tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Retrieve SSH settings from active configuration and store earlier, test with lowercase settings for other tests

This commit is contained in:
mboelen 2016-05-02 15:04:40 +02:00
parent 9208e35f20
commit 6e2640c4d5
1 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
include/tests_ssh
View File

@ -26,6 +26,7 @@
SSH_DAEMON_CONFIG="" SSH_DAEMON_CONFIG=""
SSH_DAEMON_PORT="" SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0 SSH_DAEMON_RUNNING=0
SSH_DAEMON_OPTIONS_FILE=""
# #
################################################################################# #################################################################################
# #
@ -42,6 +43,10 @@
if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then
SSH_DAEMON_RUNNING=1 SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# Store settings in a temporary file
CreateTempFile
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
else else
Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
fi fi
@ -87,16 +92,10 @@
# Test : SSH-7408 # Test : SSH-7408
# Description : Check SSH specific defined options # Description : Check SSH specific defined options
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself # Notes : Instead of parsing the configuration file, we query the SSH daemon itself
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH specific defined options" Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH specific defined options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
CreateTempFile
SSH_OPTIONS_FILE="${TEMP_FILE}"
${SSHDBINARY} -T > ${SSH_OPTIONS_FILE}
LogText "Test: Checking specific defined options in ${SSH_OPTIONS_FILE}"
## SSHOPTIONS scheme: ## SSHOPTIONS scheme:
## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue>:<TestType> ## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue>:<TestType>
## ##
@ -147,8 +146,8 @@
if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then
# Get value and use the last occurrence # Get value and use the last occurrence
FOUNDVALUE=`awk -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_OPTIONS_FILE} | tail -1` FOUNDVALUE=`awk -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1`
LogText "Test: Checking ${OPTIONNAME} in ${SSH_OPTIONS_FILE}" LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
if [ ! "${FOUNDVALUE}" = "" ]; then if [ ! "${FOUNDVALUE}" = "" ]; then
LogText "Result: Option ${OPTIONNAME} found" LogText "Result: Option ${OPTIONNAME} found"
@ -236,12 +235,12 @@
# Test : SSH-7440 # Test : SSH-7440
# Description : AllowUsers / AllowGroups # Description : AllowUsers / AllowGroups
# Goal : Check if only a specific amount of users/groups can log in to the system # Goal : Check if only a specific amount of users/groups can log in to the system
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups" Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
# AllowUsers # AllowUsers
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`egrep -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set, with value ${FIND}" LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN
@ -252,7 +251,7 @@
fi fi
# AllowGroups # AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'` FIND=`egrep -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: AllowUsers set ${FIND}" LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN