From 6857f015000e7890a8d7f4b2a1409c8c8aaf104b Mon Sep 17 00:00:00 2001
From: mboelen
Date: Thu, 16 Jul 2015 17:02:15 +0200
Subject: [PATCH] Added LDAP configuration file location to report, and code cleanups

---
 include/tests_authentication | 220 ++--------------------------------
 1 file changed, 8 insertions(+), 212 deletions(-)

diff --git a/include/tests_authentication b/include/tests_authentication
index d5a5c8bd..402cc1f6 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -250,27 +250,6 @@
 fi
 #
 #################################################################################
-#
-# # Test : AUTH-9229
-# # Description : Check AIX password file consistency
-# # Notes : Read only mode?
-# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking password file consistency (usrck)"
-# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
-# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
-# logtext "Result: usrck finished didn't find problems"
-# else
-# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
-# logtext "Result: usrck found one or more errors/warnings in the password file."
-# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
-# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
-# fi
-# fi
-#
-#################################################################################
 #
 # Test : AUTH-9230
 # Description : Check Solaris password file consistency
@@ -291,47 +270,6 @@
 fi
 #
 #################################################################################
-#
-# # Test : AUTH-9231
-# # Description : Check HP-UX password file consistency
-# # Notes : Read only mode?
-# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking password file consistency (pwck)"
-# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
-# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
-# logtext "Result: pwck finished didn't find problems"
-# else
-# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
-# logtext "Result: pwck found one or more errors/warnings in the password file."
-# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
-# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
-# fi
-# fi
-#
-#################################################################################
-#
-# # Test : AUTH-9232
-# # Description : Check HP-UX group file consistency
-# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking group file consistency (grpck)"
-# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
-# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
-# logtext "Result: grpck finished didn't find problems"
-# else
-# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
-# logtext "Result: grpck found one or more errors/warnings in the group file."
-# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
-# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
-# fi
-# fi
-#
-#################################################################################
 #
 # Test : AUTH-9234
 # Description : Query user accounts
@@ -434,23 +372,6 @@
 fi
 #
 #################################################################################
-#
- # Test : AUTH-9244
- # Description : Query NIS servers
- #Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #fi
-#
-#################################################################################
-#
- # Test : AUTH-9246
- # Description : Query NIS active
- #Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #if
- #grep '^+' /etc/passwd /etc/group
-#
-#################################################################################
 #
 # Test : AUTH-9250
 # Description : Check for sudoers file
@@ -515,65 +436,9 @@
 fi
 #
 #################################################################################
-#
-# # Test : AUTH-9255
-# # Description : Solaris test for unique UIDs
-# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# FIND=`logins -d | awk '{ print $1 }'`
-# if [ "${FIND}" = "" ]; then
-# logtext "Result: no duplicate accounts found, all accounts have an unique ID"
-# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN
-# else
-# for I in ${FIND}; do
-# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
-# done
-# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED
-# fi
-# fi
-#
-#################################################################################
-#
- # Test : AUTH-9260 [T]
- # Description : Search for account lockout on Linux
- # Notes : lib directory should be fixed
-# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: searching for /lib/security/pam_tally.so"
-# if [ -f /lib/security/pam_tally.so ]; then
-# logtext "Result: /lib/security/pam_tally.so found"
-# AddHP 1 1
-# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN
-# if [ -f /etc/pam.d/system-auth ]; then
-# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero"
-# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"`
-# if [ "${FIND}" = "" ]; then
-# logtext "Result: pam_tally properly configured"
-# logtext "Output: ${FIND}"
-# AddHP 1 1
-# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN
-# else
-# logtext "Result: pam_tally not (properly) configured"
-# logtext "Output: ${FIND}"
-# Display --indent 4 --text "- Checking lockout policy" --result SUGGESTION --color YELLOW
-# AddHP 0 1
-# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset"
-# fi
-# else
-# logtext "Result: skipped, /etc/pam.d/system-auth not found"
-# fi
-# else
-# logtext "Result: /lib/security/pam_tally.so not found"
-# AddHP 0 1
-# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW
-# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks"
-# fi
-#
-#################################################################################
 #
 # Test : AUTH-9262
 # Description : Search for PAM password strength testing libraries
- # Notes : YYY (combine with other PAM modules)
 Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
@@ -708,11 +573,6 @@
 fi
 #
 #################################################################################
-#
- # Test : AUTH-9270
- # Description : Audit PAM configuration files
-#
-#################################################################################
 #
 # Test : AUTH-9278
 # Description : Search LDAP support in PAM files
@@ -829,11 +689,6 @@
 fi
 #
 #################################################################################
-#
- # Test : AUTH-9292
- # Description : Check locked accounts (exclamation mark as first char in second column)
-#
-#################################################################################
 #
 # Test : AUTH-9304
 # Description : Check if single user mode login is properly configured in Solaris
@@ -944,12 +799,6 @@
 fi
 #
 #################################################################################
-#
- # Test : AUTH-9322
- # Description : Authentication time restrictions
- # /etc/security/time.conf
-#
-#################################################################################
 #
 # Test : AUTH-9328
 # Description : Check default umask in common files
@@ -1027,7 +876,6 @@
 logtext "Result: file /etc/passwd does not exist"
 fi
-
 # /etc/login.defs
 logtext "Test: Checking /etc/login.defs"
 if [ -f /etc/login.defs ]; then
@@ -1075,8 +923,7 @@
 logtext "Result: file /etc/init.d/functions does not exist"
 fi
- # /etc/init.d/rc [T]
- # Always needed? (YYY)
+ # /etc/init.d/rc
 logtext "Test: Checking /etc/init.d/rc"
 if [ -f /etc/init.d/rc ]; then
 logtext "Result: file /etc/init.d/rc exists"
@@ -1101,8 +948,7 @@
 logtext "Result: file /etc/init.d/rc does not exist"
 fi
- # /etc/init.d/rcS [T]
- # Always needed? (YYY)
+ # /etc/init.d/rcS
 logtext "Test: Checking /etc/init.d/rcS"
 if [ -f /etc/init.d/rcS ]; then
 logtext "Result: file /etc/init.d/rcS exists"
@@ -1187,36 +1033,6 @@
 fi
 #
 #################################################################################
-#
- # Test : AUTH-9342 [T]
- # Description : AIX account locking
- # Notes : /usr/sbin/lsuser -a logretries ALL
- # should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0
-#
-#################################################################################
-#
- # Test : AUTH-9344 [T]
- # Description : HP-UX account locking
- # Notes : grep :u_maxtries# /tcb/files/auth/system/default
- # should return ${ACCOUNT_MAX_RETRIES} or less, but not 0
-#
-#################################################################################
-#
- # Test : AUTH-9348 [T]
- # Description : Delay time after each failed login
- # Notes : This control counters brute force attacking by delaying each
- # attempt, while giving normal users to try typing in their
- # account details after a reasonable delay
- # Should return ${ACCOUNT_DELAY_TIME} or more
- # (4 seconds would be good)
- # AIX
- # grep "logindelay" /etc/security/login.cfg
- # Linux
- # grep "FAIL_DELAY" /etc/login.defs
- # HP-UX
- # grep ":t_logdelay#" /tcb/files/auth/system/default
-#
-#################################################################################
 #
 # Test : AUTH-9402
 # Description : Query LDAP authentication support
@@ -1238,31 +1054,6 @@
 fi
 #
 #################################################################################
-#
- # Test : AUTH-9404
- # Description : Check LDAP client configuration
-# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: checking ldap.conf locations"
-# for I in ${LDAP_CONF_LOCATIONS}; do
-# logtext "Test: checking ${I}"
-# if [ -f ${I} ]; then
-# logtext "Result: file ${I} exists"
-# logtext "Test: checking LDAP servers in file ${I}"
-# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
-# for I in ${FIND2}; do
-# Display --indent 6 --text "LDAP server: ${I}"
-# logtext "Result: found LDAP server ${I}"
-# # YYY check if host(s) are reachable/respond to queries
-# done
-# else
-# logtext "Result: ${I} does NOT exist"
-# fi
-# done
-# fi
-#
-#################################################################################
 #
 # Test : AUTH-9406
 # Description : Check LDAP servers in client configuration
@@ -1273,12 +1064,14 @@
 for I in ${LDAP_CONF_LOCATIONS}; do
 logtext "Test: checking ${I}"
 if [ -f ${I} ]; then
-logtext "Result: file ${I} exists"
+logtext "Result: file ${I} exists, LDAP being used"
+LDAP_CLIENT_CONFIG_FILE="${I}"
 logtext "Test: checking LDAP servers in file ${I}"
 FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
 for I in ${FIND2}; do
 Display --indent 6 --text "LDAP server: ${I}"
 logtext "Result: found LDAP server ${I}"
+report "ldap_server[]=${I}"
 # YYY check if host(s) are reachable/respond to queries
 done
 else
@@ -1324,6 +1117,9 @@
 report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
 report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
+if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
+report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
+fi
 wait_for_keypress
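Review bot: `LDAP_CLIENT_CONFIG_FILE="${I}"` is only assigned inside the `if [ -f ${I} ]` branch of the AUTH-9406 loop, so when none of `${LDAP_CONF_LOCATIONS}` exists the variable keeps whatever value it had before (unless it is initialised somewhere outside this hunk, which the patch does not show), and the later `[ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]` guard at the end of the file would then report a stale or inherited path; add `LDAP_CLIENT_CONFIG_FILE=""` just before the `for I in ${LDAP_CONF_LOCATIONS}; do` line at the top of the hunk (the loop body continues past the hunk). When more than one location exists, each later iteration overwrites the earlier value, so only the last file reaches the report while all of them are logged as "LDAP being used"; either say so next to the assignment, `# last existing location wins; earlier matches are only logged`, or emit every match as a multi-valued key in the style of the `ldap_server[]=` line added below it. The inner `for I in ${FIND2}` reuses the outer loop variable, which predates this commit, but the new assignment now depends on running before that inner loop, and a one-line comment to that effect would save the next maintainer from moving it.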
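Review bot: The new guard `if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then` spells an emptiness test as a negated string comparison; `if [ -n "${LDAP_CLIENT_CONFIG_FILE}" ]; then` states the intent directly and matches the `[ "${FIND}" = "" ]` style used elsewhere in this file once read the other way round. The check only does what the commit message promises if the variable is guaranteed empty whenever no LDAP client configuration was found, which the assignment in the AUTH-9406 hunk above does not establish on its own. These three added lines sit at the top level of the file, next to the other `report` calls, not inside a test block.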