Code enhancements
This commit is contained in:
parent
9e9b95e1da
commit
70ea29483a
|
@ -76,19 +76,19 @@
|
|||
LogText "Test: Check accounting information"
|
||||
if [ -f ${ROOTDIR}var/account/pacct ]; then
|
||||
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: /var/account/pacct available"
|
||||
LogText "Result: ${ROOTDIR}var/account/pacct available"
|
||||
AddHP 3 3
|
||||
elif [ -f ${ROOTDIR}var/log/account/pacct ]; then
|
||||
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: /var/log/account/pacct available"
|
||||
LogText "Result: ${ROOTDIR}var/log/account/pacct available"
|
||||
AddHP 3 3
|
||||
elif [ -f ${ROOTDIR}var/log/pacct ]; then
|
||||
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: /var/log/pacct available"
|
||||
LogText "Result: ${ROOTDIR}var/log/pacct available"
|
||||
AddHP 3 3
|
||||
else
|
||||
Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"
|
||||
LogText "Result: No accounting information available (${ROOTDIR}var/account/pacct, ${ROOTDIR}var/log/account/pact nor ${ROOTDIR}var/log/pact exist)"
|
||||
LogText "Remark: Possibly there is another location where the accounting data is stored"
|
||||
ReportSuggestion ${TEST_NO} "Enable process accounting"
|
||||
AddHP 2 3
|
||||
|
@ -101,11 +101,11 @@
|
|||
# Description : Check sysstat accounting data
|
||||
Register --test-no ACCT-9626 --os Linux --weight L --network NO --category security --description "Check for sysstat accounting data"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check /etc/default/sysstat presence"
|
||||
LogText "Test: check ${ROOTDIR}etc/default/sysstat presence"
|
||||
if [ -f ${ROOTDIR}etc/default/sysstat ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/default/sysstat found"
|
||||
FIND=$(${GREPBINARY} "^ENABLED" ${ROOTDIR}etc/default/sysstat | ${GREPBINARY} -i true)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: sysstat enabled via ${ROOTDIR}etc/default/sysstat"
|
||||
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
|
@ -124,7 +124,7 @@
|
|||
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
|
||||
fi
|
||||
else
|
||||
LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or /etc/cron.d/sysstat"
|
||||
LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
|
||||
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
|
||||
fi
|
||||
|
@ -134,7 +134,7 @@
|
|||
#
|
||||
# Test : ACCT-9628
|
||||
# Description : Check auditd status
|
||||
if [ ! "${AUDITDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${AUDITDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no ACCT-9628 --os Linux --weight L --network NO --category security --description "Check for auditd"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check auditd status"
|
||||
|
@ -189,7 +189,7 @@
|
|||
#
|
||||
# Test : ACCT-9632
|
||||
# Description : Check auditd configuration file
|
||||
if [ ! "${AUDITDBINARY}" = "" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${AUDITDBINARY}" -a ${LINUX_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking auditd configuration file"
|
||||
|
@ -202,7 +202,7 @@
|
|||
fi
|
||||
done
|
||||
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
|
||||
if [ ! "${AUDITD_CONF_FILE}" = "" ]; then
|
||||
if [ ! -z "${AUDITD_CONF_FILE}" ]; then
|
||||
Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: could not find auditd configuration file"
|
||||
|
@ -252,14 +252,14 @@
|
|||
if [ -f ${ROOTDIR}etc/ld.so.preload ]; then
|
||||
LogText "Result: found ${ROOTDIR}etc/ld.so.preload, testing if snoopy.so is listed"
|
||||
FIND=$(${GREPBINARY} ${FILE} ${ROOTDIR}etc/ld.so.preload)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found snoopy in ld.so.preload"
|
||||
LogText "Output: ${FIND}"
|
||||
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
|
||||
Report "audit_trail_tool[]=snoopy"
|
||||
else
|
||||
Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload"
|
||||
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via ${ROOTDIR}etc/ld.so.preload"
|
||||
AddHP 3 3
|
||||
fi
|
||||
else
|
||||
|
@ -293,11 +293,11 @@
|
|||
#
|
||||
# Test : ACCT-9652
|
||||
# Description : Check Solaris auditd service status
|
||||
if [ -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check auditd SMF status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check if auditd service is enabled and online"
|
||||
FIND=$(/usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")
|
||||
FIND=$(${ROOTDIR}usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: auditd service is online"
|
||||
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN
|
||||
|
@ -312,7 +312,7 @@
|
|||
# Test : ACCT-9654
|
||||
# Description : Check Solaris Basic Security Mode (BSM) in /etc/system
|
||||
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BSM auditing in /etc/system"
|
||||
Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BSM auditing in ${ROOTDIR}etc/system"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check if BSM is enabled in ${ROOTDIR}etc/system"
|
||||
if [ -f ${ROOTDIR}etc/system ]; then
|
||||
|
@ -337,9 +337,9 @@
|
|||
Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check BSM auditing in module list"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check if c2audit module is active"
|
||||
if [ -x /usr/sbin/modinfo ]; then
|
||||
FIND=$(/usr/sbin/modinfo | ${GREPBINARY} c2audit)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ -x ${ROOTDIR}usr/sbin/modinfo ]; then
|
||||
FIND=$(${ROOTDIR}usr/sbin/modinfo | ${GREPBINARY} c2audit)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: c2audit found in modinfo output"
|
||||
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
|
@ -347,7 +347,7 @@
|
|||
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
fi
|
||||
else
|
||||
LogText "Result: /usr/sbin/modinfo does not exist, skipping test"
|
||||
LogText "Result: ${ROOTDIR}usr/sbin/modinfo does not exist, skipping test"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -358,11 +358,11 @@
|
|||
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check location of audit events"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check /etc/security/audit_control for event logging location"
|
||||
LogText "Test: check ${ROOTDIR}etc/security/audit_control for event logging location"
|
||||
if [ -f ${ROOTDIR}etc/security/audit_control ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/security/audit_control found"
|
||||
FIND=$(${GREPBINARY} "^dir" ${ROOTDIR}etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found location ${FIND}"
|
||||
LogText "Test: Checking if location is a valid directory"
|
||||
if [ -d ${FIND} ]; then
|
||||
|
@ -392,14 +392,14 @@
|
|||
Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Solaris auditing stats"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check auditing statistics"
|
||||
if [ -x /usr/sbin/auditstat ]; then
|
||||
FIND=$(/usr/sbin/auditstat | ${TRBINARY} -s ' ' ',')
|
||||
if [ -x ${ROOTDIR}usr/sbin/auditstat ]; then
|
||||
FIND=$(${ROOTDIR}usr/sbin/auditstat | ${TRBINARY} -s ' ' ',')
|
||||
for ITEM in ${FIND}; do
|
||||
LogText "Output: ${ITEM}"
|
||||
done
|
||||
Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
LogText "Result: /usr/sbin/auditstat not found, skipping test"
|
||||
LogText "Result: ${ROOTDIR}usr/sbin/auditstat not found, skipping test"
|
||||
Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||
fi
|
||||
fi
|
||||
|
|
|
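Review bot: Prefixing the executables with ${ROOTDIR} in ACCT-9652, ACCT-9656 and ACCT-9662 (`${ROOTDIR}usr/bin/svcs`, `${ROOTDIR}usr/sbin/modinfo`, `${ROOTDIR}usr/sbin/auditstat`) runs binaries taken from the audited tree rather than from the host, which is a different matter from reading its configuration files: when ROOTDIR points at a mounted image of another system the auditor executes foreign, possibly tampered code, and svcs/modinfo/auditstat would in any case still report the live host's SMF, kernel-module and audit state rather than the target's, so the result is misleading either way. I would keep both the prerequisite and the call on the host paths and only run these tests for the live root, e.g. `if [ "${ROOTDIR}" = "/" -a -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi` with `FIND=$(/usr/bin/svcs svc:/system/auditd:default | ${GREPBINARY} "^online")`, assuming ROOTDIR defaults to "/" as the `${ROOTDIR}etc/...` concatenation suggests. The rewritten log line in the first hunk also carries over the `pact` typo (`${ROOTDIR}var/log/account/pact nor ${ROOTDIR}var/log/pact`) while the preceding tests look for `pacct`, so the message names files the test never checks.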
@ -24,9 +24,9 @@
|
|||
#
|
||||
LDAP_AUTH_ENABLED=0
|
||||
LDAP_PAM_ENABLED=0
|
||||
LDAP_CONF_LOCATIONS="/etc/ldap.conf /etc/ldap/ldap.conf /etc/openldap/ldap.conf /usr/local/etc/ldap.conf /usr/local/etc/openldap/ldap.conf"
|
||||
PAM_FILE_LOCATIONS="/lib/i386-linux-gnu/security /lib/security /lib/x86_64-linux-gnu/security /lib64/security /usr/lib /usr/lib/security"
|
||||
SUDOERS_LOCATIONS="/etc/sudoers /usr/local/etc/sudoers /usr/pkg/etc/sudoers"
|
||||
LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf"
|
||||
PAM_FILE_LOCATIONS="${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security"
|
||||
SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers"
|
||||
SUDOERS_FILE=""
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -40,8 +40,8 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Search accounts with UID 0
|
||||
LogText "Test: Searching accounts with UID 0"
|
||||
FIND=$(${GREPBINARY} ':0:' /etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found more than one administrator accounts"
|
||||
ReportWarning "${TEST_NO}" "Multiple users with UID 0 found in passwd file"
|
||||
|
@ -68,9 +68,9 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking for non-unique accounts"
|
||||
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" -o "${OS}" = "OpenBSD" ]; then
|
||||
PASSWD_FILE="/etc/master.passwd"
|
||||
PASSWD_FILE="${ROOTDIR}etc/master.passwd"
|
||||
else
|
||||
PASSWD_FILE="/etc/passwd"
|
||||
PASSWD_FILE="${ROOTDIR}etc/passwd"
|
||||
fi
|
||||
# Check password file
|
||||
if [ -f ${PASSWD_FILE} ]; then
|
||||
|
@ -96,13 +96,13 @@
|
|||
# Test : AUTH-9212
|
||||
# Description : Test group file with chkgrp tool (ie FreeBSD)
|
||||
LogText "Prerequisite test: /usr/sbin/chkgrp"
|
||||
if [ -x /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test group file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
|
||||
LogText "Test: Testing consistency of /etc/group file"
|
||||
FIND=$(/usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine')
|
||||
FIND=$(${ROOTDIR}usr/sbin/chkgrp | ${GREPBINARY} -v 'is fine')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: chkgrp test performed, Group file seems to be ok."
|
||||
|
@ -119,7 +119,7 @@
|
|||
# Test : AUTH-9216
|
||||
# Description : Check /etc/group and shadow group files
|
||||
# Notes : Run grpck to test group files (most likely /etc/group and shadow group files)
|
||||
if [ ! "${GRPCKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${GRPCKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check group and shadow group files"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking for grpck binary output"
|
||||
|
@ -156,7 +156,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
LogText "Test: Checking login shells"
|
||||
if [ -f /etc/master.passwd ]; then
|
||||
if [ -f ${ROOTDIR}etc/master.passwd ]; then
|
||||
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
|
||||
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
|
@ -200,10 +200,10 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
LogText "Test: Checking login shells"
|
||||
if [ -f /etc/master.passwd ]; then
|
||||
if [ -f ${ROOTDIR}etc/master.passwd ]; then
|
||||
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
|
||||
FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
|
||||
|
@ -230,7 +230,7 @@
|
|||
fi
|
||||
else
|
||||
Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE
|
||||
LogText "Result: No /etc/master.passwd file found"
|
||||
LogText "Result: No ${ROOTDIR}etc/master.passwd file found"
|
||||
fi
|
||||
unset LINE SHELL
|
||||
fi
|
||||
|
@ -242,7 +242,7 @@
|
|||
Register --test-no AUTH-9222 --weight L --network NO --category security --description "Check unique groups (IDs)"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking for non unique group ID's in /etc/group"
|
||||
FIND=$(${GREPBINARY} -v '^#' /etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $3 }' | ${SORTBINARY} | uniq -d)
|
||||
FIND=$(${GREPBINARY} -v '^#' ${ROOTDIR}etc/group | ${GREPBINARY} -v '^$' | ${AWKBINARY} -F: '{ print $3 }' | ${SORTBINARY} | uniq -d)
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Unique group IDs" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: All group ID's are unique"
|
||||
|
@ -287,23 +287,23 @@
|
|||
# Test : AUTH-9228
|
||||
# Description : Check password file consistency with pwck
|
||||
# Notes : Operating systems include Linux, Solaris
|
||||
if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9228 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check password file consistency with pwck"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking password file consistency (pwck)"
|
||||
TESTED=0
|
||||
case ${OS} in
|
||||
"Linux")
|
||||
FIND=$(/usr/sbin/pwck -q -r 2> /dev/null; echo $?)
|
||||
FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?)
|
||||
TESTED=1
|
||||
;;
|
||||
"Solaris")
|
||||
FIND=$(/usr/sbin/pwck 2> /dev/null; echo $?)
|
||||
FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?)
|
||||
TESTED=1
|
||||
;;
|
||||
*)
|
||||
LogText "Dev: found /usr/sbin/pwck, but unsure how to call it on this operating system"
|
||||
ReportException "${TEST_NO}:1" "Found /usr/sbin/pwck, but unsure how to call it on this operating system"
|
||||
LogText "Dev: found ${ROOTDIR}usr/sbin/pwck, but unsure how to call it on this operating system"
|
||||
ReportException "${TEST_NO}:1" "Found ${ROOTDIR}usr/sbin/pwck, but unsure how to call it on this operating system"
|
||||
;;
|
||||
esac
|
||||
# Only display if this test has been executed
|
||||
|
@ -346,7 +346,7 @@
|
|||
|
||||
"Linux")
|
||||
UID_MIN=""
|
||||
if [ -f /etc/login.defs ]; then
|
||||
if [ -f ${ROOTDIR}etc/login.defs ]; then
|
||||
UID_MIN=$(${GREPBINARY} "^UID_MIN" /etc/login.defs | ${AWKBINARY} '{print $2}')
|
||||
LogText "Result: found minimal user id specified: ${UID_MIN}"
|
||||
fi
|
||||
|
@ -408,16 +408,16 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f /etc/nsswitch.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: NIS+ authentication not enabled"
|
||||
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
|
||||
else
|
||||
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
|
||||
else
|
||||
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
|
||||
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
|
||||
LogText "Result: NIS+ authentication enabled"
|
||||
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: NIS+ authentication not enabled"
|
||||
Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
|
||||
fi
|
||||
|
@ -435,21 +435,21 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f /etc/nsswitch.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: NIS authentication not enabled"
|
||||
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
|
||||
else
|
||||
else
|
||||
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
|
||||
if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
|
||||
if [ ! -z "${FIND2}" -o ! -z "${FIND3}" ]; then
|
||||
LogText "Result: NIS authentication enabled"
|
||||
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: NIS authentication not enabled"
|
||||
Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
|
||||
fi
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: /etc/nsswitch.conf not found"
|
||||
fi
|
||||
fi
|
||||
|
@ -467,14 +467,14 @@
|
|||
FOUND=1
|
||||
SUDOERS_FILE="${I}"
|
||||
LogText "Result: found file (${SUDOERS_FILE})"
|
||||
else
|
||||
else
|
||||
LogText "Result: file ${I} not found"
|
||||
fi
|
||||
done
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: sudoers file found (${SUDOERS_FILE})"
|
||||
Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: sudoers file NOT found"
|
||||
Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
fi
|
||||
|
@ -484,7 +484,7 @@
|
|||
#
|
||||
# Test : AUTH-9252
|
||||
# Description : Check for sudoers file permissions
|
||||
if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sudoers file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
|
||||
|
@ -493,7 +493,7 @@
|
|||
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
|
||||
LogText "Result: file ${SUDOERS_FILE} has correct permissions"
|
||||
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: file has possibly unsafe file permissions"
|
||||
Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED
|
||||
fi
|
||||
|
@ -506,7 +506,7 @@
|
|||
Register --test-no AUTH-9254 --os Solaris --weight L --network NO --root-only YES --category security --description "Solaris passwordless accounts"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(logins -p | ${AWKBINARY} '{ print $1 }')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: no passwordless accounts found"
|
||||
Display --indent 2 --text "- Passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
|
@ -555,7 +555,7 @@
|
|||
if [ ${FOUND_CRACKLIB} -eq 1 ]; then
|
||||
LogText "Result: pam_cracklib.so found"
|
||||
Report "pam_cracklib=1"
|
||||
else
|
||||
else
|
||||
LogText "Result: pam_cracklib.so NOT found (crack library PAM)"
|
||||
fi
|
||||
|
||||
|
@ -563,7 +563,7 @@
|
|||
if [ ${FOUND_PASSWDQC} -eq 1 ]; then
|
||||
LogText "Result: pam_passwdqc.so found"
|
||||
Report "pam_passwdqc=1"
|
||||
else
|
||||
else
|
||||
LogText "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
|
||||
fi
|
||||
|
||||
|
@ -571,7 +571,7 @@
|
|||
if [ ${FOUND_PWQUALITY} -eq 1 ]; then
|
||||
LogText "Result: pam_pwquality.so found"
|
||||
Report "pam_pwquality=1"
|
||||
else
|
||||
else
|
||||
LogText "Result: pam_pwquality.so NOT found (pwquality control PAM)"
|
||||
fi
|
||||
|
||||
|
@ -580,7 +580,7 @@
|
|||
LogText "Result: no PAM modules for password strength testing found"
|
||||
ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
|
||||
AddHP 0 3
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: found at least one PAM module for password strength testing"
|
||||
AddHP 3 3
|
||||
|
@ -594,12 +594,12 @@
|
|||
Register --test-no AUTH-9264 --weight L --network NO --category security --description "Checking presence pam.conf"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking file /etc/pam.conf"
|
||||
if [ -f /etc/pam.conf ]; then
|
||||
LogText "Result: file /etc/pam.conf exists"
|
||||
if [ -f ${ROOTDIR}etc/pam.conf ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/pam.conf exists"
|
||||
Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Test: searching PAM configuration files"
|
||||
FIND=$(${EGREPBINARY} -v "^#" /etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
|
||||
else
|
||||
LogText "Result: found one or more configuration lines"
|
||||
|
@ -621,7 +621,7 @@
|
|||
Register --test-no AUTH-9266 --weight L --network NO --category security --description "Checking presence pam.d files"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking directory /etc/pam.d"
|
||||
if [ -d /etc/pam.d ]; then
|
||||
if [ -d ${ROOTDIR}etc/pam.d ]; then
|
||||
LogText "Result: directory /etc/pam.d exists"
|
||||
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Test: searching PAM configuration files"
|
||||
|
@ -629,7 +629,7 @@
|
|||
for FILE in ${FIND}; do
|
||||
LogText "Found file: ${FILE}"
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "Result: directory /etc/pam.d could not be found"
|
||||
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
|
@ -651,12 +651,12 @@
|
|||
LogText "Result: directory ${DIR} exists"
|
||||
# Search in the specified directory
|
||||
if [ "${OS}" = "Solaris" ]; then
|
||||
# Solaris doesn't support -maxdepth
|
||||
# Solaris does not support -maxdepth
|
||||
FIND=$(find ${DIR} -type f -name "pam_*.so" -print | sort)
|
||||
else
|
||||
else
|
||||
FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort)
|
||||
fi
|
||||
if [ ! "${FIND}" = "" ]; then FOUND=1; fi
|
||||
if [ ! -z "${FIND}" ]; then FOUND=1; fi
|
||||
for FILE in ${FIND}; do
|
||||
LogText "Found file: ${FILE}"
|
||||
Report "pam_module[]=${FILE}"
|
||||
|
@ -692,11 +692,11 @@
|
|||
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
|
||||
LDAP_AUTH_ENABLED=1
|
||||
LDAP_PAM_ENABLED=1
|
||||
else
|
||||
else
|
||||
LogText "Result: LDAP module not found"
|
||||
Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
|
||||
fi
|
||||
fi
|
||||
|
@ -720,7 +720,7 @@
|
|||
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
|
||||
;;
|
||||
esac
|
||||
else
|
||||
else
|
||||
LogText "Result: skipping test for this Linux version"
|
||||
ReportManual "AUTH-9282:01"
|
||||
PREQS_MET="NO"
|
||||
|
@ -736,35 +736,38 @@
|
|||
Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking password protected account without expire date"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking Linux version and password expire date status"
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: all accounts seem to have an expire date"
|
||||
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: found one or more accounts with expire date set"
|
||||
for I in ${FIND}; do
|
||||
LogText "Account without expire date: ${I}"
|
||||
done
|
||||
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
|
||||
fi
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: all accounts seem to have an expire date"
|
||||
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: found one or more accounts with expire date set"
|
||||
for I in ${FIND}; do
|
||||
LogText "Account without expire date: ${I}"
|
||||
done
|
||||
Display --indent 2 --text "- Accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : AUTH-9283
|
||||
# Description : Search passwordless accounts
|
||||
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking passwordless accounts"
|
||||
if [ "${FIND2}" = "" ]; then
|
||||
LogText "Result: all accounts seem to have a password"
|
||||
Display --indent 2 --text "- Accounts without password" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: found one or more accounts without password"
|
||||
for I in ${FIND2}; do
|
||||
LogText "Account without password: ${I}"
|
||||
Report "account_without_password=${I}"
|
||||
done
|
||||
Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found accounts without password"
|
||||
fi
|
||||
if [ "${FIND2}" = "" ]; then
|
||||
LogText "Result: all accounts seem to have a password"
|
||||
Display --indent 2 --text "- Accounts without password" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
LogText "Result: found one or more accounts without password"
|
||||
for I in ${FIND2}; do
|
||||
LogText "Account without password: ${I}"
|
||||
Report "account_without_password=${I}"
|
||||
done
|
||||
Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "Found accounts without password"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -773,11 +776,11 @@
|
|||
# Description : Check user password aging
|
||||
# Notes : MIN = minimum age, avoid rotation of passwords too quickly
|
||||
# : MAX = maximum age, ensure regular change of passwords
|
||||
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking user password aging"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PASS_MIN_DAYS option in /etc/login.defs "
|
||||
FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" /etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
|
||||
LogText "Test: Checking PASS_MIN_DAYS option in ${ROOTDIR}etc/login.defs"
|
||||
FIND=$(${GREPBINARY} "^PASS_MIN_DAYS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MIN_DAYS") { print $2 } }')
|
||||
if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then
|
||||
LogText "Result: password minimum age is not configured"
|
||||
Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
|
@ -790,9 +793,9 @@
|
|||
AddHP 3 3
|
||||
fi
|
||||
|
||||
LogText "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
|
||||
FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" /etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MAX_DAYS") { print $2 } }')
|
||||
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
|
||||
LogText "Test: Checking PASS_MAX_DAYS option in ${ROOTDIR}etc/login.defs "
|
||||
FIND=$(${GREPBINARY} "^PASS_MAX_DAYS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="PASS_MAX_DAYS") { print $2 } }')
|
||||
if [ -z "${FIND}" -o "${FIND}" = "99999" ]; then
|
||||
LogText "Result: password aging limits are not configured"
|
||||
Display --indent 2 --text "- User password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs"
|
||||
|
@ -810,14 +813,14 @@
|
|||
# Test : AUTH-9288
|
||||
# Description : Determine which accounts have an expired password
|
||||
# Notes : This test might not work (yet) on all platforms
|
||||
if [ -f /etc/shadow ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/shadow ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9288 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Checking for expired passwords"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if FileIsReadable /etc/shadow; then
|
||||
if FileIsReadable ${ROOTDIR}etc/shadow; then
|
||||
|
||||
if [ "$OS" = "Solaris" ]; then
|
||||
if [ "${OS}" = "Solaris" ]; then
|
||||
NOW=$(nawk 'BEGIN{print srand()}')
|
||||
else
|
||||
else
|
||||
NOW=$(date "+%s")
|
||||
fi
|
||||
|
||||
|
@ -826,7 +829,7 @@
|
|||
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
|
||||
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
|
||||
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for ACCOUNT in ${FIND}; do
|
||||
LogText "Result: password of user ${ACCOUNT} has been expired"
|
||||
Report "account_password_expired[]=${ACCOUNT}"
|
||||
|
@ -839,7 +842,7 @@
|
|||
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 10 10
|
||||
fi
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||
fi
|
||||
fi
|
||||
|
@ -852,11 +855,11 @@
|
|||
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --category security --description "Check single user login configuration"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check if file exists (Solaris 10 does not have this file by default)
|
||||
if [ -f /etc/default/sulogin ]; then
|
||||
LogText "Result: file /etc/default/sulogin exists"
|
||||
if [ -f ${ROOTDIR}etc/default/sulogin ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/default/sulogin exists"
|
||||
LogText "Test: checking presence PASSREQ=NO"
|
||||
FIND=$(${GREPBINARY} "^PASSREQ=NO" /etc/default/sulogin)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${GREPBINARY} "^PASSREQ=NO" ${ROOTDIR}etc/default/sulogin)
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: option not present or configured to request a password at single user mode login"
|
||||
Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 1 1
|
||||
|
@ -882,8 +885,8 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check if file exists
|
||||
LogText "Test: Searching /tcb/files/auth/system/default"
|
||||
if [ -f /tcb/files/auth/system/default ]; then
|
||||
LogText "Result: file /tcb/files/auth/system/default exists"
|
||||
if [ -f ${ROOTDIR}tcb/files/auth/system/default ]; then
|
||||
LogText "Result: file ${ROOTDIR}tcb/files/auth/system/default exists"
|
||||
LogText "Test: checking presence :d_boot_authenticate@:"
|
||||
FIND=$(${GREPBINARY} "^:d_boot_authenticate@" /tcb/files/auth/system/default)
|
||||
if [ -z "${FIND}" ]; then
|
||||
|
@ -896,8 +899,8 @@
|
|||
ReportSuggestion ${TEST_NO} "Set password for system boot"
|
||||
AddHP 0 1
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /tcb/files/auth/system/default does not exist"
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}tcb/files/auth/system/default does not exist"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -912,10 +915,10 @@
|
|||
|
||||
if [ ${HAS_SYSTEMD} -eq 0 ]; then
|
||||
# Check inittab
|
||||
LogText "Test: Searching /etc/inittab"
|
||||
if [ -f /etc/inittab ]; then
|
||||
LogText "Test: Searching ${ROOTDIR}etc/inittab"
|
||||
if [ -f ${ROOTDIR}etc/inittab ]; then
|
||||
TEST_PERFORMED=1
|
||||
LogText "Result: file /etc/inittab exists"
|
||||
LogText "Result: file ${ROOTDIR}etc/inittab exists"
|
||||
LogText "Test: checking presence sulogin for single user mode"
|
||||
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
|
||||
|
@ -923,23 +926,23 @@
|
|||
FOUND=1
|
||||
LogText "Result: found sulogin, so single user is protected"
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/inittab does not exist"
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}etc/inittab does not exist"
|
||||
fi
|
||||
|
||||
# Check init
|
||||
LogText "Test: Searching /etc/sysconfig/init"
|
||||
if [ -f /etc/sysconfig/init ]; then
|
||||
LogText "Test: Searching ${ROOTDIR}etc/sysconfig/init"
|
||||
if [ -f ${ROOTDIR}etc/sysconfig/init ]; then
|
||||
TEST_PERFORMED=1
|
||||
LogText "Result: file /etc/sysconfig/init exists"
|
||||
LogText "Result: file ${ROOTDIR}etc/sysconfig/init exists"
|
||||
LogText "Test: checking presence sulogin for single user mode"
|
||||
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" /etc/sysconfig/init)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FIND=$(${GREPBINARY} "^SINGLE=/sbin/sulogin" ${ROOTDIR}etc/sysconfig/init)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found sulogin, so single user is protected"
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/sysconfig/init does not exist"
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}etc/sysconfig/init does not exist"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -958,11 +961,11 @@
|
|||
FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
|
||||
else
|
||||
else
|
||||
LogText "Result: sulogin was found, which is a good measure to protect single user mode"
|
||||
FOUND=1
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: target ${I} not found"
|
||||
fi
|
||||
done
|
||||
|
@ -975,13 +978,13 @@
|
|||
ReportWarning ${TEST_NO} "No password set for single mode"
|
||||
ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
|
||||
AddHP 0 2
|
||||
else
|
||||
else
|
||||
LogText "Result: option set, password is needed at single user mode boot"
|
||||
Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
fi
|
||||
else
|
||||
LogText "Result: no tests performed"
|
||||
else
|
||||
LogText "Result: no tests performed"
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -999,10 +1002,10 @@
|
|||
WEAK_UMASK=0
|
||||
|
||||
# /etc/profile.d
|
||||
LogText "Test: Checking /etc/profile.d directory"
|
||||
if [ -d /etc/profile.d ]; then
|
||||
LogText "Test: Checking ${ROOTDIR}etc/profile.d directory"
|
||||
if [ -d ${ROOTDIR}etc/profile.d ]; then
|
||||
FOUND=0
|
||||
FIND=$(ls /etc/profile.d/* 2> /dev/null)
|
||||
FIND=$(ls ${ROOTDIR}etc/profile.d/* 2> /dev/null)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found /etc/profile.d, with one or more files in it"
|
||||
for FILE in ${FIND}; do
|
||||
|
@ -1133,12 +1136,12 @@
|
|||
LogText "Result: umask is ${FIND}, which is fine"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
else
|
||||
LogText "Result: found umask ${FIND}, which could be improved"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: file /etc/init.d/functions does not exist"
|
||||
fi
|
||||
|
||||
|
@ -1157,7 +1160,7 @@
|
|||
LogText "Result: umask is ${FIND}, which is fine"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
else
|
||||
LogText "Result: found umask ${FIND}, which could be improved"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
|
||||
|
@ -1197,7 +1200,7 @@
|
|||
Display --indent 4 --text "- umask (/etc/login.conf)" --result WEAK --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: no umask setting found in /etc/login.conf, which is unexpected"
|
||||
Display --indent 4 --text "- umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW
|
||||
fi
|
||||
|
@ -1216,17 +1219,17 @@
|
|||
Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
|
||||
AddHP 1 2
|
||||
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
|
||||
elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
|
||||
LogText "Result: umask is ${FIND2}, which is fine"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
else
|
||||
LogText "Result: found umask ${FIND2}, which could be improved"
|
||||
Display --indent 4 --text "- umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
|
||||
AddHP 0 2
|
||||
fi
|
||||
else
|
||||
else
|
||||
# Improve check
|
||||
LogText "Result: exec line present in file, setting of umask not needed in this script"
|
||||
LogText "Output: ${FIND}"
|
||||
|
@ -1244,45 +1247,45 @@
|
|||
Register --test-no AUTH-9340 --os Solaris --weight L --network NO --category security --description "Solaris account locking"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
if [ -f /etc/security/policy.conf ]; then
|
||||
LogText "Result: found /etc/security/policy.conf"
|
||||
if [ -f ${ROOTDIR}etc/security/policy.conf ]; then
|
||||
LogText "Result: found ${ROOTDIR}etc/security/policy.conf"
|
||||
FIND=$(${GREPBINARY} "^LOCK_AFTER_RETRIES" /etc/security/policy.conf)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: account locking option set"
|
||||
LogText "Output: ${FIND}"
|
||||
AddHP 2 2
|
||||
else
|
||||
else
|
||||
LogText "Result: option LOCK_AFTER_RETRIES not set"
|
||||
AddHP 1 2
|
||||
fi
|
||||
else
|
||||
LogText "Result: /etc/security/policy.conf does not exist"
|
||||
else
|
||||
LogText "Result: ${ROOTDIR}etc/security/policy.conf does not exist"
|
||||
fi
|
||||
# If policy.conf does not exist, we most likely deal with a Solaris version below 10
|
||||
# and we proceed with checking the softer option RETRIES in /etc/default/login
|
||||
# which does not lock account, but discourages brute force password attacks.
|
||||
if [ ${FOUND} -eq 0 ]; then
|
||||
LogText "Test: checking /etc/default/login"
|
||||
if [ -f /etc/default/login ]; then
|
||||
LogText "Result: file /etc/default/login exists"
|
||||
FIND=$(${GREPBINARY} "^RETRIES" /etc/default/login)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Test: checking ${ROOTDIR}etc/default/login"
|
||||
if [ -f ${ROOTDIR}etc/default/login ]; then
|
||||
LogText "Result: file ${ROOTDIR}etc/default/login exists"
|
||||
FIND=$(${GREPBINARY} "^RETRIES" ${ROOTDIR}etc/default/login)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: retries option configured"
|
||||
LogText "Output: ${FIND}"
|
||||
AddHP 2 2
|
||||
else
|
||||
else
|
||||
LogText "Result: retries option not configured"
|
||||
AddHP 1 2
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/default/login does not exist"
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}etc/default/login does not exist"
|
||||
fi
|
||||
fi
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
|
||||
fi
|
||||
fi
|
||||
|
@ -1293,8 +1296,8 @@
|
|||
# Description : Query LDAP authentication support
|
||||
Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -f /etc/nsswitch.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "ldap")
|
||||
if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: LDAP authentication not enabled"
|
||||
Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE
|
||||
|
@ -1339,18 +1342,18 @@
|
|||
#
|
||||
# Test : AUTH-9408
|
||||
# Description : Logging of failed login attempts
|
||||
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Logging of failed login attempts via /etc/login.defs"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
|
||||
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" /etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
|
||||
LogText "Test: Checking FAILLOG_ENAB option in ${ROOTDIR}etc/login.defs "
|
||||
FIND=$(${GREPBINARY} "^FAILLOG_ENAB" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="FAILLOG_ENAB") { print $2 } }')
|
||||
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
|
||||
if [ "${FIND}" = "yes" ]; then
|
||||
AUTH_FAILED_LOGINS_LOGGED=1
|
||||
LogText "Result: failed login attempts are logged in /var/log/faillog"
|
||||
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
else
|
||||
LogText "Result: failed login attempts are not logged"
|
||||
Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
|
||||
|
@ -1364,9 +1367,7 @@
|
|||
Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
|
||||
Report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
|
||||
Report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
|
||||
if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
|
||||
Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
|
||||
fi
|
||||
if [ ! -z "${LDAP_CLIENT_CONFIG_FILE}" ]; then Report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"; fi
|
||||
Report "password_min_days=${PASSWORD_MINIMUM_DAYS}"
|
||||
Report "password_max_days=${PASSWORD_MAXIMUM_DAYS}"
|
||||
|
||||
|
|
|
@ -51,8 +51,6 @@
|
|||
BOOT_LOADER_FOUND=1
|
||||
else
|
||||
LogText "Result: no data received from bootinfo, most likely boot device not found"
|
||||
#Display --indent 4 --text "- Checking boot device (bootinfo)" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -74,7 +72,7 @@
|
|||
FILENAME=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' /proc/1/cmdline)
|
||||
LogText "Result: cmdline found = ${FILENAME}"
|
||||
ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
|
||||
if [ ! "${ISFILE}" = "" ]; then
|
||||
if [ ! -z "${ISFILE}" ]; then
|
||||
if [ -L ${ISFILE} ]; then
|
||||
ShowSymlinkPath ${ISFILE}
|
||||
FILENAME="${SYMLINK}"
|
||||
|
@ -84,7 +82,7 @@
|
|||
LogText "Result: cmdline of PID 1 is not a file"
|
||||
fi
|
||||
fi
|
||||
if [ ! "${FILENAME}" = "" ]; then
|
||||
if [ ! -z "${FILENAME}" ]; then
|
||||
SHORTNAME=$(echo ${FILENAME} | ${AWKBINARY} -F/ '{ print $NF }')
|
||||
LogText "Found: ${SHORTNAME}"
|
||||
case ${SHORTNAME} in
|
||||
|
@ -277,7 +275,7 @@
|
|||
#
|
||||
# Test : BOOT-5122
|
||||
# Description : Check for GRUB boot loader configuration
|
||||
if [ ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${GRUBCONFFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
|
@ -499,7 +497,7 @@
|
|||
# Description : Check for FreeBSD boot services
|
||||
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --category security --description "Check for FreeBSD boot services"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${SERVICEBINARY}" = "" ]; then
|
||||
if [ ! -z "${SERVICEBINARY}" ]; then
|
||||
# FreeBSD (Ask services(8) for enabled services)
|
||||
LogText "Searching for services at startup (service)"
|
||||
FIND=$(${SERVICEBINARY} -e | ${SEDBINARY} 's|^.*\/||' | ${SORTBINARY})
|
||||
|
@ -599,7 +597,7 @@
|
|||
if [ "${sRUNLEVEL}" = "2" ]; then
|
||||
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc2.d -type l -print | ${CUTBINARY} -d '/' -f4 | ${SEDBINARY} "s/S[0-9][0-9]//g" | sort)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
for SERVICE in ${FIND}; do
|
||||
LogText "Found service (at boot, runlevel 2): ${SERVICE}"
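Review bot: The new `if [ ! -z "${FIND}" ]; then` (and the matching `ISFILE`, `FILENAME`, `GRUBCONFFILE` and `SERVICEBINARY` checks in the other hunks of this file) spells "non-empty" as a negated `-z`; POSIX `test` has `-n` for exactly that, so `if [ -n "${FIND}" ]; then` reads directly and avoids the double negative. The same predicate is written as `HasData`/`IsEmpty` in a later file of this commit, so three spellings now coexist; if the helpers are the intended form, note they are commands, not `test` operators, and a line like `[ HasData "${FIND_PAE}" -a IsEmpty "${FIND_NX}" ]` in that file's CPU-feature hunk hands the helper names to `[` as plain strings instead of running them, which presumably breaks that PAE/NX evaluation. In this hunk the pipeline feeding `FIND` also ends in a bare `sort` while the FreeBSD hunk above uses `${SORTBINARY}`; using the resolved binary here keeps the PATH-independence the surrounding code relies on. The runlevel-2 `if` body continues outside the hunk.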
|
||||
|
|
|
@ -35,11 +35,11 @@
|
|||
#
|
||||
# Test : CONT-8004
|
||||
# Description : Query running Solaris zones
|
||||
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no CONT-8004 --os Solaris --weight L --network NO --category security --description "Query running Solaris zones"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: query zoneadm to list all running zones"
|
||||
FIND=$(/usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
|
||||
FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p | ${AWKBINARY} -F: '{ if ($2!="global") print $0 }')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
|
@ -137,7 +137,7 @@
|
|||
# Check total of containers
|
||||
LogText "Test: checking total amount of Docker containers"
|
||||
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} "^Containers: " | ${AWKBINARY} '{ print $2 }')
|
||||
if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then
|
||||
if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
|
||||
DOCKER_CONTAINERS_TOTAL=0
|
||||
fi
|
||||
|
||||
|
@ -169,7 +169,7 @@
|
|||
# Test : CONT-8107
|
||||
# Description : Checking Docker number of unused containers
|
||||
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
|
||||
if [ ! "${DOCKERBINARY}" = "" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no CONT-8107 --preqs-met ${PREQS_MET} --weight L --network NO --category performance --description "Check number of Docker containers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check if there aren't too many unused containers on the system
|
||||
|
@ -192,10 +192,10 @@
|
|||
# Test : CONT-8108
|
||||
# Description : Checking Docker file permissions
|
||||
# Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
|
||||
if [ ! "${DOCKERBINARY}" = "" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${DOCKERBINARY}" -a ${RUN_DOCKER_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check file permissions for Docker files"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
NOT_WORLD_WRITABLE="/var/run/docker.sock"
|
||||
NOT_WORLD_WRITABLE="${ROOTDIR}var/run/docker.sock"
|
||||
for FILE in ${NOT_WORLD_WRITABLE}; do
|
||||
LogText "Test: Check ${FILE}"
|
||||
if [ -f ${FILE} ]; then
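Review bot: `if [ -f ${FILE} ]; then` at the end of the hunk guards the permission check for the newly prefixed `${ROOTDIR}var/run/docker.sock`, but `-f` is true only for regular files and `docker.sock` is a Unix domain socket, so the world-writable check this test exists for is presumably skipped on every host; `if [ -S "${FILE}" ]; then` (or `-e` if the list is meant to hold other file types as well) would let it run, and quoting `"${FILE}"` avoids word-splitting the loop variable. In the Solaris zones hunk earlier in this file, `FIND=$(${ROOTDIR}usr/sbin/zoneadm list -p ...)` now executes a binary from under `${ROOTDIR}`; if ROOTDIR can point at a mounted, non-running system, that runs a program taken from the audited image on the auditing host, so the invocation should probably stay on the host's `zoneadm` while only the existence checks use `${ROOTDIR}`. The loop body and its `else` branch continue outside the hunk.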
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
|
||||
LogText "Result: MySQL process not active"
|
||||
else
|
||||
|
@ -190,7 +190,7 @@
|
|||
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
|
||||
LogText "Result: Oracle process(es) not active"
|
||||
else
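Review bot: The new `if [ -z "${FIND}" ]; then` inherits the process-list pipeline above it, where `${GREPBINARY} -v "grep"` is used to drop the pipeline's own `egrep` from the `ps ax` output; that filter discards every line containing the substring `grep`, so a real daemon started with such an argument would be reported as not running. The usual way to stop the pipeline matching itself without that side effect is to break the pattern with a bracket expression, e.g. `FIND=$(${PSBINARY} ax | ${EGREPBINARY} "[m]ysqld")` here (the `mysqld_safe` alternative is already covered by `mysqld`) and `"[o]ra_pmon|[o]ra_smon|[t]nslsnr"` in the Oracle hunk below. The `else` branches of both tests continue outside the hunk.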
|
||||
|
|
|
@ -70,7 +70,7 @@
|
|||
#
|
||||
# Test : FINT-4315
|
||||
# Description : Check AIDE configuration file
|
||||
if [ ! "${AIDEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
|
||||
|
@ -223,7 +223,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# LFD configuration parameters
|
||||
ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG})
|
||||
if [ ! "${ENABLED}" = "" ]; then
|
||||
if [ ! -z "${ENABLED}" ]; then
|
||||
LogText "Result: lfd service is configured to run"
|
||||
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
|
@ -231,7 +231,7 @@
|
|||
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
fi
|
||||
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
|
||||
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
|
||||
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
|
||||
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
|
||||
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
|
@ -239,7 +239,7 @@
|
|||
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
fi
|
||||
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
|
||||
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
|
||||
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
|
||||
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
|
||||
else
|
||||
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
|
||||
|
@ -270,7 +270,7 @@
|
|||
#
|
||||
# Test : FINT-4402 (was FINT-4316)
|
||||
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
|
||||
if [ ! "${AIDEBINARY}" = "" -a ! "${AIDECONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
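Review bot: In the FINT-4402 prerequisite line, `if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then` converts only the second operand to `-z`, while the same `${AIDEBINARY}` test was rewritten to `! -z` in the FINT-4315 hunk at the top of this file, so two lines of one commit now spell the same check differently. Converting both, and replacing the POSIX-obsolescent `-a` with two tests, gives `if [ -n "${AIDEBINARY}" ] && [ -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The same half-conversion appears in the two `LF_DIRWATCH` hunks, where `! "${ENABLED}" = "0" -a ! -z "${ENABLED}"` can become `[ -n "${ENABLED}" ] && [ "${ENABLED}" != "0" ]`. The `if [ ${SKIPTEST} -eq 0 ]` body of FINT-4402 continues outside the hunk.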
|
||||
|
|
|
@ -42,52 +42,52 @@
|
|||
LogText "Test: Checking for systemd default.target"
|
||||
if [ -L /etc/systemd/system/default.target ]; then
|
||||
LogText "Result: symlink found"
|
||||
if [ ! "${READLINKBINARY}" = "" ]; then
|
||||
if HasData "${READLINKBINARY}"; then
|
||||
FIND=$(${READLINKBINARY} /etc/systemd/system/default.target)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if ! HasData "${FIND}"; then
|
||||
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
|
||||
ReportException "${TEST_NO}:01"
|
||||
else
|
||||
else
|
||||
FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
if HasData "${FIND2}"; then
|
||||
LogText "Result: Found match on runlevel5/graphical"
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
|
||||
Report "linux_default_runlevel=5"
|
||||
else
|
||||
else
|
||||
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
|
||||
Report "linux_default_runlevel=3"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
|
||||
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: no systemd found, so trying inittab"
|
||||
LogText "Test: Checking /etc/inittab"
|
||||
if [ -f /etc/inittab ]; then
|
||||
LogText "Result: file /etc/inittab found"
|
||||
LogText "Test: Checking default Linux run level"
|
||||
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1)
|
||||
if IsEmpty "${FIND}"; then
|
||||
Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
LogText "Result: Can't determine default run level from /etc/inittab"
|
||||
else
|
||||
LogText "Result: Can't determine default run level from ${ROOTDIR}etc/inittab"
|
||||
else
|
||||
Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
|
||||
LogText "Found default run level '${FIND}'"
|
||||
Report "linux_default_runlevel=${FIND}"
|
||||
fi
|
||||
else
|
||||
LogText "Result: file /etc/inittab not found"
|
||||
else
|
||||
LogText "Result: file ${ROOTDIR}etc/inittab not found"
|
||||
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
|
||||
LogText "Test: Checking run level with who -r, for Debian based systems"
|
||||
FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Result: Found default run level '${FIND}'"
|
||||
Report "linux_default_runlevel=${FIND}"
|
||||
Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: Can't determine default run level from who -r"
|
||||
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
fi
|
||||
|
@ -113,7 +113,7 @@
|
|||
FIND_PAE=$(${GREPBINARY} " pae " /proc/cpuinfo)
|
||||
FIND_NX=$(${GREPBINARY} " nx " /proc/cpuinfo)
|
||||
FOUND=0
|
||||
if [ ! "${FIND_PAE_NX}" = "" ]; then
|
||||
if HasData "${FIND_PAE_NX}"; then
|
||||
LogText "PAE: Yes"
|
||||
LogText "NX: Yes"
|
||||
CPU_PAE=1
|
||||
|
@ -122,30 +122,30 @@
|
|||
Report "cpu_pae=1"
|
||||
Report "cpu_nx=1"
|
||||
FOUND=1
|
||||
else
|
||||
if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then
|
||||
else
|
||||
if [ HasData "${FIND_PAE}" -a IsEmpty "${FIND_NX}" ]; then
|
||||
Report "cpu_pae=1"
|
||||
LogText "Result: found PAE"
|
||||
CPU_PAE=1
|
||||
FOUND=1
|
||||
else
|
||||
if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then
|
||||
else
|
||||
if [ HasData "${FIND_NX}" -a IsEmpty "${FIND_PAE}" ]; then
|
||||
Report "cpu_nx=1"
|
||||
LogText "Result: found No eXecute"
|
||||
CPU_NX=1
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: found no CPU options enabled (PAE or NX bit)"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
|
||||
fi
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW
|
||||
LogText "Result: /proc/cpuinfo not found"
|
||||
fi
|
||||
|
@ -181,7 +181,7 @@
|
|||
# Description : Check if Linux is build as a monolithic kernel or not
|
||||
Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
|
||||
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
|
||||
LogText "Test: checking if kernel is monolithic or modular"
|
||||
# Checking if any modules are loaded
|
||||
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
|
||||
|
@ -190,12 +190,12 @@
|
|||
LogText "Result: Found monolithic kernel"
|
||||
Report "linux_kernel_type=monolithic"
|
||||
MONOLITHIC_KERNEL=1
|
||||
else
|
||||
else
|
||||
LogText "Result: Found modular kernel"
|
||||
Report "linux_kernel_type=modular"
|
||||
MONOLITHIC_KERNEL=0
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
|
||||
fi
|
||||
fi
|
||||
|
@ -206,23 +206,23 @@
|
|||
# Description : Checking Linux loaded kernel modules
|
||||
Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
|
||||
if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
|
||||
FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort)
|
||||
Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
LogText "Loaded modules according lsmod:"
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
LogText "Loaded module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
N=$((N + 1))
|
||||
done
|
||||
Display --indent 6 --text "Found ${N} active modules"
|
||||
else
|
||||
else
|
||||
LogText "Result: no loaded modules found"
|
||||
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
|
||||
fi
|
||||
fi
|
||||
|
@ -238,16 +238,16 @@
|
|||
LINUXCONFIGFILE="${CHECKFILE}"
|
||||
LogText "Result: found config (${LINUXCONFIGFILE})"
|
||||
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
|
||||
elif [ -f /proc/config.gz ]; then
|
||||
elif [ -f /proc/config.gz ]; then
|
||||
LINUXCONFIGFILE="${CHECKFILE}"
|
||||
LINUXCONFIGFILE_ZIPPED=1
|
||||
LogText "Result: found config: /proc/config.gz (compressed)"
|
||||
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: no Linux kernel configuration file found in /boot"
|
||||
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
|
||||
if HasData "${LINUXCONFIGFILE}"; then
|
||||
Report "linux_config_file=${LINUXCONFIGFILE}"
|
||||
fi
|
||||
fi
|
||||
|
@ -259,7 +259,7 @@
|
|||
# Notes : This test could be extended with testing some of the specific devices like disks
|
||||
# cat /sys/block/sda/queue/scheduler
|
||||
PREQS_MET="NO"
|
||||
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
|
||||
if HasData "${LINUXCONFIGFILE}"; then
|
||||
if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
|
||||
fi
|
||||
Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler"
|
||||
|
@ -272,11 +272,11 @@
|
|||
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
|
||||
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN
|
||||
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
|
||||
else
|
||||
else
|
||||
LogText "Result: no default i/o kernel scheduler found"
|
||||
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
else
|
||||
else
|
||||
ReportException "${TEST_NO}" "No valid ${GREPBINARY} tool found to search kernel settings"
|
||||
fi
|
||||
fi
|
||||
|
@ -302,12 +302,11 @@
|
|||
N=$((N + 1))
|
||||
done
|
||||
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Problem with executing kldstat"
|
||||
fi
|
||||
else
|
||||
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
|
||||
else
|
||||
LogText "Result: no results, can't find /sbin/kldstat"
|
||||
fi
|
||||
fi
|
||||
|
@ -333,11 +332,11 @@
|
|||
N=$((N + 1))
|
||||
done
|
||||
Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Problem with executing kldstat"
|
||||
fi
|
||||
else
|
||||
else
|
||||
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
|
||||
LogText "Result: no results, can't find /sbin/kldstat"
|
||||
fi
|
||||
|
@ -351,13 +350,13 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching loaded kernel modules"
|
||||
FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if HasData "${FIND}"; then
|
||||
for I in ${FIND}; do
|
||||
LogText "Found module: ${I}"
|
||||
Report "loaded_kernel_module[]=${I}"
|
||||
done
|
||||
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: no output"
|
||||
Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
fi
|
||||
|
@ -392,7 +391,7 @@
|
|||
FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||
LogText "Kernel installed: ${FINDINST}"
|
||||
LogText "Kernel candidate: ${FINDCAND}"
|
||||
if [ -z "${FINDINST}" ]; then
|
||||
if IsEmpty "${FINDINST}"; then
|
||||
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||
LogText "Result: Exception occurred, no output from apt-cache policy"
|
||||
ReportException "${TEST_NO}:01"
|
||||
|
@ -414,7 +413,7 @@
|
|||
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
|
||||
fi
|
||||
fi
|
||||
|
@ -465,7 +464,7 @@
|
|||
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
|
||||
AddHP 1 1
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
|
||||
fi
|
||||
# TODO: Check ulimit settings in /etc/profile and /etc/profile.d
|
||||
|
|
|
@ -47,7 +47,7 @@
|
|||
IPV6_MISCONFIGURED=0
|
||||
IPV6_MISCONFIGURED_MTU=0
|
||||
FIND=$(sysctl -a 2> /dev/null | ${GREPBINARY} "^net.ipv6" | ${SEDBINARY} "s/ = /=/")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
IPV6_CONFIGURED=1
|
||||
for I in ${FIND}; do
|
||||
SYSCTL_KEY=$(echo ${I} | ${AWKBINARY} -F= '{ print $1 }')
|
||||
|
@ -124,7 +124,7 @@
|
|||
if [ -f /etc/resolv.conf ]; then
|
||||
LogText "Result: Found /etc/resolv.conf file"
|
||||
FIND=$(${GREPBINARY} '^nameserver' /etc/resolv.conf | ${TRBINARY} -d '\t' | ${SEDBINARY} 's/nameserver*//g' | uniq)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Testing nameservers"
|
||||
LogText "Test: Querying nameservers"
|
||||
for I in ${FIND}; do
|
||||
|
@ -134,7 +134,7 @@
|
|||
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
|
||||
LOCAL_DNSRESOLVER_FOUND=1
|
||||
fi
|
||||
if [ ! "${DIGBINARY}" = "" ]; then
|
||||
if [ ! -z "${DIGBINARY}" ]; then
|
||||
# See if we can query something at the nameserver
|
||||
# 0=good, other=bad
|
||||
DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?)
|
||||
|
@ -166,7 +166,7 @@
|
|||
if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${DIGBINARY}" = "" ]; then
|
||||
if [ ! -z "${DIGBINARY}" ]; then
|
||||
if [ ${NUMBERACTIVENS} -lt 2 ]; then
|
||||
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: less than 2 responsive nameservers found"
|
||||
|
@ -192,12 +192,12 @@
|
|||
# Test : NETW-3001
|
||||
# Description : Find default gateway (route)
|
||||
# More info : BSD: ^default Linux: 0.0.0.0
|
||||
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${NETSTATBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
|
||||
if [ $SKIPTEST -eq 0 ]; then
|
||||
LogText "Test: Searching default gateway(s)"
|
||||
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
LogText "Result: Found default gateway ${I}"
|
||||
Report "default_gateway[]=${I}"
|
||||
|
@ -222,9 +222,9 @@
|
|||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "flags=" | ${AWKBINARY} -F ":" '{ print $1 }')
|
||||
;;
|
||||
Linux)
|
||||
if [ ! "${IPBINARY}" = "" ]; then
|
||||
if [ ! -z "${IPBINARY}" ]; then
|
||||
FIND=$(${IPBINARY} link show 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} 's/://g')
|
||||
elif [ ! "${IFCONFIGBINARY}" = "" ]; then
|
||||
elif [ ! -z "${IFCONFIGBINARY}" ]; then
|
||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ( $2 == "Link" ) { print $1 }}')
|
||||
fi
|
||||
;;
|
||||
|
@ -239,7 +239,7 @@
|
|||
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find available network interfaces"
|
||||
;;
|
||||
esac
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
|
||||
LogText "Found network interface: ${I}"
|
||||
|
@ -266,10 +266,10 @@
|
|||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="ether") print $2 }' | ${SORTBINARY} -u)
|
||||
;;
|
||||
Linux)
|
||||
if [ ! "${IFCONFIGBINARY}" = "" ]; then
|
||||
if [ ! -z "${IFCONFIGBINARY}" ]; then
|
||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u)
|
||||
else
|
||||
if [ ! "${IPBINARY}" = "" ]; then
|
||||
if [ ! -z "${IPBINARY}" ]; then
|
||||
LogText "Test: Using ip binary to gather hardware addresses"
|
||||
FIND=$(${IPBINARY} link 2> /dev/null | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }')
|
||||
else
|
||||
|
@ -319,12 +319,12 @@
|
|||
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") print $2 }')
|
||||
;;
|
||||
Linux)
|
||||
if [ ! "${IFCONFIGBINARY}" = "" ]; then
|
||||
if [ ! -z "${IFCONFIGBINARY}" ]; then
|
||||
FIND=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2)
|
||||
# Version which works for multiple types of ifconfig (e.g. Slackware)
|
||||
FIND2=$(${IFCONFIGBINARY} -a 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }')
|
||||
else
|
||||
if [ ! "${IPBINARY}" = "" ]; then
|
||||
if [ ! -z "${IPBINARY}" ]; then
|
||||
LogText "Test: Using ip binary to gather IP addresses"
|
||||
FIND=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
|
||||
FIND2=$(${IPBINARY} addr 2> /dev/null | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//')
|
||||
|
@ -376,7 +376,7 @@
|
|||
N=0
|
||||
case ${OS} in
|
||||
DragonFly|FreeBSD)
|
||||
if [ ! "${SOCKSTATBINARY}" = "" ]; then
|
||||
if [ ! -z "${SOCKSTATBINARY}" ]; then
|
||||
FIND=$(${SOCKSTATBINARY} | ${AWKBINARY} '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u)
|
||||
# To strip off IP's: ${SEDBINARY} 's/|.*:/|/'
|
||||
else
|
||||
|
@ -385,7 +385,7 @@
|
|||
FIND2=""
|
||||
;;
|
||||
Linux)
|
||||
if [ ! "${NETSTATBINARY}" = "" ]; then
|
||||
if [ ! -z "${NETSTATBINARY}" ]; then
|
||||
# UDP
|
||||
FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:')
|
||||
# TCP
|
||||
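Review bot: Every `if [ ! -z "${FIND}" ]` / `if [ ! -z "${DIGBINARY}" ]` introduced in the sysctl, resolv.conf, nameserver, default-gateway, interface, hardware-address, IP-address and listening-port hunks keeps a double negation where the direct form `[ -n "${FIND}" ]` says the same thing; the PHP and package-manager files in this commit use the same `! -z` shape, so one fix covers all of them. The kernel file in this same commit instead switches these checks to the project's own helpers (`if HasData "${FIND}"; then`), so after the commit the files disagree on which idiom is preferred; choosing either `if HasData "${FIND}"; then` or `if [ -n "${FIND}" ]; then` consistently across the four files would avoid a third style. The test blocks these conditions belong to start and end outside the visible hunks.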
|
|
|
@ -25,37 +25,34 @@
|
|||
InsertSection "PHP"
|
||||
|
||||
# Possible locations of php.ini
|
||||
PHPINILOCS="/etc/php.ini /etc/php.ini.default \
|
||||
/etc/php/php.ini /etc/php5.5/php.ini /etc/php5.6/php.ini /etc/php7.0/php.ini /etc/php7.1/php.ini \
|
||||
/etc/php/cgi-php5/php.ini /etc/php/cli-php5/php.ini /etc/php/apache2-php5/php.ini \
|
||||
/etc/php/apache2-php7.1/php.ini /etc/php/apache2-php5.5/php.ini /etc/php/apache2-php5.6/php.ini /etc/php/apache2-php7.0/php.ini \
|
||||
/etc/php/cgi-php7.1/php.ini /etc/php/cgi-php5.5/php.ini /etc/php/cgi-php5.6/php.ini /etc/php/cgi-php7.0/php.ini \
|
||||
/etc/php/cli-php7.1/php.ini /etc/php/cli-php5.5/php.ini /etc/php/cli-php5.6/php.ini /etc/php/cli-php7.0/php.ini \
|
||||
/etc/php/embed-php7.1/php.ini /etc/php/embed-php5.5/php.ini /etc/php/embed-php5.6/php.ini /etc/php/embed-php7.0/php.ini \
|
||||
/etc/php/fpm-php7.1/php.ini /etc/php/fpm-php5.5/php.ini /etc/php/fpm-php5.6/php.ini /etc/php/fpm-php7.0/php.ini \
|
||||
/etc/php5/cgi/php.ini \
|
||||
/etc/php5/cli/php.ini \
|
||||
/etc/php5/cli-php5.4/php.ini /etc/php5/cli-php5.5/php.ini /etc/php5/cli-php5.6/php.ini \
|
||||
/etc/php5/apache2/php.ini \
|
||||
/etc/php5/fpm/php.ini \
|
||||
/private/etc/php.ini \
|
||||
/var/www/conf/php.ini \
|
||||
/usr/local/etc/php.ini /usr/local/lib/php.ini \
|
||||
/usr/local/zend/etc/php.ini \
|
||||
/usr/pkg/etc/php.ini \
|
||||
/opt/cpanel/ea-php54/root/etc/php.ini \
|
||||
/opt/cpanel/ea-php55/root/etc/php.ini \
|
||||
/opt/cpanel/ea-php56/root/etc/php.ini \
|
||||
/opt/cpanel/ea-php70/root/etc/php.ini \
|
||||
/opt/cpanel/ea-php71/root/etc/php.ini"
|
||||
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
|
||||
${ROOTDIR}etc/php/php.ini ${ROOTDIR}etc/php5.5/php.ini ${ROOTDIR}etc/php5.6/php.ini ${ROOTDIR}etc/php7.0/php.ini ${ROOTDIR}etc/php7.1/php.ini ${ROOTDIR}etc/php7.2/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php5/php.ini ${ROOTDIR}etc/php/cli-php5/php.ini ${ROOTDIR}etc/php/apache2-php5/php.ini \
|
||||
${ROOTDIR}etc/php/apache2-php5.5/php.ini ${ROOTDIR}etc/php/apache2-php5.6/php.ini ${ROOTDIR}etc/php/apache2-php7.0/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
|
||||
${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.inietc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php/cli-php7.1/php.ini ${ROOTDIR}etc/php/cli-php5.5/php.ini ${ROOTDIR}etc/php/cli-php5.6/php.ini ${ROOTDIR}etc/php/cli-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php/embed-php7.1/php.ini ${ROOTDIR}etc/php/embed-php5.5/php.ini ${ROOTDIR}etc/php/embed-php5.6/php.ini ${ROOTDIR}etc/php/embed-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php/fpm-php7.1/php.ini ${ROOTDIR}etc/php/fpm-php5.5/php.ini ${ROOTDIR}etc/php/fpm-php5.6/php.ini ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
|
||||
${ROOTDIR}etc/php5/cgi/php.ini \
|
||||
${ROOTDIR}etc/php5/cli/php.ini \
|
||||
${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
|
||||
${ROOTDIR}etc/php5/apache2/php.ini \
|
||||
${ROOTDIR}etc/php5/fpm/php.ini \
|
||||
${ROOTDIR}private/etc/php.ini \
|
||||
${ROOTDIR}var/www/conf/php.ini \
|
||||
${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
|
||||
${ROOTDIR}usr/local/zend/etc/php.ini \
|
||||
${ROOTDIR}usr/pkg/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
|
||||
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini"
|
||||
|
||||
PHPINIDIRS="/etc/php5/conf.d \
|
||||
/etc/php.d \
|
||||
/opt/cpanel/ea-php54/root/etc/php.d \
|
||||
/opt/cpanel/ea-php55/root/etc/php.d \
|
||||
/opt/cpanel/ea-php56/root/etc/php.d \
|
||||
/opt/cpanel/ea-php70/root/etc/php.d \
|
||||
/opt/cpanel/ea-php71/root/etc/php.d"
|
||||
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
|
||||
${ROOTDIR}etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
|
||||
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d"
|
||||
|
||||
PHPVERSION=""
|
||||
#
|
||||
|
@ -154,10 +151,10 @@
|
|||
if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then
|
||||
if [ -f "${PHPINIFILE}" ]; then
|
||||
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
|
||||
else
|
||||
PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
|
||||
PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
|
||||
fi
|
||||
else
|
||||
Debug "File php.ini (${PHPINIFILE}) not found"
|
||||
|
@ -172,7 +169,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PHP register_globals option"
|
||||
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
|
||||
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
|
||||
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
|
||||
|
@ -191,7 +188,7 @@
|
|||
# Test : PHP-2372
|
||||
# Description : Check php expose_php option
|
||||
# Notes : Extend test to check all PHP files YYY
|
||||
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking expose_php option"
|
||||
|
@ -215,7 +212,7 @@
|
|||
# Test : PHP-2374
|
||||
# Description : Check PHP enable_dl option
|
||||
# Notes : Extend test to check all PHP files
|
||||
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PHP enable_dl option"
|
||||
|
@ -237,7 +234,7 @@
|
|||
# Test : PHP-2376
|
||||
# Description : Check PHP allow_url_fopen option
|
||||
# Notes : Extend test to check all PHP files YYY
|
||||
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking PHP allow_url_fopen option"
|
||||
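Review bot: The rewritten `PHPINILOCS` list has a corrupted entry on its cgi line: `${ROOTDIR}etc/php/apache2-php7.1/php.inietc/php/cgi-php5.5/php.ini` lacks the separating space and the `${ROOTDIR}` prefix, so `${ROOTDIR}etc/php/cgi-php5.5/php.ini` is silently dropped from the candidate list and a path that cannot exist is probed in its place; `apache2-php7.1` is also already present on the apache2 line, so it does not belong here at all. The line should read `${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \`. Because this list decides which php.ini the later register_globals, expose_php, enable_dl and allow_url_fopen tests inspect, a dropped candidate means a PHP installation using that directory layout would presumably go unaudited without any reported error; a quick check that every whitespace-separated token in the assignment starts with `${ROOTDIR}` would have caught this. The block that consumes `PHPINILOCS` is outside the visible hunks.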
|
|
|
@ -88,7 +88,7 @@
|
|||
# Test : PKGS-7303
|
||||
# Description : Query brew package manager
|
||||
FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
|
||||
if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
@ -102,7 +102,7 @@
|
|||
LogText "Found package ${J}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "Result: brew can NOT be found on this system"
|
||||
fi
|
||||
#
|
||||
|
@ -148,7 +148,7 @@
|
|||
LogText "Found package ${J}"
|
||||
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "Result: pkginfo can NOT be found on this system"
|
||||
fi
|
||||
#
|
||||
|
@ -156,7 +156,7 @@
|
|||
#
|
||||
# Test : PKGS-7308
|
||||
# Description : RPM package based systems
|
||||
if [ ! "${RPMBINARY}" = "" -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
|
@ -167,11 +167,11 @@
|
|||
Display --indent 6 --text "- Querying RPM package manager"
|
||||
LogText "Output:"; LogText "--------"
|
||||
SPACKAGES=$(${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort)
|
||||
if [ "${SPACKAGES}" = "" ]; then
|
||||
if [ -z "${SPACKAGES}" ]; then
|
||||
LogText "Result: RPM binary available, but package list seems to be empty"
|
||||
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
|
||||
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
|
||||
else
|
||||
else
|
||||
for J in ${SPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
|
||||
|
@ -189,7 +189,7 @@
|
|||
#
|
||||
# Test : PKGS-7310
|
||||
# Description : pacman package based systems
|
||||
if [ ! "${PACMANBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${PACMANBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
|
@ -200,7 +200,7 @@
|
|||
Display --indent 6 --text "- Querying pacman package manager"
|
||||
LogText "Output:"; LogText "--------"
|
||||
SPACKAGES=$(${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g')
|
||||
if [ "${SPACKAGES}" = "" ]; then
|
||||
if [ -z "${SPACKAGES}" ]; then
|
||||
LogText "Result: pacman binary available, but package list seems to be empty"
|
||||
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
|
||||
else
|
||||
|
@ -319,14 +319,14 @@
|
|||
#
|
||||
# Test : PKGS-7328
|
||||
# Description : Check installed packages with Zypper
|
||||
if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="zypper"
|
||||
FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
LogText "Installed package: ${I}"
|
||||
|
@ -343,28 +343,28 @@
|
|||
#
|
||||
# Test : PKGS-7330
|
||||
# Description : Check vulnerable packages with Zypper
|
||||
if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
LogText "Result: No security updates found with Zypper"
|
||||
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Zypper found one or more installed packages which are vulnerable."
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
|
||||
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
|
||||
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for I in ${FIND}; do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
Report "vulnerable_package[]=${I}"
|
||||
LogText "Vulnerable package: ${I}"
|
||||
# Decrease hardening points for every found vulnerable package
|
||||
AddHP 1 2
|
||||
done
|
||||
fi
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: No security updates found with Zypper"
|
||||
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
else
|
||||
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Zypper found one or more installed packages which are vulnerable."
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
|
||||
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
|
||||
FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
|
||||
LogText "List of vulnerable packages/version:"
|
||||
for I in ${FIND}; do
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
Report "vulnerable_package[]=${I}"
|
||||
LogText "Vulnerable package: ${I}"
|
||||
# Decrease hardening points for every found vulnerable package
|
||||
AddHP 1 2
|
||||
done
|
||||
fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -405,7 +405,7 @@
|
|||
N=0
|
||||
LogText "Test: Querying dpkg -l to get unpurged packages"
|
||||
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
|
||||
if [ "${SPACKAGES}" = "" ]; then
|
||||
if [ -z "${SPACKAGES}" ]; then
|
||||
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
|
||||
LogText "Result: no packages found with left overs"
|
||||
else
|
||||
|
@ -449,7 +449,7 @@
|
|||
# Test : PKGS-7350
|
||||
# Description : Use Dandified YUM to gather installed packages
|
||||
# Notes : Possible replacement for YUM in the long term
|
||||
if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
@ -469,16 +469,18 @@
|
|||
done
|
||||
Report "installed_packages=${N}"
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PKGS-7352
|
||||
# Description : Use Dandified YUM to detect security updates
|
||||
if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check for security updates
|
||||
LogText "Action: checking updateinfo for security updates"
|
||||
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
LogText "Result: found vulnerable packages, upgrade of system needed."
|
||||
for PKG in ${FIND}; do
|
||||
|
@ -489,30 +491,31 @@
|
|||
done
|
||||
ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
|
||||
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
|
||||
|
||||
else
|
||||
LogText "Result: no security updates found"
|
||||
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
AddHP 5 5
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PKGS-7354
|
||||
# Description : Perform integrity tests for package database
|
||||
if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Check if repoquery plugin is available
|
||||
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Action: checking integrity of package database"
|
||||
FIND=$(${DNFBINARY} -q repoquery --duplicated)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found unexpected result on repoquery --duplicated"
|
||||
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
|
||||
fi
|
||||
FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found unexpected result on repoquery --unsatisfied"
|
||||
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
|
||||
fi
|
||||
|
@ -525,17 +528,17 @@
|
|||
#
|
||||
# Test : PKGS-7366
|
||||
# Description : Checking if debsecan is installed and enabled on Debian systems
|
||||
if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${DEBSECANBINARY}" = "" ]; then
|
||||
if [ ! -z "${DEBSECANBINARY}" ]; then
|
||||
LogText "Result: debsecan utility is installed"
|
||||
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 3 3
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="debsecan"
|
||||
FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
|
||||
if [ ! ${FIND} = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: cron job is configured for debsecan"
|
||||
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 3 3
|
||||
|
@ -558,10 +561,10 @@
|
|||
# Test : PKGS-7370
|
||||
# Description : Checking debsums installation status and presence in cron job
|
||||
# Note : Run this only when it is a DPKG based system
|
||||
if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${DEBSUMSBINARY}" = "" ]; then
|
||||
if [ ! -z "${DEBSUMSBINARY}" ]; then
|
||||
LogText "Result: debsums utility is installed"
|
||||
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 1 1
|
||||
|
@ -588,12 +591,12 @@
|
|||
#
|
||||
# Test : PKGS-7378
|
||||
# Description : Query FreeBSD portmaster for available port upgrades
|
||||
if [ -x /usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: Querying portmaster for possible port upgrades"
|
||||
UPACKAGES=$(/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
|
||||
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
|
||||
for J in ${UPACKAGES}; do
|
||||
N=$((N + 1))
|
||||
LogText "Upgrade available (new version): ${J}"
|
||||
|
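Review bot: Prefixing the executable on the rewritten portmaster line with `${ROOTDIR}` changes which binary runs, not only which files are read: the program taken from beneath ROOTDIR presumably still consults the ports state of the running host, so the result describes neither system consistently. If ROOTDIR can point at a mounted filesystem other than `/` (which looks like the purpose of the variable), this also means executing code from the audited filesystem with the auditor's privileges; the same change appears on the yum line `FIND2=$(${ROOTDIR}usr/bin/yum list-sec security ...)`, the apt-get line `FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade ...)` and the chkprintcap line `FIND=$(${ROOTDIR}usr/sbin/chkprintcap > /dev/null ; echo $?)` further down. Consider keeping the execution paths as they were (`UPACKAGES=$(/usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')`) and applying `${ROOTDIR}` only to paths that are opened as files, or skipping these execution-based tests when ROOTDIR is not `/`. The `for J in ${UPACKAGES}` loop continues past the end of the hunk.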
@ -603,7 +606,7 @@
|
|||
if [ ${N} -eq 0 ]; then
|
||||
LogText "Result: no upgrades found"
|
||||
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
|
||||
fi
|
||||
fi
|
||||
|
@ -619,7 +622,7 @@
|
|||
PACKAGE_AUDIT_TOOL="pkg_admin audit"
|
||||
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
|
||||
FIND=$(/usr/sbin/pkg_admin audit)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: pkg_admin audit results are clean"
|
||||
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
AddHP 10 10
|
||||
|
@ -703,7 +706,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
FIND=$(/usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: Portaudit results are clean"
|
||||
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
|
||||
AddHP 10 10
|
||||
|
@ -728,7 +731,7 @@
|
|||
# Test : PKGS-7383
|
||||
# Description : Check for YUM package Update management
|
||||
# Notes : Skip if DNF is used as package manager
|
||||
if [ ! "${YUMBINARY}" = "" -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: YUM package update management"
|
||||
|
@ -747,7 +750,7 @@
|
|||
#
|
||||
# Test : PKGS-7384
|
||||
# Description : Search for YUM utils package
|
||||
if [ ! "${YUMBINARY}" = "" -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ -x /usr/bin/package-cleanup ]; then
|
||||
|
@ -792,7 +795,7 @@
|
|||
# : RHEL 7: plugin default installed
|
||||
# : RHEL 6: yum-security-plugin (plugin)
|
||||
# : RHEL 5: yum-security (plugin)
|
||||
if [ -x /usr/bin/yum -a "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM security package"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
DO_TEST=0
|
||||
|
@ -800,27 +803,27 @@
|
|||
|
||||
# Check for built-in --security option
|
||||
if [ ${DO_TEST} -eq 0 ]; then
|
||||
FileExists /usr/share/yum-cli/cli.py
|
||||
FileExists ${ROOTDIR}usr/share/yum-cli/cli.py
|
||||
if [ ${FILE_FOUND} -eq 1 ]; then
|
||||
SearchItem "\-\-security" "/usr/share/yum-cli/cli.py"
|
||||
SearchItem "\-\-security" "${ROOTDIR}usr/share/yum-cli/cli.py"
|
||||
if [ ${ITEM_FOUND} -eq 1 ]; then
|
||||
DO_TEST=1
|
||||
LogText "Result: found built-in security in yum"
|
||||
else
|
||||
LogText "Result: did not find --security in /usr/share/yum-cli/cli.py"
|
||||
LogText "Result: did not find --security in ${ROOTDIR}usr/share/yum-cli/cli.py"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ${DO_TEST} -eq 0 ]; then
|
||||
FileExists /etc/yum/pluginconf.d/security.conf
|
||||
FileExists ${ROOTDIR}etc/yum/pluginconf.d/security.conf
|
||||
if [ ${FILE_FOUND} -eq 1 ]; then
|
||||
SearchItem "^enabled=1$" "/etc/yum/pluginconf.d/security.conf"
|
||||
SearchItem "^enabled=1$" "${ROOTDIR}etc/yum/pluginconf.d/security.conf"
|
||||
if [ ${ITEM_FOUND} -eq 1 ]; then
|
||||
DO_TEST=1
|
||||
LogText "Result: found enabled plugin"
|
||||
else
|
||||
LogText "Result: plugin NOT enabled in /etc/yum/pluginconf.d/security.conf"
|
||||
LogText "Result: plugin NOT enabled in ${ROOTDIR}etc/yum/pluginconf.d/security.conf"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -828,7 +831,7 @@
|
|||
# Check if it's installed as package (this is old style)
|
||||
if [ ${DO_TEST} -eq 0 ]; then
|
||||
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found yum-plugin-security package"
|
||||
DO_TEST=1
|
||||
fi
|
||||
|
@ -839,8 +842,8 @@
|
|||
PACKAGE_AUDIT_TOOL_FOUND=1
|
||||
PACKAGE_AUDIT_TOOL="yum-security"
|
||||
LogText "Test: Checking for vulnerable packages"
|
||||
FIND2=$(/usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }')
|
||||
if [ "${FIND2}" = "" ]; then
|
||||
FIND2=$(${ROOTDIR}usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }')
|
||||
if [ -z "${FIND2}" ]; then
|
||||
LogText "Result: no vulnerable packages found"
|
||||
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
|
||||
else
|
||||
|
@ -907,18 +910,18 @@
|
|||
#
|
||||
# Test : PKGS-7388
|
||||
# Description : Check security repository in Debian/ubuntu apt sources.list file
|
||||
if [ -f /etc/apt/sources.list -a -d /etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file"
|
||||
if [ $SKIPTEST -eq 0 ]; then
|
||||
FOUND=0
|
||||
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
|
||||
if [ -f /etc/apt/sources.list ]; then
|
||||
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
|
||||
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
|
||||
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security " /etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1
|
||||
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: Found security repository in /etc/apt/sources.list"
|
||||
LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
|
||||
for REPO in ${FIND}; do
|
||||
REPO=$(echo ${REPO} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Output: ${REPO}"
|
||||
|
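Review bot: The filter `${GREPBINARY} -v '#'` on the rewritten egrep line is unanchored, so any line that contains a `#` anywhere is discarded, not just comment lines; if apt accepts a `#` later on an otherwise active line, such an entry would make this test report no security repository. The pattern `security.debian.org|security.ubuntu.com|security ` also leaves its dots unescaped, so they match any character. A tighter pair is `${GREPBINARY} -v '^[[:space:]]*#'` for the comment filter and `security\.debian\.org|security\.ubuntu\.com|security ` for the pattern. The `for REPO in ${FIND}` loop and its enclosing if-blocks continue past the end of the hunk.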
@ -1018,8 +1021,8 @@
|
|||
|
||||
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
|
||||
# Show packages which would be upgraded and match 'security' in repository name
|
||||
FIND=$(/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
VULNERABLE_PACKAGES_FOUND=1
|
||||
SCAN_PERFORMED=1
|
||||
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
|
||||
|
@ -1184,9 +1187,7 @@
|
|||
#################################################################################
|
||||
#
|
||||
|
||||
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
|
||||
Report "installed_packages_array=${INSTALLED_PACKAGES}"
|
||||
fi
|
||||
if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
|
||||
|
||||
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
|
||||
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
|
||||
@ -22,7 +22,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
CUPSD_CONFIG_LOCS="/etc/cups /usr/local/etc/cups /private/etc/cups"
|
||||
CUPSD_CONFIG_LOCS="${ROOTDIR}etc/cups ${ROOTDIR}usr/local/etc/cups ${ROOTDIR}private/etc/cups"
|
||||
CUPSD_CONFIG_FILE=""
|
||||
CUPSD_RUNNING=0
|
||||
CUPSD_FOUND=0
|
||||
|
@ -43,21 +43,21 @@
|
|||
Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --category security --description "Check for printcap consistency"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching /usr/sbin/chkprintcap"
|
||||
if [ ! -f /usr/sbin/chkprintcap ]; then
|
||||
if [ ! -f ${ROOTDIR}usr/sbin/chkprintcap ]; then
|
||||
Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
|
||||
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap NOT found, test skipped"
|
||||
else
|
||||
LogText "Result: /usr/sbin/chkprintcap found"
|
||||
FIND=$(/usr/sbin/chkprintcap > /dev/null ; echo $?)
|
||||
LogText "Result: ${ROOTDIR}usr/sbin/chkprintcap found"
|
||||
FIND=$(${ROOTDIR}usr/sbin/chkprintcap > /dev/null ; echo $?)
|
||||
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
|
||||
if [ "${FIND}" = "0" ]; then
|
||||
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: chkprintcap did NOT gave any warnings"
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
|
||||
LogText "Output from chkprintcap: ${FIND}"
|
||||
LogText "Run chkprintcap and check the /etc/printcap file."
|
||||
LogText "Run chkprintcap and check the ${ROOTDIR}etc/printcap file"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
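Review bot: The opening log line of this block, `LogText "Test: Searching /usr/sbin/chkprintcap"`, still names the hard-coded path while the `-f` check and both `Result:` lines directly below it were switched to `${ROOTDIR}usr/sbin/chkprintcap`, so the log becomes inconsistent as soon as ROOTDIR is not `/`. Change it to `LogText "Test: Searching ${ROOTDIR}usr/sbin/chkprintcap"`.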
@ -69,13 +69,12 @@
|
|||
Register --test-no PRNT-2304 --weight L --network NO --category security --description "Check cupsd status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking cupsd status"
|
||||
#FIND=$(${PSBINARY} ax | ${GREPBINARY} "cupsd" | ${GREPBINARY} -v "grep" | ${GREPBINARY} -v apcupsd)
|
||||
IsRunning cupsd
|
||||
if [ ${RUNNING} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN
|
||||
LogText "Result: cups daemon running"
|
||||
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
LogText "Result: cups daemon not running, cups daemon tests skipped"
|
||||
fi
|
||||
|
@ -97,7 +96,7 @@
|
|||
fi
|
||||
fi
|
||||
done
|
||||
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
|
||||
if [ ! -z "${CUPSD_CONFIG_FILE}" ]; then
|
||||
Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
|
||||
CUPSD_FOUND=1
|
||||
|
@ -194,7 +193,7 @@
|
|||
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN
|
||||
LogText "Result: lp daemon running"
|
||||
LPD_RUNNING=1; PRINTING_DAEMON="lp"
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE
|
||||
LogText "Result: lp daemon not running"
|
||||
AddHP 4 4
|
||||
|
@ -202,37 +201,25 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PRNT-23xx
|
||||
# Description : Test Linux printcap file
|
||||
#if [ ${CUPSD_RUNNING} -eq 1 -a ! "${CUPSD_CONFIG_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check cupsd address configuration"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
#if [ "${OS}" = "Linux" ]; then
|
||||
# echo " - Testing printcap file [Test not implemented yet]"
|
||||
# # Check printcap with checkpc command
|
||||
#fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : PRNT-2416
|
||||
# Description : Check /etc/qconfig file
|
||||
Register --test-no PRNT-2316 --os AIX --weight L --network NO --category security --description "Checking /etc/qconfig file"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking /etc/qconfig"
|
||||
QDAEMON_CONFIG_FILE="/etc/qconfig"
|
||||
LogText "Test: Checking ${ROOTDIR}etc/qconfig"
|
||||
QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig"
|
||||
FileIsReadable ${QDAEMON_CONFIG_FILE}
|
||||
if [ ${CANREAD} -eq 1 ]; then
|
||||
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
|
||||
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN
|
||||
QDAEMON_CONFIG_ENABLED=1
|
||||
else
|
||||
else
|
||||
LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
|
||||
Display --indent 2 --text "- Checking /etc/qconfig file" --result EMPTY --color WHITE
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
|
||||
fi
|
||||
fi
|
||||
|
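Review bot: `LogText "Test: Checking ${ROOTDIR}etc/qconfig"` and the `QDAEMON_CONFIG_FILE` assignment now use ROOTDIR, but the two Display lines (`--text "- Checking /etc/qconfig file"`) and the Register description still hard-code `/etc/qconfig`; using the variable keeps them aligned, e.g. `Display --indent 2 --text "- Checking ${QDAEMON_CONFIG_FILE} file" --result "${STATUS_FOUND}" --color GREEN`. Separately, the header comment reads `# Test : PRNT-2416` while the Register call uses `PRNT-2316`; one of the two is a typo and the comment should carry the id that is actually registered.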
@ -271,7 +258,7 @@
|
|||
DirectoryExists /var/spool/lpd/qdir
|
||||
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
|
||||
FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0
|
||||
for I in ${FIND}; do
|
||||
FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
|
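Review bot: The line above the rewritten `-z` test, `FIND=$(find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ...)`, still calls a bare `find` on an unprefixed path, and `DirectoryExists /var/spool/lpd/qdir` two lines earlier has the same unprefixed path, while this same commit moves the cron checks to `${FINDBINARY}` and `${ROOTDIR}`-relative paths. For consistency: `DirectoryExists ${ROOTDIR}var/spool/lpd/qdir` and `FIND=$(${FINDBINARY} ${ROOTDIR}var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')`. The `if [ ${DIRECTORY_FOUND} -eq 1 ]` block continues past the end of the hunk.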
@ -282,7 +269,7 @@
|
|||
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
|
||||
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
|
||||
else
|
||||
else
|
||||
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
|
||||
Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_NONE}" --color GREEN
|
||||
fi
|
||||
|
@ -292,7 +279,7 @@
|
|||
#################################################################################
|
||||
#
|
||||
|
||||
Report "printing_daemon=${PRINTING_DAEMON}"
|
||||
if [ ! -z ${PRINTING_DAEMON} ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi
|
||||
|
||||
WaitForKeyPress
|
||||
|
||||
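Review bot: The new one-liner tests `[ ! -z ${PRINTING_DAEMON} ]` without quoting the expansion, unlike every other `-z` test this commit introduces (for example `[ ! -z "${CUPSD_CONFIG_FILE}" ]` earlier in this file). With the variable empty the test collapses to `[ ! -z ]`, which only happens to evaluate false because `-z` is then treated as a non-empty string, and a value containing whitespace would make `[` complain about too many arguments. Quote it: `if [ ! -z "${PRINTING_DAEMON}" ]; then Report "printing_daemon=${PRINTING_DAEMON}"; fi`.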
@ -58,7 +58,7 @@
|
|||
sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',')
|
||||
}
|
||||
|
||||
CRONTAB_FILE="/etc/crontab"
|
||||
CRONTAB_FILE="${ROOTDIR}etc/crontab"
|
||||
if [ -f ${CRONTAB_FILE} ]; then
|
||||
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
|
@ -69,15 +69,15 @@
|
|||
done
|
||||
fi
|
||||
|
||||
CRON_DIRS="/etc/cron.d"
|
||||
CRON_DIRS="${ROOTDIR}etc/cron.d"
|
||||
for I in ${CRON_DIRS}; do
|
||||
LogText "Test: checking directory ${I}"
|
||||
if [ -d ${I} ]; then
|
||||
if FileIsReadable ${I}; then
|
||||
LogText "Result: found directory ${I}"
|
||||
LogText "Test: searching files in ${I}"
|
||||
FIND=$(find ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${FINDBINARY} ${I} -type f -print | ${GREPBINARY} -v ".placeholder")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: no files found in ${I}"
|
||||
else
|
||||
LogText "Result: found one or more files in ${I}. Analyzing files.."
|
||||
|
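Review bot: The rewritten `${FINDBINARY}` line keeps the filter `${GREPBINARY} -v ".placeholder"`, where the dot is an unescaped regex metacharacter and the pattern is unanchored, so any cron file whose path merely contains `placeholder` (or a name such as `xplaceholder`) is silently excluded from the permission, ownership and cronjob checks that follow; the sibling line in the cron.hourly/daily/weekly/monthly hunk below has the same pattern. A tighter filter is `${GREPBINARY} -v '/\.placeholder$'`. That sibling also redirects find's stderr with `2> /dev/null` while this one does not; aligning the two would be consistent. The `for I in ${CRON_DIRS}` loop continues past the end of the hunk.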
@ -85,7 +85,7 @@
|
|||
if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
|
||||
if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
|
||||
FindCronJob ${J}
|
||||
if [ ! "${sCRONJOBS}" = "" ]; then
|
||||
if [ ! -z "${sCRONJOBS}" ]; then
|
||||
for K in ${sCRONJOBS}; do
|
||||
LogText "Result: Found cronjob (${J}): ${K}"
|
||||
Report "cronjob[]=${J}"
|
||||
|
@ -102,15 +102,15 @@
|
|||
fi
|
||||
done
|
||||
|
||||
CRON_DIRS="/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly"
|
||||
CRON_DIRS="${ROOTDIR}etc/cron.hourly ${ROOTDIR}etc/cron.daily ${ROOTDIR}etc/cron.weekly ${ROOTDIR}etc/cron.monthly"
|
||||
for I in ${CRON_DIRS}; do
|
||||
LogText "Test: checking directory ${I}"
|
||||
if [ -d ${I} ]; then
|
||||
LogText "Result: found directory ${I}"
|
||||
if FileIsReadable ${I}; then
|
||||
LogText "Test: searching files in ${I}"
|
||||
FIND=$(find ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${FINDBINARY} ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: no files found in ${I}"
|
||||
else
|
||||
LogText "Result: found one or more files in ${I}. Analyzing files.."
|
||||
|
@ -232,7 +232,7 @@
|
|||
if [ ${CANREAD} -eq 1 ]; then
|
||||
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
|
||||
FIND=$(${SORTBINARY} ${AT_ALLOW})
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: File empty, no users are allowed to schedule at jobs"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
|
@ -250,7 +250,7 @@
|
|||
if [ ${CANREAD} -eq 1 ]; then
|
||||
LogText "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
|
||||
FIND=$(${SORTBINARY} ${AT_DENY})
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: file is empty, no users are denied access to schedule jobs"
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
|
@ -281,7 +281,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Check scheduled at jobs"
|
||||
FIND=$(atq | ${GREPBINARY} -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found one or more jobs"
|
||||
for I in ${FIND}; do
|
||||
VALUE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
@ -39,9 +39,9 @@
|
|||
# /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
|
||||
# $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin
|
||||
|
||||
SHELL_LOGIN_FILES="/etc/csh.cshrc /etc/csh.login /etc/zshenv /etc/zsh/zshenv
|
||||
/etc/zprofile /etc/zsh/zprofile /etc/zshrc /etc/zsh/zshrc
|
||||
/etc/zlogin /etc/zsh/zlogin"
|
||||
SHELL_LOGIN_FILES="${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/csh.login ${ROOTDIR}etc/zshenv ${ROOTDIR}etc/zsh/zshenv
|
||||
${ROOTDIR}etc/zprofile ${ROOTDIR}etc/zsh/zprofile ${ROOTDIR}etc/zshrc ${ROOTDIR}etc/zsh/zshrc
|
||||
${ROOTDIR}etc/zlogin ${ROOTDIR}etc/zsh/zlogin"
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -51,11 +51,11 @@
|
|||
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking console TTYs"
|
||||
FIND=$(${EGREPBINARY} '^console' /etc/ttys | ${GREPBINARY} -v 'insecure')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
|
||||
if [ -z "${FIND}" ]; then
|
||||
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
|
||||
LogText "Result: console is secured against single user mode without password."
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
|
||||
LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
|
||||
LogText "Output /etc/ttys:"
|
||||
|
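Review bot: The egrep now reads `${ROOTDIR}etc/ttys`, but the two log lines in the else-branch still name the host path: `LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"` and `LogText "Output /etc/ttys:"`. Switching both to `${ROOTDIR}etc/ttys` keeps the log consistent with the file that was actually read. The else-branch continues past the end of the hunk.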
@ -71,26 +71,26 @@
|
|||
# Description : which shells are available according /etc/shells
|
||||
Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Searching for /etc/shells"
|
||||
LogText "Test: Searching for ${ROOTDIR}etc/shells"
|
||||
if [ -f /etc/shells ]; then
|
||||
LogText "Result: Found /etc/shells file"
|
||||
LogText "Test: Reading available shells from /etc/shells"
|
||||
SSHELLS=$(${GREPBINARY} "^/" /etc/shells)
|
||||
SSHELLS=$(${GREPBINARY} "^/" ${ROOTDIR}etc/shells)
|
||||
CSSHELLS=0; CSSHELLS_ALL=0
|
||||
Display --indent 2 --text "- Checking shells from /etc/shells"
|
||||
for I in ${SSHELLS}; do
|
||||
CSSHELLS_ALL=$((CSSHELLS_ALL + 1))
|
||||
Report "available_shell[]=${I}"
|
||||
# YYY add check for symlinked shells
|
||||
# TODO add check for symlinked shells
|
||||
if [ -f ${I} ]; then
|
||||
LogText "Found installed shell: ${I}"
|
||||
CSSHELLS=$((CSSHELLS + 1))
|
||||
else
|
||||
else
|
||||
LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
|
||||
fi
|
||||
done
|
||||
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
|
||||
else
|
||||
else
|
||||
LogText "Result: /etc/shells not found, skipping test"
|
||||
fi
|
||||
fi
|
||||
|
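Review bot: The existence check `if [ -f /etc/shells ]; then` still tests the host path, while the log line just above it now says `${ROOTDIR}etc/shells` and the grep a few lines below reads `${ROOTDIR}etc/shells`; with a ROOTDIR other than `/` the test is gated on the host's file and then parses the target's, and is skipped altogether if the host has no `/etc/shells`. Change it to `if [ -f ${ROOTDIR}etc/shells ]; then`, and update the two `LogText` lines, the `Display --text "- Checking shells from /etc/shells"` label and the final `/etc/shells not found` message to use `${ROOTDIR}etc/shells` as well.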
@ -115,12 +115,12 @@
|
|||
Report="session_timeout_method[]=autolog"
|
||||
fi
|
||||
|
||||
if [ -f /etc/profile ]; then
|
||||
if [ -f ${ROOTDIR}etc/profile ]; then
|
||||
# Determine if we can find a TMOUT value
|
||||
FIND=$(${GREPBINARY} 'TMOUT=' /etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
||||
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
||||
# Determine if the value is exported (with export, readonly, or typeset)
|
||||
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0; IDLE_TIMEOUT=1
|
||||
for I in ${FIND}; do
|
||||
LogText "Output: ${I}"
|
||||
|
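Review bot: `FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | ...)` still reads the host's `/etc/profile`, while the `-f` check and the FIND assignment directly above it were switched to `${ROOTDIR}etc/profile`; when ROOTDIR is not `/`, the export/readonly verdict is taken from a different file than the TMOUT value. Prefix it the same way: `FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')`. The `if [ -f ${ROOTDIR}etc/profile ]` block continues past the end of the hunk.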
@ -129,15 +129,15 @@
|
|||
done
|
||||
if [ ${N} -eq 1 ]; then
|
||||
LogText "Result: found TMOUT value configured in /etc/profile"
|
||||
else
|
||||
else
|
||||
LogText "Result: found several TMOUT values configured in /etc/profile"
|
||||
fi
|
||||
Report "session_timeout_method[]=profile"
|
||||
else
|
||||
else
|
||||
LogText "Result: could not find TMOUT setting in /etc/profile"
|
||||
fi
|
||||
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
if [ ! -z "${FIND2}" ]; then
|
||||
N=0;
|
||||
for I in ${FIND2}; do
|
||||
LogText "Output: ${I}"
|
||||
|
@ -148,26 +148,26 @@
|
|||
if [ ${N} -gt 0 ]; then
|
||||
LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
|
||||
Report "session_timeout_set_readonly=1"
|
||||
else
|
||||
else
|
||||
LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
|
||||
Report "session_timeout_set_readonly=0"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: skip /etc/profile test, file not available on this system"
|
||||
fi
|
||||
|
||||
if [ -d /etc/profile.d ]; then
|
||||
FIND=$(ls /etc/profile.d/*.sh 2> /dev/null)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ -d ${ROOTDIR}etc/profile.d ]; then
|
||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
# Determine if we can find a TMOUT value
|
||||
FIND=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
||||
FIND=$(${CATBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
||||
# Determine if the value is exported (with export, readonly, or typeset)
|
||||
FIND2=$(cat /etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
||||
FIND2=$(${CATBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
||||
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
N=0; IDLE_TIMEOUT=1
|
||||
for I in ${FIND}; do
|
||||
LogText "Output: ${I}"
|
||||
|
@ -176,15 +176,15 @@
|
|||
done
|
||||
if [ ${N} -eq 1 ]; then
|
||||
LogText "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
|
||||
else
|
||||
else
|
||||
LogText "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
|
||||
fi
|
||||
Report "session_timeout_method[]=profile"
|
||||
else
|
||||
else
|
||||
LogText "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
|
||||
fi
|
||||
# Check for readonly
|
||||
if [ ! "${FIND2}" = "" ]; then
|
||||
if [ ! -z "${FIND2}" ]; then
|
||||
N=0;
|
||||
for I in ${FIND2}; do
|
||||
LogText "Output: ${I}"
|
||||
|
@ -195,11 +195,11 @@
|
|||
if [ ${N} -gt 0 ]; then
|
||||
LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
|
||||
Report "session_timeout_set_readonly=1"
|
||||
else
|
||||
else
|
||||
LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
|
||||
Report "session_timeout_set_readonly=0"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
|
||||
fi
|
||||
fi
|
||||
|
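Review bot: The three result messages in this hunk (`found readonly setting in /etc/profile (readonly or typeset -r)`, `NO readonly setting found in /etc/profile (readonly or typeset -r)` and `could not find export, readonly or typeset -r in /etc/profile`) appear to sit inside the `${ROOTDIR}etc/profile.d` branch, since the preceding hunk's TMOUT messages refer to the `/etc/profile.d` directory, so they name the wrong file. Rewording them to `... in ${ROOTDIR}etc/profile.d/*.sh` would match the TMOUT messages of that branch. The enclosing if-blocks start before the hunk.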
@ -232,10 +232,10 @@
|
|||
LogText "Result: file ${FILE} exists"
|
||||
FOUND=1
|
||||
FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: did not find umask configured in ${FILE}"
|
||||
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
|
||||
else
|
||||
else
|
||||
for UMASKVALUE in ${FIND}; do
|
||||
LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
|
||||
case ${UMASKVALUE} in
|
||||
|
@ -251,27 +251,22 @@
|
|||
if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
|
||||
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
|
||||
AddHP 1 3
|
||||
fi
|
||||
fi
|
||||
else
|
||||
LogText "Result: file ${FILE} not found"
|
||||
LogText "Result: file ${FILE} not found"
|
||||
fi
|
||||
done
|
||||
#if [ ${FOUND} -eq 1 ]; then
|
||||
# if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
|
||||
# LogText "Result: all shell files found, contain a proper umask"
|
||||
# Display --indent 4 --text "- Default umask" --result "${STATUS_OK}" --color GREEN
|
||||
# fi
|
||||
#fi
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : SHLL-6290
|
||||
# Description : Check for Shellshock vulnerability
|
||||
# TODO remove this test?
|
||||
Register --test-no SHLL-6290 --weight H --network NO --category security --description "Perform Shellshock vulnerability tests"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
|
@ -281,13 +276,13 @@
|
|||
if [ -f /etc/shells ]; then
|
||||
LogText "Test: checking for bash shell in /etc/shells"
|
||||
FIND=$(${EGREPBINARY} '(/usr)?(/local)?/bin/bash' /etc/shells | ${GREPBINARY} -v "^#" | head -1)
|
||||
else
|
||||
else
|
||||
LogText "Test: checking if bash is available via which command"
|
||||
FIND=$(which bash 2> /dev/null | grep -v "no [^ ]* in " | head -1)
|
||||
fi
|
||||
|
||||
LogText "Result: command revealed ${FIND} as output"
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
if [ -x "${FIND}" -a ! -L "${FIND}" ]; then
|
||||
LogText "Result: found ${FIND} as a valid shell"
|
||||
CreateTempFile || ExitFatal
|
||||
|
@ -298,14 +293,13 @@
|
|||
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
if [ ! -z "${VULNERABLE}" ]; then
|
||||
LogText "Output: ${VULNERABLE}"
|
||||
LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "${STATUS_WARNING}" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
|
||||
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-6277 (disabled, as this test was giving too much false positives)
|
||||
|
@ -315,14 +309,13 @@
|
|||
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | ${GREPBINARY} 'vulnerable'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
if [ ! -z "${VULNERABLE}" ]; then
|
||||
LogText "Output: ${VULNERABLE}"
|
||||
LogText "Result: Vulnerable to CVE-2014-6278"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_WARNING}" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: Not vulnerable to CVE-2014-6278"
|
||||
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7169
|
||||
|
@ -335,9 +328,8 @@
|
|||
LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "${STATUS_WARNING}" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
|
||||
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7186
|
||||
|
@ -350,9 +342,8 @@
|
|||
LogText "Result: Vulnerable to CVE-2014-7186"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "${STATUS_WARNING}" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: Not vulnerable to CVE-2014-7186"
|
||||
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-7187
|
||||
|
@ -365,9 +356,8 @@
|
|||
LogText "Result: Vulnerable to CVE-2014-7187"
|
||||
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "${STATUS_WARNING}" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: Not vulnerable to CVE-2014-7187"
|
||||
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
|
||||
# CVE-2014-////
|
||||
|
@ -375,26 +365,25 @@
|
|||
echo "env X=' () { }; echo hello' bash -c 'date'| ${GREPBINARY} 'hello'" > ${SHELLSHOCK_TMP}
|
||||
VULNERABLE=$(${FIND} ${SHELLSHOCK_TMP} 2> /dev/null)
|
||||
rm -f ${SHELLSHOCK_TMP}
|
||||
if [ ! "${VULNERABLE}" = "" ]; then
|
||||
if [ ! -z "${VULNERABLE}" ]; then
|
||||
LogText "Output: ${VULNERABLE}"
|
||||
LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
|
||||
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "${STATUS_WARNING}" --color RED
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
|
||||
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "${STATUS_OK}" --color GREEN
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: bash binary found, but not executable, or it is symlinked"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: could not find bash to be a valid shell"
|
||||
fi
|
||||
|
||||
if [ ${FOUND} -eq 1 ]; then
|
||||
ReportWarning ${TEST_NO} "System vulnerable to Shellshock (bash)"
|
||||
AddHP 0 25
|
||||
else
|
||||
else
|
||||
AddHP 5 5
|
||||
fi
|
||||
unset x
|
||||
|
|
|
@ -74,7 +74,7 @@
|
|||
#
|
||||
# Test : SNMP-3306
|
||||
# Description : Determine SNMP communities
|
||||
if [ ! "${SNMP_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${SNMP_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
WARN=0
|
||||
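Review bot: The new test `if [ ! -z "${SNMP_DAEMON_CONFIG}" ]` is a double negative; `if [ -n "${SNMP_DAEMON_CONFIG}" ]` expresses the same check directly and is the form ShellCheck recommends. The same `! -z` spelling is introduced in the Squid, SSH, USB-storage and storage/NFS sections below, so the cleanup would apply there too. Where it is combined with `-a`/`-o` inside one `[ ]` (the PREQS_MET lines in the Squid and SSH sections), the resulting five-argument `test` has unspecified parsing under POSIX; `[ ${SQUID_DAEMON_RUNNING} -eq 1 ] && [ -n "${SQUID_DAEMON_CONFIG}" ]` is the unambiguous form.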
|
|
|
@ -22,7 +22,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
SQUID_DAEMON_CONFIG_LOCS="/etc /etc/squid /etc/squid3 /usr/local/etc/squid /usr/local/squid/etc"
|
||||
SQUID_DAEMON_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/squid ${ROOTDIR}etc/squid3 ${ROOTDIR}usr/local/etc/squid ${ROOTDIR}usr/local/squid/etc"
|
||||
SQUID_DAEMON_CONFIG=""
|
||||
SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25"
|
||||
SQUID_DAEMON_RUNNING=0
|
||||
|
@ -43,11 +43,11 @@
|
|||
FOUND=0
|
||||
# Check running processes
|
||||
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
SQUID_DAEMON_RUNNING=1
|
||||
LogText "Result: Squid daemon is running"
|
||||
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: No running Squid daemon found"
|
||||
Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
|
@ -73,10 +73,10 @@
|
|||
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
|
||||
fi
|
||||
done
|
||||
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
||||
if [ -z "${SQUID_DAEMON_CONFIG}" ]; then
|
||||
LogText "Result: No Squid configuration file found"
|
||||
Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
else
|
||||
else
|
||||
LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
|
||||
Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
|
@ -86,22 +86,22 @@
|
|||
#
|
||||
# Test : SQD-3606
|
||||
# Description : Check Squid version
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ! "${SQUIDBINARY}" = "" ]; then
|
||||
if [ ! -z "${SQUIDBINARY}" ]; then
|
||||
LogText "Result: Squid binary found (${SQUIDBINARY})"
|
||||
# Skip check if a setuid/setgid bit is found
|
||||
FIND=$(find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
|
||||
if [ "${FIND}" = "" ]; then
|
||||
FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)
|
||||
if [ -z "${FIND}" ]; then
|
||||
FIND2=$(${SQUIDBINARY} -v | ${AWKBINARY} '{ if ($3=="Version") { print $4 } }')
|
||||
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN
|
||||
SQUID_VERSION="${FIND2}"
|
||||
else
|
||||
else
|
||||
LogText "Result: test skipped for security reasons, setuid/setgid bit set"
|
||||
Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: no Squid binary found"
|
||||
fi
|
||||
fi
|
||||
|
@ -110,7 +110,7 @@
|
|||
#
|
||||
# Test : SQD-3610
|
||||
# Description : Check Squid configuration options
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
|
||||
|
@ -127,18 +127,18 @@
|
|||
#
|
||||
# Test : SQD-3613
|
||||
# Description : Check Squid configuration options
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
|
||||
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
|
||||
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
|
||||
ReportWarning ${TEST_NO} "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
|
||||
AddHP 0 2
|
||||
else
|
||||
else
|
||||
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
|
||||
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN
|
||||
AddHP 2 2
|
||||
|
@ -147,7 +147,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
|
||||
Display --indent 4 --text "- Checking Squid access control"
|
||||
fi
|
||||
#
|
||||
|
@ -155,15 +155,15 @@
|
|||
#
|
||||
# Test : SQD-3614
|
||||
# Description : Check Squid authentication
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid authentication methods"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check auth_param option for authentication methods"
|
||||
FIND=$(${GREPBINARY} "^auth_param" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $2 }')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
|
||||
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW
|
||||
else
|
||||
else
|
||||
Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN
|
||||
for I in ${FIND}; do
|
||||
LogText "Result: found authentication method ${I}"
|
||||
|
@ -176,15 +176,15 @@
|
|||
#
|
||||
# Test : SQD-3616
|
||||
# Description : Check external Squid authentication
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check external Squid authentication"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check external_acl_type option for external authentication helpers"
|
||||
FIND=$(${GREPBINARY} "^external_acl_type" ${SQUID_DAEMON_CONFIG})
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "No external_acl_type found"
|
||||
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW
|
||||
else
|
||||
else
|
||||
Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN
|
||||
for I in ${FIND}; do
|
||||
LogText "Result: found external authentication method helper"
|
||||
|
@ -207,7 +207,7 @@
|
|||
if [ "${FIND}" = "" ]; then
|
||||
LogText "Result: No ACLs found"
|
||||
Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED
|
||||
else
|
||||
else
|
||||
for I in ${FIND}; do
|
||||
N=$((N + 1))
|
||||
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
|
@ -229,18 +229,18 @@
|
|||
N=0
|
||||
LogText "Test: checking ACL Safe_ports http_access option"
|
||||
FIND=$(${GREPBINARY} "^http_access" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} "Safe_ports")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: no Safe_ports found"
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
|
||||
else
|
||||
else
|
||||
LogText "Result: checking ACL safe ports"
|
||||
FIND2=$(${GREPBINARY} "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | ${AWKBINARY} '{ print $4 }')
|
||||
if [ "${FIND2}" = "" ]; then
|
||||
if [ -z "${FIND2}" ]; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
|
||||
AddHP 0 1
|
||||
else
|
||||
else
|
||||
LogText "Result: Safe_ports found"
|
||||
for I in ${FIND}; do
|
||||
LogText "Found safe port: ${I}"
|
||||
|
@ -252,10 +252,10 @@
|
|||
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
|
||||
LogText "Test: Checking port ${I} in Safe_ports list"
|
||||
FIND2=$(${GREPBINARY} -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG})
|
||||
if [ "${FIND2}" = "" ]; then
|
||||
if [ -z "${FIND2}" ]; then
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN
|
||||
AddHP 1 1
|
||||
else
|
||||
else
|
||||
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED
|
||||
ReportWarning ${TEST_NO} "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
|
||||
AddHP 0 1
|
||||
|
@ -266,7 +266,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
|
||||
Display --indent 4 --text "- Checking Squid Denial of Service tuning options"
|
||||
fi
|
||||
#
|
||||
|
@ -274,18 +274,18 @@
|
|||
#
|
||||
# Test : SQD-3630 [T]
|
||||
# Description : Check reply_body_max_size value
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid reply_body_max_size option"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
N=0
|
||||
LogText "Test: checking option reply_body_max_size"
|
||||
FIND=$(${GREPBINARY} "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: option reply_body_max_size not configured"
|
||||
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED
|
||||
AddHP 1 2
|
||||
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
|
||||
else
|
||||
else
|
||||
LogText "Result: option reply_body_max_size configured"
|
||||
LogText "Output: ${FIND}"
|
||||
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN
|
||||
|
@ -295,7 +295,7 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then
|
||||
Display --indent 4 --text "- Checking Squid general options"
|
||||
fi
|
||||
#
|
||||
|
@ -303,16 +303,16 @@
|
|||
#
|
||||
# Test : SQD-3680
|
||||
# Description : Check httpd_suppress_version_string
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Result: option httpd_suppress_version_string not configured"
|
||||
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
AddHP 1 2
|
||||
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
|
||||
else
|
||||
else
|
||||
LogText "Result: option httpd_suppress_version_string configured"
|
||||
LogText "Output: ${FIND}"
|
||||
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN
|
||||
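Review bot: The rewritten setuid/setgid guard in SQD-3606, `FIND=$(${FINDBINARY} ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print)`, uses exact-mode matching: `-perm 4000` only matches a file whose mode is exactly 4000, so a typical setuid binary (mode 4755, say) is not detected and `${SQUIDBINARY} -v` is executed despite the "skipped for security reasons" intent. The intended test is `\( -perm -4000 -o -perm -2000 \)`, the same `-perm -mode` form that SQD-3613 already uses with `-perm -004`; quoting `"${SQUIDBINARY}"` there would not hurt either. Separately, the Register line for SQD-3610 still carries `--description "Check Squid version"` although its header comment says it checks configuration options; `--description "Check Squid configuration options"` would match.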
|
|
|
@ -47,7 +47,7 @@
|
|||
CreateTempFile
|
||||
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
|
||||
${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
fi
|
||||
|
@ -72,16 +72,16 @@
|
|||
if [ ${CANREAD} -eq 1 ]; then
|
||||
FOUND=1
|
||||
SSH_DAEMON_CONFIG="${I}/sshd_config"
|
||||
else
|
||||
else
|
||||
LogText "Result: can not read ${I}/sshd_config file (no permission)"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
|
||||
if [ -z "${SSH_DAEMON_CONFIG}" ]; then
|
||||
LogText "Result: No sshd configuration found"
|
||||
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
|
||||
else
|
||||
else
|
||||
LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
|
||||
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_FOUND}" --color GREEN
|
||||
fi
|
||||
|
@ -92,7 +92,7 @@
|
|||
# Test : SSH-7408
|
||||
# Description : Check SSH specific defined options
|
||||
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
|
||||
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
|
||||
|
@ -150,7 +150,7 @@
|
|||
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
|
||||
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
|
||||
|
||||
if [ ! "${FOUNDVALUE}" = "" ]; then
|
||||
if [ ! -z "${FOUNDVALUE}" ]; then
|
||||
LogText "Result: Option ${OPTIONNAME} found"
|
||||
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
|
||||
|
||||
|
@ -246,7 +246,7 @@
|
|||
LogText "Result: Option ${OPTIONNAME} not found in output"
|
||||
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
else
|
||||
else
|
||||
if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
|
||||
fi
|
||||
done
|
||||
|
@ -257,28 +257,28 @@
|
|||
# Test : SSH-7440
|
||||
# Description : AllowUsers / AllowGroups
|
||||
# Goal : Check if only a specific amount of users/groups can log in to the system
|
||||
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH option: AllowUsers and AllowGroups"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
# AllowUsers
|
||||
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: AllowUsers set, with value ${FIND}"
|
||||
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: AllowUsers is not set"
|
||||
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
|
||||
# AllowGroups
|
||||
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: AllowUsers set ${FIND}"
|
||||
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
||||
FOUND=1
|
||||
else
|
||||
else
|
||||
LogText "Result: AllowGroups is not set"
|
||||
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
|
@ -286,7 +286,7 @@
|
|||
if [ ${FOUND} -eq 1 ]; then
|
||||
LogText "Result: SSH is limited to a specific set of users, which is good"
|
||||
AddHP 2 2
|
||||
else
|
||||
else
|
||||
LogText "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
|
||||
AddHP 0 1
|
||||
fi
|
||||
|
@ -296,7 +296,6 @@
|
|||
#
|
||||
|
||||
Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
|
||||
#Report "ssh_daemon_port=${SSH_DAEMON_PORT}"
|
||||
|
||||
WaitForKeyPress
|
||||
|
||||
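Review bot: In the AllowGroups branch of SSH-7440, the log line following the new `if [ ! -z "${FIND}" ]` test reads `LogText "Result: AllowUsers set ${FIND}"`, which attributes the value to the wrong option in the log; it should be `LogText "Result: AllowGroups set, with value ${FIND}"` to mirror the AllowUsers branch above it. The PREQS_MET lines in this section, e.g. `if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]`, keep the `-a` conjunction, which together with `!` gives a five-argument `test` whose parsing POSIX leaves unspecified; `[ ${SSH_DAEMON_RUNNING} -eq 1 ] && [ -n "${SSH_DAEMON_OPTIONS_FILE}" ]` is unambiguous.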
|
|
|
@ -35,21 +35,21 @@
|
|||
FOUND=0
|
||||
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
|
||||
if [ -d /etc/modprobe.d ]; then
|
||||
FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" /etc/modprobe.d/*)
|
||||
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
|
||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
|
||||
if [ ! -z "${FIND}" -o ! -z "${FIND2}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
|
||||
fi
|
||||
else
|
||||
else
|
||||
LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
|
||||
fi
|
||||
fi
|
||||
if [ -f /etc/modprobe.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found usb-storage driver in disabled state"
|
||||
fi
|
||||
|
@ -59,7 +59,7 @@
|
|||
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
|
||||
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
|
||||
AddHP 2 3
|
||||
else
|
||||
else
|
||||
LogText "Result: usb-storage driver is disabled"
|
||||
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
|
||||
AddHP 3 3
|
||||
|
@ -111,23 +111,23 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
FOUND=0
|
||||
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
|
||||
if [ -d /etc/modprobe.d ]; then
|
||||
FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
|
||||
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
|
||||
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
|
||||
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found firewire ohci driver in disabled state"
|
||||
fi
|
||||
else
|
||||
LogText "Result: skipping /etc/modprobe.d, directory found but no files in it"
|
||||
else
|
||||
LogText "Result: skipping ${ROOTDIR}etc/modprobe.d, directory found but no files in it"
|
||||
fi
|
||||
fi
|
||||
if [ -f /etc/modprobe.conf ]; then
|
||||
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" /etc/modprobe.conf | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | ${GREPBINARY} -v "#")
|
||||
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
|
||||
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
|
||||
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
|
||||
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} -v "#")
|
||||
if [ ! -z "${FIND1}" -o ! -z "${FIND2}" ]; then
|
||||
FOUND=1
|
||||
LogText "Result: found firewire ohci driver in disabled state"
|
||||
fi
|
||||
|
@ -139,7 +139,7 @@
|
|||
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
|
||||
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
|
||||
AddHP 2 3
|
||||
else
|
||||
else
|
||||
LogText "Result: firewire ohci driver is disabled"
|
||||
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
|
||||
AddHP 3 3
|
||||
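Review bot: In the USB-storage hunk the directory test `if [ -d /etc/modprobe.d ]; then` and the two log messages (`Checking USB storage driver in directory /etc/modprobe.d ...` and `Found /etc/modprobe.d directory, but no files in it.`) still use the bare path, while the new `${LSBINARY}` and `${EGREPBINARY}` lines in the same block read `${ROOTDIR}etc/modprobe.d/*`; when ROOTDIR is not `/`, the existence check and the file search look at different trees. The firewire hunk below already updates its test to `if [ -d ${ROOTDIR}etc/modprobe.d ]; then` and its log text, so the USB hunk should do the same for both tests to agree. The new `[ ! -z "${FIND}" -o ! -z "${FIND2}" ]` lines could also be written `[ -n "${FIND}" ] || [ -n "${FIND2}" ]` to avoid the deprecated `-o`.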
|
|
|
@ -33,7 +33,7 @@
|
|||
#
|
||||
# Test : STRG-1902
|
||||
# Description : Check rpcinfo
|
||||
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking rpcinfo registered programs"
|
||||
|
@ -48,7 +48,7 @@
|
|||
#
|
||||
# Test : STRG-1904
|
||||
# Description : Check nfs versions in rpcinfo
|
||||
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking NFS registered versions"
|
||||
|
@ -63,7 +63,7 @@
|
|||
#
|
||||
# Test : STRG-1906
|
||||
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
|
||||
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ! -z "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking NFS registered protocols"
|
||||
|
@ -71,7 +71,7 @@
|
|||
for I in ${FIND}; do
|
||||
LogText "Found protocol: ${I}"
|
||||
done
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Output: no NFS protocols found"
|
||||
fi
|
||||
|
||||
|
@ -81,7 +81,7 @@
|
|||
for I in ${FIND}; do
|
||||
LogText "Found port: ${I}"
|
||||
done
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Output: no NFS port number found"
|
||||
fi
|
||||
Display --indent 2 --text "- Query NFS protocols" --result "${STATUS_DONE}" --color GREEN
|
||||
|
@ -95,10 +95,10 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: Checking running NFS daemon"
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep")
|
||||
if [ "${FIND}" = "" ]; then
|
||||
if [ -z "${FIND}" ]; then
|
||||
LogText "Output: NFS daemon is not running"
|
||||
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
else
|
||||
else
|
||||
LogText "Output: NFS daemon is running"
|
||||
Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_FOUND}" --color GREEN
|
||||
NFS_DAEMON_RUNNING=1
|
||||
|
@ -120,22 +120,22 @@
|
|||
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking NFS exports"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: check /etc/exports"
|
||||
if [ -f /etc/exports ]; then
|
||||
LogText "Result: /etc/exports exists"
|
||||
FIND=$(${GREPBINARY} -v "^$" /etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ -f ${ROOTDIR}etc/exports ]; then
|
||||
LogText "Result: ${ROOTDIR}etc/exports exists"
|
||||
FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
for I in ${FIND}; do
|
||||
I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
|
||||
LogText "Found line: ${I}"
|
||||
done
|
||||
else
|
||||
LogText "Result: /etc/exports does not contain exported file systems"
|
||||
else
|
||||
LogText "Result: ${ROOTDIR}etc/exports does not contain exported file systems"
|
||||
NFS_EXPORTS_EMPTY=1
|
||||
fi
|
||||
Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
LogText "Result: file /etc/exports does not exist"
|
||||
Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
fi
|
||||
#
|
||||
|
@ -148,7 +148,7 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
|
||||
Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
|
||||
LogText "Result: /etc/exports seems to have no exported file systems"
|
||||
LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
|
||||
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
|
||||
fi
|
||||
fi
|
||||
|
@ -160,9 +160,8 @@
|
|||
if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
#LogText "Test: "
|
||||
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d'| ${GREPBINARY} "\*")
|
||||
if [ "${sFIND}" != "" ]; then
|
||||
sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
|
||||
if [ ! -z "${sFIND}" ]; then
|
||||
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
|
||||
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
|
||||
|
|
|
@ -25,16 +25,15 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
InsertSection "Software: file integrity"
|
||||
InsertSection "Software: system integrity"
|
||||
Display --indent 2 --text "- Checking file integrity tools"
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
if [ -x "/usr/bin/csrutil" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
|
||||
if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
|
||||
Register --test-no SINT-7010 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Most tests use the "if-then-else". If something is true, take one step, otherwise the other.
|
||||
if /usr/bin/csrutil status|grep -sq enabled ; then
|
||||
if ${ROOTDIR}usr/bin/csrutil status | ${GREPBINARY} -sq enabled ; then
|
||||
Display --indent 2 --text "- System Integrity Protectioni (status)" --result "${STATUS_OK}" --color GREEN
|
||||
Report "system_integrity_tool[]=mac-sip"
|
||||
LogText "Result: SIP enabled, OK"
|
||||
|
@ -43,7 +42,6 @@
|
|||
Display --indent 2 --text "- System Integrity Protection (status)" --result "${STATUS_NO}" --color RED
|
||||
LogText "Result: SIP disabled, BAD"
|
||||
AddHP 0 3
|
||||
# TODO: add suggestion
|
||||
fi
|
||||
fi
|
||||
|
||||
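Review bot: The new prerequisite test `if [ -x ${ROOTDIR}/usr/bin/csrutil ]` spells the path with an extra slash, while the invocation a few lines below (`${ROOTDIR}usr/bin/csrutil status`) and every other `${ROOTDIR}` path in this commit omit it (ROOTDIR evidently carries its own trailing slash), and the quotes the old line had around the path were dropped; suggest `if [ -x "${ROOTDIR}usr/bin/csrutil" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi`. Separately, the status check now executes the binary found under ROOTDIR instead of the host's `/usr/bin/csrutil`: when ROOTDIR is an alternate root (a mounted image rather than `/`), that runs code from the audited tree on the auditing host, and SIP status is a property of the running kernel in any case, so keeping the invocation on the host binary, or guarding it with a check that ROOTDIR is `/`, looks like the safer choice — worth confirming the intended ROOTDIR semantics. The `Protectioni` typo on the following Display line is pre-existing context.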
|
|
|
@ -139,7 +139,7 @@
|
|||
SALT_MASTER_RUNNING=1
|
||||
Report "automation_tool_running[]=saltstack-minion"
|
||||
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
IsRunning "salt-master"
|
||||
if [ ${RUNNING} -eq 1 ]; then
|
||||
LogText "Result: found SaltStack (master)"
|
||||
|
@ -152,7 +152,7 @@
|
|||
|
||||
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
||||
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
|
||||
fi
|
||||
|
@ -176,7 +176,7 @@
|
|||
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
|
||||
Report "ids_ips_tooling[]=fail2ban"
|
||||
Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: Fail2ban not present (fail2ban-server not found)"
|
||||
fi
|
||||
|
||||
|
@ -280,9 +280,9 @@
|
|||
#
|
||||
# LogText "Checking for fail2ban iptables chains"
|
||||
#
|
||||
# if [ ! "${IPTABLESBINARY}" = "" ]; then
|
||||
# if [ ! -z "${IPTABLESBINARY}" ]; then
|
||||
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
|
||||
# if [ ! "${CHECK_CHAINS}" = "" ]; then
|
||||
# if [ ! -z "${CHECK_CHAINS}" ]; then
|
||||
# LogText "Result: found at least one iptables chain for fail2ban"
|
||||
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
|
||||
# else
|
||||
|
@ -308,7 +308,7 @@
|
|||
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
|
||||
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 2 2
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
|
||||
#ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools"
|
||||
AddHP 0 2
|
||||
|
|
|
@ -39,8 +39,8 @@
|
|||
#################################################################################
|
||||
#
|
||||
sTEST_APACHE_TARGETS="${ROOTDIR}etc/apache ${ROOTDIR}etc/apache2 ${ROOTDIR}etc/httpd ${ROOTDIR}usr/local/apache ${ROOTDIR}usr/local/apache2 \
|
||||
${ROOTDIR}usr/local/etc/apache ${ROOTDIR}usr/local/etc/apache2 ${ROOTDIR}usr/local/etc/apache22 \
|
||||
${ROOTDIR}usr/pkg/etc/httpd ${ROOTDIR}etc/sysconfig/apache2"
|
||||
${ROOTDIR}usr/local/etc/apache ${ROOTDIR}usr/local/etc/apache2 ${ROOTDIR}usr/local/etc/apache22 \
|
||||
${ROOTDIR}usr/pkg/etc/httpd ${ROOTDIR}etc/sysconfig/apache2"
|
||||
|
||||
CreateTempFile || ExitFatal
|
||||
TMPFILE="${TEMP_FILE}"
|
||||
|
@ -57,15 +57,15 @@
|
|||
Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache presence"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi
|
||||
if [ "${HTTPDBINARY}" = "" ]; then
|
||||
if [ -z "${HTTPDBINARY}" ]; then
|
||||
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
else
|
||||
else
|
||||
LogText "Test: Scanning for Apache binary"
|
||||
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
|
||||
if [ "${IS_APACHE}" = "" ]; then
|
||||
if [ -z "${IS_APACHE}" ]; then
|
||||
LogText "Result: ${HTTPDBINARY} is not Apache"
|
||||
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
|
||||
else
|
||||
else
|
||||
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN
|
||||
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
|
||||
APACHE_INSTALLED=1
|
||||
|
@ -84,7 +84,7 @@
|
|||
if [ ${APACHE_INSTALLED} -eq 1 ]; then
|
||||
if [ ! "${OS}" = "NetBSD" -a ! "${OS}" = "OpenBSD" ]; then
|
||||
PREQS_MET="YES"
|
||||
else
|
||||
else
|
||||
PREQS_MET="NO"
|
||||
fi
|
||||
else
|
||||
|
@ -95,14 +95,14 @@
|
|||
APACHE_CONFIGFILE=""
|
||||
APACHE_TEST=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D SERVER_CONFIG_FILE=" | ${SEDBINARY} 's/[ ]-D SERVER_CONFIG_FILE=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '[:cntrl:]')
|
||||
|
||||
if [ "${APACHE_TEST}" = "" ]; then
|
||||
if [ -z "${APACHE_TEST}" ]; then
|
||||
LogText "Result: Can't find the configuration file, so skipping some Apache related tests"
|
||||
else
|
||||
else
|
||||
# We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
|
||||
if [ -f ${APACHE_TEST} ]; then
|
||||
APACHE_CONFIGFILE="${APACHE_TEST}"
|
||||
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
|
||||
else
|
||||
else
|
||||
# Probably the prefix is missing, so we are going to search that
|
||||
APACHE_HTTPDROOT=$(${HTTPDBINARY} -V 2> /dev/null | ${GREPBINARY} "\-D HTTPD_ROOT=" | ${SEDBINARY} 's/[ ]-D HTTPD_ROOT=//' | ${TRBINARY} -d '"' | ${TRBINARY} -d ' ')
|
||||
#echo "Apache root prefix: ${APACHE_HTTPDROOT}"
|
||||
|
@ -112,7 +112,7 @@
|
|||
APACHE_CONFIGFILE="${APACHE_TESTFILE}"
|
||||
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
|
||||
LogText "Result: Configuration file found (${APACHE_CONFIGFILE})"
|
||||
else
|
||||
else
|
||||
LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
|
||||
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
|
||||
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
|
||||
|
@ -162,7 +162,7 @@
|
|||
cVHOSTS=$((cVHOSTS + 1))
|
||||
fi
|
||||
done
|
||||
else
|
||||
else
|
||||
LogText "Result: can not read configuration file with this user ID"
|
||||
ReportException "${TEST_NO}:1" "Can not read configuration file $I"
|
||||
fi
|
||||
|
@ -180,66 +180,16 @@
|
|||
LogText "Result: found ${cVHOSTS} virtual hosts"
|
||||
if [ ${cVHOSTS} -gt 0 ]; then
|
||||
Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts"
|
||||
else
|
||||
else
|
||||
Display --indent 6 --text "Info: No virtual hosts found"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Remove temp files
|
||||
if [ -f ${TMPFILE} -a ! "${TMPFILE}" = "" ]; then
|
||||
if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then
|
||||
rm -f ${TMPFILE}
|
||||
fi
|
||||
if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6628
|
||||
# Description : Testing other Apache configuration files
|
||||
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no HTTP-6628 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Testing other Apache configuration file"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# # Configuration specific tests
|
||||
# SERVERTOKENSFOUND=0
|
||||
# APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf"
|
||||
#
|
||||
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
|
||||
# if [ -f ${APACHE_CONFIGFILE} ]; then
|
||||
# # Check if option ServerTokens is configured
|
||||
# SERVERTOKENSTEST=$(${GREPBINARY} ServerTokens ${APACHE_CONFIGFILE} | ${GREPBINARY} -v '^#')
|
||||
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
|
||||
# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE
|
||||
# SERVERTOKENSTEST=$(echo ${SERVERTOKENSTEST} | ${SEDBINARY} 's/ServerTokens//' | ${TRBINARY} -d ' ')
|
||||
# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
|
||||
# SERVERTOKENSEXPECTED=$(${GREPBINARY} 'apache' ${PROFILE} | ${GREPBINARY} 'ServerTokens' | ${CUTBINARY} -d ':' -f3)
|
||||
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
|
||||
# LogText "Result: Value from configuration file yielded the same output as in template"
|
||||
# SERVERTOKENSFOUND=1
|
||||
# else
|
||||
# LogText "Result: Value of ServerTokens within active configuration is different than from used template."
|
||||
# LogText "Found: ${SERVERTOKENSTEST}"
|
||||
# LogText "Expected: ${SERVERTOKENSEXPECTED}"
|
||||
# fi
|
||||
# else
|
||||
# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
# fi
|
||||
#
|
||||
# else
|
||||
# # File does not exist, skipping
|
||||
# LogText "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
|
||||
# fi
|
||||
# done
|
||||
#
|
||||
# # Display results from checks
|
||||
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
|
||||
# Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_OK}" --color GREEN
|
||||
# else
|
||||
# Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_WARNING}" --color RED
|
||||
# ReportWarning ${TEST_NO} "Value of 'ServerTokens' in Apache config is different than template"
|
||||
# fi
|
||||
# fi
|
||||
# fi
|
||||
# fi
|
||||
|
||||
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
@ -284,7 +234,7 @@
|
|||
if [ ${N} -eq 0 ]; then
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE
|
||||
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
|
||||
else
|
||||
else
|
||||
Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN
|
||||
Display --indent 8 --text "- Found ${N} loadable modules"
|
||||
fi
|
||||
|
@ -302,7 +252,7 @@
|
|||
if [ ${ITEM_FOUND} -eq 1 ]; then
|
||||
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
else
|
||||
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
AddHP 2 3
|
||||
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
|
||||
|
@ -330,26 +280,6 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6642
|
||||
# Description : Search for special Apache modules: Spamhaus
|
||||
# Notes : This test is outdated
|
||||
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
#Register --test-no HTTP-6642 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
|
||||
#if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# # Check modules, module
|
||||
# CheckItem "apache_module" "/mod_spamhaus.so"
|
||||
# if [ ${ITEM_FOUND} -eq 1 ]; then
|
||||
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_FOUND}" --color GREEN
|
||||
# AddHP 3 3
|
||||
# else
|
||||
# Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
# AddHP 2 3
|
||||
# ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers"
|
||||
# fi
|
||||
#fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6643
|
||||
# Description : Search for special Apache modules: security
|
||||
|
@ -361,12 +291,11 @@
|
|||
if [ ${ITEM_FOUND} -eq 1 ]; then
|
||||
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
|
||||
AddHP 3 3
|
||||
else
|
||||
else
|
||||
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
AddHP 2 3
|
||||
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
|
||||
fi
|
||||
# Extend test with nginx?
|
||||
fi
|
||||
#
|
||||
#################################################################################
|
||||
|
@ -382,12 +311,12 @@
|
|||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: searching running nginx process"
|
||||
FIND=$(${PSBINARY} ax | ${GREPBINARY} "/nginx" | ${GREPBINARY} "master" | ${GREPBINARY} -v "grep")
|
||||
if [ ! "${FIND}" = "" ]; then
|
||||
if [ ! -z "${FIND}" ]; then
|
||||
LogText "Result: found running nginx process(es)"
|
||||
Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN
|
||||
NGINX_RUNNING=1
|
||||
Report "nginx_running=1"
|
||||
else
|
||||
else
|
||||
LogText "Result: no running nginx process found"
|
||||
Display --indent 2 --text "- Checking nginx" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
|
@ -408,11 +337,11 @@
|
|||
NGINX_CONF_FILES="${I}/nginx.conf"
|
||||
fi
|
||||
done
|
||||
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
|
||||
if [ ! -z "${NGINX_CONF_LOCATION}" ]; then
|
||||
LogText "Result: found nginx configuration file"
|
||||
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
|
||||
Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN
|
||||
else
|
||||
else
|
||||
LogText "Result: no nginx configuration file found"
|
||||
Display --indent 2 --text "- Searching nginx configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
fi
|
||||
|
@ -423,11 +352,11 @@
|
|||
# Test : HTTP-6706
|
||||
# Description : Search for includes within nginx configuration file
|
||||
# Notes : Daemon nginx should be running, nginx.conf should be found
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for additional nginx configuration files"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# Remove temp file
|
||||
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||
N=0
|
||||
${SEDBINARY} -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE}
|
||||
# Search for included configuration files (may include directories and wild cards)
|
||||
|
@ -440,13 +369,13 @@
|
|||
N=$((N + 1))
|
||||
LogText "Result: found Nginx configuration file ${J}"
|
||||
Report "nginx_sub_conf_file[]=${J}"
|
||||
FileIsReadable ${J}
|
||||
if [ ${CANREAD} -eq 1 ]; then
|
||||
NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}"
|
||||
FIND3=$(sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE})
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
|
||||
fi
|
||||
FileIsReadable ${J}
|
||||
if [ ${CANREAD} -eq 1 ]; then
|
||||
NGINX_CONF_FILES="${NGINX_CONF_FILES} ${J}"
|
||||
FIND3=$(sed -e 's/^[ ]*//' ${J} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$" | ${SEDBINARY} 's/[ ]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ / /g' >> ${TMPFILE})
|
||||
else
|
||||
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
@ -463,7 +392,7 @@
|
|||
|
||||
if [ ${N} -eq 0 ]; then
|
||||
LogText "Result: no nginx include statements found"
|
||||
else
|
||||
else
|
||||
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
|
||||
fi
|
||||
fi
|
||||
|
@ -473,7 +402,7 @@
|
|||
# Test : HTTP-6708
|
||||
# Description : Check discovered nginx configuration settings for further hardening
|
||||
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_FILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_FILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check discovered nginx configuration settings"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
LogText "Test: start parsing all discovered nginx options"
|
||||
|
@ -513,7 +442,7 @@
|
|||
# Test : HTTP-6710
|
||||
# Description : Check SSL configuration of nginx
|
||||
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx SSL configuration settings"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
NGINX_SSL_SUGGESTION=0
|
||||
|
@ -524,14 +453,14 @@
|
|||
# Cipher tests
|
||||
if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then
|
||||
Display --indent 8 --text "- Ciphers configured" --result "${STATUS_YES}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 8 --text "- Ciphers configured" --result "${STATUS_NO}" --color RED
|
||||
NGINX_SSL_SUGGESTION=1
|
||||
fi
|
||||
|
||||
if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then
|
||||
Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_YES}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_NO}" --color RED
|
||||
NGINX_SSL_SUGGESTION=1
|
||||
fi
|
||||
|
@ -540,16 +469,15 @@
|
|||
Display --indent 8 --text "- Protocols configured" --result "${STATUS_YES}" --color GREEN
|
||||
if [ ${NGINX_WEAK_SSL_PROTOCOL_FOUND} -eq 0 ]; then
|
||||
Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_NO}" --color GREEN
|
||||
else
|
||||
else
|
||||
Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_YES}" --color RED
|
||||
ReportSuggestion "${TEST_NO}" "Disable weak protocol in nginx configuration"
|
||||
fi
|
||||
else
|
||||
else
|
||||
Display --indent 8 --text "- Protocols configured" --result "${STATUS_NO}" --color RED
|
||||
NGINX_SSL_SUGGESTION=1
|
||||
fi
|
||||
|
||||
else
|
||||
else
|
||||
LogText "Result: No SSL configuration found"
|
||||
Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED
|
||||
ReportSuggestion ${TEST_NO} "Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy"
|
||||
|
@ -566,7 +494,7 @@
|
|||
# Test : HTTP-6712
|
||||
# Description : Check logging configuration of nginx
|
||||
# Notes : Daemon of nginx should be running, nginx.conf should be found
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx access logging"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
NGINX_LOG_SUGGESTION=0
|
||||
|
@ -576,7 +504,7 @@
|
|||
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
|
||||
NGINX_LOG_SUGGESTION=1
|
||||
Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_YES}" --color RED
|
||||
else
|
||||
else
|
||||
Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_NO}" --color GREEN
|
||||
fi
|
||||
# Access log disabled
|
||||
|
@ -585,7 +513,7 @@
|
|||
LogText "Result: found one or more virtual hosts which have their access log disabled"
|
||||
Display --indent 8 --text "- Disabled access logging" --result "${STATUS_YES}" --color RED
|
||||
AddHP 2 3
|
||||
else
|
||||
else
|
||||
LogText "Result: no virtual hosts found which have their access log disabled"
|
||||
Display --indent 8 --text "- Disabled access logging" --result "${STATUS_NO}" --color GREEN
|
||||
AddHP 3 3
|
||||
|
@ -600,7 +528,7 @@
|
|||
#
|
||||
# Test : HTTP-6714
|
||||
# Description : Check missing error logs in nginx
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for missing error logs in nginx"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
NGINX_LOG_SUGGESTION=0
|
||||
|
@ -608,7 +536,7 @@
|
|||
if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then
|
||||
NGINX_LOG_SUGGESTION=1
|
||||
Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_YES}" --color RED
|
||||
else
|
||||
else
|
||||
Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_NO}" --color GREEN
|
||||
fi
|
||||
# Report suggestion
|
||||
|
@ -621,7 +549,7 @@
|
|||
#
|
||||
# Test : HTTP-6716
|
||||
# Description : Check debug mode on error log in nginx
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
if [ ${NGINX_RUNNING} -eq 1 -a ! -z "${NGINX_CONF_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for debug mode on error log in nginx"
|
||||
if [ ${SKIPTEST} -eq 0 ]; then
|
||||
NGINX_LOG_SUGGESTION=0
|
||||
|
@ -631,7 +559,7 @@
|
|||
LogText "Result: found one or more virtual hosts which have their error log in debug mode"
|
||||
Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_YES}" --color RED
|
||||
AddHP 2 3
|
||||
else
|
||||
else
|
||||
LogText "Result: no virtual hosts found which have their access log disabled"
|
||||
Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_NO}" --color GREEN
|
||||
AddHP 3 3
|
||||
|
@ -643,56 +571,6 @@
|
|||
fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-67xx
|
||||
# Description : Check if nginx is running as a reverse proxy
|
||||
# Notes : aliases are not counted yet (YYY)
|
||||
# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx virtual hosts"
|
||||
# if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# N=0
|
||||
# LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
|
||||
# FIND=$(${GREPBINARY} "proxy_pass" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/proxy_pass//g' | ${TRBINARY} -d ';')
|
||||
# for I in ${FIND}; do
|
||||
# LogText "Found reverse proxy configuration for: ${I}"
|
||||
# N=$((N + 1))
|
||||
# done
|
||||
# if [ ${N} -eq 0 ]; then
|
||||
# LogText "Result: no reverse proxying functionality found"
|
||||
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
# else
|
||||
# LogText "Result: found ${N} addresses for which nginx will be a reverse proxy"
|
||||
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
|
||||
# fi
|
||||
# fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-67xx
|
||||
# Description : Search for nginx virtual hosts
|
||||
# Notes : Test if not aware yet of included configuration files
|
||||
# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nginx virtual hosts"
|
||||
# if [ ${SKIPTEST} -eq 0 ]; then
|
||||
# N=0
|
||||
# LogText "Test: searching nginx virtual hosts"
|
||||
# FIND=$(${GREPBINARY} "server_name" ${NGINX_CONF_LOCATION} | ${GREPBINARY} -v "#" | ${SEDBINARY} 's/server_name//g' | ${TRBINARY} -d ';')
|
||||
# for I in ${FIND}; do
|
||||
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
|
||||
# LogText "Found virtual host: ${I}"
|
||||
# Report "nginx_vhost_name[]=${I}"
|
||||
# N=$((N + 1))
|
||||
# done
|
||||
# if [ ${N} -eq 0 ]; then
|
||||
# LogText "Result: no virtual hosts found"
|
||||
# Display --indent 4 --text "- Searching virtual hosts" --result "${STATUS_NOT_FOUND}" --color WHITE
|
||||
# else
|
||||
# LogText "Result: found ${N} virtual hosts"
|
||||
# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
|
||||
# fi
|
||||
# fi
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6720
|
||||
# Description : Search for Nginx log files
|
||||
|
@ -727,18 +605,11 @@
|
|||
#
|
||||
#################################################################################
|
||||
#
|
||||
# Test : HTTP-6740
|
||||
# Description : Nginx: Check for server_tokens off in configuration files
|
||||
#
|
||||
#################################################################################
|
||||
#
|
||||
|
||||
# Remove temp file (double check)
|
||||
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||
if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||
if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
|
||||
if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
|
||||
|
||||
|
||||
WaitForKeyPress
|
||||
WaitForKeyPress
|
||||
|
||||
#
|
||||
#================================================================================
|
||||
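Review bot: The rewritten temp-file guard `if [ -f ${TMPFILE} -a ! -z "${TMPFILE}" ]; then` in hunk `@ -180,66 +180,16 @@` applies `-f` to the unquoted, possibly empty variable before checking that it is non-empty, so with an empty TMPFILE the expression degenerates to `[ -f -a ! -z "" ]`, which bash's test rejects with an error rather than evaluating to a clean false; the file already uses the safe order for TMPFILE2 (`if [ ! -z "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; ...`), so this line should read `if [ ! -z "${TMPFILE}" -a -f "${TMPFILE}" ]; then`. In hunk `@ -423,11 +352,11 @@` the new line `if [ ! -z "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi` deletes the file that CreateTempFile reserved (presumably via mktemp) and the unchanged `>> ${TMPFILE}` two lines later recreates it at the same, now unreserved, path — in a shared temp directory that is the classic window for another local user to place a symlink there before the append, so truncating with `: > "${TMPFILE}"` or requesting a fresh temp file instead of removing and re-appending would close it. The `FIND3=$(sed -e ...)` lines in hunk `@ -440,13 +369,13 @@` also use bare `sed` where the rest of the pipeline uses `${SEDBINARY}`; the enclosing HTTP-6626 and HTTP-6706 test blocks start and end outside their hunks.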
|
|