mirror of https://github.com/CISOfy/lynis.git
Using grep -E
This commit is contained in:
xnoguer
parent
59a3c4b536
commit
6f1797fb59
|
|
@ -169,7 +169,6 @@
|
|||
domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
|
||||
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
|
||||
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
|
||||
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
|
||||
equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
|
||||
evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
|
||||
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
|
||||
|
|
@ -341,7 +340,6 @@
|
|||
[ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
|
||||
[ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
|
||||
[ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
|
||||
[ "${EGREPBINARY:-}" ] || ExitFatal "egrep binary not found"
|
||||
[ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
|
||||
[ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found"
|
||||
[ "${HEADBINARY:-}" ] || ExitFatal "head binary not found"
|
||||
|
|
|
|||
|
|
@ -1315,7 +1315,7 @@
|
|||
return 2
|
||||
else
|
||||
for CHECK_PERMISSION in ${CHECKPERMISSION_FULL}; do
|
||||
DATA=$(echo ${CHECK_PERMISSION} | ${EGREPBINARY} "[rwx]")
|
||||
DATA=$(echo ${CHECK_PERMISSION} | ${GREPBINARY} -E "[rwx]")
|
||||
if [ $? -eq 0 ]; then
|
||||
# add a dummy character as first character so it looks like output is a normal file
|
||||
CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
|
||||
|
|
@ -1608,7 +1608,7 @@
|
|||
# This search is not foolproof
|
||||
LogText "Performing simple ps scan (busybox)"
|
||||
PSOPTIONS=" -o args="
|
||||
FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
|
||||
FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${GREPBINARY:-grep} -E "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
|
||||
else
|
||||
if [ -n "${users}" ]; then
|
||||
for u in ${users}; do
|
||||
|
|
@ -3103,6 +3103,11 @@
|
|||
unsafe=1
|
||||
LogText "Security alert: file is not owned by active user, but can write to it"
|
||||
fi
|
||||
# File is not owned by active user, and not readable by him
|
||||
if [ ! -O "${FILE}" -a ! -r "${FILE}" ]; then
|
||||
unsafe=1
|
||||
LogText "Security alert: file is not readable by active user"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check file permissions
|
||||
|
|
|
|||
|
|
@ -42,9 +42,9 @@
|
|||
LogText "Test: Searching accounts with UID 0"
|
||||
# Check if device is a QNAP, as the root user is called admin, and not root
|
||||
if [ ${QNAP_DEVICE} -eq 1 ]; then
|
||||
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
||||
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
||||
else
|
||||
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
||||
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
||||
fi
|
||||
if [ -n "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
|
||||
|
|
@ -163,7 +163,7 @@
|
|||
LogText "Test: Checking login shells"
|
||||
if [ -f ${ROOTDIR}etc/master.passwd ]; then
|
||||
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
|
||||
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
|
||||
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${GREPBINARY} -E -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
|
|
@ -499,13 +499,13 @@
|
|||
Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f /etc/nsswitch.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
|
||||
FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: NIS+ authentication not enabled"
|
||||
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
|
||||
else
|
||||
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
FIND2=$(${GREPBINARY} -E "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
FIND3=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
|
||||
LogText "Result: NIS+ authentication enabled"
|
||||
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
||||
|
|
@ -526,13 +526,13 @@
|
|||
Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f /etc/nsswitch.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
|
||||
FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nis" | ${GREPBINARY} -v "nisplus")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: NIS authentication not enabled"
|
||||
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
|
||||
else
|
||||
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||
FIND2=$(${GREPBINARY} -E "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||
FIND3=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
|
||||
LogText "Result: NIS authentication enabled"
|
||||
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
||||
|
|
@ -737,7 +737,7 @@
|
|||
LogText "Result: file ${ROOTDIR}etc/pam.conf exists"
|
||||
Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Test: searching PAM configuration files"
|
||||
FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
|
||||
FIND=$(${GREPBINARY} -E -v "^#" ${ROOTDIR}etc/pam.conf | ${GREPBINARY} -E -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
|
||||
else
|
||||
|
|
@ -1017,7 +1017,7 @@
|
|||
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
|
||||
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
|
||||
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
|
||||
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
|
||||
FIND=$(${GREPBINARY} -E -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
|
||||
if [ -n "${FIND}" ]; then
|
||||
for ACCOUNT in ${FIND}; do
|
||||
LogText "Result: password of user ${ACCOUNT} has been expired"
|
||||
|
|
@ -1109,8 +1109,8 @@
|
|||
TEST_PERFORMED=1
|
||||
LogText "Result: file ${ROOTDIR}etc/inittab exists"
|
||||
LogText "Test: checking presence sulogin for single user mode"
|
||||
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||
FIND=$(${GREPBINARY} -E "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||
FIND2=$(${GREPBINARY} -E "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found sulogin, so single user is protected"
|
||||
|
|
@ -1147,7 +1147,7 @@
|
|||
# Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
|
||||
TEST_PERFORMED=1
|
||||
LogText "Result: found target ${I}"
|
||||
FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
|
||||
FIND=$(${GREPBINARY} -E "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
|
||||
else
|
||||
|
|
@ -1486,7 +1486,7 @@
|
|||
Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
|
||||
FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: LDAP authentication not enabled"
|
||||
Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
|
||||
|
|
@ -1514,7 +1514,7 @@
|
|||
LogText "Result: file ${FILE} exists, LDAP being used"
|
||||
LDAP_CLIENT_CONFIG_FILE="${FILE}"
|
||||
LogText "Test: checking LDAP servers in file ${FILE}"
|
||||
FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
FIND=$(${GREPBINARY} -E "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
for SERVER in ${FIND}; do
|
||||
Display --indent 6 --text "LDAP server: ${SERVER}"
|
||||
LogText "Result: found LDAP server ${SERVER}"
|
||||
|
|
|
|||
|
|
@ -460,7 +460,7 @@
|
|||
BOOT_LOADER_FOUND=1
|
||||
Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Checking password option LILO"
|
||||
FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
|
||||
FIND=$(${GREPBINARY} -E 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
|
||||
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
|
||||
|
|
@ -605,7 +605,7 @@
|
|||
else
|
||||
# FreeBSD (Read /etc/rc.conf file for enabled services)
|
||||
LogText "Searching for services at startup (rc.conf)"
|
||||
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
|
||||
FIND=$(${GREPBINARY} -E -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${GREPBINARY} -E -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
|
||||
fi
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
|
|
@ -715,7 +715,7 @@
|
|||
if [ -n "${CHKCONFIGBINARY}" ]; then
|
||||
LogText "Result: chkconfig binary found, trying that to discover information"
|
||||
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
|
||||
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
|
||||
FIND=$(${CHKCONFIGBINARY} --list | ${GREPBINARY} -E '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
|
||||
COUNT=0
|
||||
Report "boot_service_tool=chkconfig"
|
||||
for ITEM in ${FIND}; do
|
||||
|
|
@ -947,7 +947,7 @@
|
|||
if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
|
||||
LogText "Result: file /usr/lib/systemd/system/rescue.service"
|
||||
LogText "Test: checking presence sulogin for single user mode"
|
||||
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
|
||||
FIND=$(${GREPBINARY} -E "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
|
||||
if [ -n "${FIND}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found sulogin, so single user is protected"
|
||||
|
|
@ -981,14 +981,14 @@
|
|||
Report "running_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1 ))
|
||||
done
|
||||
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
|
||||
LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
|
||||
Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found ${COUNT} running daemons"
|
||||
LogText "Result: Found ${COUNT} running daemons"
|
||||
|
||||
# OpenBSD (Ask rcctl(8) for enabled daemons)
|
||||
LogText "Searching for enabled daemons (rcctl)"
|
||||
FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
|
||||
FIND=$(${RCCTLBINARY} ls on | ${GREPBINARY} -E -v '^(pf|check_quotas|library_aslr)$')
|
||||
COUNT=0
|
||||
Report "boot_service_tool=rcctl"
|
||||
for ITEM in ${FIND}; do
|
||||
|
|
@ -996,7 +996,7 @@
|
|||
Report "boot_service[]=${ITEM}"
|
||||
COUNT=$((COUNT + 1 ))
|
||||
done
|
||||
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
|
||||
LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
|
||||
Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
|
||||
Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
|
||||
LogText "Result: Found ${COUNT} enabled daemons at boot"
|
||||
|
|
|
|||
|
|
@ -137,7 +137,7 @@
|
|||
|
||||
# Check total of containers
|
||||
LogText "Test: checking total amount of Docker containers"
|
||||
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
|
||||
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} -E "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
|
||||
if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
|
||||
DOCKER_CONTAINERS_TOTAL=0
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@
|
|||
LASTSUBDIR=""
|
||||
LogText "Result: found directory ${DIR}"
|
||||
# Search for certificate files
|
||||
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
|
||||
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
|
||||
for FILE in ${FILES}; do
|
||||
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
|
||||
# See if we need to skip this path
|
||||
|
|
@ -80,7 +80,7 @@
|
|||
if [ ${CANREAD} -eq 1 ]; then
|
||||
# Only check the files that are not installed by a package, unless enabled by profile
|
||||
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
|
||||
echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$"
|
||||
echo ${FILE} | ${GREPBINARY} -E -q ".cer$|.der$"
|
||||
CER_DER=$?
|
||||
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
|
||||
if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@
|
|||
# Description : Check if MySQL is being used
|
||||
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
|
||||
LogText "Result: MySQL process not active"
|
||||
|
|
@ -244,7 +244,7 @@
|
|||
# reco: recovery (optional)
|
||||
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
|
||||
if [ -z "${FIND}" ]; then
|
||||
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
|
||||
LogText "Result: Oracle process(es) not active"
|
||||
|
|
|
|||
|
|
@ -104,7 +104,7 @@
|
|||
if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
|
||||
AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
|
||||
if case ${AIDE_DB} in @@*) ;; *) false;; esac; then
|
||||
I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}')
|
||||
AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#")
|
||||
|
|
@ -330,7 +330,7 @@
|
|||
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
|
||||
for DEVICE in /dev/mapper/*; do
|
||||
if [ -e "${DEVICE}" ]; then
|
||||
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
|
||||
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found dm-integrity device ${DEVICE}"
|
||||
|
|
@ -370,7 +370,7 @@
|
|||
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
|
||||
for DEVICE in /dev/mapper/*; do
|
||||
if [ -e "${DEVICE}" ]; then
|
||||
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
|
||||
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found dm-verity device ${DEVICE}"
|
||||
|
|
@ -404,7 +404,7 @@
|
|||
if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
|
||||
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: No SHA256 or SHA512 found for creating checksums"
|
||||
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@
|
|||
FOUND=0
|
||||
for PROFILE in ${PROFILES}; do
|
||||
LogText "Using profile ${PROFILE} for baseline."
|
||||
FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
|
||||
FILES=$(${GREPBINARY} -E '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
|
||||
for F in ${FILES}; do
|
||||
LogText "Test: checking file/directory ${F}"
|
||||
if [ -f "${F}" ]; then
|
||||
|
|
|
|||
|
|
@ -356,7 +356,7 @@
|
|||
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
|
||||
# https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4-configuring-procfs
|
||||
LogText "Test: check proc mount with incorrect mount options"
|
||||
FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=([0-9]|[a-z][a-z]*)")
|
||||
FIND=$(${MOUNTBINARY} | ${GREPBINARY} -E "${ROOTDIR}proc " | ${GREPBINARY} -E -o "hidepid=([0-9]|[a-z][a-z]*)")
|
||||
if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then # https://lwn.net/Articles/817137/
|
||||
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: proc mount mounted with ${FIND}"
|
||||
|
|
@ -504,7 +504,7 @@
|
|||
fi
|
||||
|
||||
LogText "Test: Checking acl option on xfs root file system"
|
||||
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr')
|
||||
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${GREPBINARY} -E 'no_acl|no_user_xattr')
|
||||
if [ -z "${FIND}" ]; then
|
||||
FOUND=1
|
||||
# some other tests to do ?
|
||||
|
|
@ -638,7 +638,7 @@
|
|||
NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
|
||||
NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
|
||||
NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
|
||||
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
|
||||
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${GREPBINARY} -E -v '^\(ro[,)]' | ${WCBINARY} -l)
|
||||
LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
|
||||
Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
|
||||
fi
|
||||
|
|
@ -814,13 +814,13 @@
|
|||
AVAILABLE_MODPROBE_FS=""
|
||||
for FS in ${LIST_FS_NOT_SUPPORTED}; do
|
||||
# Check if filesystem is present in modprobe output
|
||||
FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
|
||||
FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${GREPBINARY} -E "/${FS}.ko" | ${TAILBINARY} -1)
|
||||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
|
||||
Debug "Module ${FS} present in the kernel"
|
||||
LogText "Test: Checking if ${FS} is active"
|
||||
# Check if FS is present in lsmod output
|
||||
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
|
||||
FIND=$(${LSMODBINARY} | ${GREPBINARY} -E "^${FS}")
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: module ${FS} is currently not loaded in the kernel."
|
||||
AddHP 2 3
|
||||
|
|
@ -837,8 +837,8 @@
|
|||
fi
|
||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||
if [ -n "${FIND}" ]; then
|
||||
FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND1=$(${GREPBINARY} -E "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${GREPBINARY} -E "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
|
||||
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
|
||||
LogText "Result: module ${FS} is blacklisted"
|
||||
|
|
|
|||
|
|
@ -112,7 +112,7 @@
|
|||
TABLES="filter"
|
||||
for TABLE in ${TABLES}; do
|
||||
LogText "Test: gathering information from table ${TABLE}"
|
||||
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
|
||||
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
|
||||
done
|
||||
|
||||
echo "${FIND}" | while read -r line; do
|
||||
|
|
@ -154,7 +154,7 @@
|
|||
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
|
||||
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
|
||||
if [ -n "${FIND}" ]; then
|
||||
FIREWALL_ACTIVE=1
|
||||
if [ ${FIND} -le 5 ]; then
|
||||
|
|
@ -506,7 +506,7 @@
|
|||
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check for empty ruleset
|
||||
NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
|
||||
NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
|
||||
if [ ${NFT_RULES_LENGTH} -le 3 ]; then
|
||||
FIREWALL_EMPTY_RULESET=1
|
||||
LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check if users' home directories permissions are 750 or more restrictive
|
||||
FOUND=0
|
||||
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
|
||||
USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
|
||||
while read -r LINE; do
|
||||
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
|
||||
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
|
||||
|
|
@ -93,7 +93,7 @@ EOF
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check if users own their home directories
|
||||
FOUND=0
|
||||
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
|
||||
USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
|
||||
while read -r LINE; do
|
||||
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
|
||||
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
|
||||
|
|
|
|||
|
|
@ -298,7 +298,7 @@
|
|||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# # Check presence of Rsh Trust Files
|
||||
# FOUND=0
|
||||
# for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
|
||||
# for LINE in $(${CAT_BINARY} /etc/passwd | ${GREPBINARY} -E -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
|
||||
# USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
|
||||
# DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
|
||||
# if [ -d ${DIR} ]; then
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@
|
|||
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
|
||||
ReportException "${TEST_NO}:01"
|
||||
else
|
||||
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
|
||||
FIND2=$(${ECHOCMD} ${FIND} | ${GREPBINARY} -E "runlevel5|graphical")
|
||||
if HasData "${FIND2}"; then
|
||||
LogText "Result: Found match on runlevel5/graphical"
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
|
||||
|
|
@ -401,7 +401,7 @@
|
|||
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
|
||||
FINDKERNEL="raspberrypi-kernel"
|
||||
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
|
||||
elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
|
||||
elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
|
||||
FINDKERNEL="linux-image-$(uname -r)"
|
||||
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
|
||||
else
|
||||
|
|
@ -414,8 +414,8 @@
|
|||
else
|
||||
LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing"
|
||||
LogText "Test: Using apt-cache policy to determine if there is an update available"
|
||||
FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
LogText "Kernel installed: ${FINDINSTALLED}"
|
||||
LogText "Kernel candidate: ${FINDCANDIDATE}"
|
||||
if IsEmpty "${FINDINSTALLED}"; then
|
||||
|
|
@ -826,7 +826,7 @@
|
|||
LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
|
||||
|
||||
FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
|
||||
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
|
||||
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${GREPBINARY} -E -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
|
||||
|
||||
if [ -n "${FOUND_KERNEL_DATE}" ]; then
|
||||
FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
|
||||
|
|
@ -851,21 +851,21 @@
|
|||
next="month"
|
||||
fi
|
||||
elif [ "$next" = "month" ]; then
|
||||
if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
|
||||
if [ $(${ECHOCMD} "${part}" | ${GREPBINARY} -E -c "[A-Z][a-z]") -ge 1 ]; then
|
||||
UNAME_DATE_MONTH="${part}"
|
||||
next="day"
|
||||
fi
|
||||
elif [ "${next}" = "day" ]; then
|
||||
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
|
||||
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
|
||||
UNAME_DATE_DAY="${part}"
|
||||
next="time"
|
||||
fi
|
||||
elif [ "${next}" = "time" ]; then
|
||||
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
|
||||
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c ":[0-9][0-9]:") -ge 1 ]; then
|
||||
next="year"
|
||||
fi
|
||||
elif [ "${next}" = "year" ]; then
|
||||
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
|
||||
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
|
||||
UNAME_DATE_YEAR="${part}"
|
||||
break
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@
|
|||
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching for a logging daemon"
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
|
||||
|
|
@ -261,7 +261,7 @@
|
|||
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking which files are rotated with logrotate and if they exist"
|
||||
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
|
||||
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: nothing found"
|
||||
else
|
||||
|
|
@ -280,7 +280,7 @@
|
|||
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking which directories can be found in logrotate configuration"
|
||||
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
|
||||
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: nothing found"
|
||||
else
|
||||
|
|
@ -345,7 +345,7 @@
|
|||
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1")
|
||||
FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1")
|
||||
if [ -n "${FIND}" ]; then
|
||||
SOLARIS_LOGHOST_LOCALHOST=1
|
||||
LogText "Result: loghost entry is localhost (default)"
|
||||
|
|
@ -371,7 +371,7 @@
|
|||
TARGET="${ROOTDIR}etc/rsyslog.conf"
|
||||
if [ -f ${TARGET} ]; then
|
||||
LogText "Test: analyzing file ${TARGET} for remote target"
|
||||
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
|
||||
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
|
||||
if [ -z "${DATA}" ]; then
|
||||
LogText "Result: no remote target found"
|
||||
else
|
||||
|
|
@ -391,7 +391,7 @@
|
|||
for F in ${FILES}; do
|
||||
F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
|
||||
LogText "Test: analyzing file ${F} for remote target"
|
||||
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
|
||||
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
|
||||
if [ -n "${DATA}" ]; then
|
||||
LogText "Result: found remote target"
|
||||
REMOTE_LOGGING_ENABLED=1
|
||||
|
|
@ -403,7 +403,7 @@
|
|||
done
|
||||
else
|
||||
# Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
|
||||
DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F})
|
||||
DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F})
|
||||
if [ -n "${DATA}" ]; then
|
||||
LogText "Result: most likely remote log host is used, as keyword 'target' is used"
|
||||
REMOTE_LOGGING_ENABLED=1
|
||||
|
|
@ -424,7 +424,7 @@
|
|||
|
||||
if [ -f ${SYSLOGD_CONF} ]; then
|
||||
LogText "Test: check if logs are also logged to a remote logging host"
|
||||
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
|
||||
FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
|
||||
if [ -n "${FIND}" ]; then
|
||||
FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
|
||||
if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then
|
||||
|
|
@ -435,9 +435,9 @@
|
|||
fi
|
||||
else
|
||||
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
|
||||
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
|
||||
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
|
||||
for DESTINATION in ${DESTINATIONS}; do
|
||||
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
|
||||
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)")
|
||||
if [ -n "${FIND2}" ]; then
|
||||
LogText "Result: found destination ${DESTINATION} configured for remote logging"
|
||||
REMOTE_LOGGING_ENABLED=1
|
||||
|
|
@ -539,7 +539,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: checking open log files with lsof"
|
||||
if [ -n "${LSOFBINARY}" ]; then
|
||||
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
|
||||
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
|
||||
for I in ${FIND}; do
|
||||
LogText "Found logfile: ${I}"
|
||||
done
|
||||
|
|
@ -572,7 +572,7 @@
|
|||
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
|
||||
fi
|
||||
|
||||
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: found one or more files which are deleted, but still in use"
|
||||
for I in ${FIND}; do
|
||||
|
|
|
|||
|
|
@ -70,18 +70,18 @@
|
|||
unset FIND FIND2 FIND3 FIND4
|
||||
|
||||
# Local Only
|
||||
FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal')
|
||||
FIND=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^nonlocal')
|
||||
# Internet Host
|
||||
FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains')
|
||||
FIND2=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^dnslookup_relay_to_domains')
|
||||
# Smarthost or Satellite
|
||||
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
|
||||
FIND3=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^smarthost')
|
||||
|
||||
if [ -n "${FIND}" ]; then
|
||||
EXIM_TYPE="LOCAL ONLY"
|
||||
elif [ -n "${FIND2}" ]; then
|
||||
EXIM_TYPE="INTERNET HOST"
|
||||
elif [ -n "${FIND3}" ]; then
|
||||
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
|
||||
FIND4=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^hub_user_smarthost')
|
||||
if [ -n "${FIND4}" ]; then
|
||||
EXIM_TYPE="SATELLITE"
|
||||
else
|
||||
|
|
@ -415,7 +415,7 @@
|
|||
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check smtpd status"
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: found running smtpd process"
|
||||
Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN
|
||||
|
|
|
|||
|
|
@ -339,7 +339,7 @@
|
|||
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Trying to determine version from banner"
|
||||
FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*")
|
||||
FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: no useful information in banner found"
|
||||
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
|
||||
|
|
@ -571,7 +571,7 @@
|
|||
Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
|
||||
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
|
||||
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
|
||||
if [ -z "${OUTPUT}" ]; then
|
||||
LogText "Result: OK, no duplicate lines found"
|
||||
Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN
|
||||
|
|
@ -592,7 +592,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check /etc/hosts contains an entry for this server name"
|
||||
if [ -n "${HOSTNAME}" ]; then
|
||||
DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
|
||||
DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
|
||||
if [ -n "${DATA}" ]; then
|
||||
LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
|
||||
Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
|
@ -615,7 +615,7 @@
|
|||
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts"
|
||||
DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
|
||||
DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
|
||||
if [ -n "${DATA}" ]; then
|
||||
LogText "Result: Found this server hostname mapped to a local address"
|
||||
LogText "Output: ${DATA}"
|
||||
|
|
|
|||
|
|
@ -280,7 +280,7 @@
|
|||
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
|
||||
if [ $SKIPTEST -eq 0 ]; then
|
||||
LogText "Test: Searching default gateway(s)"
|
||||
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
|
||||
FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
|
||||
if [ -n "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
LogText "Result: Found default gateway ${I}"
|
||||
|
|
|
|||
|
|
@ -285,9 +285,9 @@
|
|||
# Test : PHP-2368
|
||||
# Description : Check php register_globals option
|
||||
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
|
||||
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
|
||||
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY} -E" ]; then
|
||||
if [ -f "${PHPINIFILE}" ]; then
|
||||
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
|
||||
FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])")
|
||||
if [ -z "${FIND}" ]; then
|
||||
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
|
||||
else
|
||||
|
|
@ -305,7 +305,7 @@
|
|||
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PHP register_globals option"
|
||||
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
if [ -n "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
|
||||
|
|
@ -338,7 +338,7 @@
|
|||
;;
|
||||
esac
|
||||
LogText "Test: Checking file ${FILE}"
|
||||
FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
|
||||
FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found a a possible match on expose_php setting"
|
||||
LogText "Data: ${FIND}"
|
||||
|
|
@ -367,7 +367,7 @@
|
|||
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PHP enable_dl option"
|
||||
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
if [ -n "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
|
||||
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
|
||||
|
|
@ -389,7 +389,7 @@
|
|||
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PHP allow_url_fopen option"
|
||||
FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
|
||||
LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
|
||||
|
|
@ -412,7 +412,7 @@
|
|||
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PHP allow_url_include option"
|
||||
FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
|
||||
Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
|
||||
|
|
@ -436,7 +436,7 @@
|
|||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# FOUND=0
|
||||
# SIMULATION=0
|
||||
# MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
|
||||
# MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7")
|
||||
# if [ "${OS}" = "OpenBSD" ]; then
|
||||
# FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP
|
||||
# SIMULATION=off
|
||||
|
|
@ -519,7 +519,7 @@
|
|||
;;
|
||||
esac
|
||||
LogText "Test: Checking file ${FILE}"
|
||||
FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
|
||||
FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE})
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: found listen on just a port number"
|
||||
LogText "Data: ${FIND}"
|
||||
|
|
|
|||
|
|
@ -836,7 +836,7 @@
|
|||
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: YUM package update management"
|
||||
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
|
||||
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -E "^[0-9]+$")
|
||||
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
|
||||
LogText "Result: YUM package update management failed"
|
||||
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
|
||||
|
|
@ -1030,7 +1030,7 @@
|
|||
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
|
||||
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
|
||||
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
|
||||
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||
FIND=$(${GREPBINARY} -E "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -n "${FIND}" ]; then
|
||||
FOUND=1
|
||||
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
|
||||
|
|
@ -1043,7 +1043,7 @@
|
|||
fi
|
||||
if [ -d /etc/apt/sources.list.d ]; then
|
||||
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
|
||||
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||
FIND=$(${GREPBINARY} -E -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -n "${FIND}" ]; then
|
||||
FOUND=1
|
||||
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
|
||||
|
|
@ -1338,7 +1338,7 @@
|
|||
if [ "${DPKGBINARY}" ]; then
|
||||
TESTED=1
|
||||
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
|
||||
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
|
||||
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
|
||||
if [ ${KERNELS} -eq 0 ]; then
|
||||
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
|
||||
elif [ ${KERNELS} -gt 5 ]; then
|
||||
|
|
|
|||
|
|
@ -144,14 +144,14 @@
|
|||
LogText "Test: Checking CUPS daemon listening network addresses"
|
||||
|
||||
# Search for Port statement
|
||||
FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
|
||||
FIND=$(${GREPBINARY} -E "^Port 631" ${CUPSD_CONFIG_FILE})
|
||||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
|
||||
PORT_FOUND=1
|
||||
fi
|
||||
|
||||
# Checking network addresses
|
||||
FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
|
||||
FIND=$(${GREPBINARY} -E "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
|
||||
COUNT=0
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Result: found network address: ${ITEM}"
|
||||
|
|
@ -222,7 +222,7 @@
|
|||
QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig"
|
||||
FileIsReadable ${QDAEMON_CONFIG_FILE}
|
||||
if [ ${CANREAD} -eq 1 ]; then
|
||||
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
|
||||
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${GREPBINARY} -E "backend|device")
|
||||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
|
||||
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@
|
|||
# Description : Check cron daemon
|
||||
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
|
||||
FIND=$(${PSBINARY} aux | ${GREPBINARY} -E "( cron$|/cron(d)? )")
|
||||
if IsEmpty "${FIND}"; then
|
||||
LogText "Result: no cron daemon found"
|
||||
else
|
||||
|
|
@ -55,12 +55,12 @@
|
|||
BAD_FILE_PERMISSIONS=0
|
||||
BAD_FILE_OWNERSHIP=0
|
||||
FindCronJob() {
|
||||
sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
|
||||
sCRONJOBS=$(${GREPBINARY} -E '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
|
||||
}
|
||||
|
||||
CRONTAB_FILE="${ROOTDIR}etc/crontab"
|
||||
if [ -f ${CRONTAB_FILE} ]; then
|
||||
${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
|
||||
${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
|
||||
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${CRONTAB_FILE}
|
||||
|
|
@ -86,7 +86,7 @@
|
|||
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
|
||||
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
|
||||
if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
|
||||
FindCronJob ${FILE}
|
||||
if HasData "${sCRONJOBS}"; then
|
||||
for K in ${sCRONJOBS}; do
|
||||
|
|
@ -121,7 +121,7 @@
|
|||
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
|
||||
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
|
||||
if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
|
||||
LogText "Result: Found cronjob (${I}): ${FILE}"
|
||||
Report "cronjob[]=${FILE}"
|
||||
done
|
||||
|
|
@ -141,7 +141,7 @@
|
|||
FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
|
||||
for I in ${FIND}; do
|
||||
if FileIsReadable ${I}; then
|
||||
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
|
||||
${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
|
||||
FindCronJob ${I}
|
||||
for FILE in ${sCRONJOBS}; do
|
||||
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
|
||||
|
|
@ -154,7 +154,7 @@
|
|||
FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
|
||||
for I in ${FIND}; do
|
||||
if FileIsReadable ${I}; then
|
||||
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
|
||||
${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
|
||||
FindCronJob ${I}
|
||||
for FILE in ${sCRONJOBS}; do
|
||||
LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
|
||||
|
|
@ -169,7 +169,7 @@
|
|||
if [ "${OS}" = "Linux" ]; then
|
||||
if [ -f /etc/anacrontab ]; then
|
||||
LogText "Test: checking anacrontab"
|
||||
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
|
||||
sANACRONJOBS=$(${GREPBINARY} -E '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
|
||||
if [ -n "${sANACRONJOBS}" ]; then
|
||||
Report "scheduler[]=anacron"
|
||||
for I in ${sANACRONJOBS}; do
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@
|
|||
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking console TTYs"
|
||||
FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
|
||||
FIND=$(${GREPBINARY} -E '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: console is secured against single user mode without password."
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@
|
|||
LogText "Test: Searching for a Squid daemon"
|
||||
FOUND=0
|
||||
# Check running processes
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep")
|
||||
if [ -n "${FIND}" ]; then
|
||||
SQUID_DAEMON_RUNNING=1
|
||||
LogText "Result: Squid daemon is running"
|
||||
|
|
|
|||
|
|
@ -299,7 +299,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
# AllowUsers
|
||||
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
FIND=$(${GREPBINARY} -E -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: AllowUsers set, with value ${FIND}"
|
||||
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
|
@ -310,7 +310,7 @@
|
|||
fi
|
||||
|
||||
# AllowGroups
|
||||
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
if [ -n "${FIND}" ]; then
|
||||
LogText "Result: AllowUsers set ${FIND}"
|
||||
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
|
|
|||
|
|
@ -38,8 +38,8 @@
|
|||
if [ -d "${ROOTDIR}etc/modprobe.d" ]; then
|
||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||
if [ -n "${FIND}" ]; then
|
||||
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND1=$(${GREPBINARY} -E "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${GREPBINARY} -E "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found firewire ohci driver in disabled state"
|
||||
|
|
@ -49,8 +49,8 @@
|
|||
fi
|
||||
fi
|
||||
if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then
|
||||
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
|
||||
FIND1=$(${GREPBINARY} -E -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${GREPBINARY} -E -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
|
||||
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found firewire ohci driver in disabled state"
|
||||
|
|
|
|||
|
|
@ -139,7 +139,7 @@
|
|||
for I in ${CRONTAB_FILES}; do
|
||||
if [ -f ${I} ]; then
|
||||
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
|
||||
FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
|
||||
FIND=$(${GREPBINARY} -E "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
|
||||
if [ -n "${FIND}" ]; then
|
||||
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
|
@ -161,10 +161,10 @@
|
|||
for I in ${CRON_DIRS}; do
|
||||
for J in "${I}"/*; do # iterate over folders in a safe way
|
||||
# Check: regular file, readable and not called .placeholder
|
||||
FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
|
||||
FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$')
|
||||
if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
|
||||
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
|
||||
FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
|
||||
FIND=$("${GREPBINARY} -E" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
|
||||
if [ -n "${FIND}" ]; then
|
||||
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
|
||||
LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
|
||||
|
|
@ -232,7 +232,7 @@
|
|||
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check the status of time synchronization via timedatectl"
|
||||
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
|
||||
FIND=$(${TIMEDATECTL} status | ${GREPBINARY} -E "(NTP|System clock) synchronized: yes")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: time not synchronized via NTP"
|
||||
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized"
|
||||
|
|
@ -273,7 +273,7 @@
|
|||
else
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Found stratum 16 peer: ${ITEM}"
|
||||
FIND2=$(${EGREPBINARY} "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
|
||||
FIND2=$(${GREPBINARY} -E "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
|
||||
if IsEmpty "${FIND2}"; then
|
||||
COUNT=$((COUNT + 1))
|
||||
Report "ntp_stratum_16_peer[]=${ITEM}"
|
||||
|
|
@ -303,7 +303,7 @@
|
|||
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking unreliable ntp peers"
|
||||
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
|
||||
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
|
||||
LogText "Result: No unreliable peers found"
|
||||
|
|
@ -371,7 +371,7 @@
|
|||
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking preferred time source"
|
||||
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x')
|
||||
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E '^x')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: No falsetickers found (items preceding with an 'x')"
|
||||
|
|
@ -455,7 +455,7 @@
|
|||
else
|
||||
LogText "Result: ${FILE} is not empty, which is fine"
|
||||
Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
|
||||
sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1")
|
||||
sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${GREPBINARY} -E -v "^127." | ${GREPBINARY} -E -v "^::1")
|
||||
for I in ${sFIND}; do
|
||||
FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
|
||||
if [ ${FIND} -gt 0 ]; then
|
||||
|
|
@ -553,7 +553,7 @@
|
|||
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Format is "xx/yy peers valid, ..."
|
||||
FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
|
||||
FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} -E -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
|
||||
if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
|
||||
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -259,8 +259,8 @@
|
|||
# # Check email alert configuration
|
||||
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
|
||||
#
|
||||
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
|
||||
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
|
||||
# FIND=$(${GREPBINARY} -E "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
|
||||
# FIND2=$(${GREPBINARY} -E "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
|
||||
#
|
||||
# if [ -n "${FIND}" ]; then
|
||||
# FAIL2BAN_EMAIL=1
|
||||
|
|
|
|||
|
|
@ -54,8 +54,8 @@
|
|||
if [ -d /etc/modprobe.d ]; then
|
||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||
if [ -n "${FIND}" ]; then
|
||||
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
|
||||
FIND=$(${GREPBINARY} -E -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${GREPBINARY} -E -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
|
||||
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
|
||||
|
|
@ -65,7 +65,7 @@
|
|||
fi
|
||||
fi
|
||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
|
||||
FIND=$(${GREPBINARY} -E "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
|
||||
if [ -n "${FIND}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found usb-storage driver in disabled state"
|
||||
|
|
@ -316,11 +316,11 @@
|
|||
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 1 1
|
||||
|
||||
USBGUARD_RULES_ALLOW=$(${EGREPBINARY} -c "^allow" ${USBGUARD_RULES})
|
||||
USBGUARD_RULES_ALLOW=$(${GREPBINARY} -E -c "^allow" ${USBGUARD_RULES})
|
||||
Display --indent 6 --text "- Controllers & Devices allow" --result "${USBGUARD_RULES_ALLOW}" --color WHITE
|
||||
USBGUARD_RULES_BLOCK=$(${EGREPBINARY} -c "^block" ${USBGUARD_RULES})
|
||||
USBGUARD_RULES_BLOCK=$(${GREPBINARY} -E -c "^block" ${USBGUARD_RULES})
|
||||
Display --indent 6 --text "- Controllers & Devices block" --result "${USBGUARD_RULES_BLOCK}" --color WHITE
|
||||
USBGUARD_RULES_REJECT=$(${EGREPBINARY} -c "^reject" ${USBGUARD_RULES})
|
||||
USBGUARD_RULES_REJECT=$(${GREPBINARY} -E -c "^reject" ${USBGUARD_RULES})
|
||||
Display --indent 6 --text "- Controllers & Devices reject" --result "${USBGUARD_RULES_REJECT}" --color WHITE
|
||||
else
|
||||
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"
|
||||
|
|
|
|||
|
|
@ -63,7 +63,7 @@
|
|||
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
else
|
||||
LogText "Test: Scanning for Apache binary"
|
||||
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
|
||||
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache')
|
||||
if IsEmpty "${IS_APACHE}"; then
|
||||
LogText "Result: ${HTTPDBINARY} is not Apache"
|
||||
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
|
||||
|
|
@ -203,7 +203,7 @@
|
|||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# # Testing Debian style
|
||||
# LogText "Test: searching loaded/enabled Apache modules"
|
||||
# apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
|
||||
# apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
|
||||
# for I in ${APACHE_MODULES_ENABLED_LOCS}; do
|
||||
# LogText "Test: checking ${I}"
|
||||
# if [ -d ${I} ]; then
|
||||
|
|
@ -381,7 +381,7 @@
|
|||
done
|
||||
|
||||
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
|
||||
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
|
||||
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})")
|
||||
for I in ${SORTFILE}; do
|
||||
I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
|
||||
Report "nginx_config_option[]=${I}";
|
||||
|
|
|
|||
Loading…
Reference in New Issue