Removed word 'checking' from several tests' and style improvements

Michael Boelen 2016-07-31 13:53:26 +02:00
parent 6426ce68c0
commit 5e2f6d256b
1 changed files with 61 additions and 61 deletions


@ -42,9 +42,9 @@
LogText "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_WARNING}" --color RED
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts"
ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
for I in ${FIND}; do
LogText "Administrator account: ${I}"
if [ "${I}" = "toor" ]; then
@ -53,8 +53,8 @@
ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
fi
done
else
Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_OK}" --color GREEN
LogText "Result: No accounts found with UID 0 other than root."
fi
fi
@ -75,16 +75,16 @@
if [ -f ${PASSWD_FILE} ]; then
FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_OK}" --color GREEN
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_OK}" --color GREEN
LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
else
Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_WARNING}" --color RED
else
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_WARNING}" --color RED
LogText "Result: found multiple accounts with same UID"
LogText "Output (non-unique UIDs): ${FIND}"
ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
fi
else
Display --indent 2 --text "- Checking UIDs" --result "${STATUS_SKIPPED}" --color WHITE
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: test skipped, ${PASSWD_FILE} file not available"
fi
LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
@ -341,16 +341,16 @@
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
if [ "${FIND}" = "" ]; then
LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
@ -368,16 +368,16 @@
FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
if [ "${FIND}" = "" ]; then
LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
else
FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
fi
fi
else
@ -404,10 +404,10 @@
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
@ -436,15 +436,15 @@
# Description : Solaris test to check passwordless accounts
Register --test-no AUTH-9254 --os Solaris --weight L --network NO --root-only YES --category security --description "Solaris passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`logins -p | awk '{ print $1 }'`
FIND=$(logins -p | awk '{ print $1 }')
if [ "${FIND}" = "" ]; then
LogText "Result: no passwordless accounts found"
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
else
for I in ${FIND}; do
ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
ReportWarning ${TEST_NO} "Found passwordless account (${I})"
done
Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED
fi
fi
#
@ -507,12 +507,12 @@
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
AddHP 0 3
else
Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_OK}" --color GREEN
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
LogText "Result: found at least one PAM module for password strength testing"
AddHP 3 3
fi
@ -527,7 +527,7 @@
LogText "Test: Checking file /etc/pam.conf"
if [ -f /etc/pam.conf ]; then
LogText "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
if [ "${FIND}" = "" ]; then
@ -541,7 +541,7 @@
fi
else
LogText "Result: file /etc/pam.conf could not be found"
Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
Display --indent 2 --text "- PAM configuration file (pam.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -554,7 +554,7 @@
LogText "Test: Checking directory /etc/pam.d"
if [ -d /etc/pam.d ]; then
LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=`find /etc/pam.d -type f -print | sort`
for I in ${FIND}; do
@ -562,7 +562,7 @@
done
else
LogText "Result: directory /etc/pam.d could not be found"
Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
@ -593,10 +593,10 @@
done
# Check if we found at least one module
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_NOT_FOUND}" --color WHITE
Display --indent 2 --text "- PAM modules" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no PAM modules found"
else
Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- PAM modules" --result "${STATUS_FOUND}" --color GREEN
fi
unset DIR; unset FILE; unset FIND
fi
@ -615,12 +615,12 @@
if [ ! "${FIND}" = "" ]; then
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
LDAP_AUTH_ENABLED=1
LDAP_PAM_ENABLED=1
else
LogText "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
@ -664,13 +664,13 @@
LogText "Test: Checking Linux version and password expire date status"
if [ "${FIND}" = "" ]; then
LogText "Result: all accounts seem to have an expire date"
Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_OK}" --color GREEN
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more accounts with expire date set"
for I in ${FIND}; do
LogText "Account without expire date: ${I}"
done
Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
fi
fi
@ -681,14 +681,14 @@
LogText "Test: Checking passwordless accounts"
if [ "${FIND2}" = "" ]; then
LogText "Result: all accounts seem to have a password"
Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_OK}" --color GREEN
Display --indent 2 --text "- Accounts without password" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found one or more accounts without password"
for I in ${FIND2}; do
LogText "Account without password: ${I}"
Report "account_without_password=${I}"
done
Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_WARNING}" --color RED
Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "Found accounts without password"
fi
fi
@ -712,7 +712,7 @@
else
LogText "Result: password needs to be at least ${FIND} days old"
PASSWORD_MINIMUM_DAYS=${FIND}
Display --indent 2 --text "- Checking user password aging (minimum)" --result CONFIGURED --color GREEN
Display --indent 2 --text "- User password aging (minimum)" --result CONFIGURED --color GREEN
AddHP 3 3
fi
@ -720,13 +720,13 @@
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
AddHP 0 1
else
LogText "Result: max password age is ${FIND} days"
PASSWORD_MAXIMUM_DAYS=${FIND}
Display --indent 2 --text "- Checking user password aging (maximum)" --result CONFIGURED --color GREEN
Display --indent 2 --text "- User password aging (maximum)" --result CONFIGURED --color GREEN
AddHP 3 3
fi
fi
@ -956,17 +956,17 @@
if [ ${FOUND_UMASK} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- umask (/etc/profile)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- umask (/etc/profile)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027"
AddHP 0 2
fi
else
# Some operating systems don't have a default umask defined in /etc/profile (Debian)
LogText "Result: found no umask. Please check if this is correct"
Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
Display --indent 4 --text "- umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
else
LogText "Result: file /etc/profile does not exist"
@ -993,20 +993,20 @@
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
AddHP 0 2
fi
else
else
LogText "Result: file /etc/login.defs does not exist"
fi
@ -1018,14 +1018,14 @@
FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: umask is not configured"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW
AddHP 0 2
fi
else
@ -1045,11 +1045,11 @@
AddHP 1 2
elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
LogText "Result: umask is ${FIND}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: found umask ${FIND}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
AddHP 0 2
fi
@ -1082,14 +1082,14 @@
fi
if [ ${FOUND} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN
else
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
Display --indent 4 --text "- umask (/etc/login.conf)" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi
else
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW
fi
fi
@ -1108,11 +1108,11 @@
AddHP 1 2
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
LogText "Result: umask is ${FIND2}, which is fine"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: found umask ${FIND2}, which could be improved"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
AddHP 0 2
fi
@ -1184,16 +1184,16 @@
Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"`
FIND=$(egrep "^passwd" /etc/nsswitch.conf | grep "ldap")
if [ "${FIND}" = "" ]; then
LogText "Result: LDAP authentication not enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE
else
Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE
else
LogText "Result: LDAP authentication enabled"
Display --indent 2 --text "- Checking LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN
Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN
LDAP_AUTH_ENABLED=1
fi
else
else
LogText "Result: /etc/nsswitch.conf not found"
fi
fi
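Review bot: In the UID 0 test (first hunk, `@ -42,9`), the comparison `[ "${I}" = "toor" ]` can never be true, because every entry of `FIND` has the form `name:uid`: the pipeline that fills it ends in `cut -d ":" -f1,3`. The warning for extra UID 0 accounts is still raised, but the 'toor'-specific suggestion in the following hunk is never reported, and the "Administrator account:" log line carries the `:0` suffix. Comparing only the name part fixes the branch: `if [ "${I%%:*}" = "toor" ]; then`. The rest of that `if` body lies between the two hunks and is not visible here.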