tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use detected binaries

This commit is contained in:
Michael Boelen 2016-08-25 15:31:33 +02:00
parent a6b04a3ace
commit 679e8c628e
36 changed files with 400 additions and 400 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
include/tests_accounting
View File

@ -104,7 +104,7 @@
LogText "Test: check /etc/default/sysstat presence"
if [ -f ${ROOTDIR}etc/default/sysstat ]; then
LogText "Result: ${ROOTDIR}etc/default/sysstat found"
FIND=`grep "^ENABLED" ${ROOTDIR}etc/default/sysstat | grep -i true`
FIND=`${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true`
if [ ! "${FIND}" = "" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
@ -114,7 +114,7 @@
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
fi
elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then
FIND=`grep -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat`
FIND=`${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat`
if [ ! "${FIND}" = "" ]; then
LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
@ -167,7 +167,7 @@
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd rules"
FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
FIND=`${AUDITCTLBINARY} -l | ${GREPBINARY} -v "No rules"`
if [ "${FIND}" = "" ]; then
LogText "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -219,7 +219,7 @@
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd log file"
FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'`
FIND=`${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: log file is defined"
LogText "Defined value: ${FIND}"
@ -251,7 +251,7 @@
Display --indent 2 --text "- Checking Snoopy" --result "${STATUS_FOUND}" --color GREEN
if [ -f ${ROOTDIR}etc/ld.so.preload ]; then
LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} ${ROOTDIR}etc/ld.so.preload`
FIND=`${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found snoopy in ld.so.preload"
LogText "Output: ${FIND}"
@ -297,7 +297,7 @@
Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check auditd SMF status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if auditd service is enabled and online"
FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
FIND=`/usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
@ -316,7 +316,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
if [ -f ${ROOTDIR}etc/system ]; then
FIND=`grep 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system`
FIND=`${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system`
if [ ! "${FIND}" = "" ]; then
LogText "Result: BSM is enabled in ${ROOTDIR}etc/system"
Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN
@ -337,7 +337,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check if c2audit module is active"
if [ -x /usr/sbin/modinfo ]; then
FIND=`/usr/sbin/modinfo | grep c2audit`
FIND=`/usr/sbin/modinfo | ${GREPBINARY} c2audit`
if [ ! "${FIND}" = "" ]; then
LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
@ -360,7 +360,7 @@
LogText "Test: check /etc/security/audit_control for event logging location"
if [ -f ${ROOTDIR}etc/security/audit_control ]; then
LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
FIND=`grep "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'`
FIND=`${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found location ${FIND}"
LogText "Test: Checking if location is a valid directory"

80
include/tests_authentication
View File

@ -40,7 +40,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0
LogText "Test: Searching accounts with UID 0"
FIND=(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0')
FIND=(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | ${GREPBINARY} ':0')
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found more than one administrator accounts"
@ -74,7 +74,7 @@
fi
# Check password file
if [ -f ${PASSWD_FILE} ]; then
FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d)
FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | ${SORTBINARY} | uniq -d)
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Unique UIDs" --result "${STATUS_OK}" --color GREEN
LogText "Result: all accounts found in ${PASSWD_FILE} are unique"
@ -165,7 +165,7 @@
Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
for LINE in ${FIND}; do
LINE=$(echo ${LINE} | sed 's/!space!/ /g')
SHELL=$(echo ${LINE} | awk -F: '{ print $10 }')
SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }')
LogText "Output: ${LINE}"
if [ -z "${SHELL}" ]; then
LogText "Result: found no shell on line"
@ -198,7 +198,7 @@
Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check unique groups (IDs)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for non unique group ID's in /etc/group"
FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d)
FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $3 }' | ${SORTBINARY} | uniq -d)
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Unique group IDs" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group ID's are unique"
@ -218,7 +218,7 @@
Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unique group names"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for non unique group names in /etc/group"
FIND=$(${GREPBINARY} -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d)
FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $1 }' | ${SORTBINARY} | uniq -d)
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Unique group names" --result "${STATUS_OK}" --color GREEN
LogText "Result: All group names are unique"
@ -284,33 +284,33 @@
case ${OS} in
"AIX")
LogText "AIX real users output (ID = 0, or 100+):"
FIND=`awk -F: '($3 >= 100 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
FIND=`${AWKBINARY} -F: '($3 >= 100 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
"FreeBSD")
LogText "FreeBSD real users output (ID = 0, or 1000+, but not 65534):"
FIND=`awk -F: '($3 >= 1000 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
FIND=`${AWKBINARY} -F: '($3 >= 1000 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
"Linux")
UID_MIN=""
if [ -f /etc/login.defs ]; then
UID_MIN=$(${GREPBINARY} "^UID_MIN" /etc/login.defs | awk '{print $2}')
UID_MIN=$(${GREPBINARY} "^UID_MIN" /etc/login.defs | ${AWKBINARY} '{print $2}')
LogText "Result: found minimal user id specified: ${UID_MIN}"
fi
if [ "${UID_MIN}" = "" ]; then UID_MIN="1000"; fi
LogText "Linux real users output (ID = 0, or ${UID_MIN}+, but not 65534):"
FIND=`awk -v UID_MIN="${UID_MIN}" -F: '($3 >= UID_MIN && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
FIND=`${AWKBINARY} -v UID_MIN="${UID_MIN}" -F: '($3 >= UID_MIN && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
"OpenBSD")
LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
FIND=`awk -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd`
FIND=`${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
"Solaris")
LogText "Solaris real users output (ID =0, or 100+, but not 60001/65534):"
FIND=`awk -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
FIND=`${AWKBINARY} -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
;;
*)
# Want to help improving Lynis? Determine what user IDs belong to normal user accounts
@ -339,7 +339,7 @@
Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus")
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
if [ "${FIND}" = "" ]; then
LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
@ -366,7 +366,7 @@
Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus")
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
if [ "${FIND}" = "" ]; then
LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
@ -437,7 +437,7 @@
# Description : Solaris test to check passwordless accounts
Register --test-no AUTH-9254 --os Solaris --weight L --network NO --root-only YES --category security --description "Solaris passwordless accounts"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(logins -p | awk '{ print $1 }')
FIND=$(logins -p | ${AWKBINARY} '{ print $1 }')
if [ "${FIND}" = "" ]; then
LogText "Result: no passwordless accounts found"
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
@ -612,7 +612,7 @@
if [ -f /etc/pam.d/common-auth ]; then
LogText "Result: file /etc/pam.d/common-auth exists"
LogText "Test: checking presence LDAP module"
FIND=`grep "^auth.*ldap" /etc/pam.d/common-auth`
FIND=`${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth`
if [ ! "${FIND}" = "" ]; then
LogText "Result: LDAP module present"
LogText "Output: ${FIND}"
@ -638,13 +638,13 @@
case ${LINUX_VERSION} in
"SuSE")
PREQS_MET="YES"
FIND=$(passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }')
FIND=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
;;
*)
PREQS_MET="YES"
FIND=$(passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }')
FIND=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
;;
esac
else
@ -704,7 +704,7 @@
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking user password aging"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" /etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
LogText "Result: password minimum age is not configured"
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
@ -718,7 +718,7 @@
fi
LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }')
FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" /etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MAX_DAYS") { print $2 } }')
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
LogText "Result: password aging limits are not configured"
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
@ -745,7 +745,7 @@
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
FIND=$(${EGREPBINARY} -v ":[\!\*x](\*)?:" /etc/shadow | awk -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
FIND=$(${EGREPBINARY} -v ":[\!\*x](\*)?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ ! "${FIND}" = "" ]; then
for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired"
@ -805,7 +805,7 @@
if [ -f /tcb/files/auth/system/default ]; then
LogText "Result: file /tcb/files/auth/system/default exists"
LogText "Test: checking presence :d_boot_authenticate@:"
FIND=$(grep "^:d_boot_authenticate@" /tcb/files/auth/system/default)
FIND=$(${GREPBINARY} "^:d_boot_authenticate@" /tcb/files/auth/system/default)
if [ -z "${FIND}" ]; then
LogText "Result: option not set, password is needed at boot"
Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN
@ -853,7 +853,7 @@
TEST_PERFORMED=1
LogText "Result: file /etc/sysconfig/init exists"
LogText "Test: checking presence sulogin for single user mode"
FIND=`grep "^SINGLE=/sbin/sulogin" /etc/sysconfig/init`
FIND=`${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init`
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
@ -875,7 +875,7 @@
# Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
TEST_PERFORMED=1
LogText "Result: found target ${I}"
FIND=`egrep "^ExecStart=" ${FILE} | grep "/sulogin"`
FIND=`${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin"`
if [ "${FIND}" = "" ]; then
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
else
@ -926,7 +926,7 @@
if [ ! -z "${FIND}" ]; then
LogText "Result: found /etc/profile.d, with one or more files in it"
for FILE in ${FIND}; do
HAS_MASK=$(grep umask ${FILE} | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }')
HAS_MASK=$(${GREPBINARY} umask ${FILE} | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
for MASK in ${HAS_MASK}; do
if [ "${MASK}" = "077" -o "${MASK}" = "027" ]; then
LogText "Result: found a strong umask '${MASK}' set in ${FILE}"
@ -949,8 +949,8 @@
if [ -f /etc/profile -a ${GOOD_UMASK} -eq 0 ]; then
LogText "Result: file /etc/profile exists"
LogText "Test: Checking umask value in /etc/profile"
FIND=$(grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }')
FIND2=$(grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l)
FIND=$(${GREPBINARY} "umask" /etc/profile | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }')
FIND2=$(${GREPBINARY} "umask" /etc/profile | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }' | wc -l)
FOUND_UMASK=0
if [ "${FIND2}" = "0" ]; then
LogText "Result: did not find umask in /etc/profile"
@ -1007,7 +1007,7 @@
if [ -f /etc/passwd ]; then
LogText "Result: file /etc/passwd exists"
LogText "Test: Checking umask value in /etc/passwd"
FIND=`grep "umask=" /etc/passwd`
FIND=`${GREPBINARY} "umask=" /etc/passwd`
if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03"
fi
@ -1020,7 +1020,7 @@
if [ -f /etc/login.defs ]; then
LogText "Result: file /etc/login.defs exists"
LogText "Test: Checking umask value in /etc/login.defs"
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
FIND=`${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: umask value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1045,7 +1045,7 @@
if [ -f /etc/init.d/functions ]; then
LogText "Result: file /etc/init.d/functions exists"
LogText "Test: Checking umask value in /etc/init.d/functions"
FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
FIND=`${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: umask is not configured"
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE
@ -1067,7 +1067,7 @@
if [ -f /etc/init.d/rc ]; then
LogText "Result: file /etc/init.d/rc exists"
LogText "Test: Checking UMASK value in /etc/init.d/rc"
FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'`
FIND=`${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1092,7 +1092,7 @@
FOUND=0
WEAK_UMASK=0
LogText "Result: file /etc/login.conf exists"
FIND=`grep "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
FIND=`${GREPBINARY} "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
case ${UMASK_VALUE} in
@ -1128,9 +1128,9 @@
if [ -f /etc/init.d/rcS ]; then
LogText "Result: file /etc/init.d/rcS exists"
LogText "Test: Checking if script runs another script."
FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'`
FIND=`${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "" ]; then
FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'`
FIND2=`${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND2}" = "" ]; then
LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)"
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
@ -1166,7 +1166,7 @@
FOUND=0
if [ -f /etc/security/policy.conf ]; then
LogText "Result: found /etc/security/policy.conf"
FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`
FIND=`${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: account locking option set"
@ -1186,7 +1186,7 @@
LogText "Test: checking /etc/default/login"
if [ -f /etc/default/login ]; then
LogText "Result: file /etc/default/login exists"
FIND=`grep "^RETRIES" /etc/default/login`
FIND=`${GREPBINARY} "^RETRIES" /etc/default/login`
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: retries option configured"
@ -1214,7 +1214,7 @@
Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=$(egrep "^passwd" /etc/nsswitch.conf | grep "ldap")
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "ldap")
if [ "${FIND}" = "" ]; then
LogText "Result: LDAP authentication not enabled"
Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE
@ -1242,7 +1242,7 @@
LogText "Result: file ${FILE} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${FILE}"
LogText "Test: checking LDAP servers in file ${FILE}"
FIND=$(egrep "^host " ${FILE} | awk '{ print $2 }')
FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
for SERVER in ${FIND}; do
Display --indent 6 --text "LDAP server: ${SERVER}"
LogText "Result: found LDAP server ${SERVER}"
@ -1263,7 +1263,7 @@
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
FIND=`${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1

6
include/tests_banners
View File

@ -100,7 +100,7 @@
# N=0
# LogText "Test: Checking file /etc/motd contents for legal key words"
# for I in ${LEGAL_BANNER_STRINGS}; do
# FIND=`grep -i "${I}" /etc/motd`
# FIND=`${GREPBINARY} -i "${I}" /etc/motd`
# if [ ! "${FIND}" = "" ]; then
# LogText "Result: found string '${I}'"
# N=$((N + 1))
@ -151,7 +151,7 @@
N=0
LogText "Test: Checking file /etc/issue contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue`
FIND=`${GREPBINARY} -i "${I}" /etc/issue`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'"
N=$((N + 1))
@ -203,7 +203,7 @@
N=0
LogText "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue.net`
FIND=`${GREPBINARY} -i "${I}" /etc/issue.net`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found string '${I}'"
N=$((N + 1))

44
include/tests_boot_services
View File

@ -70,9 +70,9 @@
case ${OS} in
"Linux")
if [ -f /proc/1/cmdline ]; then
FILENAME=`awk '/(^\/|init)/ { print $1 }' /proc/1/cmdline`
FILENAME=`${AWKBINARY} '/(^\/|init)/ { print $1 }' /proc/1/cmdline`
LogText "Result: cmdline found = ${FILENAME}"
ISFILE=`echo ${FILENAME} | grep "^/"`
ISFILE=`echo ${FILENAME} | ${GREPBINARY} "^/"`
if [ ! "${ISFILE}" = "" ]; then
if [ -L ${ISFILE} ]; then
ShowSymlinkPath ${ISFILE}
@ -84,7 +84,7 @@
fi
fi
if [ ! "${FILENAME}" = "" ]; then
SHORTNAME=`echo ${FILENAME} | awk -F/ '{ print $NF }'`
SHORTNAME=`echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }'`
LogText "Found: ${SHORTNAME}"
case ${SHORTNAME} in
"init")
@ -97,7 +97,7 @@
SERVICE_MANAGER="upstart"
;;
*)
CONTAINS_SYSTEMD=`echo ${SHORTNAME} | grep "systemd"`
CONTAINS_SYSTEMD=`echo ${SHORTNAME} | ${GREPBINARY} "systemd"`
if [ ! "${CONTAINS_SYSTEMD}" = "" ]; then
SERVICE_MANAGER="systemd"
else
@ -186,7 +186,7 @@
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Test: checking file ${I}"
J=`od -An -t u1 ${I} | awk '{ print $5 }'`
J=`od -An -t u1 ${I} | ${AWKBINARY} '{ print $5 }'`
if [ "${J}" = "1" ]; then
LogText "Result: found SecureBoot file with enabled status"
UEFI_BOOTED_SECURE=1
@ -200,7 +200,7 @@
fi
;;
#MacOS)
# Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
# Mac OS ioreg -l -p IODeviceTree | ${GREPBINARY} firmware-abi
#;;
*)
LogText "Result: no test implemented yet to test for UEFI on this platform"
@ -279,11 +279,11 @@
LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`grep 'password --md5' ${GRUBCONFFILE} | grep -v '^#'`
FIND2=`grep 'password --encrypted' ${GRUBCONFFILE} | grep -v '^#'`
FIND3=`grep 'set superusers' ${GRUBCONFFILE} | grep -v '^#'`
FIND4=`grep 'password_pbkdf2' ${GRUBCONFFILE} | grep -v '^#'`
FIND5=`grep 'grub.pbkdf2' ${GRUBCONFFILE} | grep -v '^#'`
FIND=`${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'`
FIND2=`${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'`
FIND3=`${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'`
FIND4=`${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'`
FIND5=`${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'`
# GRUB1: Password should be set (MD5 or SHA1)
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
@ -358,7 +358,7 @@
BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
LogText "Checking password option LILO"
FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"`
FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
LogText "Result: no password set for LILO. Bootloader is unprotected to"
@ -404,7 +404,7 @@
# Register --test-no BOOT-5144 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/silo.conf -a -x /sbin/silo ]; then
# FIND=`/sbin/silo | grep "appears to be valid"`
# FIND=`/sbin/silo | ${GREPBINARY} "appears to be valid"`
# if [ ! "${FIND}" = "" ]; then
# LogText "Result: Found SILO configuration file (/etc/silo.conf)"
# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_OK}" --color GREEN
@ -453,7 +453,7 @@
if [ -f /etc/boot.conf ]; then
FOUND=1
Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN
FIND=`grep '^boot' /etc/boot.conf`
FIND=`${GREPBINARY} '^boot' /etc/boot.conf`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED
#ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
@ -498,7 +498,7 @@
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
LogText "Searching for services at startup (rc.conf)"
FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
FIND=`${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | sed 's/_enable//'`
fi
N=0
for I in ${FIND}; do
@ -525,7 +525,7 @@
LogText "Result: systemctl binary found, trying that to discover information"
# Running services
LogText "Searching for running services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} --full --type=service | awk '{ if ($4=="running") { print $1 } }' | awk -F. '{ print $1 }'`
FIND=`${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'`
N=0
Report "running_service_tool=systemctl"
for I in ${FIND}; do
@ -540,7 +540,7 @@
# Services at boot
LogText "Searching for enabled services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | awk '{ if ($2=="enabled") { print $1 } }' | awk -F. '{ print $1 }'`
FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'`
N=0
Report "boot_service_tool=systemctl"
for I in ${FIND}; do
@ -558,7 +558,7 @@
if [ ! "${CHKCONFIGBINARY}" = "" ]; then
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
FIND=`${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }'`
N=0
Report "boot_service_tool=chkconfig"
for I in ${FIND}; do
@ -585,7 +585,7 @@
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then
# Runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '`
sRUNLEVEL=`${RUNLEVELBINARY} | ${GREPBINARY} "N [0-9]" | ${AWKBINARY} '{ print $2} '`
LogText "Result: found runlevel ${sRUNLEVEL}"
if [ "${sRUNLEVEL}" = "2" ]; then
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
@ -713,7 +713,7 @@
DragonFly|FreeBSD|MacOS)
if [ ! "${SYSCTLBINARY}" = "" ]; then
FIND=`${SYSCTLBINARY} kern.boottime | awk '{ print $5 }' | sed -e 's/,//' | grep "[0-9]"`
FIND=`${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | sed -e 's/,//' | ${GREPBINARY} "[0-9]"`
else
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)"
@ -739,7 +739,7 @@
Solaris)
if [ ! "${KSTATBINARY}" = "" ]; then
FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1`
FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | cut -d "." -f1`
else
Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW
ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
@ -776,7 +776,7 @@
if [ -f /usr/lib/systemd/system/rescue.service ]; then
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
FIND=`${EGREPBINARY} "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"

12
include/tests_containers
View File

@ -37,7 +37,7 @@
Register --test-no CONT-8004 --os Solaris --weight L --network NO --category security --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
FIND=`/usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
@ -63,7 +63,7 @@
#Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#FIND=`xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
@ -104,7 +104,7 @@
LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
RUN_DOCKER_TESTS=0
fi
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
FIND=`${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found warning(s) in output"
for I in ${FIND}; do
@ -134,12 +134,12 @@
# Check total of containers
LogText "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} "^Containers: " | ${AWKBINARY} '{ print $2 }'`
if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi
LogText "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=$(${DOCKERBINARY} ps -a 2> /dev/null | grep -c -v "CONTAINER")
DOCKER_CONTAINERS_TOTAL2=$(${DOCKERBINARY} ps -a 2> /dev/null | ${GREPBINARY} -c -v "CONTAINER")
LogText "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
LogText "Result: difference detected, which is unexpected"
@ -150,7 +150,7 @@
fi
# Check running instances
DOCKER_CONTAINERS_RUNNING=$(${DOCKERBINARY} ps 2> /dev/null | grep -c -v "CONTAINER")
DOCKER_CONTAINERS_RUNNING=$(${DOCKERBINARY} ps 2> /dev/null | ${GREPBINARY} -c -v "CONTAINER")
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
Display --indent 10 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
LogText "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"

2
include/tests_crypto
View File

@ -33,7 +33,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | sed 's/:/ /g')
sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | sort | uniq | tr "\n" " "`
sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | ${SORTBINARY} | uniq | tr "\n" " "`
LogText "Result after sorting: ${sSSL_PATHS}"
for I in ${sSSL_PATHS}; do

12
include/tests_databases
View File

@ -37,7 +37,7 @@
# Description : Check if MySQL is being used
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
FIND=`${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep"`
if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: MySQL process not active"
@ -122,7 +122,7 @@
# reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
FIND=`${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep"`
if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: Oracle process(es) not active"
@ -142,7 +142,7 @@
#Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/oratab ]; then
# FIND=`grep -v "#" /etc/oratab | awk -F: "{ print $2 }"`
# FIND=`${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }"`
# fi
#fi
#
@ -199,12 +199,12 @@
if FileIsReadable ${CONFFILE}; then
LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file"
# Exclude Sentinel configuration file
FIND=$(grep "^sentinel " ${CONFFILE})
FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE})
if [ ! -z "${FIND}" ]; then
LogText "Result: file is a Sentinel configuration file, skipping it"
else
LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file"
FIND=$(grep "Redis" ${CONFFILE})
FIND=$(${GREPBINARY} "Redis" ${CONFFILE})
if [ ! -z "${FIND}" ]; then
REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}"
REDIS_CONFIGURATION_FOUND=1
@ -222,7 +222,7 @@
fi
done
# Sort the list of discovered configuration files so we can make them unique
REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | sed 's/^ //' | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | sed 's/^ //' | tr ' ' '\n' | ${SORTBINARY} | uniq | tr '\n' ' ')
for FILE in ${REDIS_CONFIGURATION_FILES}; do
if IsWorldReadable ${FILE}; then
LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!"

6
include/tests_file_integrity
View File

@ -219,7 +219,7 @@
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
ENABLED=`${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
@ -227,7 +227,7 @@
LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
ENABLED=`${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
@ -235,7 +235,7 @@
LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
ENABLED=`${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else

2
include/tests_file_permissions
View File

@ -34,7 +34,7 @@
LogText "Test: Checking file permissions"
for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline."
FIND=`egrep '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2`
FIND=`${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2`
for I in ${FIND}; do
LogText "Checking ${I}"
CheckFilePermissions ${I}

58
include/tests_filesystems
View File

@ -48,7 +48,7 @@
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then
LogText "Result: directory ${I} exists"
FIND=`mount | grep "${I}"`
FIND=`mount | ${GREPBINARY} "${I}"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
@ -79,7 +79,7 @@
FIND=`${LSVGBINARY} -o`
;;
Linux)
FIND=`${VGDISPLAYBINARY} 2> /dev/null | grep -v "No volume groups found" | grep "VG Name" | awk '{ print $3 }' | sort`
FIND=`${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | sort`
;;
*)
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
@ -110,10 +110,10 @@
case ${OS} in
AIX)
ACTIVE_VG_LIST=`${LSVGBINARY} -o`
FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | awk 'NR>2 { print $1 }'; done`
FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done`
;;
Linux)
FIND=`${LVDISPLAYBINARY} | grep -v "No volume groups found" | grep "LV Name" | awk '{ print $3 }' | sort`
FIND=`${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | sort`
;;
*)
ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data"
@ -147,7 +147,7 @@
Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux EXT file systems"
FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'`
FIND=`mount -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do
@ -170,7 +170,7 @@
Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
FIND=`${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then
if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi
LogText "Result: unable to find any single mount point (FFS/UFS)"
@ -191,7 +191,7 @@
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
FIND=`mount -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
LogText "Result: unable to find any single mount point (ZFS)"
@ -215,7 +215,7 @@
FOUND=0
LogText "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
FIND=`${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#"`
for I in ${FIND}; do
FOUND=1
REAL=""
@ -226,12 +226,12 @@
# Can be ^/dev/partition
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=`echo ${I} | grep "^UUID="`
HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="`
if [ ! "${HAS_UUID}" = "" ]; then
UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'`
LogText "Result: Using ${UUID} as UUID"
if [ ! "${BLKIDBINARY}" = "" ]; then
FIND2=$(${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//')
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//')
if [ ! "${FIND2}" = "" ]; then
REAL="${FIND2}"
fi
@ -275,8 +275,8 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap'
LogText "Test: check swap partitions with incorrect mount options"
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
#FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN
LogText "Result: all swap partitions have correct options (sw or swap)"
@ -296,8 +296,8 @@
# Examples : proc /proc proc defaults,hidepid=2 0 0
# Goal : Users should not be able to see processes of other users
if [ "${OS}" = "Linux" -a -f /proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | awk -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | awk -F. '{print $2}')
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
else
@ -392,7 +392,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
LogText "Test: Checking acl option on ext[2-4] root file system"
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | grep acl`
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found ACL option"
FOUND=1
@ -405,14 +405,14 @@
FIND1="/dev/root"
else
# Only determine device if it is EXT2/3/4
#FIND1=`mount | grep "on / " | awk '{ if ($5~/ext[2-4]/) { print $1 }}'`
FIND1=`mount -t ext2,ext3,ext4 | grep "on / " | awk '{ print $1 }'`
#FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'`
FIND1=`mount -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }'`
fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
if [ ! "${FIND1}" = "" ]; then
LogText "Result: found ${FIND1}"
LogText "Test: Checking default options on ${FIND1}"
FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | grep "^Default mount options" | grep "acl"`
FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl"`
if [ ! "${FIND2}" = "" ]; then
LogText "Result: found ACL option in default mount options"
FOUND=1
@ -425,7 +425,7 @@
fi
LogText "Test: Checking acl option on xfs root file system"
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | egrep 'no_acl|no_user_xattr'`
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr'`
if [ "${FIND}" = "" ]; then
FOUND=1
# some other tests to do ?
@ -452,10 +452,10 @@
Register --test-no FILE-6372 --os Linux --weight L --network NO --category security --description "Checking / mount options"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
FIND=$(awk '{ if ($2=="/") { print $4 } }' /etc/fstab | grep -v "^#")
NODEV=$(echo ${FIND} | awk '{ if ($1 ~ "nodev") { print "YES" } else { print "NO" } }')
NOEXEC=$(echo ${FIND} | awk '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
NOSUID=$(echo ${FIND} | awk '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')
FIND=$(${AWKBINARY} '{ if ($2=="/") { print $4 } }' /etc/fstab | ${GREPBINARY} -v "^#")
NODEV=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nodev") { print "YES" } else { print "NO" } }')
NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: mount system / is configured with options: ${FIND}"
@ -499,16 +499,16 @@
for I in ${FILESYSTEMS_TO_CHECK}; do
FILESYSTEM=$(echo ${I} | cut -d: -f1)
EXPECTED_FLAGS=$(echo ${I} | cut -d: -f2 | sed 's/,/ /g')
IN_FSTAB=$(awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }' /etc/fstab)
IN_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }' /etc/fstab)
if [ ! "${IN_FSTAB}" = "" ]; then
FOUND_FLAGS=$(awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | sed 's/,/ /g' | tr '\n' ' ')
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | sed 's/,/ /g' | tr '\n' ' ')
LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}"
LogText "Found flags: ${FOUND_FLAGS}"
PARTIALLY_HARDENED=0
FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}`
if [ "${FLAG_AVAILABLE}" = "" ]; then
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0
@ -550,8 +550,8 @@
Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
FIND=$(awk '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
BIND=$(echo ${FIND} | awk '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! "${FIND}" = "" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then

32
include/tests_firewalls
View File

@ -40,7 +40,7 @@
# Description : Check iptables kernel module
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^ip*_tables"`
FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables"`
if [ ! "${FIND}" = "" ]; then
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
@ -69,7 +69,7 @@
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1`
if [ ! "${FIND}" = "" ]; then
HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
@ -106,13 +106,13 @@
TABLES="filter"
for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}"
FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | egrep -z -o -w '[A-Z]+' | awk -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'`
FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'`
done
echo "${FIND}" | while read line; do
table=`echo ${line} | awk '{ print $1 }'`
chainname=`echo ${line} | awk '{ print $2 }'`
policy=`echo ${line} | awk '{ print $3 }'`
table=`echo ${line} | ${AWKBINARY} '{ print $1 }'`
chainname=`echo ${line} | ${AWKBINARY} '{ print $2 }'`
policy=`echo ${line} | ${AWKBINARY} '{ print $3 }'`
LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
LogText "Result: ${policy}"
@ -148,7 +148,7 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | tr -d ' '`
if [ ! "${FIND}" = "" ]; then
FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then
@ -171,7 +171,7 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present"
@ -199,7 +199,7 @@
# Check status with pfctl
LogText "Test: checking pf status via pfctl"
if [ ! "${PFCTLBINARY}" = "" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
FIND=`${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | head -1 | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: pf is enabled"
@ -222,7 +222,7 @@
# Check for pf kernel module (FreeBSD and similar)
LogText "Test: searching for pf kernel module"
if [ ! "${KLDSTATBINARY}" = "" ]; then
FIND=`${KLDSTATBINARY} | grep 'pf.ko'`
FIND=`${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko'`
if [ "${FIND}" = "" ]; then
LogText "Result: Can not find pf KLD"
else
@ -265,7 +265,7 @@
if [ -f /etc/pf.conf ]; then
LogText "Result: /etc/pf.conf exists"
# Check results from pfctl
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found"
@ -311,7 +311,7 @@
if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
FIND=`${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: ipf is enabled and running"
@ -332,14 +332,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SYSCTLBINARY}" = "" ]; then
# For now, only check for IPv4.
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
Report "firewall_software[]=ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw`
IPFW_ENABLED=`service -e | ${GREPBINARY} -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN
LogText "Result: IPFW is enabled at start-up for IPv4"
@ -364,7 +364,7 @@
if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"`
FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled"`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
@ -385,7 +385,7 @@
if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^nf*_tables"`
FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables"`
if [ ! "${FIND}" = "" ]; then
FIREWALL_SOFTWARE="nftables"
NFTABLES_ACTIVE=1

2
include/tests_hardening
View File

@ -36,7 +36,7 @@
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use ${GREPBINARY} to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
AddHP 1 3
fi

4
include/tests_homedirs
View File

@ -38,7 +38,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd
LogText "Test: query /etc/passwd to obtain home directories"
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort -u`
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u`
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Result: found home directory: ${I} (directory exists)"
@ -96,7 +96,7 @@
if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=`grep "^config:ignore_home_dir:" ${PROFILE} | awk -F: '{ print $3 }'`
IGNORE_HOME_DIRS=`${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }'`
if [ "${IGNORE_HOME_DIRS}" = "" ]; then
LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded"
else

4
include/tests_insecure_services
View File

@ -75,7 +75,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
LogText "Test: check if all services are disabled if inetd is disabled"
FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"`
FIND=`${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
else
@ -92,7 +92,7 @@
Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via inetd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking telnet presence in inetd configuration"
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
FIND=`${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN

48
include/tests_kernel
View File

@ -48,7 +48,7 @@
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
FIND2=`echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical"`
if [ ! "${FIND2}" = "" ]; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
@ -69,7 +69,7 @@
if [ -f /etc/inittab ]; then
LogText "Result: file /etc/inittab found"
LogText "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
FIND=`${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Can't determine default run level from /etc/inittab"
@ -82,7 +82,7 @@
LogText "Result: file /etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
FIND=`who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: Found default run level '${FIND}'"
Report "linux_default_runlevel=${FIND}"
@ -109,9 +109,9 @@
if [ -f /proc/cpuinfo ]; then
LogText "Result: found /proc/cpuinfo"
LogText "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`grep " pae " /proc/cpuinfo | grep " nx "`
FIND_PAE=`grep " pae " /proc/cpuinfo`
FIND_NX=`grep " nx " /proc/cpuinfo`
FIND_PAE_NX=`${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx "`
FIND_PAE=`${GREPBINARY} " pae " /proc/cpuinfo`
FIND_NX=`${GREPBINARY} " nx " /proc/cpuinfo`
FOUND=0
if [ ! "${FIND_PAE_NX}" = "" ]; then
LogText "PAE: Yes"
@ -184,7 +184,7 @@
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
FIND=`${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
if [ "${FIND}" = "0" ]; then
LogText "Result: Found monolithic kernel"
@ -207,7 +207,7 @@
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
FIND=`${LSMODBINARY} | awk '{ if ($1!="Module") print $1 }' | sort`
FIND=`${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort`
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
if [ ! "${FIND}" = "" ]; then
LogText "Loaded modules according lsmod:"
@ -267,7 +267,7 @@
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then
LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | sed s/\"//g`
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
@ -277,7 +277,7 @@
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
else
ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings"
ReportException "${TEST_NO}" "No valid ${GREPBINARY} tool found to search kernel settings"
fi
fi
#
@ -292,7 +292,7 @@
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
FIND=`kldstat | ${GREPBINARY} -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
if [ $? -eq 0 ]; then
LogText "Loaded modules according kldstat:"
N=0
@ -319,7 +319,7 @@
Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching loaded kernel modules"
FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort`
FIND=`modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Found module: ${I}"
@ -347,7 +347,7 @@
FINDKERNFILE=`readlink -f /vmlinuz`
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}'`
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
elif [ -e /dev/grsec ]; then
FINDKERNEL=linux-image-`uname -r`
@ -358,8 +358,8 @@
ReportSuggestion ${TEST_NO} "Discover why /vmlinuz is missing. Consider manually re-linking."
fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
FINDINST=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | cut -d ':' -f2 | tr -d ' '`
FINDCAND=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | cut -d ':' -f2 | tr -d ' '`
LogText "Kernel installed: ${FINDINST}"
LogText "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then
@ -399,8 +399,8 @@
if [ -f /etc/security/limits.conf ]; then
LogText "Result: file /etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
FIND1=`${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW
@ -415,7 +415,7 @@
# Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable"
FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'`
FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }'`
if [ "${FIND}" = "" ]; then
LogText "Result: sysctl key fs.suid_dumpable not found"
else
@ -504,7 +504,7 @@
elif [ -f /boot/vmlinuz-linux ]; then
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
LogText "Test: checking kernel version on disk"
VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | awk '{ if ($1=="Linux" && $7=="version") { print $8 }}'`
VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}'`
if [ ! "${VERSION_ON_DISK}" = "" ]; then
LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=`uname -r`
@ -526,7 +526,7 @@
else
LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*"
fi
# Extra current kernel version and replace dashes to allow numeric sort later on
# Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on
MYKERNEL=`uname -r | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's/-/./g'`
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=$(ls /boot/vmlinuz* 2> /dev/null)
@ -534,18 +534,18 @@
for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}"
done
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels"
KERNELS=`ls /boot/vmlinuz* | grep -v rescue | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
KERNELS=`ls /boot/vmlinuz* | ${GREPBINARY} -v rescue | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
KERNELS_ONE_LINE=$(echo ${KERNELS} | tr '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}"
elif [ ! "$(ls /boot/kernel* 2> /dev/null)" = "" ]; then
LogText "Output: Found a kernel file in /boot"
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=`ls /boot/kernel* | awk -F- '{ if ($2=="genkernel") { print $4 }}' | grep "^[0-9]" | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
KERNELS=`ls /boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
LogText "Output: ${KERNELS}"
else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"

20
include/tests_kernel_hardening
View File

@ -39,18 +39,18 @@
# First scan optional profiles only (ignore default and custom)
for PROFILE in ${PROFILES}; do
FILE=$(echo ${PROFILE} | awk -F/ '{print $NF}')
FILE=$(echo ${PROFILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then
FIND=$(grep "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g')
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g')
DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}"
fi
done
# Scan custom profile
if [ ! -z "${CUSTOM_PROFILE}" ]; then
FIND=$(grep "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g')
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g')
for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }')
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
done
@ -58,9 +58,9 @@
# Last, use data from default profile
if [ ! -z "${DEFAULT_PROFILE}" ]; then
FIND=$(grep "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g')
FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g')
for LINE in ${FIND}; do
SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }')
SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }')
HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};")
if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi
done
@ -70,10 +70,10 @@
DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | tr ' ' '\n' | sort)
for I in ${DATA_TO_SCAN}; do
tFINDkey=$(echo ${I} | awk -F\; '{ print $2 }')
tFINDexpvalue=$(echo ${I} | awk -F\; '{ print $3 }')
tFINDhp=$(echo ${I} | awk -F\; '{ print $4 }' | grep "[0-9]")
tFINDdesc=$(echo ${I} | awk -F\; '{ print $5 }' | sed 's/-space-/ /g')
tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }')
tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }')
tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]")
tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | sed 's/-space-/ /g')
tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null)
if [ ! "${tFINDcurvalue}" = "" ]; then
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then

30
include/tests_logging
View File

@ -43,7 +43,7 @@
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
FIND=`${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
@ -183,7 +183,7 @@
LogText "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"`
#FIND=`${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep"`
IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running"
@ -258,7 +258,7 @@
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
if [ "${FIND}" = "" ]; then
LogText "Result: nothing found"
else
@ -277,7 +277,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort -u`
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | ${SORTBINARY} -u`
if [ "${FIND}" = "" ]; then
LogText "Result: nothing found"
else
@ -302,7 +302,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
FIND=`${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#"`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts"
@ -311,7 +311,7 @@
# Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | grep loghost`
FIND=`getent hosts loghost | ${GREPBINARY} loghost`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was succesful"
@ -347,15 +347,15 @@
fi
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
FIND=`${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'`
DESTINATIONS=`${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}'`
for DESTINATION in ${DESTINATIONS}; do
FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"`
FIND2=`${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)"`
if [ ! "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
@ -397,7 +397,7 @@
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing directories from /etc/newsyslog.conf file"
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u`
FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u`
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Result: Directory ${I} found and exists"
@ -417,7 +417,7 @@
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing files from /etc/newsyslog.conf file"
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sort -u`
FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SORTBINARY} -u`
for I in ${FIND}; do
if [ -f ${I} ]; then
LogText "Result: File ${I} found and exists"
@ -454,7 +454,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
if [ ! "${LSOFBINARY}" = "" ]; then
FIND=`${LSOFBINARY} -n 2>&1 | grep "log$" | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $9 } }' | sort -u | grep -v "^$"`
FIND=`${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$"`
for I in ${FIND}; do
LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}"
@ -480,7 +480,7 @@
LSOF_GREP="WARNING|Output information"
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
if [ ! -z "${DPKGBINARY}" ]; then EARLY_MYSQL=$(${DPKGBINARY} -l | egrep mysql-server-5.[0-5]); fi
if [ ! -z "${DPKGBINARY}" ]; then EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5]); fi
if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
@ -490,7 +490,7 @@
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
fi
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | egrep -vw "${LSOF_GREP}" | awk '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | grep -v "^$" | sort -u)
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
@ -512,7 +512,7 @@
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSOFBINARY} -n -w | awk '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | sort | uniq)
FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
LogText "Found an opened logfile that is empty: ${I}"

6
include/tests_mac_frameworks
View File

@ -110,16 +110,16 @@
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled
FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'`
FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }'`
if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: SELinux framework is enabled"
Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }'`
Report "selinux_mode=${FIND}"
FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
FIND2=`${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }'`
LogText "Result: current SELinux mode is ${FIND}"
LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then

18
include/tests_mail_messaging
View File

@ -62,9 +62,9 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
#FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
FIND1=`${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"`
#FIND2=`${PSBINARY} ax | ${GREPBINARY} "qmgr" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"`
#FIND3=`${PSBINARY} ax | ${GREPBINARY} "pickup" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"`
if [ ! "${FIND1}" = "" ]; then
LogText "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN
@ -84,7 +84,7 @@
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
@ -98,11 +98,11 @@
Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration: banner"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Postfix banner"
FIND1=$(${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep 'postfix')
FIND2=$(${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep '$mail_name')
FIND3=$(${POSTCONFBINARY} 2> /dev/null | grep '^mail_name' | grep -i 'postfix')
FIND1=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} 'postfix')
FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
#TODO Check if OS name shows up in banner
#FIND4=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
#FIND4=`${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${EGREPBINARY} "${OS}|${LINUX_VERSION}`
SHOWWARNING=0
if [ ! "${FIND1}" = "" ]; then
SHOWWARNING=1
@ -187,7 +187,7 @@
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status"
FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"`
FIND=`${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN

2
include/tests_malware
View File

@ -218,7 +218,7 @@
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN

18
include/tests_memory_processes
View File

@ -33,9 +33,9 @@
if [ -f /proc/meminfo ]; then
LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
FIND=`${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
MEMORY_SIZE=`echo ${FIND} | ${AWKBINARY} '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | ${AWKBINARY} '{ print $2 }'`
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
@ -53,8 +53,8 @@
LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
MEMORY_SIZE=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | cut -d ' ' -f4`
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
@ -73,9 +73,9 @@
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
FIND=`${PSBINARY} -Ae -o pid,stat,comm | awk '{ if ($2 ~ /Z|X/) print $1 }' | xargs`
FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs`
else
FIND=`${PSBINARY} x -o pid,stat,comm | awk '{ if ($2 ~ /Z|X/) print $1 }' | xargs`
FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
LogText "Result: no zombie processes found"
@ -97,9 +97,9 @@
Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
FIND=`${PSBINARY} -Ae -o pid,stat,comm | awk '{ if ($2=="D") print $1 }' | xargs`
FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs`
else
FIND=`${PSBINARY} x -o pid,stat,comm | awk '{ if ($2=="D") print $1 }' | xargs`
FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first"

30
include/tests_nameservices
View File

@ -46,7 +46,7 @@
LogText "Test: check /etc/resolv.conf for default domain"
if [ -f /etc/resolv.conf ]; then
LogText "Result: /etc/resolv.conf found"
FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf`
FIND=`${AWKBINARY} '/^domain/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
LogText "Result: no default domain found"
if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi
@ -71,7 +71,7 @@
LogText "Test: check /etc/resolv.conf for search domains"
if [ -f /etc/resolv.conf ]; then
LogText "Result: /etc/resolv.conf found"
FIND=`awk '/^search/ { print $2 }' /etc/resolv.conf`
FIND=`${AWKBINARY} '/^search/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
LogText "Result: no search domains found, default domain is being used"
else
@ -96,7 +96,7 @@
fi
# Check amount of search domains (max 1)
FIND=`grep -c "^search" /etc/resolv.conf`
FIND=`${GREPBINARY} -c "^search" /etc/resolv.conf`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
@ -115,7 +115,7 @@
LogText "Test: check /etc/resolv.conf for non default options"
if [ -f /etc/resolv.conf ]; then
LogText "Result: /etc/resolv.conf found"
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
FIND=`${GREPBINARY} "^options" /etc/resolv.conf | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
@ -168,7 +168,7 @@
#
# Test : NAME-4028
# Description : Check DNS domain name
# To Do : grep ^DOMAINNAME /etc/conf.d/domainname (remove "'s)
# To Do : ${GREPBINARY} ^DOMAINNAME /etc/conf.d/domainname (remove "'s)
Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name"
if [ ${SKIPTEST} -eq 0 ]; then
DOMAINNAME=""
@ -365,7 +365,7 @@
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to determine version from banner"
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
FIND=`${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then
LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
@ -456,7 +456,7 @@
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS backends"
FIND=`awk -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}`
FIND=`${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Found backend: ${I}"
@ -476,7 +476,7 @@
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status"
FIND=`grep "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
FIND=`${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES"
@ -486,7 +486,7 @@
Display --indent 4 --text "- PowerDNS authoritive master: NO"
fi
LogText "Test: Checking for PowerDNS slave status"
FIND=`grep "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
FIND=`${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES"
@ -531,7 +531,7 @@
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking `domainname` for NIS domain value"
FIND=`${DOMAINNAMEBINARY} | grep -v "(none)"`
FIND=`${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)"`
if [ ! "${FIND}" = "" ]; then
LogText "Value: ${FIND}"
NISDOMAIN="${FIND}"
@ -555,7 +555,7 @@
if [ -f /etc/sysconfig/network ]; then
LogText "Result: file /etc/sysconfig/network exists"
LogText "Test: checking NISDOMAIN value in file"
FIND3=`grep "^NISDOMAIN" /etc/sysconfig/network | awk -F= '{ print $2 }' | sed 's/"//g'`
FIND3=`${GREPBINARY} "^NISDOMAIN" /etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | sed 's/"//g'`
if [ ! "${FIND3}" = "" ]; then
LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}"
@ -569,7 +569,7 @@
if [ ! "${SYSCTLBINARY}" = "" ]; then
# Check sysctl (e.g. FreeBSD)
LogText "Test: checking sysctl for kern.domainname"
FIND=`${SYSCTLBINARY} -a 2>&1 | grep "^kern.domainname" | awk -F: '{ print $2 }' | sed 's/ //g' | grep -v "^$"`
FIND=`${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | sed 's/ //g' | ${GREPBINARY} -v "^$"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found NIS domain via sysctl"
NISDOMAIN="${FIND}"
@ -598,7 +598,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check duplicate line in /etc/hosts"
if [ -f /etc/hosts ]; then
sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d`
sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | uniq -d`
if [ "${sFIND}" = "" ]; then
LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
@ -623,7 +623,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep -i ${HOSTNAME}`
sFIND=`${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
@ -644,7 +644,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`egrep -v '^(#|$)' /etc/hosts | egrep '^(localhost|::1)\s' | grep -w ${HOSTNAME}`
sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then
LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${sFIND}"

80
include/tests_networking
View File

@ -45,12 +45,12 @@
IPV6_ONLY=255
IPV6_MISCONFIGURED=0
IPV6_MISCONFIGURED_MTU=0
FIND=`sysctl -a 2> /dev/null | grep "^net.ipv6" | sed "s/ = /=/"`
FIND=`sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | sed "s/ = /=/"`
if [ ! "${FIND}" = "" ]; then
IPV6_CONFIGURED=1
for I in ${FIND}; do
SYSCTL_KEY=`echo ${I} | awk -F= '{ print $1 }'`
SYSCTL_VALUE=`echo ${I} | awk -F= '{ print $2 }'`
SYSCTL_KEY=`echo ${I} | ${AWKBINARY} -F= '{ print $1 }'`
SYSCTL_VALUE=`echo ${I} | ${AWKBINARY} -F= '{ print $2 }'`
case ${SYSCTL_KEY} in
"net.ipv6.conf.default.accept_ra")
if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi
@ -122,7 +122,7 @@
LogText "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
LogText "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq`
FIND=`${GREPBINARY} '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers"
LogText "Test: Querying nameservers"
@ -195,7 +195,7 @@
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
FIND=`${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
@ -259,14 +259,14 @@
FIND=""
case ${OS} in
AIX)
FIND=`lscfg -vl ent* | fgrep "Network Address" | cut -d"." -f14 | awk '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'`
FIND=`lscfg -vl ent* | f${GREPBINARY} "Network Address" | cut -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'`
;;
DragonFly|FreeBSD)
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | sort -u`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u`
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | awk '{ if ($4=="HWaddr") print $5 }' | sort -u`
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u`
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather hardware addresses"
@ -277,16 +277,16 @@
fi
;;
MacOS)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="lladdr" || $1=="ether") print $2 }' | sort -u`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u`
;;
NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="address:") print $2 }' | sort -u`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u`
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="lladdr") print $2 }' | sort -u`
FIND=`${IFCONFIGBINARY} -A | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u`
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="ether") print $2 }' | sort -u`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u`
;;
*)
# Having a system currently unsupported? Share your details to determine MAC information
@ -310,18 +310,18 @@
FIND=""; FIND2=""
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
;;
Linux)
if [ ! "${IFCONFIGBINARY}" = "" ]; then
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }' | cut -d ':' -f2`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | cut -d ':' -f2`
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
else
if [ ! "${IPBINARY}" = "" ]; then
LogText "Test: Using ip binary to gather IP addresses"
@ -333,16 +333,16 @@
fi
;;
MacOS)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet6") print $2 }'`
FIND=`${IFCONFIGBINARY} -A | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -A | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'`
;;
*)
LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
@ -376,7 +376,7 @@
case ${OS} in
DragonFly|FreeBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | sort -u`
FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u`
# To strip off IP's: sed 's/|.*:/|/'
else
FIND=""
@ -386,15 +386,15 @@
Linux)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'`
FIND=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'`
# TCP
FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'`
FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'`
else
if [ ! "${SSBINARY}" = "" ]; then
# UDP
FIND=`${SSBINARY} -u -a -n | awk '{ print $4 }' | grep -v Local`
FIND=`${SSBINARY} -u -a -n | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local`
# TCP
FIND2=`${SSBINARY} -t -a -n | awk '{ print $4 }' | grep -v Local`
FIND2=`${SSBINARY} -t -a -n | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local`
else
ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports"
fi
@ -404,7 +404,7 @@
MacOS)
if [ ! "${LSOFBINARY}" = "" ]; then
# UDP and TCP combined
FIND=`${LSOFBINARY} -i -P | awk '{ print $9"|"$8"|"$1"|" }' | sed 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | sed 's/\*/'$IP'/' | sort -u | grep -v "NAME"`
FIND=`${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | sed 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | sed 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME"`
else
FIND=""
fi
@ -415,7 +415,7 @@
NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | sort -u`
FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u`
else
FIND=""
fi
@ -424,9 +424,9 @@
OpenBSD)
if [ ! "${NETSTATBINARY}" = "" ]; then
# UDP
FIND=`${NETSTATBINARY} -an 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"||" }'`
FIND=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }'`
# TCP
FIND2=`${NETSTATBINARY} -an 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"||" }}'`
FIND2=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}'`
else
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
@ -471,14 +471,14 @@
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
FIND=`${IFCONFIGBINARY} | ${GREPBINARY} PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
WHITELISTED=0
for PROFILE in ${PROFILES}; do
Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}"
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}`
if [ ! "${ISWHITELISTED}" = "" ]; then
WHITELISTED=1
LogText "Result: this interface was whitelisted in profile (${PROFILE})"
@ -513,13 +513,13 @@
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking promiscuous interfaces (Linux)"
NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1`
NETWORK=`${IFCONFIGBINARY} | ${GREPBINARY} Link | tr -s ' ' | cut -d ' ' -f1`
if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do
FIND=`${IFCONFIGBINARY} ${I} | grep PROMISC`
FIND=`${IFCONFIGBINARY} ${I} | ${GREPBINARY} PROMISC`
if [ ! "${FIND}" = "" ]; then
LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
@ -551,7 +551,7 @@
# Description : Netstat/socktstat compare (FreeBSD)
# echo -n " - Comparing output sockstat and netstat"
# LogText "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort -u`
# NETSTATOUTPUT=`netstat -an | ${GREPBINARY} -v 'TIME_WAIT' | ${GREPBINARY} -v 'ESTABLISHED' | ${GREPBINARY} -v 'SYN_SENT' | ${GREPBINARY} -v 'CLOSE_WAIT' | ${GREPBINARY} -v 'LAST_ACK' | ${GREPBINARY} -v 'SYN_RECV' | ${GREPBINARY} -v 'CLOSING' | cut -c 1-44 | ${GREPBINARY} '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v '*' | ${SORTBINARY} -u`
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
# ShowResult OK
@ -572,7 +572,7 @@
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
FIND=`${NETSTATBINARY} -an | ${GREPBINARY} WAIT | wc -l | ${AWKBINARY} '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then

14
include/tests_php
View File

@ -99,7 +99,7 @@
FOUND=0
for I in ${PHPINI_ALLFILES}; do
LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
FIND=`grep "^disable_functions.*=" ${I}`
FIND=`${GREPBINARY} "^disable_functions.*=" ${I}`
if [ "${FIND}" = "" ]; then
LogText "Result: ${I}: disabled_functions not found"
else
@ -107,7 +107,7 @@
FOUND=1
fi
FIND=`grep "^suhosin.executor.func.blacklist=" ${I}`
FIND=`${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I}`
if [ "${FIND}" = "" ]; then
LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
else
@ -153,7 +153,7 @@
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option"
FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'`
FIND=`${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
@ -177,7 +177,7 @@
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking expose_php option"
FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
FIND=`${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
@ -201,7 +201,7 @@
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP enable_dl option"
FIND=$(egrep -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;')
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! -z "${FIND}" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
@ -223,7 +223,7 @@
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option"
FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
FIND=`${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
@ -246,7 +246,7 @@
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option"
FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
FIND=`${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"

66
include/tests_ports_packages
View File

@ -73,7 +73,7 @@
LogText "Test: Querying pkg_info to get package list"
Display --indent 6 --text "- Querying pkg_info for installed packages"
LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do
N=$((N + 1))
sPKG_NAME=`echo ${J} | cut -d ',' -f1`
@ -176,8 +176,8 @@
else
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=`echo ${J} | awk -F, '{print $1}'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{print $2}'`
PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{print $1}'`
PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{print $2}'`
LogText "Found package: ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done
@ -201,15 +201,15 @@
LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
LogText "Output:"; LogText "--------"
SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
SPACKAGES=`${PACMANBINARY} -Q | ${SORTBINARY} | sed 's/ /,/g'`
if [ "${SPACKAGES}" = "" ]; then
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'`
PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{ print $1 }'`
PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{ print $2 }'`
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
@ -257,7 +257,7 @@
COUNT=0
# Check configuration options (options start with a capital)
LogText "Test: searching configured options in ${PACMANCONF}"
FIND=`grep "^[A-Z]" ${PACMANCONF} | sort -u | sed 's/ /:space:/g'`
FIND=`${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | sed 's/ /:space:/g'`
for I in ${FIND}; do
PMOPTION=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'`
PMVALUE=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'`
@ -267,7 +267,7 @@
# Check software repositories
LogText "Test: checking available repositories"
FIND=`grep "^\[.*\]$" ${PACMANCONF} | tr -d '[]'`
FIND=`${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | tr -d '[]'`
for I in ${FIND}; do
COUNT=$((COUNT + 1))
Report "package_repository[]=${I}"
@ -285,7 +285,7 @@
N=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
FIND=`${ZYPPERBINARY} -n se -t package -i | awk '{ if ($1=="i") { print $3 } }'`
FIND=`${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=$((N + 1))
@ -306,7 +306,7 @@
if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${ZYPPERBINARY} -n pchk | grep "(0 security patches)"`
FIND=`${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -315,7 +315,7 @@
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u`
FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u`
LogText "List of vulnerable packages/version:"
for I in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
@ -341,7 +341,7 @@
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' ',' | sort`
SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | tr -s ' ' | tr ' ' ',' | sort`
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=`echo ${J} | cut -d ',' -f2`
@ -358,13 +358,13 @@
#
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in `dpkg -l | grep "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done
# Notes : Cleanup: for pkg in `dpkg -l | ${GREPBINARY} "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | cut -d ' ' -f3 | sort`
if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
LogText "Result: no packages found with left overs"
@ -392,7 +392,7 @@
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portsclean ]; then
FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
FIND=`/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | tr -d ' '`
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
LogText "Result: no unused distfiles found"
@ -419,7 +419,7 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | awk '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'`
SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'`
for J in ${SPACKAGES}; do
N=$((N + 1))
PACKAGE_NAME=`echo ${J} | cut -d ',' -f1`
@ -437,7 +437,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check for security updates
LogText "Action: checking updateinfo for security updates"
FIND=`${DNFBINARY} -q updateinfo list sec 2> /dev/null | awk '{ if ($2=="security") { print $3 }}'`
FIND=`${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}'`
if [ ! "${FIND}" = "" ]; then
VULNERABLE_PACKAGES_FOUND=1
LogText "Result: found vulnerable packages, upgrade of system needed."
@ -463,7 +463,7 @@
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if repoquery plugin is available
FIND=`${DNFBINARY} 2>&1 | grep "^repoquery"`
FIND=`${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery"`
if [ ! "${FIND}" = "" ]; then
LogText "Action: checking integrity of package database"
FIND=`${DNFBINARY} -q repoquery --duplicated`
@ -553,7 +553,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'`
UPACKAGES=`/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }'`
for J in ${UPACKAGES}; do
N=$((N + 1))
LogText "Upgrade available (new version): ${J}"
@ -588,7 +588,7 @@
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
LogText "List of vulnerable packages/version:"
for I in `/usr/sbin/pkg_admin audit | awk '{ print $2 }' | sort -u`; do
for I in `/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u`; do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
@ -615,7 +615,7 @@
Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/sbin/pkg ]; then
FIND=`/usr/sbin/pkg audit 2> /dev/null | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
FIND=`/usr/sbin/pkg audit 2> /dev/null | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found'`
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg audit"
if [ "${FIND}" = "" ]; then
@ -631,7 +631,7 @@
#ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
#LogText "List of vulnerable packages/version:"
#for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do
#for I in `/usr/sbin/pkg audit -F | ${GREPBINARY} "Affected package" | cut -d ' ' -f3 | ${SORTBINARY} -u`; do
# Report "vulnerable_package[]=${I}"
# LogText "Vulnerable package: ${I}"
# # Decrease hardening points for every found vulnerable package
@ -653,7 +653,7 @@
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
if [ ${SKIPTEST} -eq 0 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
FIND=`/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found'`
if [ "${FIND}" = "" ]; then
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@ -663,7 +663,7 @@
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do
for I in `/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | cut -d ' ' -f3 | ${SORTBINARY} -u`; do
VULNERABLE_PACKAGES_FOUND=1
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
@ -682,7 +682,7 @@
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: YUM package update management"
FIND=$(${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}' | egrep "^[0-9]+$")
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | sed 's/ //g' | sed 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
@ -777,7 +777,7 @@
# Check if it's installed as package (this is old style)
if [ ${DO_TEST} -eq 0 ]; then
FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"`
FIND=`rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found yum-plugin-security package"
DO_TEST=1
@ -789,7 +789,7 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="yum-security"
LogText "Test: Checking for vulnerable packages"
FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'`
FIND2=`/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }'`
if [ "${FIND2}" = "" ]; then
LogText "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
@ -845,7 +845,7 @@
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
if [ -f /etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=$(egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g')
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | ${GREPBINARY} -v '#' | sed 's/ /!space!/g')
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
@ -858,7 +858,7 @@
fi
if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=$(egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g')
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | sed 's/ /!space!/g')
if [ ! -z "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
@ -926,7 +926,7 @@
LogText "Result: found /usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=`/usr/lib/update-notifier/apt-check 2>&1 | awk -F\; '{ print $2 }'`
FIND=`/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }'`
# Check if we get the proper line back and amount of security patches available
if [ "${FIND}" = "" ]; then
LogText "Result: did not find security updates line"
@ -949,7 +949,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort -u`
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | cut -d ' ' -f2 | ${SORTBINARY} -u`
if [ ! "${FIND}" = "" ]; then
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
@ -1003,7 +1003,7 @@
LogText "Result: found /usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
FIND=`/usr/bin/glsa-check -t all 2>&1 | grep -v "This system is affected by the following GLSAs:" | grep -v "This system is not affected by any of the listed GLSAs" | wc -l`
FIND=`/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | wc -l`
if [ "${FIND}" = "" ]; then
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
@ -1081,7 +1081,7 @@
#################################################################################
#
# Description : HP-UX packages
# Notes : swlist -l fileset (|grep patch) / print_manifest
# Notes : swlist -l fileset (|${GREPBINARY} patch) / print_manifest
#
#################################################################################
#

8
include/tests_printers_spools
View File

@ -69,7 +69,7 @@
Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking cupsd status"
#FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
#FIND=`${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd`
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
@ -139,7 +139,7 @@
FOUND=0
# Checking network addresses
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'`
FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }'`
N=0
for I in ${FIND}; do
LogText "Found network address: ${I}"
@ -168,7 +168,7 @@
# Checking sockets
LogText "Test: Checking cups daemon listening sockets"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }'`
for I in ${FIND}; do
LogText "Found socket address: ${I}"
N=$((N + 1))
@ -224,7 +224,7 @@
QDAEMON_CONFIG_FILE="/etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"`
FIND=`${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN

14
include/tests_scheduling
View File

@ -55,7 +55,7 @@
BAD_FILE_PERMISSIONS=0
BAD_FILE_OWNERSHIP=0
FindCronJob() {
sCRONJOBS=$(egrep '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ',')
sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ',')
}
CRONTAB_FILE="/etc/crontab"
@ -77,7 +77,7 @@
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: found directory ${I}"
LogText "Test: searching files in ${I}"
FIND=$(find ${I} -type f -print | grep -v ".placeholder")
FIND=$(find ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
if [ "${FIND}" = "" ]; then
LogText "Result: no files found in ${I}"
else
@ -109,7 +109,7 @@
if [ -d ${I} ]; then
LogText "Result: found directory ${I}"
LogText "Test: searching files in ${I}"
FIND=$(find ${I} -type f -print | grep -v ".placeholder")
FIND=$(find ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
if [ "${FIND}" = "" ]; then
LogText "Result: no files found in ${I}"
else
@ -186,7 +186,7 @@
Register --test-no SCHD-7718 --weight L --network NO --category security --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking atd status"
FIND=$(${PSBINARY} ax | grep "/atd" | grep -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then
LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN
@ -224,7 +224,7 @@
FileIsReadable ${AT_ALLOW}
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=$(sort ${AT_ALLOW})
FIND=$(${SORTBINARY} ${AT_ALLOW})
if [ "${FIND}" = "" ]; then
LogText "Result: File empty, no users are allowed to schedule at jobs"
else
@ -242,7 +242,7 @@
FileIsReadable ${AT_DENY}
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=$(sort ${AT_DENY})
FIND=$(${SORTBINARY} ${AT_DENY})
if [ "${FIND}" = "" ]; then
LogText "Result: file is empty, no users are denied access to schedule jobs"
else
@ -273,7 +273,7 @@
Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check at jobs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check scheduled at jobs"
FIND=$(atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g')
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found one or more jobs"
for I in ${FIND}; do

28
include/tests_shells
View File

@ -51,7 +51,7 @@
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking console TTYs"
FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'`
FIND=`${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password."
@ -75,7 +75,7 @@
if [ -f /etc/shells ]; then
LogText "Result: Found /etc/shells file"
LogText "Test: Reading available shells from /etc/shells"
SSHELLS=`grep "^/" /etc/shells`
SSHELLS=`${GREPBINARY} "^/" /etc/shells`
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do
@ -117,9 +117,9 @@
if [ -f /etc/profile ]; then
# Determine if we can find a TMOUT value
FIND=`grep 'TMOUT=' /etc/profile | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'`
FIND=`${GREPBINARY} 'TMOUT=' /etc/profile | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v "^#" | sed 's/export//' | sed 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'`
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=`grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'`
FIND2=`${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | sed 's/#.*//' | ${AWKBINARY} '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
@ -163,9 +163,9 @@
FIND=`ls /etc/profile.d/*.sh 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
# Determine if we can find a TMOUT value
FIND=`cat /etc/profile.d/*.sh 2> /dev/null | grep 'TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'`
FIND=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v "^#" | sed 's/export//' | sed 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'`
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'`
FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | sed 's/#.*//' | ${AWKBINARY} '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
@ -231,7 +231,7 @@
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
FOUND=1
FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
FIND=`${GREPBINARY} umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
@ -280,7 +280,7 @@
LogText "Test: Check if bash is in the list of shells."
if [ -f /etc/shells ]; then
LogText "Test: checking for bash shell in /etc/shells"
FIND=`egrep '(/usr)?(/local)?/bin/bash' /etc/shells | grep -v "^#" | head -1`
FIND=`${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1`
else
LogText "Test: checking if bash is available via which command"
FIND=`which bash 2> /dev/null | head -1`
@ -295,7 +295,7 @@
# CVE-2014-6271
LogText "Test: Check for first exploit (CVE-2014-6271)"
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
@ -312,7 +312,7 @@
# CVE-2014-6278
LogText "Test: Check for CVE-2014-6278"
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
@ -327,7 +327,7 @@
# CVE-2014-7169
LogText "Test: Check for taviso bug CVE-2014-7169"
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP}
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | ${GREPBINARY} ' vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
@ -342,7 +342,7 @@
# CVE-2014-7186
LogText "Test: Check for CVE-2014-7186"
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
@ -357,7 +357,7 @@
# CVE-2014-7187
LogText "Test: Check for CVE-2014-7187"
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
@ -372,7 +372,7 @@
# CVE-2014-////
LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP}
echo "env X=' () { }; echo hello' bash -c 'date'| ${GREPBINARY} 'hello'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then

4
include/tests_solaris
View File

@ -32,7 +32,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled"
@ -51,7 +51,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# LogText "Result: Stop-A is disabled"

22
include/tests_squid
View File

@ -42,7 +42,7 @@
LogText "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
FIND=`${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep"`
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running"
@ -94,7 +94,7 @@
# Skip check if a setuid/setgid bit is found
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
FIND2=`${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }'`
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
SQUID_VERSION="${FIND2}"
else
@ -114,7 +114,7 @@
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`grep -v "^#" ${SQUID_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
FIND=`${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
LogText "Found Squid option: ${I}"
@ -159,7 +159,7 @@
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check auth_param option for authentication methods"
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
FIND=`${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'`
if [ "${FIND}" = "" ]; then
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
@ -180,7 +180,7 @@
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check external_acl_type option for external authentication helpers"
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
FIND=`${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then
LogText "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
@ -203,7 +203,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking ACLs"
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
FIND=`${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
@ -228,14 +228,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking ACL Safe_ports http_access option"
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
FIND=`${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports"`
if [ "${FIND}" = "" ]; then
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
LogText "Result: checking ACL safe ports"
FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
FIND2=`${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }'`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
@ -251,7 +251,7 @@
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
FIND2=`${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 1 1
@ -279,7 +279,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: checking option reply_body_max_size"
FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
FIND=`${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
@ -306,7 +306,7 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
FIND=`${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on"`
if [ "${FIND}" = "" ]; then
LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW

8
include/tests_ssh
View File

@ -137,7 +137,7 @@
# Go through our list of options
for I in ${SSHOPS}; do
OPTIONNAME=`echo ${I} | cut -d ':' -f1`
OPTIONNAME_LOWER=`echo ${I} | cut -d ':' -f1 | awk '{ print tolower($1) }'`
OPTIONNAME_LOWER=`echo ${I} | cut -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }'`
EXPECTEDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f1`
MEDIUMSCOREDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f2`
WEAKVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3`
@ -147,7 +147,7 @@
if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then
# Get value and use the last occurrence
FOUNDVALUE=`awk -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1`
FOUNDVALUE=`${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1`
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
if [ ! "${FOUNDVALUE}" = "" ]; then
@ -241,7 +241,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=`egrep -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
FIND=`${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
@ -252,7 +252,7 @@
fi
# AllowGroups
FIND=`egrep -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
FIND=`${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN

14
include/tests_storage
View File

@ -37,8 +37,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND=`egrep -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | grep -v "#"`
FIND2=`egrep -r "^blacklist usb[-_]storage" /etc/modprobe.d/*`
FIND=`${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"`
FIND2=`${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
@ -48,7 +48,7 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`egrep "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
FIND=`${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
@ -114,8 +114,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND1=`egrep "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | grep -v "#"`
FIND1=`${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"`
FIND2=`${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
@ -125,8 +125,8 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND1=`egrep -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | grep -v "#"`
FIND1=`${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#"`
FIND2=`${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"

6
include/tests_storage_nfs
View File

@ -94,7 +94,7 @@
Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking running NFS daemon"
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
FIND=`${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep"`
if [ "${FIND}" = "" ]; then
LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
@ -122,7 +122,7 @@
LogText "Test: check /etc/exports"
if [ -f /etc/exports ]; then
LogText "Result: /etc/exports exists"
FIND=`grep -v "^$" /etc/exports | grep -v "^#" | sed 's/ /!space!/g'`
FIND=`${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
@ -161,7 +161,7 @@
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
#LogText "Test: "
sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
sFIND=`${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | sed '1d'| ${GREPBINARY} "\*"`
if [ "${sFIND}" != "" ]; then
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW

32
include/tests_time
View File

@ -70,7 +70,7 @@
fi
# Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
FIND=`${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep"`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd"
@ -87,7 +87,7 @@
# Check timedate daemon (systemd)
if [ ! "${TIMEDATECTL}" = "" ]; then
FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"`
FIND=`${TIMEDATECTL} status | ${GREPBINARY} "NTP enabled: yes"`
if [ ! "${FIND}" = "" ]; then
# Check for systemd-timesyncd
if [ -f /etc/systemd/timesyncd.conf ]; then
@ -106,7 +106,7 @@
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'`
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#'`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
@ -127,11 +127,11 @@
# Check cron jobs
for I in ${CRON_DIRS}; do
if [ -d ${I} ]; then
FIND=`ls ${I} | grep -v FIFO`
FIND=`ls ${I} | ${GREPBINARY} -v FIFO`
if [ ! "${FIND}" = "" ]; then
for J in ${FIND}; do
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | grep -v "^#"`
FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#"`
if [ ! "${FIND2}" = "" ]; then
LogText "Positive match found: ${FIND2}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
@ -165,7 +165,7 @@
# Configuration file for *BSD
if [ -f /etc/rc.conf ]; then
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
FIND=`${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf`
if [ ! "${FIND}" = "" ]; then
LogText "Result: ntpdate is enabled in rc.conf"
FOUND=1
@ -203,7 +203,7 @@
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP synchronized: yes"`
FIND=`${TIMEDATECTL} status | ${GREPBINARY} "NTP synchronized: yes"`
if [ "${FIND}" = "" ]; then
LogText "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
@ -218,7 +218,7 @@
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for NTP association ID's from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} "No association ID's returned"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found one or more association ID's"
@ -237,14 +237,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'`
FIND=`${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($3=="16") { print $1 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN
LogText "Result: All peers are lower than stratum 16"
else
for I in ${FIND}; do
LogText "Found stratum 16 peer: ${I}"
FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
FIND2=`${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
if [ "${FIND2}" = "" ]; then
N=$((N + 1))
else
@ -274,7 +274,7 @@
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
FIND=`${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | sed 's/^-//g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
LogText "Result: No unreliable peers found"
@ -297,8 +297,8 @@
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking selected time source"
FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'`
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }'`
FIND2=`${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }'`
if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN
FIND2=`echo ${FIND2} | sed 's/*//g'`
@ -319,7 +319,7 @@
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preffered time source"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^+' | ${AWKBINARY} '{ print $1 }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW
LogText "Result: No other time source candidates found"
@ -342,7 +342,7 @@
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'`
FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^x'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
LogText "Result: No falsetickers found (items preceeding with an 'x')"
@ -366,7 +366,7 @@
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
FIND=`${NTPQBINARY} -c ntpversion | ${AWKBINARY} '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: No NTP version found"

8
include/tests_tooling
View File

@ -195,7 +195,7 @@
if [ ${PERFORM_FAIL2BAN_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FAIL2BANCLIENT} -d | tr -d '[]' | tr -d "'" | awk -F, '{ if ($1=="add") { print $2 }}' | tr -d ' ')
FIND=$(${FAIL2BANCLIENT} -d | tr -d '[]' | tr -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | tr -d ' ')
if [ ! "${FIND}" = "" ]; then
for F2BSERVICE in ${FIND}; do
LogText "Result: service '${F2BSERVICE}' enabled"
@ -221,8 +221,8 @@
# # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
#
# FIND=`egrep "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}`
# FIND2=`egrep "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}`
# FIND=`${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}`
# FIND2=`${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}`
#
# if [ ! "${FIND}" = "" ]; then
# FAIL2BAN_EMAIL=1
@ -271,7 +271,7 @@
# LogText "Checking for fail2ban iptables chains"
#
# if [ ! "${IPTABLESBINARY}" = "" ]; then
# CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban`
# CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban`
# if [ ! "${CHECK_CHAINS}" = "" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN

42
include/tests_webservers
View File

@ -61,7 +61,7 @@
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'`
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache'`
if [ "${IS_APACHE}" = "" ]; then
LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
@ -69,7 +69,7 @@
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | grep "^Server version:" | awk '{ print $3 }' | awk -F/ '{ print $2 }'`
APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }'`
LogText "Apache version: ${APACHE_VERSION}"
Report "apache_version=${APACHE_VERSION}"
fi
@ -93,7 +93,7 @@
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
APACHE_CONFIGFILE=""
APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'`
APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'`
if [ "${APACHE_TEST}" = "" ]; then
LogText "Result: Can't find the configuration file, so skipping some Apache related tests"
@ -104,7 +104,7 @@
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
else
# Probably the prefix is missing, so we are going to search that
APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '`
APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '`
#echo "Apache root prefix: ${APACHE_HTTPDROOT}"
#echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}"
APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
@ -137,7 +137,7 @@
# Sort unsorted list, save it in temp file and then remove unsorted list
if [ -f ${TMPFILE2} ]; then
sort -u ${TMPFILE2} >> ${TMPFILE}
${SORTBINARY} -u ${TMPFILE2} >> ${TMPFILE}
rm -f ${TMPFILE2}
fi
cVHOSTS=0; tVHOSTS=""
@ -149,14 +149,14 @@
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
# Search Virtual Hosts
for J in `grep "ServerName" ${I} | grep -v "^#" | awk '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do
for J in `${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1))
fi
done
# Search Server aliases
for J in `grep "ServerAlias" ${I} | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
for J in `${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=$((cVHOSTS + 1))
@ -205,12 +205,12 @@
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
# if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'`
# SERVERTOKENSTEST=`${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3`
# SERVERTOKENSEXPECTED=`${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | cut -d ':' -f3`
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
# LogText "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1
@ -250,11 +250,11 @@
#if [ ${SKIPTEST} -eq 0 ]; then
# Testing Debian style
#LogText "Test: searching loaded/enabled Apache modules"
#apachectl -t -D DUMP_MODULES 2>&1 | egrep -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //'
#apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //'
#for I in ${APACHE_MODULES_ENABLED_LOCS}; do
#LogText "Test: checking ${I}"
#if [ -d ${I} ]; then
#FIND=`grep -r LoadModule ${I}/* | grep -v "^#" | awk '{ print $2":"$3 }'`
#FIND=`${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }'`
#else
#LogText "Result: ${I} does not exist"
#fi
@ -380,7 +380,7 @@
Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: searching running nginx process"
FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
FIND=`${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep"`
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
@ -428,9 +428,9 @@
# Remove temp file
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
FIND=`${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null`
for J in ${FIND2}; do
@ -442,7 +442,7 @@
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}"
FIND3=`sed -e 's/^[ ]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
FIND3=`sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi
@ -451,7 +451,7 @@
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
SORTFILE=`${SORTBINARY} -u ${TMPFILE} | sed 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})"`
for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'`
Report "nginx_config_option[]=${I}";
@ -478,7 +478,7 @@
LogText "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options"
for I in ${NGINX_CONF_FILES}; do
FILENAME=$(echo ${I} | awk -F/ '{print $NF}')
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
if FileIsReadable ${I}; then
Display --indent 8 --text "- ${I}"
@ -492,7 +492,7 @@
done
if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then
for I in ${NGINX_CONF_FILES_ADDITIONS}; do
FILENAME=$(echo ${I} | awk -F/ '{print $NF}')
FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')
if [ ! "${FILENAME}" = "mime.types" ]; then
if FileIsReadable ${I}; then
Display --indent 8 --text "- ${I}"
@ -651,7 +651,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
# FIND=`${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
# for I in ${FIND}; do
# LogText "Found reverse proxy configuration for: ${I}"
# N=$((N + 1))
@ -675,7 +675,7 @@
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# LogText "Test: searching nginx virtual hosts"
# FIND=`grep "server_name" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/server_name//g' | tr -d ';'`
# FIND=`${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | sed 's/server_name//g' | tr -d ';'`
# for I in ${FIND}; do
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
# LogText "Found virtual host: ${I}"
@ -703,7 +703,7 @@
LogText "Test: Checking ${DIR}"
if [ -d ${DIR} ]; then
LogText "Result: Directory ${DIR} exists, so will be used as search path"
FIND=$(find ${DIR} -type f -exec grep access_log \{\} \; | grep -v "#" | awk '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | sort -u)
FIND=$(find ${DIR} -type f -exec ${GREPBINARY} access_log \{\} \; | ${GREPBINARY} -v "#" | ${AWKBINARY} '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | ${SORTBINARY} -u)
if [ -z "${FIND}" ]; then
LogText "Result: no log files found"
else