Added LDAP configuration file location to report, and code cleanups

This commit is contained in:
mboelen 2015-07-16 17:02:15 +02:00
parent c68d20ba2c
commit 6857f01500
1 changed files with 8 additions and 212 deletions


@ -250,27 +250,6 @@
fi
#
#################################################################################
#
# # Test : AUTH-9229
# # Description : Check AIX password file consistency
# # Notes : Read only mode?
# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (usrck)"
# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: usrck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: usrck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
# fi
# fi
#
#################################################################################
#
# Test : AUTH-9230
# Description : Check Solaris password file consistency
@ -291,47 +270,6 @@
fi
#
#################################################################################
#
# # Test : AUTH-9231
# # Description : Check HP-UX password file consistency
# # Notes : Read only mode?
# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (pwck)"
# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: pwck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: pwck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
# fi
# fi
#
#################################################################################
#
# # Test : AUTH-9232
# # Description : Check HP-UX group file consistency
# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking group file consistency (grpck)"
# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
# logtext "Result: grpck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
# logtext "Result: grpck found one or more errors/warnings in the group file."
# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
# fi
# fi
#
#################################################################################
#
# Test : AUTH-9234
# Description : Query user accounts
@ -434,23 +372,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9244
# Description : Query NIS servers
#Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : AUTH-9246
# Description : Query NIS active
#Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers"
#if [ ${SKIPTEST} -eq 0 ]; then
#if
#grep '^+' /etc/passwd /etc/group
#
#################################################################################
#
# Test : AUTH-9250
# Description : Check for sudoers file
@ -515,65 +436,9 @@
fi
#
#################################################################################
#
# # Test : AUTH-9255
# # Description : Solaris test for unique UIDs
# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs"
# if [ ${SKIPTEST} -eq 0 ]; then
# FIND=`logins -d | awk '{ print $1 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: no duplicate accounts found, all accounts have an unique ID"
# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN
# else
# for I in ${FIND}; do
# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
# done
# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED
# fi
# fi
#
#################################################################################
#
# Test : AUTH-9260 [T]
# Description : Search for account lockout on Linux
# Notes : lib directory should be fixed
# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: searching for /lib/security/pam_tally.so"
# if [ -f /lib/security/pam_tally.so ]; then
# logtext "Result: /lib/security/pam_tally.so found"
# AddHP 1 1
# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN
# if [ -f /etc/pam.d/system-auth ]; then
# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero"
# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"`
# if [ "${FIND}" = "" ]; then
# logtext "Result: pam_tally properly configured"
# logtext "Output: ${FIND}"
# AddHP 1 1
# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN
# else
# logtext "Result: pam_tally not (properly) configured"
# logtext "Output: ${FIND}"
# Display --indent 4 --text "- Checking lockout policy" --result SUGGESTION --color YELLOW
# AddHP 0 1
# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset"
# fi
# else
# logtext "Result: skipped, /etc/pam.d/system-auth not found"
# fi
# else
# logtext "Result: /lib/security/pam_tally.so not found"
# AddHP 0 1
# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks"
# fi
#
#################################################################################
#
# Test : AUTH-9262
# Description : Search for PAM password strength testing libraries
# Notes : YYY (combine with other PAM modules)
Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -708,11 +573,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9270
# Description : Audit PAM configuration files
#
#################################################################################
#
# Test : AUTH-9278
# Description : Search LDAP support in PAM files
@ -829,11 +689,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9292
# Description : Check locked accounts (exclamation mark as first char in second column)
#
#################################################################################
#
# Test : AUTH-9304
# Description : Check if single user mode login is properly configured in Solaris
@ -944,12 +799,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9322
# Description : Authentication time restrictions
# /etc/security/time.conf
#
#################################################################################
#
# Test : AUTH-9328
# Description : Check default umask in common files
@ -1027,7 +876,6 @@
logtext "Result: file /etc/passwd does not exist"
fi
# /etc/login.defs
logtext "Test: Checking /etc/login.defs"
if [ -f /etc/login.defs ]; then
@ -1075,8 +923,7 @@
logtext "Result: file /etc/init.d/functions does not exist"
fi
# /etc/init.d/rc [T]
# Always needed? (YYY)
# /etc/init.d/rc
logtext "Test: Checking /etc/init.d/rc"
if [ -f /etc/init.d/rc ]; then
logtext "Result: file /etc/init.d/rc exists"
@ -1101,8 +948,7 @@
logtext "Result: file /etc/init.d/rc does not exist"
fi
# /etc/init.d/rcS [T]
# Always needed? (YYY)
# /etc/init.d/rcS
logtext "Test: Checking /etc/init.d/rcS"
if [ -f /etc/init.d/rcS ]; then
logtext "Result: file /etc/init.d/rcS exists"
@ -1187,36 +1033,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9342 [T]
# Description : AIX account locking
# Notes : /usr/sbin/lsuser -a logretries ALL
# should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0
#
#################################################################################
#
# Test : AUTH-9344 [T]
# Description : HP-UX account locking
# Notes : grep :u_maxtries# /tcb/files/auth/system/default
# should return ${ACCOUNT_MAX_RETRIES} or less, but not 0
#
#################################################################################
#
# Test : AUTH-9348 [T]
# Description : Delay time after each failed login
# Notes : This control counters brute force attacking by delaying each
# attempt, while giving normal users to try typing in their
# account details after a reasonable delay
# Should return ${ACCOUNT_DELAY_TIME} or more
# (4 seconds would be good)
# AIX
# grep "logindelay" /etc/security/login.cfg
# Linux
# grep "FAIL_DELAY" /etc/login.defs
# HP-UX
# grep ":t_logdelay#" /tcb/files/auth/system/default
#
#################################################################################
#
# Test : AUTH-9402
# Description : Query LDAP authentication support
@ -1238,31 +1054,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9404
# Description : Check LDAP client configuration
# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: checking ldap.conf locations"
# for I in ${LDAP_CONF_LOCATIONS}; do
# logtext "Test: checking ${I}"
# if [ -f ${I} ]; then
# logtext "Result: file ${I} exists"
# logtext "Test: checking LDAP servers in file ${I}"
# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
# for I in ${FIND2}; do
# Display --indent 6 --text "LDAP server: ${I}"
# logtext "Result: found LDAP server ${I}"
# # YYY check if host(s) are reachable/respond to queries
# done
# else
# logtext "Result: ${I} does NOT exist"
# fi
# done
# fi
#
#################################################################################
#
# Test : AUTH-9406
# Description : Check LDAP servers in client configuration
@ -1273,12 +1064,14 @@
for I in ${LDAP_CONF_LOCATIONS}; do
logtext "Test: checking ${I}"
if [ -f ${I} ]; then
logtext "Result: file ${I} exists"
logtext "Result: file ${I} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${I}"
logtext "Test: checking LDAP servers in file ${I}"
FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
for I in ${FIND2}; do
Display --indent 6 --text "LDAP server: ${I}"
logtext "Result: found LDAP server ${I}"
report "ldap_server[]=${I}"
# YYY check if host(s) are reachable/respond to queries
done
else
@ -1324,6 +1117,9 @@
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
fi
wait_for_keypress
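Review bot: The added `LDAP_CLIENT_CONFIG_FILE="${I}"` in the AUTH-9406 hunk is reassigned on every pass of `for I in ${LDAP_CONF_LOCATIONS}`, so when more than one of the candidate files exists only the last one survives to `report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"` and the earlier hits are silently dropped from the report. If one file is deliberately enough, a comment such as `# last existing location wins; earlier hits are only logged` on that line would make the intent explicit; otherwise emit a `report "ldap_config_file[]=${I}"` inside the loop next to the existing `ldap_server[]` entry so every detected file is recorded. The initialisation of `LDAP_CLIENT_CONFIG_FILE` is not in this diff; the new `[ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]` guard tolerates an unset variable, but setting `LDAP_CLIENT_CONFIG_FILE=""` alongside the other LDAP defaults would keep the report stage independent of whether AUTH-9406 ran (presumably it can be skipped, as the other tests are). The enclosing `if [ ${SKIPTEST} -eq 0 ]` block of that hunk starts and ends outside the shown lines.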