diff --git a/include/tests_accounting b/include/tests_accounting index 0b324131..0e522800 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -104,7 +104,7 @@ LogText "Test: check /etc/default/sysstat presence" if [ -f ${ROOTDIR}etc/default/sysstat ]; then LogText "Result: ${ROOTDIR}etc/default/sysstat found" - FIND=`grep "^ENABLED" ${ROOTDIR}etc/default/sysstat | grep -i true` + FIND=`${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true` if [ ! "${FIND}" = "" ]; then LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN @@ -114,7 +114,7 @@ ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)" fi elif [ -f ${ROOTDIR}etc/cron.d/sysstat ]; then - FIND=`grep -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat` + FIND=`${GREPBINARY} -v '^[[:space:]]*\(#\|$\)' ${ROOTDIR}etc/cron.d/sysstat` if [ ! "${FIND}" = "" ]; then LogText "Result: sysstat enabled via ${ROOTDIR}etc/cron.d/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN @@ -167,7 +167,7 @@ Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for auditd rules" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd rules" - FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"` + FIND=`${AUDITCTLBINARY} -l | ${GREPBINARY} -v "No rules"` if [ "${FIND}" = "" ]; then LogText "Result: auditd rules empty" Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW 
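Review bot: In the first tests_accounting hunk (`@@ -104`), `${GREPBINARY}` is expanded unquoted at the head of the pipeline, so if the variable is empty the pattern `"^ENABLED"` becomes the command name, the pipeline fails, and `FIND` is silently empty. The same holds for every `${GREPBINARY}`, `${EGREPBINARY}`, `${AWKBINARY}` and `${SORTBINARY}` substitution in this patch. In tests where an empty `FIND` is the passing branch, for example the "Unique UIDs" check in tests_authentication that reports `${STATUS_OK}`, a missing binary would read as a clean result. Where these variables are populated is not visible in this diff, so this may already be guaranteed; if it is not, a guard before first use such as `[ -n "${GREPBINARY}" ] || LogText "Result: grep binary not found, test results unreliable"` would make the failure visible. The enclosing test block starts and ends outside the hunk.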
@@ -219,7 +219,7 @@ Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking auditd log file" - FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'` + FIND=`${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'` if [ ! "${FIND}" = "" ]; then LogText "Result: log file is defined" LogText "Defined value: ${FIND}" @@ -251,7 +251,7 @@ Display --indent 2 --text "- Checking Snoopy" --result "${STATUS_FOUND}" --color GREEN if [ -f ${ROOTDIR}etc/ld.so.preload ]; then LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed" - FIND=`grep ${FILE} ${ROOTDIR}etc/ld.so.preload` + FIND=`${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload` if [ ! "${FIND}" = "" ]; then LogText "Result: found snoopy in ld.so.preload" LogText "Output: ${FIND}" @@ -297,7 +297,7 @@ Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check auditd SMF status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check if auditd service is enabled and online" - FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"` + FIND=`/usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online"` if [ ! "${FIND}" = "" ]; then LogText "Result: auditd service is online" Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN 
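Review bot: In the Snoopy hunk (`@@ -251`), `${FILE}` is passed to grep unquoted and as a regular expression, so a value containing spaces is split into several arguments and the dots in a library path match any character. An empty `${FILE}` would make grep take the ld.so.preload path as its pattern and wait on standard input. A fixed-string match with both arguments quoted avoids both problems: `${GREPBINARY} -F -- "${FILE}" "${ROOTDIR}etc/ld.so.preload"`. Where `${FILE}` is assigned is outside the hunk.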
@@ -316,7 +316,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system" if [ -f ${ROOTDIR}etc/system ]; then - FIND=`grep 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system` + FIND=`${GREPBINARY} 'set c2audit:audit_load = 1' ${ROOTDIR}etc/system` if [ ! "${FIND}" = "" ]; then LogText "Result: BSM is enabled in ${ROOTDIR}etc/system" Display --indent 4 --text "- Checking Solaris BSM (${ROOTDIR}etc/system)" --result "${STATUS_ENABLED}" --color GREEN @@ -337,7 +337,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check if c2audit module is active" if [ -x /usr/sbin/modinfo ]; then - FIND=`/usr/sbin/modinfo | grep c2audit` + FIND=`/usr/sbin/modinfo | ${GREPBINARY} c2audit` if [ ! "${FIND}" = "" ]; then LogText "Result: c2audit found in modinfo output" Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN @@ -360,7 +360,7 @@ LogText "Test: check /etc/security/audit_control for event logging location" if [ -f ${ROOTDIR}etc/security/audit_control ]; then LogText "Result: file ${ROOTDIR}etc/security/audit_control found" - FIND=`grep "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'` + FIND=`${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'` if [ ! "${FIND}" = "" ]; then LogText "Result: found location ${FIND}" LogText "Test: Checking if location is a valid directory" diff --git a/include/tests_authentication b/include/tests_authentication index b6fb8f19..26bc17c0 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -40,7 +40,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Search accounts with UID 0 LogText "Test: Searching accounts with UID 0" - FIND=(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0') + FIND=(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | ${GREPBINARY} ':0') if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED LogText "Result: Found more than one administrator accounts" @@ -74,7 +74,7 @@ fi # Check password file if [ -f ${PASSWD_FILE} ]; then - FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d) + FIND=$(${GREPBINARY} -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | ${SORTBINARY} | uniq -d) if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Unique UIDs" --result "${STATUS_OK}" --color GREEN LogText "Result: all accounts found in ${PASSWD_FILE} are unique" @@ -165,7 +165,7 @@ Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED for LINE in ${FIND}; do LINE=$(echo ${LINE} | sed 's/!space!/ /g') - SHELL=$(echo ${LINE} | awk -F: '{ print $10 }') + SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }') LogText "Output: ${LINE}" if [ -z "${SHELL}" ]; then LogText "Result: found no shell on line" @@ -198,7 +198,7 @@ Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check unique groups (IDs)" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for non unique group ID's in /etc/group" - FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d) + FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $3 }' | ${SORTBINARY} | uniq -d) if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Unique group IDs" --result "${STATUS_OK}" --color GREEN LogText "Result: All group ID's are unique" 
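Review bot: The UID 0 search in the `@@ -40` hunk is written `FIND=(${GREPBINARY} ':0:' /etc/passwd | ...)` with no `$` before the parenthesis, on both the removed and the added line. As shown that is not a command substitution: a POSIX shell rejects it, and bash parses it as an array assignment and then fails on the `|`. If this is what the file contains rather than an artifact of how the page was rendered, the check for additional administrator accounts never runs. The line should begin `FIND=$(${GREPBINARY} ':0:' /etc/passwd |`, matching the `FIND=$(...)` form used in the next hunk.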
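Review bot: The duplicate-UID pipeline in the `@@ -74` hunk now mixes `${GREPBINARY}` and `${SORTBINARY}` with bare `cut` and `uniq -d`, which are still resolved through `PATH`. If the aim of the change is to run only binaries the scanner has located itself, the conversion is incomplete here and wherever `cut`, `sed`, `uniq`, `tr`, `wc`, `od`, `passwd` or `logins` remain unprefixed in the other hunks. Whether the project defines variables for those tools is not visible in this diff. If it does, using them in the same commit would keep the pipelines consistent; if it does not, a comment stating which tools are intentionally left to `PATH` would help the next reader.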
@@ -218,7 +218,7 @@ Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unique group names" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for non unique group names in /etc/group" - FIND=$(${GREPBINARY} -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d) + FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $1 }' | ${SORTBINARY} | uniq -d) if [ -z "${FIND}" ]; then Display --indent 2 --text "- Unique group names" --result "${STATUS_OK}" --color GREEN LogText "Result: All group names are unique" 
@@ -284,33 +284,33 @@ case ${OS} in "AIX") LogText "AIX real users output (ID = 0, or 100+):" - FIND=`awk -F: '($3 >= 100 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` + FIND=`${AWKBINARY} -F: '($3 >= 100 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` ;; "FreeBSD") LogText "FreeBSD real users output (ID = 0, or 1000+, but not 65534):" - FIND=`awk -F: '($3 >= 1000 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` + FIND=`${AWKBINARY} -F: '($3 >= 1000 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` ;; "Linux") UID_MIN="" if [ -f /etc/login.defs ]; then - UID_MIN=$(${GREPBINARY} "^UID_MIN" /etc/login.defs | awk '{print $2}') + UID_MIN=$(${GREPBINARY} "^UID_MIN" /etc/login.defs | ${AWKBINARY} '{print $2}') LogText "Result: found minimal user id specified: ${UID_MIN}" fi if [ "${UID_MIN}" = "" ]; then UID_MIN="1000"; fi LogText "Linux real users output (ID = 0, or ${UID_MIN}+, but not 65534):" - FIND=`awk -v UID_MIN="${UID_MIN}" -F: '($3 >= UID_MIN && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` + FIND=`${AWKBINARY} -v UID_MIN="${UID_MIN}" -F: '($3 >= UID_MIN && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` ;; "OpenBSD") LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):" - FIND=`awk -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd` + FIND=`${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd` ;; "Solaris") LogText "Solaris real users output (ID =0, or 100+, but not 60001/65534):" - FIND=`awk -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` + FIND=`${AWKBINARY} -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd` ;; *) # Want to help improving Lynis? Determine what user IDs belong to normal user accounts 
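Review bot: In the Linux branch of the `@@ -284` hunk, `UID_MIN` is taken from every line of /etc/login.defs that starts with `UID_MIN`, with no check that the first field is exactly that key and no limit to one match. If more than one line matches, the value contains a newline and is then handed to `${AWKBINARY} -v UID_MIN="${UID_MIN}"`, which can leave `FIND` empty or compare against the wrong threshold. Matching the key exactly and stopping at the first hit, as the PASS_MIN_DAYS test later in this file does with `$1=="PASS_MIN_DAYS"`, is tighter: `UID_MIN=$(${AWKBINARY} '$1=="UID_MIN" { print $2; exit }' /etc/login.defs)`. The `case` statement continues past the end of the hunk.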
@@ -339,7 +339,7 @@ Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus") + FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus") if [ "${FIND}" = "" ]; then LogText "Result: NIS+ authentication not enabled" Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE @@ -366,7 +366,7 @@ Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus") + FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus") if [ "${FIND}" = "" ]; then LogText "Result: NIS authentication not enabled" Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE @@ -437,7 +437,7 @@ # Description : Solaris test to check passwordless accounts Register --test-no AUTH-9254 --os Solaris --weight L --network NO --root-only YES --category security --description "Solaris passwordless accounts" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(logins -p | awk '{ print $1 }') + FIND=$(logins -p | ${AWKBINARY} '{ print $1 }') if [ "${FIND}" = "" ]; then LogText "Result: no passwordless accounts found" Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN 
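Review bot: The NIS test in the `@@ -366` hunk drops every `passwd` line that mentions `nisplus`, so an entry listing both sources, such as the constructed example `passwd: files nis nisplus`, is reported as "NIS authentication not enabled". The substring pattern `compat|nis` is what forces that exclusion. Matching `nis` as a whole word removes the need for it, for example `${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "[[:space:]](compat|nis)([[:space:]]|$)"`. The enclosing `if` blocks close outside the hunk.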
@@ -612,7 +612,7 @@ if [ -f /etc/pam.d/common-auth ]; then LogText "Result: file /etc/pam.d/common-auth exists" LogText "Test: checking presence LDAP module" - FIND=`grep "^auth.*ldap" /etc/pam.d/common-auth` + FIND=`${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth` if [ ! "${FIND}" = "" ]; then LogText "Result: LDAP module present" LogText "Output: ${FIND}" @@ -638,13 +638,13 @@ case ${LINUX_VERSION} in "SuSE") PREQS_MET="YES" - FIND=$(passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }') - FIND2=$(passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }') + FIND=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') + FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') ;; *) PREQS_MET="YES" - FIND=$(passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }') - FIND2=$(passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }') + FIND=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') + FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') ;; esac else @@ -704,7 +704,7 @@ Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking user password aging" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs " - FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }') + FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" /etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }') if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then LogText "Result: password minimum age is not configured" Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW 
@@ -718,7 +718,7 @@ fi LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " - FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }') + FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" /etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MAX_DAYS") { print $2 } }') if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then LogText "Result: password aging limits are not configured" Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW @@ -745,7 +745,7 @@ LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}" LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) - FIND=$(${EGREPBINARY} -v ":[\!\*x](\*)?:" /etc/shadow | awk -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') + FIND=$(${EGREPBINARY} -v ":[\!\*x](\*)?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') if [ ! "${FIND}" = "" ]; then for ACCOUNT in ${FIND}; do LogText "Result: password of user ${ACCOUNT} has been expired" @@ -805,7 +805,7 @@ if [ -f /tcb/files/auth/system/default ]; then LogText "Result: file /tcb/files/auth/system/default exists" LogText "Test: checking presence :d_boot_authenticate@:" - FIND=$(grep "^:d_boot_authenticate@" /tcb/files/auth/system/default) + FIND=$(${GREPBINARY} "^:d_boot_authenticate@" /tcb/files/auth/system/default) if [ -z "${FIND}" ]; then LogText "Result: option not set, password is needed at boot" Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN 
@@ -853,7 +853,7 @@ TEST_PERFORMED=1 LogText "Result: file /etc/sysconfig/init exists" LogText "Test: checking presence sulogin for single user mode" - FIND=`grep "^SINGLE=/sbin/sulogin" /etc/sysconfig/init` + FIND=`${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init` if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" @@ -875,7 +875,7 @@ # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support) TEST_PERFORMED=1 LogText "Result: found target ${I}" - FIND=`egrep "^ExecStart=" ${FILE} | grep "/sulogin"` + FIND=`${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin"` if [ "${FIND}" = "" ]; then LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication" else @@ -926,7 +926,7 @@ if [ ! -z "${FIND}" ]; then LogText "Result: found /etc/profile.d, with one or more files in it" for FILE in ${FIND}; do - HAS_MASK=$(grep umask ${FILE} | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }') + HAS_MASK=$(${GREPBINARY} umask ${FILE} | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') for MASK in ${HAS_MASK}; do if [ "${MASK}" = "077" -o "${MASK}" = "027" ]; then LogText "Result: found a strong umask '${MASK}' set in ${FILE}" 
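Review bot: The umask extraction in the `@@ -926` hunk prints the second field of any non-comment line that contains `umask`, so a line where `umask` is not the first word yields an unrelated token as the mask. The `sed 's/^[ \t]*//'` step also relies on `\t` meaning a tab inside a bracket expression, which POSIX sed does not guarantee, so tab-indented comment lines can slip past the `-v "^#"` filter. Letting awk select on the first field covers both in one step: `HAS_MASK=$(${AWKBINARY} '$1=="umask" { print $2 }' ${FILE})`. The /etc/profile hunk that follows (`@@ -949`) runs the same pipeline twice and has the same issue.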
@@ -949,8 +949,8 @@ if [ -f /etc/profile -a ${GOOD_UMASK} -eq 0 ]; then LogText "Result: file /etc/profile exists" LogText "Test: Checking umask value in /etc/profile" - FIND=$(grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }') - FIND2=$(grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l) + FIND=$(${GREPBINARY} "umask" /etc/profile | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }') + FIND2=$(${GREPBINARY} "umask" /etc/profile | sed 's/^[ \t]*//' | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2 }' | wc -l) FOUND_UMASK=0 if [ "${FIND2}" = "0" ]; then LogText "Result: did not find umask in /etc/profile" @@ -1007,7 +1007,7 @@ if [ -f /etc/passwd ]; then LogText "Result: file /etc/passwd exists" LogText "Test: Checking umask value in /etc/passwd" - FIND=`grep "umask=" /etc/passwd` + FIND=`${GREPBINARY} "umask=" /etc/passwd` if [ "${FIND}" = "" ]; then ReportManual "AUTH-9328:03" fi @@ -1020,7 +1020,7 @@ if [ -f /etc/login.defs ]; then LogText "Result: file /etc/login.defs exists" LogText "Test: Checking umask value in /etc/login.defs" - FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` + FIND=`${GREPBINARY} "^UMASK" /etc/login.defs | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: umask value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW 
@@ -1045,7 +1045,7 @@ if [ -f /etc/init.d/functions ]; then LogText "Result: file /etc/init.d/functions exists" LogText "Test: Checking umask value in /etc/init.d/functions" - FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` + FIND=`${GREPBINARY} "^umask" /etc/init.d/functions | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: umask is not configured" Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE @@ -1067,7 +1067,7 @@ if [ -f /etc/init.d/rc ]; then LogText "Result: file /etc/init.d/rc exists" LogText "Test: Checking UMASK value in /etc/init.d/rc" - FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` + FIND=`${GREPBINARY} -i "^UMASK" /etc/init.d/rc | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW @@ -1092,7 +1092,7 @@ FOUND=0 WEAK_UMASK=0 LogText "Result: file /etc/login.conf exists" - FIND=`grep "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'` + FIND=`${GREPBINARY} "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $2}' | ${AWKBINARY} -F= '{ if ($1=="umask") { print $2 }}'` if [ ! "${FIND}" = "" ]; then for UMASK_VALUE in ${FIND}; do case ${UMASK_VALUE} in 
@@ -1128,9 +1128,9 @@ if [ -f /etc/init.d/rcS ]; then LogText "Result: file /etc/init.d/rcS exists" LogText "Test: Checking if script runs another script." - FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'` + FIND=`${GREPBINARY} -i "^exec " /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then - FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` + FIND2=`${GREPBINARY} -i "^UMASK" /etc/init.d/rcS | ${AWKBINARY} '{ print $2 }'` if [ "${FIND2}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW @@ -1166,7 +1166,7 @@ FOUND=0 if [ -f /etc/security/policy.conf ]; then LogText "Result: found /etc/security/policy.conf" - FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` + FIND=`${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf` if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: account locking option set" @@ -1186,7 +1186,7 @@ LogText "Test: checking /etc/default/login" if [ -f /etc/default/login ]; then LogText "Result: file /etc/default/login exists" - FIND=`grep "^RETRIES" /etc/default/login` + FIND=`${GREPBINARY} "^RETRIES" /etc/default/login` if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: retries option configured" @@ -1214,7 +1214,7 @@ Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then - FIND=$(egrep "^passwd" /etc/nsswitch.conf | grep "ldap") + FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "ldap") if [ "${FIND}" = "" ]; then LogText "Result: LDAP authentication not enabled" Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE 
@@ -1242,7 +1242,7 @@ LogText "Result: file ${FILE} exists, LDAP being used" LDAP_CLIENT_CONFIG_FILE="${FILE}" LogText "Test: checking LDAP servers in file ${FILE}" - FIND=$(egrep "^host " ${FILE} | awk '{ print $2 }') + FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }') for SERVER in ${FIND}; do Display --indent 6 --text "LDAP server: ${SERVER}" LogText "Result: found LDAP server ${SERVER}" @@ -1263,7 +1263,7 @@ Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs " - FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` + FIND=`${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value) if [ "${FIND}" = "yes" ]; then AUTH_FAILED_LOGINS_LOGGED=1 diff --git a/include/tests_banners b/include/tests_banners index 398fe28a..d200b343 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -100,7 +100,7 @@ # N=0 # LogText "Test: Checking file /etc/motd contents for legal key words" # for I in ${LEGAL_BANNER_STRINGS}; do - # FIND=`grep -i "${I}" /etc/motd` + # FIND=`${GREPBINARY} -i "${I}" /etc/motd` # if [ ! "${FIND}" = "" ]; then # LogText "Result: found string '${I}'" # N=$((N + 1)) @@ -151,7 +151,7 @@ N=0 LogText "Test: Checking file /etc/issue contents for legal key words" for I in ${LEGAL_BANNER_STRINGS}; do - FIND=`grep -i "${I}" /etc/issue` + FIND=`${GREPBINARY} -i "${I}" /etc/issue` if [ ! "${FIND}" = "" ]; then LogText "Result: found string '${I}'" N=$((N + 1)) 
@@ -203,7 +203,7 @@ N=0 LogText "Test: Checking file /etc/issue.net contents for legal key words" for I in ${LEGAL_BANNER_STRINGS}; do - FIND=`grep -i "${I}" /etc/issue.net` + FIND=`${GREPBINARY} -i "${I}" /etc/issue.net` if [ ! "${FIND}" = "" ]; then LogText "Result: found string '${I}'" N=$((N + 1)) diff --git a/include/tests_boot_services b/include/tests_boot_services index 16eb31db..c246e4ae 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -70,9 +70,9 @@ case ${OS} in "Linux") if [ -f /proc/1/cmdline ]; then - FILENAME=`awk '/(^\/|init)/ { print $1 }' /proc/1/cmdline` + FILENAME=`${AWKBINARY} '/(^\/|init)/ { print $1 }' /proc/1/cmdline` LogText "Result: cmdline found = ${FILENAME}" - ISFILE=`echo ${FILENAME} | grep "^/"` + ISFILE=`echo ${FILENAME} | ${GREPBINARY} "^/"` if [ ! "${ISFILE}" = "" ]; then if [ -L ${ISFILE} ]; then ShowSymlinkPath ${ISFILE} @@ -84,7 +84,7 @@ fi fi if [ ! "${FILENAME}" = "" ]; then - SHORTNAME=`echo ${FILENAME} | awk -F/ '{ print $NF }'` + SHORTNAME=`echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }'` LogText "Found: ${SHORTNAME}" case ${SHORTNAME} in "init") @@ -97,7 +97,7 @@ SERVICE_MANAGER="upstart" ;; *) - CONTAINS_SYSTEMD=`echo ${SHORTNAME} | grep "systemd"` + CONTAINS_SYSTEMD=`echo ${SHORTNAME} | ${GREPBINARY} "systemd"` if [ ! "${CONTAINS_SYSTEMD}" = "" ]; then SERVICE_MANAGER="systemd" else @@ -186,7 +186,7 @@ if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Test: checking file ${I}" - J=`od -An -t u1 ${I} | awk '{ print $5 }'` + J=`od -An -t u1 ${I} | ${AWKBINARY} '{ print $5 }'` if [ "${J}" = "1" ]; then LogText "Result: found SecureBoot file with enabled status" UEFI_BOOTED_SECURE=1 @@ -200,7 +200,7 @@ fi ;; #MacOS) - # Mac OS ioreg -l -p IODeviceTree | grep firmware-abi + # Mac OS ioreg -l -p IODeviceTree | ${GREPBINARY} firmware-abi #;; *) LogText "Result: no test implemented yet to test for UEFI on this platform" 
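Review bot: In the `@@ -70` hunk of tests_boot_services, `${AWKBINARY}` reads /proc/1/cmdline directly, but that file separates arguments with NUL bytes rather than spaces, so `$1` is not reliably the program path. Awk implementations differ in how they treat NUL, and NUL bytes do not survive the command substitution, which can join the path to the first argument. Converting the separators first keeps the result predictable: `FILENAME=$(tr '\0' ' ' < /proc/1/cmdline | ${AWKBINARY} '/(^\/|init)/ { print $1 }')`. `${ISFILE}` in the following `[ -L ${ISFILE} ]` test should also be quoted. The surrounding `case` block begins and ends outside the hunk.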
@@ -279,11 +279,11 @@ LogText "Found file ${GRUBCONFFILE}, proceeding with tests." FileIsReadable ${GRUBCONFFILE} if [ ${CANREAD} -eq 1 ]; then - FIND=`grep 'password --md5' ${GRUBCONFFILE} | grep -v '^#'` - FIND2=`grep 'password --encrypted' ${GRUBCONFFILE} | grep -v '^#'` - FIND3=`grep 'set superusers' ${GRUBCONFFILE} | grep -v '^#'` - FIND4=`grep 'password_pbkdf2' ${GRUBCONFFILE} | grep -v '^#'` - FIND5=`grep 'grub.pbkdf2' ${GRUBCONFFILE} | grep -v '^#'` + FIND=`${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` + FIND2=`${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` + FIND3=`${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` + FIND4=`${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` + FIND5=`${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#'` # GRUB1: Password should be set (MD5 or SHA1) if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 @@ -358,7 +358,7 @@ BOOT_LOADER_FOUND=1 Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN LogText "Checking password option LILO" - FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"` + FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#"` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED LogText "Result: no password set for LILO. Bootloader is unprotected to" 
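Review bot: Each of the five GRUB greps in the `@@ -279` hunk filters comments with `${GREPBINARY} -v '^#'`, which only removes lines whose first character is `#`. An indented, commented-out `password --md5` or `password --encrypted` line still ends up in `FIND` or `FIND2`, and the visible branch then sets `FOUND=1` as if a boot loader password were configured. Using `-v '^[[:space:]]*#'`, in line with the whitespace-aware pattern already used for /etc/cron.d/sysstat in tests_accounting, closes that gap. The LILO check in the next hunk (`-v "^#"`) has the same weakness.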
@@ -404,7 +404,7 @@ # Register --test-no BOOT-5144 --weight L --network NO --category security --description "Check SPARC Improved boot loader (SILO)" # if [ ${SKIPTEST} -eq 0 ]; then # if [ -f /etc/silo.conf -a -x /sbin/silo ]; then -# FIND=`/sbin/silo | grep "appears to be valid"` +# FIND=`/sbin/silo | ${GREPBINARY} "appears to be valid"` # if [ ! "${FIND}" = "" ]; then # LogText "Result: Found SILO configuration file (/etc/silo.conf)" # Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_OK}" --color GREEN @@ -453,7 +453,7 @@ if [ -f /etc/boot.conf ]; then FOUND=1 Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN - FIND=`grep '^boot' /etc/boot.conf` + FIND=`${GREPBINARY} '^boot' /etc/boot.conf` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED #ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." @@ -498,7 +498,7 @@ else # FreeBSD (Read /etc/rc.conf file for enabled services) LogText "Searching for services at startup (rc.conf)" - FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'` + FIND=`${EGREPBINARY} -v -i '^#|none' /etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | sed 's/_enable//'` fi N=0 for I in ${FIND}; do 
@@ -525,7 +525,7 @@ LogText "Result: systemctl binary found, trying that to discover information" # Running services LogText "Searching for running services (systemctl services only)" - FIND=`${SYSTEMCTLBINARY} --full --type=service | awk '{ if ($4=="running") { print $1 } }' | awk -F. '{ print $1 }'` + FIND=`${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'` N=0 Report "running_service_tool=systemctl" for I in ${FIND}; do @@ -540,7 +540,7 @@ # Services at boot LogText "Searching for enabled services (systemctl services only)" - FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | awk '{ if ($2=="enabled") { print $1 } }' | awk -F. '{ print $1 }'` + FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }'` N=0 Report "boot_service_tool=systemctl" for I in ${FIND}; do @@ -558,7 +558,7 @@ if [ ! "${CHKCONFIGBINARY}" = "" ]; then LogText "Result: chkconfig binary found, trying that to discover information" LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)" - FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'` + FIND=`${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }'` N=0 Report "boot_service_tool=chkconfig" for I in ${FIND}; do @@ -585,7 +585,7 @@ Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then # Runlevel check - sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '` + sRUNLEVEL=`${RUNLEVELBINARY} | ${GREPBINARY} "N [0-9]" | ${AWKBINARY} '{ print $2} '` LogText "Result: found runlevel ${sRUNLEVEL}" if [ "${sRUNLEVEL}" = "2" ]; then LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found" 
@@ -713,7 +713,7 @@ DragonFly|FreeBSD|MacOS) if [ ! "${SYSCTLBINARY}" = "" ]; then - FIND=`${SYSCTLBINARY} kern.boottime | awk '{ print $5 }' | sed -e 's/,//' | grep "[0-9]"` + FIND=`${SYSCTLBINARY} kern.boottime | ${AWKBINARY} '{ print $5 }' | sed -e 's/,//' | ${GREPBINARY} "[0-9]"` else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" @@ -739,7 +739,7 @@ Solaris) if [ ! "${KSTATBINARY}" = "" ]; then - FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1` + FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | ${GREPBINARY} "^unix" | ${AWKBINARY} '{print $2}' | cut -d "." -f1` else Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)" @@ -776,7 +776,7 @@ if [ -f /usr/lib/systemd/system/rescue.service ]; then LogText "Result: file /usr/lib/systemd/system/rescue.service" LogText "Test: checking presence sulogin for single user mode" - FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service` + FIND=`${EGREPBINARY} "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service` if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" diff --git a/include/tests_containers b/include/tests_containers index 11764afe..1c6db59f 100644 --- a/include/tests_containers +++ b/include/tests_containers 
@@ -37,7 +37,7 @@ Register --test-no CONT-8004 --os Solaris --weight L --network NO --category security --description "Query running Solaris zones" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: query zoneadm to list all running zones" - FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'` + FIND=`/usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }'` if [ ! "${FIND}" = "" ]; then N=0 for I in ${FIND}; do @@ -63,7 +63,7 @@ #Register --test-no CONT-1906 --weight L --network NO --category security --description "Query Xen guests" #if [ ${SKIPTEST} -eq 0 ]; then # Show Xen guests - #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'` + #FIND=`xm list | ${AWKBINARY} '$1 != "Name|Domain-0" {print $1","$2}'` #for I in ${FIND}; do #XENGUESTNAME=`echo ${I} | cut -d ':' -f1` #XENGUESTID=`echo ${I} | cut -d ':' -f2` @@ -104,7 +104,7 @@ LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)" RUN_DOCKER_TESTS=0 fi - FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'` + FIND=`${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'` if [ ! "${FIND}" = "" ]; then LogText "Result: found warning(s) in output" for I in ${FIND}; do 
@@ -134,12 +134,12 @@ # Check total of containers LogText "Test: checking total amount of Docker containers" - DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'` + DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} "^Containers: " | ${AWKBINARY} '{ print $2 }'` if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then DOCKER_CONTAINERS_TOTAL=0 fi LogText "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers" - DOCKER_CONTAINERS_TOTAL2=$(${DOCKERBINARY} ps -a 2> /dev/null | grep -c -v "CONTAINER") + DOCKER_CONTAINERS_TOTAL2=$(${DOCKERBINARY} ps -a 2> /dev/null | ${GREPBINARY} -c -v "CONTAINER") LogText "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers" if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then LogText "Result: difference detected, which is unexpected" @@ -150,7 +150,7 @@ fi # Check running instances - DOCKER_CONTAINERS_RUNNING=$(${DOCKERBINARY} ps 2> /dev/null | grep -c -v "CONTAINER") + DOCKER_CONTAINERS_RUNNING=$(${DOCKERBINARY} ps 2> /dev/null | ${GREPBINARY} -c -v "CONTAINER") if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then Display --indent 10 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN LogText "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active" diff --git a/include/tests_crypto b/include/tests_crypto index 8e22049f..0fb1d35e 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -33,7 +33,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUNDPROBLEM=0 sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | sed 's/:/ /g') - sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | sort | uniq | tr "\n" " "` + sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | ${SORTBINARY} | uniq | tr "\n" " "` LogText "Result after sorting: ${sSSL_PATHS}" for I in ${sSSL_PATHS}; do diff --git a/include/tests_databases b/include/tests_databases index 8c27cefd..11ac7d7d 100644 
--- a/include/tests_databases +++ b/include/tests_databases @@ -37,7 +37,7 @@ # Description : Check if MySQL is being used Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"` + FIND=`${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep"` if [ "${FIND}" = "" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: MySQL process not active" @@ -122,7 +122,7 @@ # reco: recovery (optional) Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"` + FIND=`${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep"` if [ "${FIND}" = "" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: Oracle process(es) not active" @@ -142,7 +142,7 @@ #Register --test-no DBS-1842 --weight L --network NO --category security --description "Checking Oracle home paths" #if [ ${SKIPTEST} -eq 0 ]; then # if [ -f /etc/oratab ]; then - # FIND=`grep -v "#" /etc/oratab | awk -F: "{ print $2 }"` + # FIND=`${GREPBINARY} -v "#" /etc/oratab | ${AWKBINARY} -F: "{ print $2 }"` # fi #fi # 
@@ -199,12 +199,12 @@ if FileIsReadable ${CONFFILE}; then LogText "Action: checking if ${CONFFILE} is a Sentinel configuration file" # Exclude Sentinel configuration file - FIND=$(grep "^sentinel " ${CONFFILE}) + FIND=$(${GREPBINARY} "^sentinel " ${CONFFILE}) if [ ! -z "${FIND}" ]; then LogText "Result: file is a Sentinel configuration file, skipping it" else LogText "Result: file is NOT a Sentinel configuration file. Now scanning if it is a Redis configuration file" - FIND=$(grep "Redis" ${CONFFILE}) + FIND=$(${GREPBINARY} "Redis" ${CONFFILE}) if [ ! -z "${FIND}" ]; then REDIS_CONFIGURATION_FILES="${REDIS_CONFIGURATION_FILES} ${CONFFILE}" REDIS_CONFIGURATION_FOUND=1 @@ -222,7 +222,7 @@ fi done # Sort the list of discovered configuration files so we can make them unique - REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | sed 's/^ //' | tr ' ' '\n' | sort | uniq | tr '\n' ' ') + REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | sed 's/^ //' | tr ' ' '\n' | ${SORTBINARY} | uniq | tr '\n' ' ') for FILE in ${REDIS_CONFIGURATION_FILES}; do if IsWorldReadable ${FILE}; then LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!" diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 0cb65bc5..b1cdf316 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -219,7 +219,7 @@ Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status" if [ ${SKIPTEST} -eq 0 ]; then # LFD configuration parameters - ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` + ENABLED=`${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` if [ ! "${ENABLED}" = "" ]; then LogText "Result: lfd service is configured to run" Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN 
@@ -227,7 +227,7 @@ LogText "Result: lfd service is configured NOT to run" Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW fi - ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` + ENABLED=`${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | sed 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN @@ -235,7 +235,7 @@ LogText "Result: lfd directory watching is disabled" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW fi - ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` + ENABLED=`${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | sed 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN else diff --git a/include/tests_file_permissions b/include/tests_file_permissions index 829dd378..8a3134c5 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -34,7 +34,7 @@ LogText "Test: Checking file permissions" for PROFILE in ${PROFILES}; do LogText "Using profile ${PROFILE} for baseline." - FIND=`egrep '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2` + FIND=`${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2` for I in ${FIND}; do LogText "Checking ${I}" CheckFilePermissions ${I} diff --git a/include/tests_filesystems b/include/tests_filesystems index 9dab3624..21986d2a 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -48,7 +48,7 @@ Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE elif [ -d ${I} ]; then LogText "Result: directory ${I} exists" - FIND=`mount | grep "${I}"` + FIND=`mount | ${GREPBINARY} "${I}"` if [ ! "${FIND}" = "" ]; then LogText "Result: found ${I} as a separated mount point" Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN @@ -79,7 +79,7 @@ FIND=`${LSVGBINARY} -o` ;; Linux) - FIND=`${VGDISPLAYBINARY} 2> /dev/null | grep -v "No volume groups found" | grep "VG Name" | awk '{ print $3 }' | sort` + FIND=`${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | sort` ;; *) ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found" @@ -110,10 +110,10 @@ case ${OS} in AIX) ACTIVE_VG_LIST=`${LSVGBINARY} -o` - FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | awk 'NR>2 { print $1 }'; done` + FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done` ;; Linux) - FIND=`${LVDISPLAYBINARY} | grep -v "No volume groups found" | grep "LV Name" | awk '{ print $3 }' | sort` + FIND=`${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | sort` ;; *) ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data" @@ -147,7 +147,7 @@ Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for Linux EXT file systems" - FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'` + FIND=`mount -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }'` if [ ! "${FIND}" = "" ]; then LogText "Result: found one or more EXT file systems" for I in ${FIND}; do 
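Review bot: The Linux branch of the volume-group query still ends in a bare `| sort`, although this commit switches to `${SORTBINARY}` in tests_crypto, tests_databases and tests_homedirs. For consistency the stage should read `| ${SORTBINARY}`. The same leftover is in the logical-volume query in the next hunk and in the `lsmod` and `modinfo` pipelines of tests_kernel (KRNL-5726, KRNL-5770). Other stages such as `sed`, `cut`, `tr`, `head` and `wc` also stay PATH-resolved throughout; a short comment saying whether that is intentional would help the next reader.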
@@ -170,7 +170,7 @@ Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Query /etc/fstab for available FFS/UFS mount points" - FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab` + FIND=`${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab` if [ "${FIND}" = "" ]; then if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi LogText "Result: unable to find any single mount point (FFS/UFS)" @@ -191,7 +191,7 @@ Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Query /etc/fstab for available ZFS mount points" - FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'` + FIND=`mount -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE LogText "Result: unable to find any single mount point (ZFS)" @@ -215,7 +215,7 @@ FOUND=0 LogText "Test: query swap partitions from /etc/fstab file" # Check if third field contains 'swap' - FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"` + FIND=`${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#"` for I in ${FIND}; do FOUND=1 REAL="" 
@@ -226,12 +226,12 @@ # Can be ^/dev/partition # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/) - HAS_UUID=`echo ${I} | grep "^UUID="` + HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="` if [ ! "${HAS_UUID}" = "" ]; then - UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'` + UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'` LogText "Result: Using ${UUID} as UUID" if [ ! "${BLKIDBINARY}" = "" ]; then - FIND2=$(${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//') + FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//') if [ ! "${FIND2}" = "" ]; then REAL="${FIND2}" fi @@ -275,8 +275,8 @@ if [ ${SKIPTEST} -eq 0 ]; then # Swap partitions should be mounted with 'sw' or 'swap' LogText "Test: check swap partitions with incorrect mount options" - #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` - FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab` + #FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` + FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN LogText "Result: all swap partitions have correct options (sw or swap)" 
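Review bot: The `FIND2` line can never match, because `${UUID}` sits inside the single-quoted awk program and the shell does not expand it, so awk compares `$2` with the literal text `UUID="${UUID}"`. As a result `REAL` is never filled in from blkid output. Passing the value in explicitly fixes it: `FIND2=$(${BLKIDBINARY} | ${AWKBINARY} -v uuid="${UUID}" '{ if ($2=="UUID=\"" uuid "\"") print $1 }' | sed 's/:$//')`. The surrounding loop starts in the previous hunk and continues past this one.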
@@ -296,8 +296,8 @@ # Examples : proc /proc proc defaults,hidepid=2 0 0 # Goal : Users should not be able to see processes of other users if [ "${OS}" = "Linux" -a -f /proc/version ]; then - LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | awk -F. '{print $1}') - LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | awk -F. '{print $2}') + LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}') + LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}') if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi else @@ -392,7 +392,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 LogText "Test: Checking acl option on ext[2-4] root file system" - FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | grep acl` + FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl` if [ ! "${FIND}" = "" ]; then LogText "Result: found ACL option" FOUND=1 @@ -405,14 +405,14 @@ FIND1="/dev/root" else # Only determine device if it is EXT2/3/4 - #FIND1=`mount | grep "on / " | awk '{ if ($5~/ext[2-4]/) { print $1 }}'` - FIND1=`mount -t ext2,ext3,ext4 | grep "on / " | awk '{ print $1 }'` + #FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'` + FIND1=`mount -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }'` fi # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems if [ ! "${FIND1}" = "" ]; then LogText "Result: found ${FIND1}" LogText "Test: Checking default options on ${FIND1}" - FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | grep "^Default mount options" | grep "acl"` + FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl"` if [ ! "${FIND2}" = "" ]; then LogText "Result: found ACL option in default mount options" FOUND=1 
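Review bot: The prerequisite check `[ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]` requires both numbers to be at least 3, so kernels such as 4.0 to 4.2 or 5.1 get `PREQS_MET="NO"` and the hidepid test is skipped on them. Comparing the major number first avoids that: `if [ ${LINUX_KERNEL_MAJOR} -gt 3 ] || [ ${LINUX_KERNEL_MAJOR} -eq 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then`. `$OS_KERNELVERSION` in the two `echo` calls should also be quoted.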
@@ -425,7 +425,7 @@ fi LogText "Test: Checking acl option on xfs root file system" - FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | egrep 'no_acl|no_user_xattr'` + FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr'` if [ "${FIND}" = "" ]; then FOUND=1 # some other tests to do ? @@ -452,10 +452,10 @@ Register --test-no FILE-6372 --os Linux --weight L --network NO --category security --description "Checking / mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then - FIND=$(awk '{ if ($2=="/") { print $4 } }' /etc/fstab | grep -v "^#") - NODEV=$(echo ${FIND} | awk '{ if ($1 ~ "nodev") { print "YES" } else { print "NO" } }') - NOEXEC=$(echo ${FIND} | awk '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }') - NOSUID=$(echo ${FIND} | awk '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }') + FIND=$(${AWKBINARY} '{ if ($2=="/") { print $4 } }' /etc/fstab | ${GREPBINARY} -v "^#") + NODEV=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nodev") { print "YES" } else { print "NO" } }') + NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }') + NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }') if [ ! "${FIND}" = "" ]; then LogText "Result: mount system / is configured with options: ${FIND}" 
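Review bot: In FILE-6372 the `${GREPBINARY} -v "^#"` stage filters the wrong thing, because it runs on the options field that awk already printed rather than on the fstab line. A commented-out entry such as `#/dev/sda1 / ext4 defaults 0 1` still has `$2=="/"` and its options are reported as the root mount options. Filtering inside awk is safer: `FIND=$(${AWKBINARY} '$1 !~ /^#/ && $2=="/" { print $4 }' /etc/fstab)`. The awk calls on `$2==fs` and `$2=="/var/tmp"` in the tests that follow have no comment filter at all and would benefit from the same condition.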
@@ -499,16 +499,16 @@ for I in ${FILESYSTEMS_TO_CHECK}; do FILESYSTEM=$(echo ${I} | cut -d: -f1) EXPECTED_FLAGS=$(echo ${I} | cut -d: -f2 | sed 's/,/ /g') - IN_FSTAB=$(awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }' /etc/fstab) + IN_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }' /etc/fstab) if [ ! "${IN_FSTAB}" = "" ]; then - FOUND_FLAGS=$(awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | sed 's/,/ /g' | tr '\n' ' ') + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | sed 's/,/ /g' | tr '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" PARTIALLY_HARDENED=0 FULLY_HARDENED=1 for FLAG in ${EXPECTED_FLAGS}; do - FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}` + FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}` if [ "${FLAG_AVAILABLE}" = "" ]; then LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" FULLY_HARDENED=0 @@ -550,8 +550,8 @@ Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then - FIND=$(awk '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab) - BIND=$(echo ${FIND} | awk '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }') + FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab) + BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }') if [ ! "${FIND}" = "" ]; then LogText "Result: mount system /var/tmp is configured with options: ${FIND}" if [ "${BIND}" = "YES" ]; then diff --git a/include/tests_firewalls b/include/tests_firewalls index a7420852..50f9431d 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -40,7 +40,7 @@ # Description : Check iptables kernel module Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^ip*_tables"` + FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables"` if [ ! "${FIND}" = "" ]; then FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="iptables" @@ -69,7 +69,7 @@ if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})" - FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1` + FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1` if [ ! "${FIND}" = "" ]; then HAVEMOD=`echo ${FIND} | cut -d '=' -f2` # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the @@ -106,13 +106,13 @@ TABLES="filter" for TABLE in ${TABLES}; do LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | egrep -z -o -w '[A-Z]+' | awk -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'` + FIND="$FIND""\n"`${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1'` done echo "${FIND}" | while read line; do - table=`echo ${line} | awk '{ print $1 }'` - chainname=`echo ${line} | awk '{ print $2 }'` - policy=`echo ${line} | awk '{ print $3 }'` + table=`echo ${line} | ${AWKBINARY} '{ print $1 }'` + chainname=`echo ${line} | ${AWKBINARY} '{ print $2 }'` + policy=`echo ${line} | ${AWKBINARY} '{ print $3 }'` LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}." LogText "Result: ${policy}" 
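Review bot: The pattern `"^ip*_tables"` in FIRE-4502 is written like a glob but is evaluated as a regular expression, where `p*` means zero or more `p`. It matches `ip_tables` but not `ip6_tables`, which is presumably what the `*` was meant to cover. If both modules are intended, `${EGREPBINARY} "^ip6?_tables"` says so explicitly. FIRE-4536 uses the same form as `"^nf*_tables"`, where `"^nf_tables"` would be the exact match. Both test bodies continue outside their hunks.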
@@ -148,7 +148,7 @@ if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '` + FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | tr -d ' '` if [ ! "${FIND}" = "" ]; then FIREWALL_ACTIVE=1 if [ ${FIND} -le 10 ]; then @@ -171,7 +171,7 @@ if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs` + FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | xargs` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN LogText "Result: There are no unused rules present" @@ -199,7 +199,7 @@ # Check status with pfctl LogText "Test: checking pf status via pfctl" if [ ! "${PFCTLBINARY}" = "" ]; then - FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'` + FIND=`${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | head -1 | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "Enabled" ]; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN LogText "Result: pf is enabled" 
@@ -222,7 +222,7 @@ # Check for pf kernel module (FreeBSD and similar) LogText "Test: searching for pf kernel module" if [ ! "${KLDSTATBINARY}" = "" ]; then - FIND=`${KLDSTATBINARY} | grep 'pf.ko'` + FIND=`${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko'` if [ "${FIND}" = "" ]; then LogText "Result: Can not find pf KLD" else @@ -265,7 +265,7 @@ if [ -f /etc/pf.conf ]; then LogText "Result: /etc/pf.conf exists" # Check results from pfctl - PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'` + PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning'` if [ "${PFWARNINGS}" = "" ]; then Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN LogText "Result: no pf filter warnings found" @@ -311,7 +311,7 @@ if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'` + FIND=`${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "yes" ]; then Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: ipf is enabled and running" 
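Review bot: The pf consistency check still calls a bare `pfctl`, while the status check a few hunks earlier uses `${PFCTLBINARY}` and this commit moves grep and awk to their discovered paths. Using `${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1` keeps an audit that normally runs with elevated privileges from depending on whatever `pfctl` is first in PATH. Whether this block is already guarded by a non-empty `${PFCTLBINARY}` is not visible in the hunk and should be confirmed. The KRNL-5745 hunk in tests_kernel has the same pattern: it tests for `/sbin/kldstat` and then runs a bare `kldstat`, although `${KLDSTATBINARY}` exists.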
@@ -332,14 +332,14 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${SYSCTLBINARY}" = "" ]; then # For now, only check for IPv4. - FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` + FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "1" ]; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: IPFW is running for IPv4" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipfw" Report "firewall_software[]=ipfw" - IPFW_ENABLED=`service -e | grep -o ipfw` + IPFW_ENABLED=`service -e | ${GREPBINARY} -o ipfw` if [ "${IPFW_ENABLED}" = "ipfw" ]; then Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN LogText "Result: IPFW is enabled at start-up for IPv4" @@ -364,7 +364,7 @@ if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"` + FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled"` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 
@@ -385,7 +385,7 @@ if [ ! "${NFTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4536 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nftables status" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${LSMODBINARY} | awk '{ print $1 }' | grep "^nf*_tables"` + FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^nf*_tables"` if [ ! "${FIND}" = "" ]; then FIREWALL_SOFTWARE="nftables" NFTABLES_ACTIVE=1 diff --git a/include/tests_hardening b/include/tests_hardening index ab4c61f0..91838818 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -36,7 +36,7 @@ Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 3 3 else - LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'" + LogText "Result: found installed compiler. See top of logfile which compilers have been found or use ${GREPBINARY} to filter on 'compiler'" Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED AddHP 1 3 fi diff --git a/include/tests_homedirs b/include/tests_homedirs index c33d8366..5d9dc927 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -38,7 +38,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Read sixth field of /etc/passwd LogText "Test: query /etc/passwd to obtain home directories" - FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort -u` + FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u` for I in ${FIND}; do if [ -d ${I} ]; then LogText "Result: found home directory: ${I} (directory exists)" 
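Review bot: The search-and-replace also rewrote human-readable text in the tests_hardening hunk: the log message now says `use ${GREPBINARY} to filter on 'compiler'`, which prints a resolved path instead of the tool name. The same happened in tests_kernel, where the exception text became `"No valid ${GREPBINARY} tool found to search kernel settings"` in a branch that is only reached when `${GREPTOOL}` is empty, and where a comment now reads `numeric ${SORTBINARY} later on`. These three strings should keep the plain words, for example `ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings"`.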
@@ -96,7 +96,7 @@ if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories" if [ ${SKIPTEST} -eq 0 ]; then - IGNORE_HOME_DIRS=`grep "^config:ignore_home_dir:" ${PROFILE} | awk -F: '{ print $3 }'` + IGNORE_HOME_DIRS=`${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }'` if [ "${IGNORE_HOME_DIRS}" = "" ]; then LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded" else diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 5812cfae..a506825e 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -75,7 +75,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002) LogText "Test: check if all services are disabled if inetd is disabled" - FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"` + FIND=`${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$"` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN else @@ -92,7 +92,7 @@ Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via inetd" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking telnet presence in inetd configuration" - FIND=`grep "^telnet" ${INETD_CONFIG_FILE}` + FIND=`${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE}` if [ "${FIND}" = "" ]; then LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}" Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN diff --git a/include/tests_kernel b/include/tests_kernel index a1ab1d42..269c6cd1 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -48,7 +48,7 @@ LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" ReportException "${TEST_NO}:01" else - FIND2=`echo ${FIND} | egrep "runlevel5|graphical"` + FIND2=`echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical"` if [ ! "${FIND2}" = "" ]; then LogText "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN @@ -69,7 +69,7 @@ if [ -f /etc/inittab ]; then LogText "Result: file /etc/inittab found" LogText "Test: Checking default Linux run level" - FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` + FIND=`${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: Can't determine default run level from /etc/inittab" @@ -82,7 +82,7 @@ LogText "Result: file /etc/inittab not found" if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then LogText "Test: Checking run level with who -r, for Debian based systems" - FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'` + FIND=`who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }'` if [ ! "${FIND}" = "" ]; then LogText "Result: Found default run level '${FIND}'" Report "linux_default_runlevel=${FIND}" @@ -109,9 +109,9 @@ if [ -f /proc/cpuinfo ]; then LogText "Result: found /proc/cpuinfo" LogText "Test: Checking CPU options (XD/NX/PAE)" - FIND_PAE_NX=`grep " pae " /proc/cpuinfo | grep " nx "` - FIND_PAE=`grep " pae " /proc/cpuinfo` - FIND_NX=`grep " nx " /proc/cpuinfo` + FIND_PAE_NX=`${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx "` + FIND_PAE=`${GREPBINARY} " pae " /proc/cpuinfo` + FIND_NX=`${GREPBINARY} " nx " /proc/cpuinfo` FOUND=0 if [ ! "${FIND_PAE_NX}" = "" ]; then LogText "PAE: Yes" 
@@ -184,7 +184,7 @@ if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then LogText "Test: checking if kernel is monolithic or modular" # Checking if any modules are loaded - FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '` + FIND=`${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | tr -s ' ' | tr -d ' '` Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN if [ "${FIND}" = "0" ]; then LogText "Result: Found monolithic kernel" @@ -207,7 +207,7 @@ Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then - FIND=`${LSMODBINARY} | awk '{ if ($1!="Module") print $1 }' | sort` + FIND=`${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort` Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN if [ ! "${FIND}" = "" ]; then LogText "Loaded modules according lsmod:" @@ -267,7 +267,7 @@ if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ! "${GREPTOOL}" = "" ]; then LogText "Test: Checking the default I/O kernel scheduler" - LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g` + LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | sed s/\"//g` if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN 
@@ -277,7 +277,7 @@ Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE fi else - ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings" + ReportException "${TEST_NO}" "No valid ${GREPBINARY} tool found to search kernel settings" fi fi # @@ -292,7 +292,7 @@ LogText "Description: View all active kernel modules (including kernel)" LogText "Test: Checking modules" if [ -f /sbin/kldstat ]; then - FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6` + FIND=`kldstat | ${GREPBINARY} -v 'Name' | tr -s ' ' | cut -d ' ' -f6` if [ $? -eq 0 ]; then LogText "Loaded modules according kldstat:" N=0 @@ -319,7 +319,7 @@ Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching loaded kernel modules" - FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort` + FIND=`modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Found module: ${I}" @@ -347,7 +347,7 @@ FINDKERNFILE=`readlink -f /vmlinuz` LogText "Output: readlink reported file ${FINDKERNFILE}" LogText "Test: checking package from dpkg -S" - FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'` + FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}'` LogText "Output: dpkg -S reported package ${FINDKERNEL}" elif [ -e /dev/grsec ]; then FINDKERNEL=linux-image-`uname -r` 
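Review bot: In the kldstat hunk, `if [ $? -eq 0 ]` does not test whether `kldstat` succeeded, because `$?` after a pipeline is the status of its last stage, here `cut`. The branch is therefore taken even when `kldstat` fails or prints nothing. Testing the captured output is more reliable: `if [ ! "${FIND}" = "" ]; then`. The loop that consumes `FIND` continues outside the hunk.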
@@ -358,8 +358,8 @@ ReportSuggestion ${TEST_NO} "Discover why /vmlinuz is missing. Consider manually re-linking." fi LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '` - FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '` + FINDINST=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | cut -d ':' -f2 | tr -d ' '` + FINDCAND=`apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | cut -d ':' -f2 | tr -d ' '` LogText "Kernel installed: ${FINDINST}" LogText "Kernel candidate: ${FINDCAND}" if [ "${FINDINST}" = "" ]; then @@ -399,8 +399,8 @@ if [ -f /etc/security/limits.conf ]; then LogText "Result: file /etc/security/limits.conf exists" LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf" - FIND1=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` - FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` + FIND1=`${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` + FIND2=`${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then LogText "Result: core dumps (soft or hard) are enabled" Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW 
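Review bot: The awk filters for `FIND1` and `FIND2` report core dumps as enabled only when the fourth field is exactly `1`, so a line such as `* hard core unlimited` or any other non-zero size is not flagged by this check. In limits.conf the core item is a size limit and `0` is the value that disables dumps, so comparing against zero would be closer to the intent: `$4!="0"` in place of `$4=="1"` in both awk programs. The code that acts on the two variables continues outside the hunk, so confirm no later branch already covers those values.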
@@ -415,7 +415,7 @@ # Sysctl option LogText "Test: Checking sysctl value of fs.suid_dumpable" - FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'` + FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }'` if [ "${FIND}" = "" ]; then LogText "Result: sysctl key fs.suid_dumpable not found" else @@ -504,7 +504,7 @@ elif [ -f /boot/vmlinuz-linux ]; then LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" LogText "Test: checking kernel version on disk" - VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | awk '{ if ($1=="Linux" && $7=="version") { print $8 }}'` + VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}'` if [ ! "${VERSION_ON_DISK}" = "" ]; then LogText "Result: found version ${VERSION_ON_DISK}" ACTIVE_KERNEL=`uname -r` @@ -526,7 +526,7 @@ else LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*" fi - # Extra current kernel version and replace dashes to allow numeric sort later on + # Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on MYKERNEL=`uname -r | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's/-/./g'` LogText "Result: using ${MYKERNEL} as my kernel version (stripped)" FIND=$(ls /boot/vmlinuz* 2> /dev/null) 
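Review bot: The comment in the `-526` hunk was caught by the search-and-replace and now reads "numeric ${SORTBINARY} later on", although it is prose and not a command. It should stay `# Extra current kernel version and replace dashes to allow numeric sort later on`. The same happened to the two "extract version numbers and sort them numeric per column" comments in the following `-534` hunk and to the `# To Do : grep ^DOMAINNAME ...` comment in the NAME-4028 hunk of include/tests_nameservices.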
@@ -534,18 +534,18 @@ for ITEM in ${FIND}; do LogText "Result: found ${ITEM}" done - # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) + # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Ignore rescue images. Remove generic. and huge. for Slackware machines LogText "Action: checking relevant kernels" - KERNELS=`ls /boot/vmlinuz* | grep -v rescue | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + KERNELS=`ls /boot/vmlinuz* | ${GREPBINARY} -v rescue | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` KERNELS_ONE_LINE=$(echo ${KERNELS} | tr '\n' ' ') LogText "Output: ${KERNELS_ONE_LINE}" elif [ ! "$(ls /boot/kernel* 2> /dev/null)" = "" ]; then LogText "Output: Found a kernel file in /boot" - # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) + # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Examples: # /boot/kernel-genkernel-x86_64-3.14.14-gentoo - KERNELS=`ls /boot/kernel* | awk -F- '{ if ($2=="genkernel") { print $4 }}' | grep "^[0-9]" | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + KERNELS=`ls /boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` LogText "Output: ${KERNELS}" else ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected" diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index dde871d2..47163628 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening 
@@ -39,18 +39,18 @@ # First scan optional profiles only (ignore default and custom) for PROFILE in ${PROFILES}; do - FILE=$(echo ${PROFILE} | awk -F/ '{print $NF}') + FILE=$(echo ${PROFILE} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILE}" = "default.prf" -a ! "${FILE}" = "custom.prf" ]; then - FIND=$(grep "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g') + FIND=$(${GREPBINARY} "^config-data=sysctl;" ${PROFILE} | sed 's/ /-space-/g') DATA_TO_SCAN="${DATA_TO_SCAN} ${FIND}" fi done # Scan custom profile if [ ! -z "${CUSTOM_PROFILE}" ]; then - FIND=$(grep "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g') + FIND=$(${GREPBINARY} "^config-data=sysctl;" ${CUSTOM_PROFILE} | sed 's/ /-space-/g') for LINE in ${FIND}; do - SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }') + SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi done @@ -58,9 +58,9 @@ # Last, use data from default profile if [ ! -z "${DEFAULT_PROFILE}" ]; then - FIND=$(grep "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g') + FIND=$(${GREPBINARY} "^config-data=sysctl;" ${DEFAULT_PROFILE} | sed 's/ /-space-/g') for LINE in ${FIND}; do - SYSCTLKEY=$(echo ${LINE} | awk -F\; '{ print $2 }') + SYSCTLKEY=$(echo ${LINE} | ${AWKBINARY} -F\; '{ print $2 }') HAS_KEY=$(echo ${DATA_TO_SCAN} | ${GREPBINARY} ";${SYSCTLKEY};") if [ $? -gt 0 ]; then DATA_TO_SCAN="${DATA_TO_SCAN} ${LINE}"; fi done 
@@ -70,10 +70,10 @@ DATA_TO_SCAN=$(echo ${DATA_TO_SCAN} | tr ' ' '\n' | sort) for I in ${DATA_TO_SCAN}; do - tFINDkey=$(echo ${I} | awk -F\; '{ print $2 }') - tFINDexpvalue=$(echo ${I} | awk -F\; '{ print $3 }') - tFINDhp=$(echo ${I} | awk -F\; '{ print $4 }' | grep "[0-9]") - tFINDdesc=$(echo ${I} | awk -F\; '{ print $5 }' | sed 's/-space-/ /g') + tFINDkey=$(echo ${I} | ${AWKBINARY} -F\; '{ print $2 }') + tFINDexpvalue=$(echo ${I} | ${AWKBINARY} -F\; '{ print $3 }') + tFINDhp=$(echo ${I} | ${AWKBINARY} -F\; '{ print $4 }' | ${GREPBINARY} "[0-9]") + tFINDdesc=$(echo ${I} | ${AWKBINARY} -F\; '{ print $5 }' | sed 's/-space-/ /g') tFINDcurvalue=$(${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null) if [ ! "${tFINDcurvalue}" = "" ]; then if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then diff --git a/include/tests_logging b/include/tests_logging index be84fb41..3e15cd9c 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -43,7 +43,7 @@ Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for a logging daemon" - FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"` + FIND=`${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep"` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" 
@@ -183,7 +183,7 @@ LogText "Test: Searching kernel logger daemon (klogd)" if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then # Search for klogd, but ignore other lines related to klogd (like dd with input/output file) - #FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"` + #FIND=`${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep"` IsRunning klogd if [ ${RUNNING} -eq 1 ]; then LogText "Result: klogd running" @@ -258,7 +258,7 @@ Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which files are rotated with logrotate and if they exist" - FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'` + FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'` if [ "${FIND}" = "" ]; then LogText "Result: nothing found" else 
@@ -277,7 +277,7 @@ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which directories can be found in logrotate configuration" - FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort -u` + FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | ${SORTBINARY} -u` if [ "${FIND}" = "" ]; then LogText "Result: nothing found" else @@ -302,7 +302,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Try local hosts file LogText "Result: Checking for loghost in /etc/inet/hosts" - FIND=`grep loghost /etc/inet/hosts | grep -v "^#"` + FIND=`${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#"` if [ ! "${FIND}" = "" ]; then SOLARIS_LOGHOST_FOUND=1 LogText "Result: Found loghost entry in /etc/inet/hosts" @@ -311,7 +311,7 @@ # Try name resolving if no entry is present in local host file LogText "Result: Checking for loghost via name resolving" - FIND=`getent hosts loghost | grep loghost` + FIND=`getent hosts loghost | ${GREPBINARY} loghost` if [ ! "${FIND}" = "" ]; then SOLARIS_LOGHOST_FOUND=1 LogText "Result: name resolving was succesful" 
@@ -347,15 +347,15 @@ fi if [ -f ${SYSLOGD_CONF} ]; then LogText "Test: check if logs are also logged to a remote logging host" - FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"` + FIND=`${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@"` if [ ! "${FIND}" = "" ]; then LogText "Result: remote logging enabled" REMOTE_LOGGING_ENABLED=1 else # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination - DESTINATIONS=`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'` + DESTINATIONS=`${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}'` for DESTINATION in ${DESTINATIONS}; do - FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"` + FIND2=`${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)"` if [ ! "${FIND2}" = "" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 @@ -397,7 +397,7 @@ Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: parsing directories from /etc/newsyslog.conf file" - FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u` + FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u` for I in ${FIND}; do if [ -d ${I} ]; then LogText "Result: Directory ${I} found and exists" 
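Review bot: The first grep of the `FIND2` pipeline has no file argument, so it reads standard input instead of the syslog configuration and the destination match never comes from `${SYSLOGD_CONF}`. Presumably the file was meant to be searched, which makes the first stage `${GREPBINARY} "log" ${SYSLOGD_CONF}`. As written, the remote-logging check can report no remote destination for a configuration that has one, and the command may wait on the terminal when the scan runs interactively.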
@@ -417,7 +417,7 @@ Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: parsing files from /etc/newsyslog.conf file" - FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sort -u` + FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SORTBINARY} -u` for I in ${FIND}; do if [ -f ${I} ]; then LogText "Result: File ${I} found and exists" @@ -454,7 +454,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking open log files with lsof" if [ ! "${LSOFBINARY}" = "" ]; then - FIND=`${LSOFBINARY} -n 2>&1 | grep "log$" | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $9 } }' | sort -u | grep -v "^$"` + FIND=`${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$"` for I in ${FIND}; do LogText "Found logfile: ${I}" Report "open_logfile[]=${I}" @@ -480,7 +480,7 @@ LSOF_GREP="WARNING|Output information" # MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those - if [ ! -z "${DPKGBINARY}" ]; then EARLY_MYSQL=$(${DPKGBINARY} -l | egrep mysql-server-5.[0-5]); fi + if [ ! -z "${DPKGBINARY}" ]; then EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5]); fi if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi # grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp 
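Review bot: The pattern `mysql-server-5.[0-5]` on the `EARLY_MYSQL` line is unquoted, so the shell may expand it as a glob against the current directory before egrep sees it, and the unescaped dot matches any character. Quoting and escaping keeps the match to what the comment above it describes: `${EGREPBINARY} "mysql-server-5\.[0-5]"`. The surrounding lsof test starts and ends outside the hunk.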
@@ -490,7 +490,7 @@ LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts" fi - FIND=$(${LSOFBINARY} -n +L 1 2>&1 | egrep -vw "${LSOF_GREP}" | awk '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | grep -v "^$" | sort -u) + FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) if [ ! "${FIND}" = "" ]; then LogText "Result: found one or more files which are deleted, but still in use" for I in ${FIND}; do @@ -512,7 +512,7 @@ if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${LSOFBINARY} -n -w | awk '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | sort | uniq) + FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq) if [ ! -z "${FIND}" ]; then for I in ${FIND}; do LogText "Found an opened logfile that is empty: ${I}" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index f955984a..dbe833d9 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
@@ -110,16 +110,16 @@ Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status" if [ ${SKIPTEST} -eq 0 ]; then # Status: Enabled/Disabled - FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'` + FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }'` if [ "${FIND}" = "enabled" ]; then MAC_FRAMEWORK_ACTIVE=1 LogText "Result: SELinux framework is enabled" Report "selinux_status=1" SELINUXFOUND=1 Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN - FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'` + FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }'` Report "selinux_mode=${FIND}" - FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'` + FIND2=`${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }'` LogText "Result: current SELinux mode is ${FIND}" LogText "Result: mode configured in config file is ${FIND2}" if [ "${FIND}" = "${FIND2}" ]; then diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 1363be9c..827c580b 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging 
@@ -62,9 +62,9 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Postfix status" # Some other processes also use master, therefore it should include both master and postfix - FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"` - #FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"` - #FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"` + FIND1=`${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` + #FIND2=`${PSBINARY} ax | ${GREPBINARY} "qmgr" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` + #FIND3=`${PSBINARY} ax | ${GREPBINARY} "pickup" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` if [ ! "${FIND1}" = "" ]; then LogText "Result: found running Postfix process" Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN @@ -84,7 +84,7 @@ Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN - POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'` + POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }'` POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf" LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}" LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}" 
@@ -98,11 +98,11 @@ Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration: banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Postfix banner" - FIND1=$(${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep 'postfix') - FIND2=$(${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep '$mail_name') - FIND3=$(${POSTCONFBINARY} 2> /dev/null | grep '^mail_name' | grep -i 'postfix') + FIND1=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} 'postfix') + FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name') + FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix') #TODO Check if OS name shows up in banner - #FIND4=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}` + #FIND4=`${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${EGREPBINARY} "${OS}|${LINUX_VERSION}` SHOWWARNING=0 if [ ! "${FIND1}" = "" ]; then SHOWWARNING=1 @@ -187,7 +187,7 @@ Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" - FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"` + FIND=`${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep"` if [ ! "${FIND}" = "" ]; then LogText "Result: found running smtpd process" Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN diff --git a/include/tests_malware b/include/tests_malware index 685eca9b..19523931 100644 --- a/include/tests_malware +++ b/include/tests_malware 
@@ -218,7 +218,7 @@ if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav" if [ ${SKIPTEST} -eq 0 ]; then - CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'` + CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan'` if [ ! "${CLAMSCANBINARY}" = "" ]; then LogText "Result: Found ClamXav clamscan installed" Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_memory_processes b/include/tests_memory_processes index b1eaf994..f753a773 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -33,9 +33,9 @@ if [ -f /proc/meminfo ]; then LogText "Result: found /proc/meminfo" Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN - FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo` - MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'` - MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'` + FIND=`${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo` + MEMORY_SIZE=`echo ${FIND} | ${AWKBINARY} '{ print $1 }'` + MEMORY_UNITS=`echo ${FIND} | ${AWKBINARY} '{ print $2 }'` LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" Report "memory_size=${MEMORY_SIZE}" Report "memory_units=${MEMORY_UNITS}" 
@@ -53,8 +53,8 @@ LogText "Test: Searching /usr/sbin/prtconf" if [ -x /usr/sbin/prtconf ]; then Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN - MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3` - MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4` + MEMORY_SIZE=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | cut -d ' ' -f3` + MEMORY_UNITS=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | cut -d ' ' -f4` LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" Report "memory_size=${MEMORY_SIZE}" Report "memory_units=${MEMORY_UNITS}" @@ -73,9 +73,9 @@ Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "AIX" ]; then - FIND=`${PSBINARY} -Ae -o pid,stat,comm | awk '{ if ($2 ~ /Z|X/) print $1 }' | xargs` + FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs` else - FIND=`${PSBINARY} x -o pid,stat,comm | awk '{ if ($2 ~ /Z|X/) print $1 }' | xargs` + FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs` fi if [ "${FIND}" = "" ]; then LogText "Result: no zombie processes found" 
@@ -97,9 +97,9 @@ Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "AIX" ]; then - FIND=`${PSBINARY} -Ae -o pid,stat,comm | awk '{ if ($2=="D") print $1 }' | xargs` + FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs` else - FIND=`${PSBINARY} x -o pid,stat,comm | awk '{ if ($2=="D") print $1 }' | xargs` + FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs` fi if [ "${FIND}" = "" ]; then LogText "Result: No processes were waiting for IO requests to be handled first" diff --git a/include/tests_nameservices b/include/tests_nameservices index edeefc6a..8f8fed96 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -46,7 +46,7 @@ LogText "Test: check /etc/resolv.conf for default domain" if [ -f /etc/resolv.conf ]; then LogText "Result: /etc/resolv.conf found" - FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf` + FIND=`${AWKBINARY} '/^domain/ { print $2 }' /etc/resolv.conf` if [ "${FIND}" = "" ]; then LogText "Result: no default domain found" if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi @@ -71,7 +71,7 @@ LogText "Test: check /etc/resolv.conf for search domains" if [ -f /etc/resolv.conf ]; then LogText "Result: /etc/resolv.conf found" - FIND=`awk '/^search/ { print $2 }' /etc/resolv.conf` + FIND=`${AWKBINARY} '/^search/ { print $2 }' /etc/resolv.conf` if [ "${FIND}" = "" ]; then LogText "Result: no search domains found, default domain is being used" else 
@@ -96,7 +96,7 @@ fi # Check amount of search domains (max 1) - FIND=`grep -c "^search" /etc/resolv.conf` + FIND=`${GREPBINARY} -c "^search" /etc/resolv.conf` if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW @@ -115,7 +115,7 @@ LogText "Test: check /etc/resolv.conf for non default options" if [ -f /etc/resolv.conf ]; then LogText "Result: /etc/resolv.conf found" - FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'` + FIND=`${GREPBINARY} "^options" /etc/resolv.conf | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: no specific other options configured in /etc/resolv.conf" if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi @@ -168,7 +168,7 @@ # # Test : NAME-4028 # Description : Check DNS domain name - # To Do : grep ^DOMAINNAME /etc/conf.d/domainname (remove "'s) + # To Do : ${GREPBINARY} ^DOMAINNAME /etc/conf.d/domainname (remove "'s) Register --test-no NAME-4028 --weight L --network NO --category security --description "Check domain name" if [ ${SKIPTEST} -eq 0 ]; then DOMAINNAME="" @@ -365,7 +365,7 @@ Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to determine version from banner" - FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"` + FIND=`${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*"` if [ "${FIND}" = "" ]; then LogText "Result: no useful information in banner found" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN 
@@ -456,7 +456,7 @@ Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS backends" - FIND=`awk -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}` + FIND=`${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Found backend: ${I}" @@ -476,7 +476,7 @@ Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS master status" - FIND=`grep "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` + FIND=`${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` if [ ! "${FIND}" = "" ]; then LogText "Found master=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritive master: YES" @@ -486,7 +486,7 @@ Display --indent 4 --text "- PowerDNS authoritive master: NO" fi LogText "Test: Checking for PowerDNS slave status" - FIND=`grep "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` + FIND=`${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` if [ ! "${FIND}" = "" ]; then LogText "Found slave=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritive slave: YES" @@ -531,7 +531,7 @@ Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking `domainname` for NIS domain value" - FIND=`${DOMAINNAMEBINARY} | grep -v "(none)"` + FIND=`${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)"` if [ ! "${FIND}" = "" ]; then LogText "Value: ${FIND}" NISDOMAIN="${FIND}" 
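Review bot: The `LogText` line in the NAME-4306 hunk has backticks inside double quotes, so the shell runs `domainname` (resolved through PATH) while building the log message and logs its output rather than the command name. The next line already uses `${DOMAINNAMEBINARY}` for the real lookup. The message should carry the name as plain text, for example `LogText "Test: Checking domainname for NIS domain value"`.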
@@ -555,7 +555,7 @@ if [ -f /etc/sysconfig/network ]; then LogText "Result: file /etc/sysconfig/network exists" LogText "Test: checking NISDOMAIN value in file" - FIND3=`grep "^NISDOMAIN" /etc/sysconfig/network | awk -F= '{ print $2 }' | sed 's/"//g'` + FIND3=`${GREPBINARY} "^NISDOMAIN" /etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | sed 's/"//g'` if [ ! "${FIND3}" = "" ]; then LogText "Found NIS domain: ${FIND3}" NISDOMAIN="${FIND3}" @@ -569,7 +569,7 @@ if [ ! "${SYSCTLBINARY}" = "" ]; then # Check sysctl (e.g. FreeBSD) LogText "Test: checking sysctl for kern.domainname" - FIND=`${SYSCTLBINARY} -a 2>&1 | grep "^kern.domainname" | awk -F: '{ print $2 }' | sed 's/ //g' | grep -v "^$"` + FIND=`${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | sed 's/ //g' | ${GREPBINARY} -v "^$"` if [ ! "${FIND}" = "" ]; then LogText "Result: found NIS domain via sysctl" NISDOMAIN="${FIND}" @@ -598,7 +598,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check duplicate line in /etc/hosts" if [ -f /etc/hosts ]; then - sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d` + sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | uniq -d` if [ "${sFIND}" = "" ]; then LogText "Result: OK, no duplicate lines found" Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN @@ -623,7 +623,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check /etc/hosts contains an entry for this server name" if [ -f /etc/hosts ]; then - sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep -i ${HOSTNAME}` + sFIND=`${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME}` if [ "${sFIND}" != "" ]; then LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts" Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN 
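Review bot: `${HOSTNAME}` is passed to grep unquoted and as a regular expression in the NAME-4404 hunk. An empty value leaves `-i` without a pattern, and the dots of a fully qualified name match any character, so a different host entry can satisfy the check. A quoted fixed-string match avoids both: `${GREPBINARY} -i -F -- "${HOSTNAME}"`. The NAME-4406 hunk has the same form with `-w ${HOSTNAME}`.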
@@ -644,7 +644,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in /etc/hosts" - sFIND=`egrep -v '^(#|$)' /etc/hosts | egrep '^(localhost|::1)\s' | grep -w ${HOSTNAME}` + sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}` if [ ! "${sFIND}" = "" ]; then LogText "Result: Found this server hostname mapped to a local address" LogText "Output: ${sFIND}" diff --git a/include/tests_networking b/include/tests_networking index eddf945a..34a3d842 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -45,12 +45,12 @@ IPV6_ONLY=255 IPV6_MISCONFIGURED=0 IPV6_MISCONFIGURED_MTU=0 - FIND=`sysctl -a 2> /dev/null | grep "^net.ipv6" | sed "s/ = /=/"` + FIND=`sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | sed "s/ = /=/"` if [ ! "${FIND}" = "" ]; then IPV6_CONFIGURED=1 for I in ${FIND}; do - SYSCTL_KEY=`echo ${I} | awk -F= '{ print $1 }'` - SYSCTL_VALUE=`echo ${I} | awk -F= '{ print $2 }'` + SYSCTL_KEY=`echo ${I} | ${AWKBINARY} -F= '{ print $1 }'` + SYSCTL_VALUE=`echo ${I} | ${AWKBINARY} -F= '{ print $2 }'` case ${SYSCTL_KEY} in "net.ipv6.conf.default.accept_ra") if [ "${SYSCTL_VALUE}" = "1" ]; then IPV6_ACCEPT_RA=1; else IPV6_ACCEPT_RA=0; fi @@ -122,7 +122,7 @@ LogText "Test: Checking /etc/resolv.conf file" if [ -f /etc/resolv.conf ]; then LogText "Result: Found /etc/resolv.conf file" - FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq` + FIND=`${GREPBINARY} '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq` if [ ! "${FIND}" = "" ]; then Display --indent 4 --text "- Testing nameservers" LogText "Test: Querying nameservers" 
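Review bot: The IPv6 check in include/tests_networking still starts its pipeline with a bare `sysctl -a`, while other tests touched by this change read sysctl through `${SYSCTLBINARY}`. Provided that variable is set on the platforms that reach this test, the line would be consistent as `${SYSCTLBINARY} -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | sed "s/ = /=/"`. The `case` statement that consumes the keys continues outside the hunk.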
@@ -195,7 +195,7 @@ Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" if [ $SKIPTEST -eq 0 ]; then LogText "Test: Searching default gateway(s)" - FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2` + FIND=`${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Result: Found default gateway ${I}" @@ -259,14 +259,14 @@ FIND="" case ${OS} in AIX) - FIND=`lscfg -vl ent* | fgrep "Network Address" | cut -d"." -f14 | awk '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'` + FIND=`lscfg -vl ent* | f${GREPBINARY} "Network Address" | cut -d"." -f14 | ${AWKBINARY} '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'` ;; DragonFly|FreeBSD) - FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | sort -u` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u` ;; Linux) if [ ! "${IFCONFIGBINARY}" = "" ]; then - FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | awk '{ if ($4=="HWaddr") print $5 }' | sort -u` + FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u` else if [ ! "${IPBINARY}" = "" ]; then LogText "Test: Using ip binary to gather hardware addresses" 
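Review bot: In the AIX branch the replacement turned `fgrep` into `f${GREPBINARY}`, which expands to the letter f followed by the value of `GREPBINARY` (presumably a full path) and is not a runnable command. The pipeline then yields nothing, so `FIND` stays empty and no hardware addresses are collected on AIX. `${GREPBINARY} -F "Network Address"` gives the fixed-string match that `fgrep` provided. The `case` statement continues past the end of this hunk.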
@@ -277,16 +277,16 @@ fi ;; MacOS) - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="lladdr" || $1=="ether") print $2 }' | sort -u` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="lladdr" || $1=="ether") print $2 }' | ${SORTBINARY} -u` ;; NetBSD) - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="address:") print $2 }' | sort -u` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="address:") print $2 }' | ${SORTBINARY} -u` ;; OpenBSD) - FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="lladdr") print $2 }' | sort -u` + FIND=`${IFCONFIGBINARY} -A | ${AWKBINARY} '{ if ($1=="lladdr") print $2 }' | ${SORTBINARY} -u` ;; Solaris) - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="ether") print $2 }' | sort -u` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u` ;; *) # Having a system currently unsupported? Share your details to determine MAC information 
@@ -310,18 +310,18 @@ FIND=""; FIND2="" case ${OS} in AIX) - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` + FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` ;; DragonFly|FreeBSD|NetBSD) - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` + FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` ;; Linux) if [ ! "${IFCONFIGBINARY}" = "" ]; then - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }' | cut -d ':' -f2` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | cut -d ':' -f2` # Version which works for multiple types of ifconfig (e.g. Slackware) - FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'` + FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'` else if [ ! "${IPBINARY}" = "" ]; then LogText "Test: Using ip binary to gather IP addresses" 
@@ -333,16 +333,16 @@ fi ;; MacOS) - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` + FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` ;; OpenBSD) - FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet6") print $2 }'` + FIND=`${IFCONFIGBINARY} -A | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` + FIND2=`${IFCONFIGBINARY} -A | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` ;; Solaris) - FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` - FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'` + FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }'` + FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6") print $2 }'` ;; *) LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details." @@ -376,7 +376,7 @@ case ${OS} in DragonFly|FreeBSD) if [ ! "${SOCKSTATBINARY}" = "" ]; then - FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | sort -u` + FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u` # To strip off IP's: sed 's/|.*:/|/' else FIND="" 
@@ -386,15 +386,15 @@ Linux) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP - FIND=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'` + FIND=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'` # TCP - FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'` + FIND2=`${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'` else if [ ! "${SSBINARY}" = "" ]; then # UDP - FIND=`${SSBINARY} -u -a -n | awk '{ print $4 }' | grep -v Local` + FIND=`${SSBINARY} -u -a -n | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local` # TCP - FIND2=`${SSBINARY} -t -a -n | awk '{ print $4 }' | grep -v Local` + FIND2=`${SSBINARY} -t -a -n | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local` else ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports" fi @@ -404,7 +404,7 @@ MacOS) if [ ! "${LSOFBINARY}" = "" ]; then # UDP and TCP combined - FIND=`${LSOFBINARY} -i -P | awk '{ print $9"|"$8"|"$1"|" }' | sed 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | sed 's/\*/'$IP'/' | sort -u | grep -v "NAME"` + FIND=`${LSOFBINARY} -i -P | ${AWKBINARY} '{ print $9"|"$8"|"$1"|" }' | sed 's/\(.*\)\-\>.*\(\|.*\)/\1\2/' | sed 's/\*/'$IP'/' | ${SORTBINARY} -u | ${GREPBINARY} -v "NAME"` else FIND="" fi @@ -415,7 +415,7 @@ NetBSD) if [ ! "${SOCKSTATBINARY}" = "" ]; then - FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | sort -u` + FIND=`${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u` else FIND="" fi 
@@ -424,9 +424,9 @@ OpenBSD) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP - FIND=`${NETSTATBINARY} -an 2> /dev/null | grep "^udp" | awk '{ print $4"|"$1"||" }'` + FIND=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"||" }'` # TCP - FIND2=`${NETSTATBINARY} -an 2> /dev/null | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"||" }}'` + FIND2=`${NETSTATBINARY} -an 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"||" }}'` else ReportException "${TEST_NO}:3" "netstat missing to gather listening ports" fi @@ -471,14 +471,14 @@ Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (BSD)" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking promiscuous interfaces (FreeBSD)" - FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1` + FIND=`${IFCONFIGBINARY} | ${GREPBINARY} PROMISC | cut -d ':' -f1` if [ ! "${FIND}" = "" ]; then LogText "Result: Promiscuous interfaces: ${FIND}" for I in ${FIND}; do WHITELISTED=0 for PROFILE in ${PROFILES}; do Debug "Checking if interface ${I} is whitelisted in profile ${PROFILE}" - ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}` + ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}` if [ ! "${ISWHITELISTED}" = "" ]; then WHITELISTED=1 LogText "Result: this interface was whitelisted in profile (${PROFILE})" 
@@ -513,13 +513,13 @@ Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking promiscuous interfaces (Linux)" - NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1` + NETWORK=`${IFCONFIGBINARY} | ${GREPBINARY} Link | tr -s ' ' | cut -d ' ' -f1` if [ ! "${NETWORK}" = "" ]; then for I in ${NETWORK}; do - FIND=`${IFCONFIGBINARY} ${I} | grep PROMISC` + FIND=`${IFCONFIGBINARY} ${I} | ${GREPBINARY} PROMISC` if [ ! "${FIND}" = "" ]; then LogText "Result: Promiscuous interface: ${I}" - ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}` + ISWHITELISTED=`${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}` if [ "${ISWHITELISTED}" = "" ]; then FOUNDPROMISC=1 ReportWarning ${TEST_NO} "Found promiscuous interface (${I})" @@ -551,7 +551,7 @@ # Description : Netstat/socktstat compare (FreeBSD) # echo -n " - Comparing output sockstat and netstat" # LogText "Comparing output of sockstat and netstat" - # NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort -u` + # NETSTATOUTPUT=`netstat -an | ${GREPBINARY} -v 'TIME_WAIT' | ${GREPBINARY} -v 'ESTABLISHED' | ${GREPBINARY} -v 'SYN_SENT' | ${GREPBINARY} -v 'CLOSE_WAIT' | ${GREPBINARY} -v 'LAST_ACK' | ${GREPBINARY} -v 'SYN_RECV' | ${GREPBINARY} -v 'CLOSING' | cut -c 1-44 | ${GREPBINARY} '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v '*' | ${SORTBINARY} -u` # # if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then # ShowResult OK 
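Review bot: The whitelist lookup in NETW-3015 reads `${PROFILE}`, but no `for PROFILE in ${PROFILES}` loop is visible around it in this hunk, unlike in the BSD test NETW-3014. If `PROFILE` is empty at this point, `${GREPBINARY} "^if_promisc:${I}:"` has no file operand and reads standard input, and with several profiles only one would be consulted. Wrapping the lookup in the same loop as NETW-3014 would make the promiscuous-interface warning depend on the profiles actually loaded. The test body continues beyond the hunk, so this should be confirmed against the full file.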
@@ -572,7 +572,7 @@ Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Using netstat for check for connections in WAIT state" - FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'` + FIND=`${NETSTATBINARY} -an | ${GREPBINARY} WAIT | wc -l | ${AWKBINARY} '{ print $1 }'` if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then diff --git a/include/tests_php b/include/tests_php index bdba203c..7e6c548b 100644 --- a/include/tests_php +++ b/include/tests_php @@ -99,7 +99,7 @@ FOUND=0 for I in ${PHPINI_ALLFILES}; do LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}" - FIND=`grep "^disable_functions.*=" ${I}` + FIND=`${GREPBINARY} "^disable_functions.*=" ${I}` if [ "${FIND}" = "" ]; then LogText "Result: ${I}: disabled_functions not found" else @@ -107,7 +107,7 @@ FOUND=1 fi - FIND=`grep "^suhosin.executor.func.blacklist=" ${I}` + FIND=`${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I}` if [ "${FIND}" = "" ]; then LogText "Result: ${I}: suhosin.executor.func.blacklist not found" else 
@@ -153,7 +153,7 @@ Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP register_globals option" - FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'` + FIND=`${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` if [ ! "${FIND}" = "" ]; then Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" @@ -177,7 +177,7 @@ Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking expose_php option" - FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` + FIND=`${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." @@ -201,7 +201,7 @@ Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP enable_dl option" - FIND=$(egrep -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;') + FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ ! -z "${FIND}" ]; then Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls" 
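Review bot: The pattern `'register_globals.*(on|yes|1)'` is unanchored, so the value is matched anywhere on the line, and the `${GREPBINARY} -v '^;'` filter only drops comments that start in column one. A trailing comment or an indented `;` line can therefore flip the result. In the "off" style checks (expose_php here, allow_url_fopen and allow_url_include in the following hunks), a constructed line such as `expose_php = On ; not for production` matches `no` and is read as disabled. Anchoring on the assignment, for example `'^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|yes|1)'`, would tighten all five PHP option checks.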
@@ -223,7 +223,7 @@ Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_fopen option" - FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` + FIND=`${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" @@ -246,7 +246,7 @@ Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_include option" - FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` + FIND=`${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" diff --git a/include/tests_ports_packages b/include/tests_ports_packages index fa986c21..4228a45d 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -73,7 +73,7 @@ LogText "Test: Querying pkg_info to get package list" Display --indent 6 --text "- Querying pkg_info for installed packages" LogText "Output:"; LogText "-----" - SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` + SPACKAGES=`/usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` for J in ${SPACKAGES}; do N=$((N + 1)) sPKG_NAME=`echo ${J} | cut -d ',' -f1` 
@@ -176,8 +176,8 @@ else for J in ${SPACKAGES}; do N=$((N + 1)) - PACKAGE_NAME=`echo ${J} | awk -F, '{print $1}'` - PACKAGE_VERSION=`echo ${J} | awk -F, '{print $2}'` + PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{print $1}'` + PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{print $2}'` LogText "Found package: ${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}," done @@ -201,15 +201,15 @@ LogText "Test: Querying 'pacman -Q' to get package list" Display --indent 6 --text "- Querying pacman package manager" LogText "Output:"; LogText "--------" - SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'` + SPACKAGES=`${PACMANBINARY} -Q | ${SORTBINARY} | sed 's/ /,/g'` if [ "${SPACKAGES}" = "" ]; then LogText "Result: pacman binary available, but package list seems to be empty" LogText "Info: looks like the pacman binary is installed, but not used for package installation" else for J in ${SPACKAGES}; do N=$((N + 1)) - PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'` - PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'` + PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{ print $1 }'` + PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{ print $2 }'` LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" done @@ -257,7 +257,7 @@ COUNT=0 # Check configuration options (options start with a capital) LogText "Test: searching configured options in ${PACMANCONF}" - FIND=`grep "^[A-Z]" ${PACMANCONF} | sort -u | sed 's/ /:space:/g'` + FIND=`${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | sed 's/ /:space:/g'` for I in ${FIND}; do PMOPTION=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'` PMVALUE=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'` 
@@ -267,7 +267,7 @@ # Check software repositories LogText "Test: checking available repositories" - FIND=`grep "^\[.*\]$" ${PACMANCONF} | tr -d '[]'` + FIND=`${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | tr -d '[]'` for I in ${FIND}; do COUNT=$((COUNT + 1)) Report "package_repository[]=${I}" @@ -285,7 +285,7 @@ N=0 PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="zypper" - FIND=`${ZYPPERBINARY} -n se -t package -i | awk '{ if ($1=="i") { print $3 } }'` + FIND=`${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }'` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do N=$((N + 1)) @@ -306,7 +306,7 @@ if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${ZYPPERBINARY} -n pchk | grep "(0 security patches)"` + FIND=`${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)"` if [ ! "${FIND}" = "" ]; then LogText "Result: No security updates found with Zypper" Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN @@ -315,7 +315,7 @@ LogText "Result: Zypper found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed" # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line - FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u` + FIND=`${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u` LogText "List of vulnerable packages/version:" for I in ${FIND}; do VULNERABLE_PACKAGES_FOUND=1 
@@ -341,7 +341,7 @@ LogText "Test: Querying dpkg -l to get package list" Display --indent 6 --text "- Querying package manager" LogText "Output:" - SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' ',' | sort` + SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | tr -s ' ' | tr ' ' ',' | sort` for J in ${SPACKAGES}; do N=$((N + 1)) PACKAGE_NAME=`echo ${J} | cut -d ',' -f2` @@ -358,13 +358,13 @@ # # Test : PKGS-7346 # Description : Check packages which are removed, but still own configuration files, cron jobs etc - # Notes : Cleanup: for pkg in `dpkg -l | grep "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done + # Notes : Cleanup: for pkg in `dpkg -l | ${GREPBINARY} "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system" if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: Querying dpkg -l to get unpurged packages" - SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort` + SPACKAGES=`dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | cut -d ' ' -f3 | sort` if [ "${SPACKAGES}" = "" ]; then Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN LogText "Result: no packages found with left overs" @@ -392,7 +392,7 @@ Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles" if [ ${SKIPTEST} -eq 0 ]; then if [ -x /usr/local/sbin/portsclean ]; then - FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '` + FIND=`/usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | tr -d ' '` if [ ${FIND} -eq 0 ]; then Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN LogText "Result: no unused distfiles found" 
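Review bot: The `# Notes : Cleanup:` comment above PKGS-7346 is a command for an administrator to run by hand, and after the replacement it reads `${GREPBINARY} "^rc"`, a variable that is unset in an interactive shell. The comment should keep plain `grep`, as in `dpkg -l | grep "^rc" | cut -d' ' -f3`. The same applies to the HP-UX note `swlist -l fileset (|${GREPBINARY} patch)` in a later hunk of this file.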
@@ -419,7 +419,7 @@ PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="dnf" - SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | awk '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'` + SPACKAGES=`${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'` for J in ${SPACKAGES}; do N=$((N + 1)) PACKAGE_NAME=`echo ${J} | cut -d ',' -f1` @@ -437,7 +437,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check for security updates LogText "Action: checking updateinfo for security updates" - FIND=`${DNFBINARY} -q updateinfo list sec 2> /dev/null | awk '{ if ($2=="security") { print $3 }}'` + FIND=`${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}'` if [ ! "${FIND}" = "" ]; then VULNERABLE_PACKAGES_FOUND=1 LogText "Result: found vulnerable packages, upgrade of system needed." @@ -463,7 +463,7 @@ Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity" if [ ${SKIPTEST} -eq 0 ]; then # Check if repoquery plugin is available - FIND=`${DNFBINARY} 2>&1 | grep "^repoquery"` + FIND=`${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery"` if [ ! "${FIND}" = "" ]; then LogText "Action: checking integrity of package database" FIND=`${DNFBINARY} -q repoquery --duplicated` @@ -553,7 +553,7 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: Querying portmaster for possible port upgrades" - UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'` + UPACKAGES=`/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }'` for J in ${UPACKAGES}; do N=$((N + 1)) LogText "Upgrade available (new version): ${J}" 
@@ -588,7 +588,7 @@ LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "Found one or more vulnerable packages." LogText "List of vulnerable packages/version:" - for I in `/usr/sbin/pkg_admin audit | awk '{ print $2 }' | sort -u`; do + for I in `/usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u`; do VULNERABLE_PACKAGES_FOUND=1 Report "vulnerable_package[]=${I}" LogText "Vulnerable package: ${I}" @@ -615,7 +615,7 @@ Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg" if [ ${SKIPTEST} -eq 0 ]; then if [ -x /usr/sbin/pkg ]; then - FIND=`/usr/sbin/pkg audit 2> /dev/null | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'` + FIND=`/usr/sbin/pkg audit 2> /dev/null | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found'` PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="pkg audit" if [ "${FIND}" = "" ]; then @@ -631,7 +631,7 @@ #ReportWarning ${TEST_NO} "Found one or more vulnerable packages." #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" #LogText "List of vulnerable packages/version:" - #for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do + #for I in `/usr/sbin/pkg audit -F | ${GREPBINARY} "Affected package" | cut -d ' ' -f3 | ${SORTBINARY} -u`; do # Report "vulnerable_package[]=${I}" # LogText "Vulnerable package: ${I}" # # Decrease hardening points for every found vulnerable package 
@@ -653,7 +653,7 @@ Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit" if [ ${SKIPTEST} -eq 0 ]; then PACKAGE_AUDIT_TOOL_FOUND=1 - FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'` + FIND=`/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found'` if [ "${FIND}" = "" ]; then LogText "Result: Portaudit results are clean" Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN @@ -663,7 +663,7 @@ ReportWarning ${TEST_NO} "Found one or more vulnerable packages." ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" LogText "List of vulnerable packages/version:" - for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do + for I in `/usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | cut -d ' ' -f3 | ${SORTBINARY} -u`; do VULNERABLE_PACKAGES_FOUND=1 Report "vulnerable_package[]=${I}" LogText "Vulnerable package: ${I}" 
@@ -682,7 +682,7 @@ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: YUM package update management" - FIND=$(${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}' | egrep "^[0-9]+$") + FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | sed 's/ //g' | sed 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") if [ -z "${FIND}" -o "${FIND}" = "0" ]; then LogText "Result: YUM package update management failed" Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED @@ -777,7 +777,7 @@ # Check if it's installed as package (this is old style) if [ ${DO_TEST} -eq 0 ]; then - FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"` + FIND=`rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed"` if [ ! "${FIND}" = "" ]; then LogText "Result: found yum-plugin-security package" DO_TEST=1 @@ -789,7 +789,7 @@ PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="yum-security" LogText "Test: Checking for vulnerable packages" - FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'` + FIND2=`/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }'` if [ "${FIND2}" = "" ]; then LogText "Result: no vulnerable packages found" Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN 
@@ -845,7 +845,7 @@ if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then if [ -f /etc/apt/sources.list ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" - FIND=$(egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g') + FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | ${GREPBINARY} -v '#' | sed 's/ /!space!/g') if [ ! "${FIND}" = "" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN @@ -858,7 +858,7 @@ fi if [ -d /etc/apt/sources.list.d ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" - FIND=$(egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g') + FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | sed 's/ /!space!/g') if [ ! -z "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN @@ -926,7 +926,7 @@ LogText "Result: found /usr/lib/update-notifier/apt-check" LogText "Test: checking if any of the updates contain security updates" # apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only - FIND=`/usr/lib/update-notifier/apt-check 2>&1 | awk -F\; '{ print $2 }'` + FIND=`/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }'` # Check if we get the proper line back and amount of security patches available if [ "${FIND}" = "" ]; then LogText "Result: did not find security updates line" 
@@ -949,7 +949,7 @@ # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) # Show packages which would be upgraded and match 'security' in repository name - FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort -u` + FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | cut -d ' ' -f2 | ${SORTBINARY} -u` if [ ! "${FIND}" = "" ]; then VULNERABLE_PACKAGES_FOUND=1 SCAN_PERFORMED=1 @@ -1003,7 +1003,7 @@ LogText "Result: found /usr/bin/glsa-check" LogText "Test: checking if there are any vulnerable packages" # glsa-check reports the GLSA date/ID string, not the vulnerable package. - FIND=`/usr/bin/glsa-check -t all 2>&1 | grep -v "This system is affected by the following GLSAs:" | grep -v "This system is not affected by any of the listed GLSAs" | wc -l` + FIND=`/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | wc -l` if [ "${FIND}" = "" ]; then LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found." LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result" @@ -1081,7 +1081,7 @@ ################################################################################# # # Description : HP-UX packages - # Notes : swlist -l fileset (|grep patch) / print_manifest + # Notes : swlist -l fileset (|${GREPBINARY} patch) / print_manifest # ################################################################################# # diff --git a/include/tests_printers_spools b/include/tests_printers_spools index 70cf3bf3..e57d51f4 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools 
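Review bot: `${GREPBINARY} '-security'` in the apt-get dry-run pipeline passes a pattern that begins with a dash, which grep parses as a bundle of options rather than as the search text. The filter for security upgrades then depends on how the local grep splits `-security` into flags, which can differ between implementations. `${GREPBINARY} -e '-security'` states the pattern explicitly.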
@@ -69,7 +69,7 @@ Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking cupsd status" - #FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd` + #FIND=`${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd` IsRunning cupsd if [ ${RUNNING} -eq 1 ]; then Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN @@ -139,7 +139,7 @@ FOUND=0 # Checking network addresses LogText "Test: Checking CUPS daemon listening network addresses" - FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'` + FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }'` N=0 for I in ${FIND}; do LogText "Found network address: ${I}" @@ -168,7 +168,7 @@ # Checking sockets LogText "Test: Checking cups daemon listening sockets" - FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'` + FIND=`${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} "/" | ${AWKBINARY} '{ print $2 }'` for I in ${FIND}; do LogText "Found socket address: ${I}" N=$((N + 1)) @@ -224,7 +224,7 @@ QDAEMON_CONFIG_FILE="/etc/qconfig" FileIsReadable ${QDAEMON_CONFIG_FILE} if [ ${CANREAD} -eq 1 ]; then - FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"` + FIND=`${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device"` if [ ! "${FIND}" = "" ]; then LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_scheduling b/include/tests_scheduling index 0b5b4c83..9bc9f10f 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling 
@@ -55,7 +55,7 @@ BAD_FILE_PERMISSIONS=0 BAD_FILE_OWNERSHIP=0 FindCronJob() { - sCRONJOBS=$(egrep '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ',') + sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ',') } CRONTAB_FILE="/etc/crontab" @@ -77,7 +77,7 @@ if [ ${CANREAD} -eq 1 ]; then LogText "Result: found directory ${I}" LogText "Test: searching files in ${I}" - FIND=$(find ${I} -type f -print | grep -v ".placeholder") + FIND=$(find ${I} -type f -print | ${GREPBINARY} -v ".placeholder") if [ "${FIND}" = "" ]; then LogText "Result: no files found in ${I}" else @@ -109,7 +109,7 @@ if [ -d ${I} ]; then LogText "Result: found directory ${I}" LogText "Test: searching files in ${I}" - FIND=$(find ${I} -type f -print | grep -v ".placeholder") + FIND=$(find ${I} -type f -print | ${GREPBINARY} -v ".placeholder") if [ "${FIND}" = "" ]; then LogText "Result: no files found in ${I}" else @@ -186,7 +186,7 @@ Register --test-no SCHD-7718 --weight L --network NO --category security --description "Check at users" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking atd status" - FIND=$(${PSBINARY} ax | grep "/atd" | grep -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} "/atd" | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: at daemon active" Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN @@ -224,7 +224,7 @@ FileIsReadable ${AT_ALLOW} if [ ${CANREAD} -eq 1 ]; then LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs" - FIND=$(sort ${AT_ALLOW}) + FIND=$(${SORTBINARY} ${AT_ALLOW}) if [ "${FIND}" = "" ]; then LogText "Result: File empty, no users are allowed to schedule at jobs" else 
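Review bot: FindCronJob only collects lines that begin with a digit or `*`, so schedule entries written with an `@` shortcut such as `@reboot` are never listed by this audit. Widening the class to `'^([0-9*@])'` would include them, provided the callers outside this hunk can handle the extra rows. The file argument is also expanded unquoted, so a path with whitespace or glob characters is split; use `"$1"`.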
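Review bot: The atd check still scrapes `${PSBINARY} ax` through two grep stages, while the cupsd test in tests_printers_spools in this same commit has the equivalent pipeline commented out in favour of `IsRunning cupsd` and a test on `${RUNNING}`. Substring matching on ps output can hit unrelated command lines that merely contain `/atd`. Consider `IsRunning atd` followed by `if [ ${RUNNING} -eq 1 ]; then`, if the helper's matching (defined outside this diff) suits this daemon. The squid, nfsd and ntpd checks further down keep the same ps-and-grep pattern.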
@@ -242,7 +242,7 @@ FileIsReadable ${AT_DENY} if [ ${CANREAD} -eq 1 ]; then LogText "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs" - FIND=$(sort ${AT_DENY}) + FIND=$(${SORTBINARY} ${AT_DENY}) if [ "${FIND}" = "" ]; then LogText "Result: file is empty, no users are denied access to schedule jobs" else @@ -273,7 +273,7 @@ Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check at jobs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check scheduled at jobs" - FIND=$(atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g') + FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g') if [ ! "${FIND}" = "" ]; then LogText "Result: found one or more jobs" for I in ${FIND}; do diff --git a/include/tests_shells b/include/tests_shells index 4b8c3050..d87d6c13 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -51,7 +51,7 @@ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking console TTYs" - FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'` + FIND=`${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN LogText "Result: console is secured against single user mode without password." @@ -75,7 +75,7 @@ if [ -f /etc/shells ]; then LogText "Result: Found /etc/shells file" LogText "Test: Reading available shells from /etc/shells" - SSHELLS=`grep "^/" /etc/shells` + SSHELLS=`${GREPBINARY} "^/" /etc/shells` CSSHELLS=0; CSSHELLS_ALL=0 Display --indent 2 --text "- Checking shells from /etc/shells" for I in ${SSHELLS}; do 
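Review bot: The console TTY check reports the console as secured whenever `${FIND}` is empty, and an empty or wrong `${EGREPBINARY}` or `${GREPBINARY}` (both are set outside this diff) makes the pipeline fail and leaves `${FIND}` empty, so a broken tool lookup would read as a pass. Confirm the binaries before drawing the conclusion, for example with `[ -x "${EGREPBINARY}" -a -x "${GREPBINARY}" ]`, and log a skipped test otherwise. The falsetickers and stratum-16 checks in tests_time and the apt-get security-update check treat an empty result as the good outcome in the same way.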
@@ -117,9 +117,9 @@ if [ -f /etc/profile ]; then # Determine if we can find a TMOUT value - FIND=`grep 'TMOUT=' /etc/profile | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'` + FIND=`${GREPBINARY} 'TMOUT=' /etc/profile | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v "^#" | sed 's/export//' | sed 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` # Determine if the value is exported (with export, readonly, or typeset) - FIND2=`grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'` + FIND2=`${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | sed 's/#.*//' | ${AWKBINARY} '{ print $1 }'` if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do @@ -163,9 +163,9 @@ FIND=`ls /etc/profile.d/*.sh 2> /dev/null` if [ ! "${FIND}" = "" ]; then # Determine if we can find a TMOUT value - FIND=`cat /etc/profile.d/*.sh 2> /dev/null | grep 'TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'` + FIND=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | tr -d ' ' | tr -d '\t' | ${GREPBINARY} -v "^#" | sed 's/export//' | sed 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }'` # Determine if the value is exported (with export, readonly, or typeset) - FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'` + FIND2=`cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | sed 's/#.*//' | ${AWKBINARY} '{ print $1 }'` if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 
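Review bot: The export detection `${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT'` uses `[ \t]`, which inside a grep bracket expression means a space, a backslash and the letter t rather than a tab, so a tab-separated `export TMOUT` line is missed and the timeout is treated as not exported. The `\|` alternation in a basic regular expression is also a GNU extension. Since `${EGREPBINARY}` is available, `${EGREPBINARY} '(export|readonly|typeset -r)[[:space:]]*TMOUT'` states the intent portably. The /etc/profile.d hunk that follows uses the same expression, and both enclosing if-blocks continue outside the hunks.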
@@ -231,7 +231,7 @@ if [ -f ${FILE} ]; then LogText "Result: file ${FILE} exists" FOUND=1 - FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'` + FIND=`${GREPBINARY} umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: did not find umask configured in ${FILE}" Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW @@ -280,7 +280,7 @@ LogText "Test: Check if bash is in the list of shells." if [ -f /etc/shells ]; then LogText "Test: checking for bash shell in /etc/shells" - FIND=`egrep '(/usr)?(/local)?/bin/bash' /etc/shells | grep -v "^#" | head -1` + FIND=`${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1` else LogText "Test: checking if bash is available via which command" FIND=`which bash 2> /dev/null | head -1` @@ -295,7 +295,7 @@ # CVE-2014-6271 LogText "Test: Check for first exploit (CVE-2014-6271)" - echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then @@ -312,7 +312,7 @@ # CVE-2014-6278 LogText "Test: Check for CVE-2014-6278" - echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then 
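Review bot: The path that is later executed as `${FIND} ${SHELLSHOCK_TMP}` comes from an unanchored match, `'(/usr)?(/local)?/bin/bash'`, so any /etc/shells entry that merely contains `/bin/bash` (a longer path, or a differently named binary such as one with a suffix) can be the one `head -1` returns. Anchoring it as `${EGREPBINARY} '^(/usr)?(/local)?/bin/bash$' /etc/shells` limits the choice to the expected locations and makes the `-v "^#"` stage unnecessary. The fallback `which bash` still resolves through PATH, which is what the rest of this commit moves away from.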
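Review bot: The generated CVE-2014-6271 script calls a bare `bash -c`, so the interpreter actually probed is the first bash in PATH and not necessarily the binary in `${FIND}` located just above; the verdict can then describe a different bash from the one that was logged. Writing the discovered path into the script (`${FIND} -c` in place of `bash -c`) keeps the probe and the report on the same binary. The remaining Shellshock hunks (CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 and the shellshocker.net test) share this. How `${SHELLSHOCK_TMP}` is created is outside the hunk; because its content is executed, it should live in a private, unpredictable location.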
@@ -327,7 +327,7 @@ # CVE-2014-7169 LogText "Test: Check for taviso bug CVE-2014-7169" - echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP} + echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | ${GREPBINARY} ' vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then @@ -342,7 +342,7 @@ # CVE-2014-7186 LogText "Test: Check for CVE-2014-7186" - echo "(bash -c 'true </dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + echo "(bash -c 'true </dev/null || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then @@ -357,7 +357,7 @@ # CVE-2014-7187 LogText "Test: Check for CVE-2014-7187" - echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP} + echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then 
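Review bot: As shown, the final filter `${GREPBINARY} ' vulnerable'` requires a space before the word, but the script prints `vulnerable` at the start of a line, so the CVE-2014-7169 check appears unable to ever report an affected shell; `${GREPBINARY} 'vulnerable'` would match the other tests. The inner `"echo echo nonvuln"` is not escaped like the other quotes on the line, so those double quotes are dropped from the generated script and `-c` receives only `echo`. The probe also works in the shared /tmp directory under the fixed name `/tmp/echo`, which a scanner that usually runs as root should avoid; a private directory from `mktemp -d` is the safer place.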
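Review bot: In the CVE-2014-7187 script the `$x` in `\"for x$x in ; do :\"` is not escaped, so it is expanded by the shell that writes the file rather than by the loop inside it, and every generated line becomes the same `for x in ; do :` (assuming x is unset at that point). Escape it as `x\$x`, the way `\$(cat echo ...)` is escaped in the CVE-2014-7169 test.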
@@ -372,7 +372,7 @@ # CVE-2014-//// LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)" - echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP} + echo "env X=' () { }; echo hello' bash -c 'date'| ${GREPBINARY} 'hello'" > ${SHELLSHOCK_TMP} VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null` rm -f ${SHELLSHOCK_TMP} if [ ! "${VULNERABLE}" = "" ]; then diff --git a/include/tests_solaris b/include/tests_solaris index d283cef9..c6c8652d 100644 --- a/include/tests_solaris +++ b/include/tests_solaris @@ -32,7 +32,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # LogText "Test: Searching for a SSH daemon" # # Check running processes -# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"` +# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"` # if [ ! "${FIND}" = "" ]; then # SSH_DAEMON_RUNNING=1 # LogText "Result: Stop-A is disabled" @@ -51,7 +51,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # LogText "Test: Searching for a SSH daemon" # # Check running processes -# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"` +# FIND=`${PSBINARY} ax | ${GREPBINARY} "sshd" | ${GREPBINARY} -v "grep"` # if [ ! "${FIND}" = "" ]; then # SSH_DAEMON_RUNNING=1 # LogText "Result: Stop-A is disabled" diff --git a/include/tests_squid b/include/tests_squid index 20a29c02..ace3f288 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -42,7 +42,7 @@ LogText "Test: Searching for a Squid daemon" FOUND=0 # Check running processes - FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"` + FIND=`${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep"` if [ ! "${FIND}" = "" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" 
@@ -94,7 +94,7 @@ # Skip check if a setuid/setgid bit is found FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` if [ "${FIND}" = "" ]; then - FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'` + FIND2=`${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }'` Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN SQUID_VERSION="${FIND2}" else @@ -114,7 +114,7 @@ Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" - FIND=`grep -v "^#" ${SQUID_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` LogText "Found Squid option: ${I}" @@ -159,7 +159,7 @@ Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check auth_param option for authentication methods" - FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'` + FIND=`${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW 
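Review bot: The guard meant to skip executing a setuid or setgid Squid binary uses `-perm 4000 -o -perm 2000`, which matches only files whose mode is exactly 4000 or 2000, so an ordinary setuid binary such as mode 4755 is not detected and `${SQUIDBINARY} -v` runs anyway. Use the bit-test form `\( -perm -4000 -o -perm -2000 \)`. The find line is unchanged context in this hunk, but it decides whether the line this commit edits is executed.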
@@ -180,7 +180,7 @@ Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check external_acl_type option for external authentication helpers" - FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}` + FIND=`${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG}` if [ "${FIND}" = "" ]; then LogText "No external_acl_type found" Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW @@ -203,7 +203,7 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking ACLs" - FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: No ACLs found" Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED 
@@ -228,14 +228,14 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking ACL Safe_ports http_access option" - FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"` + FIND=`${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports"` if [ "${FIND}" = "" ]; then LogText "Result: no Safe_ports found" Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" else LogText "Result: checking ACL safe ports" - FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'` + FIND2=`${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }'` if [ "${FIND2}" = "" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)" @@ -251,7 +251,7 @@ #SQUID_DAEMON_UNSAFE_PORTS_LIST for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do LogText "Test: Checking port ${I} in Safe_ports list" - FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` + FIND2=`${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` if [ "${FIND2}" = "" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 1 1 @@ -279,7 +279,7 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: checking option reply_body_max_size" - FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: option reply_body_max_size not configured" Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED 
@@ -306,7 +306,7 @@ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"` + FIND=`${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on"` if [ "${FIND}" = "" ]; then LogText "Result: option httpd_suppress_version_string not configured" Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW diff --git a/include/tests_ssh b/include/tests_ssh index 516fb64c..5a048319 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -137,7 +137,7 @@ # Go through our list of options for I in ${SSHOPS}; do OPTIONNAME=`echo ${I} | cut -d ':' -f1` - OPTIONNAME_LOWER=`echo ${I} | cut -d ':' -f1 | awk '{ print tolower($1) }'` + OPTIONNAME_LOWER=`echo ${I} | cut -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }'` EXPECTEDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f1` MEDIUMSCOREDVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f2` WEAKVALUE=`echo ${I} | cut -d ':' -f2 | cut -d',' -f3` @@ -147,7 +147,7 @@ if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then # Get value and use the last occurrence - FOUNDVALUE=`awk -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1` + FOUNDVALUE=`${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1` LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}" if [ ! "${FOUNDVALUE}" = "" ]; then 
@@ -241,7 +241,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # AllowUsers - FIND=`egrep -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'` + FIND=`${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'` if [ ! "${FIND}" = "" ]; then LogText "Result: AllowUsers set, with value ${FIND}" Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN @@ -252,7 +252,7 @@ fi # AllowGroups - FIND=`egrep -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'` + FIND=`${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }'` if [ ! "${FIND}" = "" ]; then LogText "Result: AllowUsers set ${FIND}" Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_storage b/include/tests_storage index ea9457d9..3363cdbb 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -37,8 +37,8 @@ if [ -d /etc/modprobe.d ]; then FIND=`ls /etc/modprobe.d/* 2> /dev/null` if [ ! "${FIND}" = "" ]; then - FIND=`egrep -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | grep -v "#"` - FIND2=`egrep -r "^blacklist usb[-_]storage" /etc/modprobe.d/*` + FIND=`${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` + FIND2=`${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*` if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state (blacklisted)" @@ -48,7 +48,7 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND=`egrep "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` + FIND=`${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#"` if [ ! "${FIND}" = "" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state" 
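Review bot: In the AllowGroups branch the log line still reads `LogText "Result: AllowUsers set ${FIND}"`, so the log attributes the value to the wrong option; it should be `LogText "Result: AllowGroups set, with value ${FIND}"` to mirror the AllowUsers branch. In both branches `${AWKBINARY} '{ print $2 }'` keeps only the first name on each matching line, so the logged value is incomplete when several users or groups are listed.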
@@ -114,8 +114,8 @@ if [ -d /etc/modprobe.d ]; then FIND=`ls /etc/modprobe.d/* 2> /dev/null` if [ ! "${FIND}" = "" ]; then - FIND1=`egrep "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | grep -v "#"` - FIND2=`egrep "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | grep -v "#"` + FIND1=`${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` + FIND2=`${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#"` if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" @@ -125,8 +125,8 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND1=`egrep -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | grep -v "#"` - FIND2=`egrep -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | grep -v "#"` + FIND1=`${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#"` + FIND2=`${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#"` if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 593e5b35..d2adb879 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs 
@@ -94,7 +94,7 @@ Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking running NFS daemon" - FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"` + FIND=`${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep"` if [ "${FIND}" = "" ]; then LogText "Output: NFS daemon is not running" Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE @@ -122,7 +122,7 @@ LogText "Test: check /etc/exports" if [ -f /etc/exports ]; then LogText "Result: /etc/exports exists" - FIND=`grep -v "^$" /etc/exports | grep -v "^#" | sed 's/ /!space!/g'` + FIND=`${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | sed 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` @@ -161,7 +161,7 @@ Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share" if [ ${SKIPTEST} -eq 0 ]; then #LogText "Test: " - sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"` + sFIND=`${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | sed '1d'| ${GREPBINARY} "\*"` if [ "${sFIND}" != "" ]; then LogText "Result: all client are allowed to access a NFS share in /etc/exports" Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW diff --git a/include/tests_time b/include/tests_time index 3ba5e56e..910b9a5b 100644 --- a/include/tests_time +++ b/include/tests_time @@ -70,7 +70,7 @@ fi # Check running processes - FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"` + FIND=`${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep"` if [ ! "${FIND}" = "" ]; then FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1 NTP_DAEMON="ntpd" 
@@ -87,7 +87,7 @@ # Check timedate daemon (systemd) if [ ! "${TIMEDATECTL}" = "" ]; then - FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"` + FIND=`${TIMEDATECTL} status | ${GREPBINARY} "NTP enabled: yes"` if [ ! "${FIND}" = "" ]; then # Check for systemd-timesyncd if [ -f /etc/systemd/timesyncd.conf ]; then @@ -106,7 +106,7 @@ for I in ${CRONTAB_FILES}; do if [ -f ${I} ]; then LogText "Test: checking for ntpdate or rdate in crontab file ${I}" - FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'` + FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#'` if [ ! "${FIND}" = "" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN @@ -127,11 +127,11 @@ # Check cron jobs for I in ${CRON_DIRS}; do if [ -d ${I} ]; then - FIND=`ls ${I} | grep -v FIFO` + FIND=`ls ${I} | ${GREPBINARY} -v FIFO` if [ ! "${FIND}" = "" ]; then for J in ${FIND}; do LogText "Test: checking for ntpdate or rdate in ${I}/${J}" - FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | grep -v "^#"` + FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#"` if [ ! "${FIND2}" = "" ]; then LogText "Positive match found: ${FIND2}" FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 @@ -165,7 +165,7 @@ # Configuration file for *BSD if [ -f /etc/rc.conf ]; then LogText "Test: Checking if ntpdate is enabled at startup in *BSD" - FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf` + FIND=`${GREPBINARY} 'ntpdate_enable="YES"' /etc/rc.conf` if [ ! "${FIND}" = "" ]; then LogText "Result: ntpdate is enabled in rc.conf" FOUND=1 
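Review bot: The match on the literal `NTP enabled: yes` depends on the exact wording of `timedatectl status`, which to my knowledge has changed between systemd releases, so on a newer system `${FIND}` can stay empty although time synchronisation is on. Where it is available, the machine-readable output of `timedatectl show` is a steadier source, with the text match kept as a fallback for older releases. The `NTP synchronized: yes` match in TIME-3106 has the same dependency.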
@@ -203,7 +203,7 @@ Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check the status of time synchronization via timedatectl" - FIND=`${TIMEDATECTL} status | grep "NTP synchronized: yes"` + FIND=`${TIMEDATECTL} status | ${GREPBINARY} "NTP synchronized: yes"` if [ "${FIND}" = "" ]; then LogText "Result: time not synchronized via NTP" ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized" @@ -218,7 +218,7 @@ Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check active NTP associations ID's" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for NTP association ID's from ntpq peers list" - FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"` + FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} "No association ID's returned"` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found one or more association ID's" @@ -237,14 +237,14 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 LogText "Test: Checking stratum 16 sources from ntpq peers list" - FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'` + FIND=`${NTPQBINARY} -p -n | ${AWKBINARY} '{ if ($3=="16") { print $1 } }'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN LogText "Result: All peers are lower than stratum 16" else for I in ${FIND}; do LogText "Found stratum 16 peer: ${I}" - FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}` + FIND2=`${EGREPBINARY} "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}` if [ "${FIND2}" = "" ]; then N=$((N + 1)) else 
@@ -274,7 +274,7 @@ Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking unreliable ntp peers" - FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'` + FIND=`${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | sed 's/^-//g'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN LogText "Result: No unreliable peers found" @@ -297,8 +297,8 @@ Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check selected time source" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking selected time source" - FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'` - FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'` + FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ if ($4=="l") { print $1 } }'` + FIND2=`${NTPQBINARY} -p -n | ${GREPBINARY} '^*' | ${AWKBINARY} '{ print $1 }'` if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN FIND2=`echo ${FIND2} | sed 's/*//g'` @@ -319,7 +319,7 @@ Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check preffered time source" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking preferred time source" - FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'` + FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^+' | ${AWKBINARY} '{ print $1 }'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW LogText "Result: No other time source candidates found" 
@@ -342,7 +342,7 @@ Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking preferred time source" - FIND=`${NTPQBINARY} -p -n | grep '^x'` + FIND=`${NTPQBINARY} -p -n | ${GREPBINARY} '^x'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN LogText "Result: No falsetickers found (items preceeding with an 'x')" @@ -366,7 +366,7 @@ Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP protocol version" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)" - FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'` + FIND=`${NTPQBINARY} -c ntpversion | ${AWKBINARY} '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: No NTP version found" diff --git a/include/tests_tooling b/include/tests_tooling index eb5c54c7..3424b36a 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -195,7 +195,7 @@ if [ ${PERFORM_FAIL2BAN_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${FAIL2BANCLIENT} -d | tr -d '[]' | tr -d "'" | awk -F, '{ if ($1=="add") { print $2 }}' | tr -d ' ') + FIND=$(${FAIL2BANCLIENT} -d | tr -d '[]' | tr -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | tr -d ' ') if [ ! "${FIND}" = "" ]; then for F2BSERVICE in ${FIND}; do LogText "Result: service '${F2BSERVICE}' enabled" 
@@ -221,8 +221,8 @@ # # Check email alert configuration # LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}" # - # FIND=`egrep "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}` - # FIND2=`egrep "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}` + # FIND=`${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}` + # FIND2=`${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}` # # if [ ! "${FIND}" = "" ]; then # FAIL2BAN_EMAIL=1 @@ -271,7 +271,7 @@ # LogText "Checking for fail2ban iptables chains" # # if [ ! "${IPTABLESBINARY}" = "" ]; then - # CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban` + # CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban` # if [ ! "${CHECK_CHAINS}" = "" ]; then # LogText "Result: found at least one iptables chain for fail2ban" # Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN diff --git a/include/tests_webservers b/include/tests_webservers index 756ae297..72972bf9 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -61,7 +61,7 @@ Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Test: Scanning for Apache binary" - IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'` + IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache'` if [ "${IS_APACHE}" = "" ]; then LogText "Result: ${HTTPDBINARY} is not Apache" Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE 
@@ -69,7 +69,7 @@ Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon" APACHE_INSTALLED=1 - APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | grep "^Server version:" | awk '{ print $3 }' | awk -F/ '{ print $2 }'` + APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} "^Server version:" | ${AWKBINARY} '{ print $3 }' | ${AWKBINARY} -F/ '{ print $2 }'` LogText "Apache version: ${APACHE_VERSION}" Report "apache_version=${APACHE_VERSION}" fi @@ -93,7 +93,7 @@ Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing main Apache configuration file" if [ ${SKIPTEST} -eq 0 ]; then APACHE_CONFIGFILE="" - APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'` + APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'` if [ "${APACHE_TEST}" = "" ]; then LogText "Result: Can't find the configuration file, so skipping some Apache related tests" @@ -104,7 +104,7 @@ Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" else # Probably the prefix is missing, so we are going to search that - APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '` + APACHE_HTTPDROOT=`${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '` #echo "Apache root prefix: ${APACHE_HTTPDROOT}" #echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}" APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}" 
@@ -137,7 +137,7 @@ # Sort unsorted list, save it in temp file and then remove unsorted list if [ -f ${TMPFILE2} ]; then - sort -u ${TMPFILE2} >> ${TMPFILE} + ${SORTBINARY} -u ${TMPFILE2} >> ${TMPFILE} rm -f ${TMPFILE2} fi cVHOSTS=0; tVHOSTS="" @@ -149,14 +149,14 @@ FileIsReadable ${I} if [ ${CANREAD} -eq 1 ]; then # Search Virtual Hosts - for J in `grep "ServerName" ${I} | grep -v "^#" | awk '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do + for J in `${GREPBINARY} "ServerName" ${I} | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ if ($1=="ServerName" && $2!="*" && $2!="default") print $2 }'`; do if [ ! -z ${J} ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=$((cVHOSTS + 1)) fi done # Search Server aliases - for J in `grep "ServerAlias" ${I} | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do + for J in `${GREPBINARY} "ServerAlias" ${I} | ${GREPBINARY} -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do if [ ! -z ${J} ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=$((cVHOSTS + 1)) 
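Review bot: The ServerAlias loop in the `-149,14` hunk counts names that are not active aliases, because `${GREPBINARY} -v "^#"` only drops comments that start in column 0 and `sed "s/.* ServerAlias//g"` needs a space before the keyword. As written, an indented `# ServerAlias old.example.com` is reported as a virtual host, and a directive at column 0 or indented with a tab leaves the word `ServerAlias` itself in the list. The ServerName loop just above avoids this by testing `$1` in awk, and the alias loop can do the same: `for J in $(${AWKBINARY} '{ if ($1=="ServerAlias") { for (i=2; i<=NF; i++) { if ($i ~ /^#/) break; print $i } } }' ${I}); do`. The surrounding loop over configuration files begins and ends outside the hunk.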
@@ -205,12 +205,12 @@ # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do # if [ -f ${APACHE_CONFIGFILE} ]; then # # Check if option ServerTokens is configured -# SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'` +# SERVERTOKENSTEST=`${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#'` # if [ ! "${SERVERTOKENSTEST}" = "" ]; then # Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE # SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '` # LogText "Option ServerTokens found: ${SERVERTOKENSTEST}" -# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3` +# SERVERTOKENSEXPECTED=`${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | cut -d ':' -f3` # if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then # LogText "Result: Value from configuration file yielded the same output as in template" # SERVERTOKENSFOUND=1 @@ -250,11 +250,11 @@ #if [ ${SKIPTEST} -eq 0 ]; then # Testing Debian style #LogText "Test: searching loaded/enabled Apache modules" - #apachectl -t -D DUMP_MODULES 2>&1 | egrep -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //' + #apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //' #for I in ${APACHE_MODULES_ENABLED_LOCS}; do #LogText "Test: checking ${I}" #if [ -d ${I} ]; then - #FIND=`grep -r LoadModule ${I}/* | grep -v "^#" | awk '{ print $2":"$3 }'` + #FIND=`${GREPBINARY} -r LoadModule ${I}/* | ${GREPBINARY} -v "^#" | ${AWKBINARY} '{ print $2":"$3 }'` #else #LogText "Result: ${I} does not exist" #fi 
@@ -380,7 +380,7 @@ Register --test-no HTTP-6702 --weight L --network NO --category security --description "Check nginx process" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching running nginx process" - FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"` + FIND=`${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep"` if [ ! "${FIND}" = "" ]; then LogText "Result: found running nginx process(es)" Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN @@ -428,9 +428,9 @@ # Remove temp file if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi N=0 - sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE} + sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE} # Search for included configuration files (may include directories and wild cards) - FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'` + FIND=`${GREPBINARY} "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'` for I in ${FIND}; do FIND2=`${LSBINARY} ${I} 2>/dev/null` for J in ${FIND2}; do @@ -442,7 +442,7 @@ FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}" - FIND3=`sed -e 's/^[ ]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}` + FIND3=`sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}` else ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" fi 
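Review bot: In the `-428,9` hunk the temp file is removed and then re-created by name through `>> ${TMPFILE}`, which leaves a window in which the path does not belong to this script. Where `TMPFILE` is created is outside the hunk; if it lives in a shared directory such as /tmp, the root-run append would write to whatever exists at that path by then. Truncating in place keeps the file the script originally created and closes the window: `if [ -n "${TMPFILE}" ] && [ -f "${TMPFILE}" ]; then : > "${TMPFILE}"; fi`. Quoting `"${TMPFILE}"` in the redirect also avoids an ambiguous-redirect error when the variable is empty.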
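Review bot: `FIND3` in the `-442,7` hunk is always empty, because the pipeline inside the backticks redirects its output to `${TMPFILE}`, so the command substitution has nothing to capture. Running the pipeline as a plain statement says what the line does and drops an unused variable: `sed -e 's/^[ ]*//' "${J}" | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> "${TMPFILE}"`. The enclosing loops start outside the hunk.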
@@ -451,7 +451,7 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` + SORTFILE=`${SORTBINARY} -u ${TMPFILE} | sed 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})"` for I in ${SORTFILE}; do I=`echo ${I} | sed 's/:space:/ /g'` Report "nginx_config_option[]=${I}"; @@ -478,7 +478,7 @@ LogText "Test: start parsing all discovered nginx options" Display --indent 4 --text "- Parsing configuration options" for I in ${NGINX_CONF_FILES}; do - FILENAME=$(echo ${I} | awk -F/ '{print $NF}') + FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILENAME}" = "mime.types" ]; then if FileIsReadable ${I}; then Display --indent 8 --text "- ${I}" @@ -492,7 +492,7 @@ done if [ ! -z "${NGINX_CONF_FILES_ADDITIONS}" ]; then for I in ${NGINX_CONF_FILES_ADDITIONS}; do - FILENAME=$(echo ${I} | awk -F/ '{print $NF}') + FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}') if [ ! "${FILENAME}" = "mime.types" ]; then if FileIsReadable ${I}; then Display --indent 8 --text "- ${I}" @@ -651,7 +651,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # N=0 # LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}" -# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'` +# FIND=`${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | sed 's/proxy_pass//g' | tr -d ';'` # for I in ${FIND}; do # LogText "Found reverse proxy configuration for: ${I}" # N=$((N + 1)) 
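Review bot: `FILENAME=$(echo ${I} | ${AWKBINARY} -F/ '{print $NF}')` in the `-478,7` hunk spawns a subshell and an awk process to take a basename, and the unquoted `echo ${I}` is subject to word splitting and globbing on a path read from the nginx configuration. POSIX parameter expansion does the same without either: `FILENAME="${I##*/}"`. The identical line in the `-492,7` hunk can change the same way. Both loops continue outside their hunks.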
@@ -675,7 +675,7 @@ # if [ ${SKIPTEST} -eq 0 ]; then # N=0 # LogText "Test: searching nginx virtual hosts" -# FIND=`grep "server_name" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/server_name//g' | tr -d ';'` +# FIND=`${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | sed 's/server_name//g' | tr -d ';'` # for I in ${FIND}; do # if [ "${I}" = "_" ]; then I="Default virtual host"; fi # LogText "Found virtual host: ${I}" @@ -703,7 +703,7 @@ LogText "Test: Checking ${DIR}" if [ -d ${DIR} ]; then LogText "Result: Directory ${DIR} exists, so will be used as search path" - FIND=$(find ${DIR} -type f -exec grep access_log \{\} \; | grep -v "#" | awk '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | sort -u) + FIND=$(find ${DIR} -type f -exec ${GREPBINARY} access_log \{\} \; | ${GREPBINARY} -v "#" | ${AWKBINARY} '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | ${SORTBINARY} -u) if [ -z "${FIND}" ]; then LogText "Result: no log files found" else
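Review bot: `${GREPBINARY} -v "#"` in the `-703,7` hunk discards every line that contains a `#` anywhere, so an active `access_log` directive with a trailing comment is dropped and its log file is never examined. The awk test `$1=="access_log"` already excludes commented-out directives, which makes the `-v "#"` filter redundant for its intended case. In the other direction, `access_log off;` passes through as the path `off`; whether later code filters that is outside the hunk. Dropping the filter and excluding the keyword in awk covers both: `${AWKBINARY} '{ if ($1=="access_log" && $2!="off;" && $2!="off") { print $2 } }'`. The if/else that consumes `FIND` continues outside the hunk.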