tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Extended detection for service manager and NetBSD uptime support

This commit is contained in:
mboelen 2014-12-03 14:22:58 +01:00
parent 1759f66181
commit 639fd1d96a
1 changed files with 35 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
include/tests_boot_services
View File

@ -22,7 +22,6 @@
#
#################################################################################
#
Display --indent 2 --text "- Checking boot loaders"
BOOT_LOADER="unknown"
BOOT_LOADER_FOUND=0
GRUB_VERSION=0
@ -40,7 +39,7 @@
FIND=`/usr/sbin/bootinfo -b`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found boot device ${FIND}"
Display --indent 4 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN
Display --indent 2 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN
BOOT_LOADER="ROS"
BOOT_LOADER_FOUND=1
else
@ -56,15 +55,19 @@
#
# Test : BOOT-5104
# Description : Determine service manager
# Notes :
# initscripts - Used by Arch before
# systemd - Common option with more Linux distros implementing it
# upstart - Used by Debian/Ubuntu
Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager"
if [ ${SKIPTEST} -eq 0 ]; then
case ${OS} in
linux)
Linux)
if [ -f /proc/1/cmdline ]; then
FILE=`cat /proc/1/cmdline`
if [ -L ${FILE} ]; then
ShowSymlinkPath ${FILE}
if [ -f ${sFILE} ]; then
FILE=`cat /proc/1/cmdline`
if [ -L ${FILE} ]; then
ShowSymlinkPath ${FILE}
if [ -f ${sFILE} ]; then
SHORTNAME=`echo ${sFILE} | awk -F/ '{ print $NF }'`
case ${SHORTNAME} in
upstart)
@ -79,10 +82,23 @@
esac
else
logtext "Result: Could not find linked file ${sFILE}"
fi
fi
else
FIND=`echo ${FILE} | grep "/systemd"`
if [ ! "${FIND}" = "" ]; then
SERVICE_MANAGER="systemd"
fi
fi
fi
# Continue testing if we didn't find it yet
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi
fi
;;
NetBSD)
if [ -x /sbin/init -a -d /etc/rc.d -a -f /etc/rc ]; then
SERVICE_MANAGER="bsdrc"
fi
;;
*)
logtext "Result: unknown service manager"
@ -134,7 +150,7 @@
if [ "`ls /boot/* 2> /dev/null`" = "" -a ! "${GRUB2INSTALLBINARY}" = "" ]; then
BOOT_LOADER_FOUND=1
logtext "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 4 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
ReportManual "${TEST_NO}:01"
fi
fi
@ -167,11 +183,11 @@
FOUND=1
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
Display --indent 4 --text "- Checking for password protection" --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
else
Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
Display --indent 4 --text "- Checking for password protection" --result WARNING --color RED
logtext "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
@ -189,7 +205,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
logtext "Result: found boot1, boot2 and loader files in /boot"
Display --indent 4 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
BOOT_LOADER="FreeBSD"
BOOT_LOADER_FOUND=1
else
@ -205,7 +221,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
logtext "Result: found NetBSD secondary bootstrap"
Display --indent 4 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
BOOT_LOADER="NetBSD"
BOOT_LOADER_FOUND=1
else
@ -228,18 +244,18 @@
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
BOOT_LOADER_FOUND=1
Display --indent 4 --text "- Checking presence LILO" --result "OK" --color GREEN
Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN
logtext "Checking password option LILO"
FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED
logtext "Result: no password set for LILO. Bootloader is unprotected to"
logtext "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
else
Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
Display --indent 4 --text "- Password option presence " --result "OK" --color GREEN
logtext "Result: LILO password option set"
AddHP 4 4
fi
@ -260,7 +276,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/silo.conf ]; then
logtext "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 4 --text "- Checking boot loader SILO" --result FOUND --color GREEN
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
BOOT_LOADER="SILO"
BOOT_LOADER_FOUND=1
else
@ -627,7 +643,7 @@
fi
;;
OpenBSD)
NetBSD|OpenBSD)
if [ ! "${SYSCTLBINARY}" = "" ]; then
TIME_BOOT=`${SYSCTLBINARY} -n kern.boottime`
TIME_NOW=`date "+%s"`