tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #82 from SiemKorteweg/master 

Optimized use of cat, grep and awk.
This commit is contained in:
Michael Boelen 2015-10-14 10:55:33 +02:00
parent 24a006da14 0c48fc3880
commit 776a70d6cf
23 changed files with 80 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
extras/build-lynis.sh
View File

@ -212,7 +212,7 @@
if [ -f ${SOURCEFILE_RPM} ]; then
if [ -f lynis.spec ]; then
# adjust version in spec file
VERSION_IN_SPECFILE=`cat lynis.spec | grep "^Version:" | sed 's/ //g' | awk -F: '{ print $2 }'`
VERSION_IN_SPECFILE=`awk '/^Version:/ { print $2 }' lynis.spec`
echo "[=] Found version ${VERSION_IN_SPECFILE}"
if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
echo "[X] Version in specfile is outdated"
@ -372,12 +372,12 @@ Exit
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Creating MD5 hashes..."
PACKAGE_LIST_FILES=`cat files.dat | grep "^file:" | cut -d ':' -f3`
PACKAGE_LIST_FILES=`grep "^file:" files.dat | cut -d ':' -f3`
for I in ${PACKAGE_LIST_FILES}; do
echo -n "${I} "
#FULLNAME=`cat files.dat | grep ":file:include:
#FULLNAME=`grep ":file:include:" files.dat
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
echo "${I}" >> ${OPENBSD_CONTENTS}
FILE="../${I}"

2
include/data_upload
View File

@ -127,7 +127,7 @@ output "Settings file: ${SETTINGS_FILE}"
ExitFatal
fi
# Extract the hostid from the parse file
HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'`
HOSTID=`awk -F= '/^hostid=/ { print $2 }' ${REPORTFILE}`
if [ ! "${HOSTID}" = "" ]; then
output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
# Try to connect

6
include/functions
View File

@ -93,10 +93,10 @@
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
PROFILEVALUE=`grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3`
else
FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
PROFILEVALUE=`grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3`
fi
if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
fi
@ -929,7 +929,7 @@
# Parse nginx configuration lines
ParseNginx()
{
FIND=`cat ${REPORTFILE} | grep "^nginx_config_option=" | awk -F= '{ if ($1=="nginx_config_option") { print $2 }}' | sed 's/ /:space:/g'`
FIND=`awk -F= '/^nginx_config_option=/ { print $2 }' ${REPORTFILE} | sed 's/ /:space:/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//'`
OPTION=`echo ${I} | awk '{ print $1 }'`

28
include/osdetection
View File

@ -114,7 +114,7 @@
FIND=`grep "Amazon" /etc/system-release`
if [ ! "${FIND}" = "" ]; then
OS_REDHAT_OR_CLONE=1
OS_FULLNAME=`cat /etc/system-release | grep "^Amazon"`
OS_FULLNAME=`grep "^Amazon" /etc/system-release`
OS_VERSION=`grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }'`
LINUX_VERSION="Amazon"
fi
@ -129,8 +129,8 @@
# Chakra Linux
if [ -e "/etc/chakra-release" ]; then
OS_FULLNAME=`cat /etc/chakra-release | grep "^Chakra"`
OS_VERSION=`cat /etc/chakra-release | grep "^Chakra" | awk '{ if ($3=="release") { print $4 }}'`
OS_FULLNAME=`grep "^Chakra" /etc/chakra-release`
OS_VERSION=`awk '/^Chakra/ { if ($3=="release") { print $4 }}' /etc/chakra-release`
LINUX_VERSION="Chakra Linux"
fi
@ -162,7 +162,7 @@
OS_FULLNAME="Debian ${OS_VERSION}"
LINUX_VERSION="Debian"
fi
# Ubuntu test (optional) `cat /proc/version | grep "[Uu]buntu"`
# Ubuntu test (optional) `grep "[Uu]buntu" /proc/version`
fi
# E-smith
if [ -e "/etc/e-smith-release" ]; then OS_FULLNAME=`cat /etc/e-smith-release`; fi
@ -176,7 +176,7 @@
# CentOS
FIND=`grep "CentOS" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "CentOS"`
OS_FULLNAME=`grep "CentOS" /etc/redhat-release`
LINUX_VERSION="CentOS"
OS_VERSION="${OS_FULLNAME}"
fi
@ -184,7 +184,7 @@
# ClearOS
FIND=`grep "ClearOS" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "ClearOS"`
OS_FULLNAME=`grep "ClearOS" /etc/redhat-release`
LINUX_VERSION="ClearOS"
OS_VERSION="${OS_FULLNAME}"
fi
@ -192,7 +192,7 @@
# Fedora
FIND=`grep "Fedora" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "Fedora"`
OS_FULLNAME=`grep "Fedora" /etc/redhat-release`
OS_VERSION="${OS_FULLNAME}"
LINUX_VERSION="Fedora"
fi
@ -200,7 +200,7 @@
# Mageia (has also /etc/megaia-release)
FIND=`grep "Mageia" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "^Mageia"`
OS_FULLNAME=`grep "^Mageia" /etc/redhat-release`
OS_VERSION=`grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }'`
LINUX_VERSION="Mageia"
fi
@ -209,7 +209,7 @@
FIND=`grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
LINUX_VERSION="Oracle Enterprise Linux";
OS_FULLNAME=`cat /etc/redhat-release | grep "Enterprise Linux"`;
OS_FULLNAME=`grep "Enterprise Linux" /etc/redhat-release`;
OS_VERSION="${OS_FULLNAME}";
fi
@ -218,7 +218,7 @@
FIND=`grep "Oracle Linux Server" /etc/oracle-release`
if [ ! "${FIND}" = "" ]; then
LINUX_VERSION="Oracle Enterprise Linux";
OS_FULLNAME=`cat /etc/oracle-release | grep "Oracle Linux"`;
OS_FULLNAME=`grep "Oracle Linux" /etc/oracle-release`;
OS_VERSION="${OS_FULLNAME}";
fi
fi
@ -228,7 +228,7 @@
FIND=`grep "Oracle VM" /etc/ovs-release`
if [ ! "${FIND}" = "" ]; then
LINUX_VERSION="Oracle VM Server";
OS_FULLNAME=`cat /etc/ovs-release | grep "Oracle VM"`;
OS_FULLNAME=`grep "Oracle VM" /etc/ovs-release`;
OS_VERSION="${OS_FULLNAME}";
fi
fi
@ -236,7 +236,7 @@
# Red Hat
FIND=`grep "Red Hat" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "Red Hat"`
OS_FULLNAME=`grep "Red Hat" /etc/redhat-release`
OS_VERSION="${OS_FULLNAME}"
LINUX_VERSION="Red Hat"
fi
@ -244,7 +244,7 @@
# Scientific
FIND=`grep "Scientific" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "^Scientific"`
OS_FULLNAME=`grep "^Scientific" /etc/redhat-release`
OS_VERSION=`grep "^Scientific" /etc/redhat-release | awk '{ if ($3=="release") { print $4 } }'`
LINUX_VERSION="Scientific"
fi
@ -273,7 +273,7 @@
fi
if [ -f /etc/SLOX-release ]; then
OS_FULLNAME=`cat /etc/SLOX-release | grep "SuSE Linux"`
OS_FULLNAME=`grep "SuSE Linux" /etc/SLOX-release`
LINUX_VERSION="SuSE"
fi

2
include/profiles
View File

@ -20,7 +20,7 @@
#
Display --indent 2 --text "- Checking profile file (${PROFILE})..."
logtext "Reading profile/configuration ${PROFILE}"
FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'`
FIND=`grep '^config:' ${PROFILE} | sed 's/ /!space!/g'`
for I in ${FIND}; do
OPTION=`echo ${I} | cut -d ':' -f2`
VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`

2
include/report
View File

@ -102,7 +102,7 @@
if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi
# Show warnings from logfile
SWARNINGS=`cat ${LOGFILE} | grep -i 'warning:' | sed 's/ /!space!/g'`
SWARNINGS=`grep -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g'`
if [ "${SWARNINGS}" = "" ]; then
echo " ${OK}No warnings${NORMAL}"; echo ""

14
include/tests_authentication
View File

@ -69,7 +69,7 @@
fi
# Check password file
if [ -f ${PASSWD_FILE} ]; then
FIND=`cat ${PASSWD_FILE} | grep -v '^#' | cut -d ':' -f3 | sort | uniq -d`
FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN
logtext "Result: all accounts found in ${PASSWD_FILE} are unique"
@ -155,7 +155,7 @@
logtext "Test: Checking login shells"
if [ -f /etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=`cat /etc/master.passwd | grep "[a-z]:\*:" | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking login shells" --result OK --color GREEN
else
@ -194,7 +194,7 @@
Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for non unique group ID's in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN
logtext "Result: All group ID's are unique"
@ -215,7 +215,7 @@
Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check non unique group names"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for non unique group names in /etc/group"
FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN
logtext "Result: All group names are unique"
@ -497,7 +497,7 @@
logtext "Result: file /etc/pam.conf exists"
Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
logtext "Test: searching PAM configuration files"
FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else
@ -577,7 +577,7 @@
if [ -f /etc/pam.d/common-auth ]; then
logtext "Result: file /etc/pam.d/common-auth exists"
logtext "Test: checking presence LDAP module"
FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"`
FIND=`grep "^auth.*ldap" /etc/pam.d/common-auth`
if [ ! "${FIND}" = "" ]; then
logtext "Result: LDAP module present"
logtext "Output: ${FIND}"
@ -950,7 +950,7 @@
FOUND=0
WEAK_UMASK=0
logtext "Result: file /etc/login.conf exists"
FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
FIND=`grep "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
case ${UMASK_VALUE} in

12
include/tests_boot_services
View File

@ -66,7 +66,7 @@
case ${OS} in
"Linux")
if [ -f /proc/1/cmdline ]; then
FILE=`cat /proc/1/cmdline | grep "^/" | awk '{ print $1 }'`
FILE=`awk '/^\// { print $1 }' /proc/1/cmdline`
if [ ! "${FILE}" = "" ]; then
if [ -L ${FILE} ]; then
ShowSymlinkPath ${FILE}
@ -235,10 +235,10 @@
logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
FIND3=`cat ${GRUBCONFFILE} | grep 'set superusers' | grep -v '^#'`
FIND4=`cat ${GRUBCONFFILE} | grep 'password_pbkdf2' | grep -v '^#'`
FIND=`grep 'password --md5' ${GRUBCONFFILE} | grep -v '^#'`
FIND2=`grep 'password --encrypted' ${GRUBCONFFILE} | grep -v '^#'`
FIND3=`grep 'set superusers' ${GRUBCONFFILE} | grep -v '^#'`
FIND4=`grep 'password_pbkdf2' ${GRUBCONFFILE} | grep -v '^#'`
# GRUB1: MD5 or SHA1
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
@ -313,7 +313,7 @@
BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN
logtext "Checking password option LILO"
FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED
logtext "Result: no password set for LILO. Bootloader is unprotected to"

2
include/tests_databases
View File

@ -136,7 +136,7 @@
#Register --test-no DBS-1842 --weight L --network NO --description "Checking Oracle home paths"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/oratab ]; then
# FIND=`cat /etc/oratab | grep -v "#" | awk -F: "{ print $2 }"`
# FIND=`grep -v "#" /etc/oratab | awk -F: "{ print $2 }"`
# fi
#fi
#

2
include/tests_file_permissions
View File

@ -29,7 +29,7 @@
Display --indent 2 --text "- Starting file permissions check"
logtext "Test: Checking file permissions"
logtext "Using profile ${PROFILE} for baseline."
FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2`
FIND=`egrep '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2`
for I in ${FIND}; do
logtext "Checking ${I}"
CheckFilePermissions ${I}

2
include/tests_insecure_services
View File

@ -71,7 +71,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
logtext "Test: check if all services are disabled if inetd is disabled"
FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"`
FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN
else

10
include/tests_kernel
View File

@ -105,9 +105,9 @@
if [ -f /proc/cpuinfo ]; then
logtext "Result: found /proc/cpuinfo"
logtext "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "`
FIND_PAE=`cat /proc/cpuinfo | grep " pae "`
FIND_NX=`cat /proc/cpuinfo | grep " nx "`
FIND_PAE_NX=`grep " pae " /proc/cpuinfo | grep " nx "`
FIND_PAE=`grep " pae " /proc/cpuinfo`
FIND_NX=`grep " nx " /proc/cpuinfo`
FOUND=0
if [ ! "${FIND_PAE_NX}" = "" ]; then
logtext "PAE: Yes"
@ -380,8 +380,8 @@
if [ -f /etc/security/limits.conf ]; then
logtext "Result: file /etc/security/limits.conf exists"
logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
FIND1=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
logtext "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW

4
include/tests_logging
View File

@ -380,7 +380,7 @@
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking directories in /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: parsing directories from /etc/newsyslog.conf file"
FIND=`cat /etc/newsyslog.conf | sort -u | grep "^/" | awk '{ print $1 }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u`
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u`
for I in ${FIND}; do
if [ -d ${I} ]; then
logtext "Result: Directory ${I} found and exists"
@ -400,7 +400,7 @@
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking files specified /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: parsing files from /etc/newsyslog.conf file"
FIND=`cat /etc/newsyslog.conf | sort -u | grep "^/" | awk '{ print $1 }'`
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sort -u`
for I in ${FIND}; do
if [ -f ${I} ]; then
logtext "Result: File ${I} found and exists"

2
include/tests_memory_processes
View File

@ -29,7 +29,7 @@
if [ -f /proc/meminfo ]; then
logtext "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN
FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'`
FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"

18
include/tests_nameservices
View File

@ -42,7 +42,7 @@
logtext "Test: check /etc/resolv.conf for default domain"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'`
FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
logtext "Result: no default domain found"
Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE
@ -67,7 +67,7 @@
logtext "Test: check /etc/resolv.conf for search domains"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
FIND=`cat /etc/resolv.conf | grep "^search" | sed 's/^search //'`
FIND=`awk '/^search/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
logtext "Result: no search domains found, default domain is being used"
else
@ -92,7 +92,7 @@
fi
# Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
FIND=`grep -c "^search" /etc/resolv.conf`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
@ -452,7 +452,7 @@
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for PowerDNS backends"
FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^launch" | awk -F= '{ print $2 }'`
FIND=`awk -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Found backend: ${I}"
@ -472,7 +472,7 @@
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS authoritive status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for PowerDNS master status"
FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^master=yes"`
FIND=`grep "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
logtext "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES"
@ -482,7 +482,7 @@
Display --indent 4 --text "- PowerDNS authoritive master: NO"
fi
logtext "Test: Checking for PowerDNS slave status"
FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^slave=yes"`
FIND=`grep "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
logtext "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES"
@ -588,7 +588,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check duplicate line in /etc/hosts"
if [ -f /etc/hosts ]; then
sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | sort | uniq -d`
sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d`
if [ "${sFIND}" = "" ]; then
logtext "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN
@ -613,7 +613,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
sFIND=`cat /etc/hosts | egrep -v '^(#|$|^::1\s|localhost)' | grep ${HOSTNAME}`
sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
@ -634,7 +634,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}`
sFIND=`egrep -v '^(#|$)' /etc/hosts | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then
logtext "Result: Found this server hostname mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW

10
include/tests_php
View File

@ -147,7 +147,7 @@
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP register_globals option"
FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'`
FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
@ -171,7 +171,7 @@
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking expose_php option"
FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option" --result ON --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
@ -195,7 +195,7 @@
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP enable_dl option"
FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW
report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
@ -218,7 +218,7 @@
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_fopen option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW
report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
@ -241,7 +241,7 @@
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_include option"
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW
report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"

8
include/tests_shells
View File

@ -47,7 +47,7 @@
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking console TTYs"
FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'`
FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN
logtext "Result: console is secured against single user mode without password."
@ -71,7 +71,7 @@
if [ -f /etc/shells ]; then
logtext "Result: Found /etc/shells file"
logtext "Test: Reading available shells from /etc/shells"
SSHELLS=`cat /etc/shells | grep "^/"`
SSHELLS=`grep "^/" /etc/shells`
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do
@ -113,9 +113,9 @@
if [ -f /etc/profile ]; then
# Determine if we can find a TMOUT value
FIND=`cat /etc/profile | grep 'TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'`
FIND=`grep 'TMOUT=' /etc/profile | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'`
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=`cat /etc/profile | grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'`
FIND2=`grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do

2
include/tests_snmp
View File

@ -75,7 +75,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
WARN=0
logtext "Test: reading active snmp communities"
FIND=`cat ${SNMPD_DAEMON_CONFIG} | grep "^com2sec" | ${AWKBINARY} '{ print $4 }'`
FIND=`${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMPD_DAEMON_CONFIG}`
for I in ${FIND}; do
logtext "Output: ${I}"
if [ "${I}" = "public" -o "${I}" = "private" ]; then

2
include/tests_squid
View File

@ -110,7 +110,7 @@
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
FIND=`grep -v "^#" ${SQUID_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found Squid option: ${I}"

8
include/tests_ssh
View File

@ -86,7 +86,7 @@
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH defined options"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SSH_DAEMON_CONFIG}"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
FIND=`grep -v "^#" ${SSH_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found SSH option: ${I}"
@ -102,7 +102,7 @@
Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check PermitRootLogin option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
FIND=`awk '/^PermitRootLogin/ { print $2 }' ${SSH_DAEMON_CONFIG}`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin" --result WARNING --color RED
@ -134,7 +134,7 @@
Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check allowed SSH protocol versions"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
FIND=`awk '/^Protocol/ { print $2 }' ${SSH_DAEMON_CONFIG}`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1"
Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
@ -160,7 +160,7 @@
Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check configured StrictModes option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
FIND=`awk '/^StrictModes/ { print $2 }' ${SSH_DAEMON_CONFIG}`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
Display --indent 4 --text "- SSH option: StrictModes" --result WARNING --color RED

2
include/tests_storage_nfs
View File

@ -118,7 +118,7 @@
logtext "Test: check /etc/exports"
if [ -f /etc/exports ]; then
logtext "Result: /etc/exports exists"
FIND=`cat /etc/exports | grep -v "^$" | grep -v "^#" | sed 's/ /!space!/g'`
FIND=`grep -v "^$" /etc/exports | grep -v "^#" | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`

2
include/tests_time
View File

@ -102,7 +102,7 @@
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
logtext "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=`cat ${I} | ${EGREPBINARY} "ntpdate|rdate" | grep -v '^#'`
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN

14
include/tests_webservers
View File

@ -144,14 +144,14 @@
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
# Search Virtual Hosts
for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do
for J in `grep "ServerName" ${I} | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1`
fi
done
# Search Server aliases
for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
for J in `grep "ServerAlias" ${I} | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1`
@ -200,12 +200,12 @@
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
# if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3`
# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3`
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
# logtext "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1
@ -420,7 +420,7 @@
# Remove temp file
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ ]*//' | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
for I in ${FIND}; do
@ -433,7 +433,7 @@
report "nginx_sub_conf_file=${J}"
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
FIND3=`cat ${J} | sed -e 's/^[ ]*//' | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
FIND3=`sed -e 's/^[ ]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi
@ -442,7 +442,7 @@
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=`cat ${TMPFILE} | sort -u | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'`
report "nginx_config_option=${I}";