --description "Check login shells for passwordless accounts"
|
Register --test-no AUTH-9218 --os "DragonFly FreeBSD NetBSD OpenBSD" --root-only YES --weight L --network NO --category security --description "Check login shells for passwordless accounts"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
|
||||||
FOUND=0
|
|
||||||
LogText "Test: Checking login shells"
|
|
||||||
if [ -f ${ROOTDIR}etc/master.passwd ]; then
|
|
||||||
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
|
|
||||||
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
|
|
||||||
if [ "${FIND}" = "" ]; then
|
|
||||||
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
|
|
||||||
else
|
|
||||||
Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
|
|
||||||
for LINE in ${FIND}; do
|
|
||||||
LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g')
|
|
||||||
SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }')
|
|
||||||
LogText "Output: ${LINE}"
|
|
||||||
if [ -z "${SHELL}" ]; then
|
|
||||||
LogText "Result: found no shell on line"
|
|
||||||
else
|
|
||||||
LogText "Result: found possible harmful shell ${SHELL}"
|
|
||||||
if [ -f ${SHELL} ]; then
|
|
||||||
LogText "Result: shell ${SHELL} does exist"
|
|
||||||
FOUND=1
|
|
||||||
else
|
|
||||||
LogText "Result: shell ${SHELL} does not exist"
|
|
||||||
ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
if [ ${FOUND} -eq 1 ]; then
|
|
||||||
ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE
|
|
||||||
LogText "Result: No /etc/master.passwd file found"
|
|
||||||
fi
|
|
||||||
unset LINE SHELL
|
|
||||||
fi
|
|
||||||
#
|
|
||||||
#################################################################################
|
|
||||||
#
|
|
||||||
# Test : AUTH-9489
|
|
||||||
# Description : Check login shells for passwordless accounts
|
|
||||||
# Notes : Results should be checked
|
|
||||||
Register --test-no AUTH-9489 --os DragonFly --weight L --network NO --category security --description "Check login shells for passwordless accounts"
|
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
FOUND=0
|
FOUND=0
|
||||||
LogText "Test: Checking login shells"
|
LogText "Test: Checking login shells"
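Review bot: The comment header for AUTH-9218 still reads only `# Notes : Results should be checked`, so it does not record why the new `Register` line adds `--root-only YES` or that this test now absorbs AUTH-9489. I would extend it to something like `# Notes : Requires root (master.passwd is presumably not readable otherwise); replaces AUTH-9489`. Because the first hunk also drops the AUTH-9489 entry from the test list, any profile or report that skips or tracks that ID will presumably stop matching, and DragonFly hosts will report under AUTH-9218 instead; that deserves a changelog line. The body the merged test runs continues outside this hunk, so it cannot be confirmed from here whether it reads `${ROOTDIR}etc/master.passwd` consistently; the removed FreeBSD body tested that path but grepped the literal `/etc/master.passwd`.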
|
||||||
|
|