diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh index f0f6cc72..b4f4402e 100755 --- a/extras/build-lynis.sh +++ b/extras/build-lynis.sh @@ -212,7 +212,7 @@ if [ -f ${SOURCEFILE_RPM} ]; then if [ -f lynis.spec ]; then # adjust version in spec file - VERSION_IN_SPECFILE=`cat lynis.spec | grep "^Version:" | sed 's/ //g' | awk -F: '{ print $2 }'` + VERSION_IN_SPECFILE=`awk '/^Version:/ { print $2 }' lynis.spec` echo "[=] Found version ${VERSION_IN_SPECFILE}" if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then echo "[X] Version in specfile is outdated" @@ -372,12 +372,12 @@ Exit #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= echo -n "- Creating MD5 hashes..." - PACKAGE_LIST_FILES=`cat files.dat | grep "^file:" | cut -d ':' -f3` + PACKAGE_LIST_FILES=`grep "^file:" files.dat | cut -d ':' -f3` for I in ${PACKAGE_LIST_FILES}; do echo -n "${I} " - #FULLNAME=`cat files.dat | grep ":file:include: + #FULLNAME=`grep ":file:include:" files.dat #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS} echo "${I}" >> ${OPENBSD_CONTENTS} FILE="../${I}" diff --git a/include/data_upload b/include/data_upload index d7bf1401..cd5f0cda 100644 --- a/include/data_upload +++ b/include/data_upload @@ -127,7 +127,7 @@ output "Settings file: ${SETTINGS_FILE}" ExitFatal fi # Extract the hostid from the parse file - HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'` + HOSTID=`awk -F= '/^hostid=/ { print $2 }' ${REPORTFILE}` if [ ! "${HOSTID}" = "" ]; then output "${WHITE}Found hostid: ${HOSTID}${NORMAL}" # Try to connect diff --git a/include/functions b/include/functions index 7bf7ed46..aea0109f 100644 --- a/include/functions +++ b/include/functions @@ -93,10 +93,10 @@ # If 'file' is an directory, use -d if [ -d ${CHECKFILE} ]; then FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`grep '^permdir' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3` else FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`grep '^permfile' ${PROFILE} | grep ":${CHECKFILE}:" | cut -d: -f3` fi if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi fi @@ -929,7 +929,7 @@ # Parse nginx configuration lines ParseNginx() { - FIND=`cat ${REPORTFILE} | grep "^nginx_config_option=" | awk -F= '{ if ($1=="nginx_config_option") { print $2 }}' | sed 's/ /:space:/g'` + FIND=`awk -F= '/^nginx_config_option=/ { print $2 }' ${REPORTFILE} | sed 's/ /:space:/g'` for I in ${FIND}; do I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//'` OPTION=`echo ${I} | awk '{ print $1 }'` diff --git a/include/osdetection b/include/osdetection index dbb0d1d8..3aa6af34 100644 --- a/include/osdetection +++ b/include/osdetection @@ -114,7 +114,7 @@ FIND=`grep "Amazon" /etc/system-release` if [ ! "${FIND}" = "" ]; then OS_REDHAT_OR_CLONE=1 - OS_FULLNAME=`cat /etc/system-release | grep "^Amazon"` + OS_FULLNAME=`grep "^Amazon" /etc/system-release` OS_VERSION=`grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }'` LINUX_VERSION="Amazon" fi @@ -129,8 +129,8 @@ # Chakra Linux if [ -e "/etc/chakra-release" ]; then - OS_FULLNAME=`cat /etc/chakra-release | grep "^Chakra"` - OS_VERSION=`cat /etc/chakra-release | grep "^Chakra" | awk '{ if ($3=="release") { print $4 }}'` + OS_FULLNAME=`grep "^Chakra" /etc/chakra-release` + OS_VERSION=`awk '/^Chakra/ { if ($3=="release") { print $4 }}' /etc/chakra-release` LINUX_VERSION="Chakra Linux" fi @@ -162,7 +162,7 @@ OS_FULLNAME="Debian ${OS_VERSION}" LINUX_VERSION="Debian" fi - # Ubuntu test (optional) `cat /proc/version | grep "[Uu]buntu"` + # Ubuntu test (optional) `grep "[Uu]buntu" /proc/version` fi # E-smith if [ -e "/etc/e-smith-release" ]; then OS_FULLNAME=`cat /etc/e-smith-release`; fi @@ -176,7 +176,7 @@ # CentOS FIND=`grep "CentOS" /etc/redhat-release` if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=`cat /etc/redhat-release | grep "CentOS"` + OS_FULLNAME=`grep "CentOS" /etc/redhat-release` LINUX_VERSION="CentOS" OS_VERSION="${OS_FULLNAME}" fi @@ -184,7 +184,7 @@ # ClearOS FIND=`grep "ClearOS" /etc/redhat-release` if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=`cat /etc/redhat-release | grep "ClearOS"` + OS_FULLNAME=`grep "ClearOS" /etc/redhat-release` LINUX_VERSION="ClearOS" OS_VERSION="${OS_FULLNAME}" fi @@ -192,7 +192,7 @@ # Fedora FIND=`grep "Fedora" /etc/redhat-release` if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=`cat /etc/redhat-release | grep "Fedora"` + OS_FULLNAME=`grep "Fedora" /etc/redhat-release` OS_VERSION="${OS_FULLNAME}" LINUX_VERSION="Fedora" fi @@ -200,7 +200,7 @@ # Mageia (has also /etc/megaia-release) FIND=`grep "Mageia" /etc/redhat-release` if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=`cat /etc/redhat-release | grep "^Mageia"` + OS_FULLNAME=`grep "^Mageia" /etc/redhat-release` OS_VERSION=`grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }'` LINUX_VERSION="Mageia" fi @@ -209,7 +209,7 @@ FIND=`grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release` if [ ! "${FIND}" = "" ]; then LINUX_VERSION="Oracle Enterprise Linux"; - OS_FULLNAME=`cat /etc/redhat-release | grep "Enterprise Linux"`; + OS_FULLNAME=`grep "Enterprise Linux" /etc/redhat-release`; OS_VERSION="${OS_FULLNAME}"; fi @@ -218,7 +218,7 @@ FIND=`grep "Oracle Linux Server" /etc/oracle-release` if [ ! "${FIND}" = "" ]; then LINUX_VERSION="Oracle Enterprise Linux"; - OS_FULLNAME=`cat /etc/oracle-release | grep "Oracle Linux"`; + OS_FULLNAME=`grep "Oracle Linux" /etc/oracle-release`; OS_VERSION="${OS_FULLNAME}"; fi fi @@ -228,7 +228,7 @@ FIND=`grep "Oracle VM" /etc/ovs-release` if [ ! "${FIND}" = "" ]; then LINUX_VERSION="Oracle VM Server"; - OS_FULLNAME=`cat /etc/ovs-release | grep "Oracle VM"`; + OS_FULLNAME=`grep "Oracle VM" /etc/ovs-release`; OS_VERSION="${OS_FULLNAME}"; fi fi @@ -236,7 +236,7 @@ # Red Hat FIND=`grep "Red Hat" /etc/redhat-release` if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=`cat /etc/redhat-release | grep "Red Hat"` + OS_FULLNAME=`grep "Red Hat" /etc/redhat-release` OS_VERSION="${OS_FULLNAME}" LINUX_VERSION="Red Hat" fi @@ -244,7 +244,7 @@ # Scientific FIND=`grep "Scientific" /etc/redhat-release` if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=`cat /etc/redhat-release | grep "^Scientific"` + OS_FULLNAME=`grep "^Scientific" /etc/redhat-release` OS_VERSION=`grep "^Scientific" /etc/redhat-release | awk '{ if ($3=="release") { print $4 } }'` LINUX_VERSION="Scientific" fi @@ -273,7 +273,7 @@ fi if [ -f /etc/SLOX-release ]; then - OS_FULLNAME=`cat /etc/SLOX-release | grep "SuSE Linux"` + OS_FULLNAME=`grep "SuSE Linux" /etc/SLOX-release` LINUX_VERSION="SuSE" fi diff --git a/include/profiles b/include/profiles index abdb33d9..60f9a707 100644 --- a/include/profiles +++ b/include/profiles @@ -20,7 +20,7 @@ # Display --indent 2 --text "- Checking profile file (${PROFILE})..." logtext "Reading profile/configuration ${PROFILE}" - FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'` + FIND=`grep '^config:' ${PROFILE} | sed 's/ /!space!/g'` for I in ${FIND}; do OPTION=`echo ${I} | cut -d ':' -f2` VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'` diff --git a/include/report b/include/report index a65f3534..139101c5 100644 --- a/include/report +++ b/include/report @@ -102,7 +102,7 @@ if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi # Show warnings from logfile - SWARNINGS=`cat ${LOGFILE} | grep -i 'warning:' | sed 's/ /!space!/g'` + SWARNINGS=`grep -i 'warning:' ${LOGFILE} | sed 's/ /!space!/g'` if [ "${SWARNINGS}" = "" ]; then echo " ${OK}No warnings${NORMAL}"; echo "" diff --git a/include/tests_authentication b/include/tests_authentication index 06d732f6..d973b01b 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -69,7 +69,7 @@ fi # Check password file if [ -f ${PASSWD_FILE} ]; then - FIND=`cat ${PASSWD_FILE} | grep -v '^#' | cut -d ':' -f3 | sort | uniq -d` + FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN logtext "Result: all accounts found in ${PASSWD_FILE} are unique" @@ -155,7 +155,7 @@ logtext "Test: Checking login shells" if [ -f /etc/master.passwd ]; then # Check for all shells, except: (/usr)/sbin/nologin /nonexistent - FIND=`cat /etc/master.passwd | grep "[a-z]:\*:" | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` + FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking login shells" --result OK --color GREEN else @@ -194,7 +194,7 @@ Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking for non unique group ID's in /etc/group" - FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` + FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN logtext "Result: All group ID's are unique" @@ -215,7 +215,7 @@ Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check non unique group names" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking for non unique group names in /etc/group" - FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d` + FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN logtext "Result: All group names are unique" @@ -497,7 +497,7 @@ logtext "Result: file /etc/pam.conf exists" Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN logtext "Test: searching PAM configuration files" - FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'` + FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'` if [ "${FIND}" = "" ]; then logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" else @@ -577,7 +577,7 @@ if [ -f /etc/pam.d/common-auth ]; then logtext "Result: file /etc/pam.d/common-auth exists" logtext "Test: checking presence LDAP module" - FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"` + FIND=`grep "^auth.*ldap" /etc/pam.d/common-auth` if [ ! "${FIND}" = "" ]; then logtext "Result: LDAP module present" logtext "Output: ${FIND}" @@ -950,7 +950,7 @@ FOUND=0 WEAK_UMASK=0 logtext "Result: file /etc/login.conf exists" - FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'` + FIND=`grep "umask" /etc/login.conf | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'` if [ ! "${FIND}" = "" ]; then for UMASK_VALUE in ${FIND}; do case ${UMASK_VALUE} in diff --git a/include/tests_boot_services b/include/tests_boot_services index 299c04c6..bf8f0af1 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -66,7 +66,7 @@ case ${OS} in "Linux") if [ -f /proc/1/cmdline ]; then - FILE=`cat /proc/1/cmdline | grep "^/" | awk '{ print $1 }'` + FILE=`awk '/^\// { print $1 }' /proc/1/cmdline` if [ ! "${FILE}" = "" ]; then if [ -L ${FILE} ]; then ShowSymlinkPath ${FILE} @@ -235,10 +235,10 @@ logtext "Found file ${GRUBCONFFILE}, proceeding with tests." FileIsReadable ${GRUBCONFFILE} if [ ${CANREAD} -eq 1 ]; then - FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'` - FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'` - FIND3=`cat ${GRUBCONFFILE} | grep 'set superusers' | grep -v '^#'` - FIND4=`cat ${GRUBCONFFILE} | grep 'password_pbkdf2' | grep -v '^#'` + FIND=`grep 'password --md5' ${GRUBCONFFILE} | grep -v '^#'` + FIND2=`grep 'password --encrypted' ${GRUBCONFFILE} | grep -v '^#'` + FIND3=`grep 'set superusers' ${GRUBCONFFILE} | grep -v '^#'` + FIND4=`grep 'password_pbkdf2' ${GRUBCONFFILE} | grep -v '^#'` # GRUB1: MD5 or SHA1 if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 @@ -313,7 +313,7 @@ BOOT_LOADER_FOUND=1 Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN logtext "Checking password option LILO" - FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"` + FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED logtext "Result: no password set for LILO. Bootloader is unprotected to" diff --git a/include/tests_databases b/include/tests_databases index 80e7405b..98805879 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -136,7 +136,7 @@ #Register --test-no DBS-1842 --weight L --network NO --description "Checking Oracle home paths" #if [ ${SKIPTEST} -eq 0 ]; then # if [ -f /etc/oratab ]; then - # FIND=`cat /etc/oratab | grep -v "#" | awk -F: "{ print $2 }"` + # FIND=`grep -v "#" /etc/oratab | awk -F: "{ print $2 }"` # fi #fi # diff --git a/include/tests_file_permissions b/include/tests_file_permissions index a5f30270..c702e64b 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -29,7 +29,7 @@ Display --indent 2 --text "- Starting file permissions check" logtext "Test: Checking file permissions" logtext "Using profile ${PROFILE} for baseline." - FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2` + FIND=`egrep '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2` for I in ${FIND}; do logtext "Checking ${I}" CheckFilePermissions ${I} diff --git a/include/tests_insecure_services b/include/tests_insecure_services index f6b5e15d..d529f959 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -71,7 +71,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002) logtext "Test: check if all services are disabled if inetd is disabled" - FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"` + FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN else diff --git a/include/tests_kernel b/include/tests_kernel index 495d62bc..7cd49e12 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -105,9 +105,9 @@ if [ -f /proc/cpuinfo ]; then logtext "Result: found /proc/cpuinfo" logtext "Test: Checking CPU options (XD/NX/PAE)" - FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "` - FIND_PAE=`cat /proc/cpuinfo | grep " pae "` - FIND_NX=`cat /proc/cpuinfo | grep " nx "` + FIND_PAE_NX=`grep " pae " /proc/cpuinfo | grep " nx "` + FIND_PAE=`grep " pae " /proc/cpuinfo` + FIND_NX=`grep " nx " /proc/cpuinfo` FOUND=0 if [ ! "${FIND_PAE_NX}" = "" ]; then logtext "PAE: Yes" @@ -380,8 +380,8 @@ if [ -f /etc/security/limits.conf ]; then logtext "Result: file /etc/security/limits.conf exists" logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf" - FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` - FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` + FIND1=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` + FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then logtext "Result: core dumps (soft or hard) are enabled" Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW diff --git a/include/tests_logging b/include/tests_logging index 5e94576d..37728489 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -380,7 +380,7 @@ Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking directories in /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: parsing directories from /etc/newsyslog.conf file" - FIND=`cat /etc/newsyslog.conf | sort -u | grep "^/" | awk '{ print $1 }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u` + FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u` for I in ${FIND}; do if [ -d ${I} ]; then logtext "Result: Directory ${I} found and exists" @@ -400,7 +400,7 @@ Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking files specified /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: parsing files from /etc/newsyslog.conf file" - FIND=`cat /etc/newsyslog.conf | sort -u | grep "^/" | awk '{ print $1 }'` + FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sort -u` for I in ${FIND}; do if [ -f ${I} ]; then logtext "Result: File ${I} found and exists" diff --git a/include/tests_memory_processes b/include/tests_memory_processes index b78429db..ef48c4ef 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -29,7 +29,7 @@ if [ -f /proc/meminfo ]; then logtext "Result: found /proc/meminfo" Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN - FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'` + FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo` MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'` MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'` logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" diff --git a/include/tests_nameservices b/include/tests_nameservices index 06aa98c3..2b84991f 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -42,7 +42,7 @@ logtext "Test: check /etc/resolv.conf for default domain" if [ -f /etc/resolv.conf ]; then logtext "Result: /etc/resolv.conf found" - FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'` + FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf` if [ "${FIND}" = "" ]; then logtext "Result: no default domain found" Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE @@ -67,7 +67,7 @@ logtext "Test: check /etc/resolv.conf for search domains" if [ -f /etc/resolv.conf ]; then logtext "Result: /etc/resolv.conf found" - FIND=`cat /etc/resolv.conf | grep "^search" | sed 's/^search //'` + FIND=`awk '/^search/ { print $2 }' /etc/resolv.conf` if [ "${FIND}" = "" ]; then logtext "Result: no search domains found, default domain is being used" else @@ -92,7 +92,7 @@ fi # Check amount of search domains (max 1) - FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '` + FIND=`grep -c "^search" /etc/resolv.conf` if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW @@ -452,7 +452,7 @@ Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS backends" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking for PowerDNS backends" - FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^launch" | awk -F= '{ print $2 }'` + FIND=`awk -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do logtext "Found backend: ${I}" @@ -472,7 +472,7 @@ Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS authoritive status" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking for PowerDNS master status" - FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^master=yes"` + FIND=`grep "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` if [ ! "${FIND}" = "" ]; then logtext "Found master=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritive master: YES" @@ -482,7 +482,7 @@ Display --indent 4 --text "- PowerDNS authoritive master: NO" fi logtext "Test: Checking for PowerDNS slave status" - FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^slave=yes"` + FIND=`grep "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` if [ ! "${FIND}" = "" ]; then logtext "Found slave=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritive slave: YES" @@ -588,7 +588,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check duplicate line in /etc/hosts" if [ -f /etc/hosts ]; then - sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | sort | uniq -d` + sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d` if [ "${sFIND}" = "" ]; then logtext "Result: OK, no duplicate lines found" Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN @@ -613,7 +613,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check /etc/hosts contains an entry for this server name" if [ -f /etc/hosts ]; then - sFIND=`cat /etc/hosts | egrep -v '^(#|$|^::1\s|localhost)' | grep ${HOSTNAME}` + sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep ${HOSTNAME}` if [ "${sFIND}" != "" ]; then logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts" Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN @@ -634,7 +634,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check server hostname not locally mapped in /etc/hosts" - sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}` + sFIND=`egrep -v '^(#|$)' /etc/hosts | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}` if [ ! "${sFIND}" = "" ]; then logtext "Result: Found this server hostname mapped to a local address" Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW diff --git a/include/tests_php b/include/tests_php index d4e842c8..96eb63d0 100644 --- a/include/tests_php +++ b/include/tests_php @@ -147,7 +147,7 @@ Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking PHP register_globals option" - FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'` + FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'` if [ ! "${FIND}" = "" ]; then Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" @@ -171,7 +171,7 @@ Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking expose_php option" - FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'` + FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking expose_php option" --result ON --color RED ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." @@ -195,7 +195,7 @@ Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking PHP enable_dl option" - FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'` + FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP" @@ -218,7 +218,7 @@ Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking PHP allow_url_fopen option" - FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'` + FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" @@ -241,7 +241,7 @@ Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking PHP allow_url_include option" - FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'` + FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" diff --git a/include/tests_shells b/include/tests_shells index 1f1cdc21..64de5921 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -47,7 +47,7 @@ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking console TTYs" - FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'` + FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN logtext "Result: console is secured against single user mode without password." @@ -71,7 +71,7 @@ if [ -f /etc/shells ]; then logtext "Result: Found /etc/shells file" logtext "Test: Reading available shells from /etc/shells" - SSHELLS=`cat /etc/shells | grep "^/"` + SSHELLS=`grep "^/" /etc/shells` CSSHELLS=0; CSSHELLS_ALL=0 Display --indent 2 --text "- Checking shells from /etc/shells" for I in ${SSHELLS}; do @@ -113,9 +113,9 @@ if [ -f /etc/profile ]; then # Determine if we can find a TMOUT value - FIND=`cat /etc/profile | grep 'TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'` + FIND=`grep 'TMOUT=' /etc/profile | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//' | awk -F= '{ print $2 }'` # Determine if the value is exported (with export, readonly, or typeset) - FIND2=`cat /etc/profile | grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'` + FIND2=`grep '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' /etc/profile | grep -v "^#" | sed 's/#.*//' | awk '{ print $1 }'` if [ ! "${FIND}" = "" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do diff --git a/include/tests_snmp b/include/tests_snmp index 208df92a..5baba15a 100644 --- a/include/tests_snmp +++ b/include/tests_snmp @@ -75,7 +75,7 @@ if [ ${SKIPTEST} -eq 0 ]; then WARN=0 logtext "Test: reading active snmp communities" - FIND=`cat ${SNMPD_DAEMON_CONFIG} | grep "^com2sec" | ${AWKBINARY} '{ print $4 }'` + FIND=`${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMPD_DAEMON_CONFIG}` for I in ${FIND}; do logtext "Output: ${I}" if [ "${I}" = "public" -o "${I}" = "private" ]; then diff --git a/include/tests_squid b/include/tests_squid index f6277feb..59d63dd2 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -110,7 +110,7 @@ Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" - FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` + FIND=`grep -v "^#" ${SQUID_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` logtext "Found Squid option: ${I}" diff --git a/include/tests_ssh b/include/tests_ssh index 303af6b6..5cc466ce 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -86,7 +86,7 @@ Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH defined options" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking all specific defined options in ${SSH_DAEMON_CONFIG}" - FIND=`cat ${SSH_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` + FIND=`grep -v "^#" ${SSH_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` logtext "Found SSH option: ${I}" @@ -102,7 +102,7 @@ Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check PermitRootLogin option" - FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'` + FIND=`awk '/^PermitRootLogin/ { print $2 }' ${SSH_DAEMON_CONFIG}` if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then logtext "Result: PermitRootLogin is enabled, root can login directly" Display --indent 4 --text "- SSH option: PermitRootLogin" --result WARNING --color RED @@ -134,7 +134,7 @@ Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check allowed SSH protocol versions" - FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'` + FIND=`awk '/^Protocol/ { print $2 }' ${SSH_DAEMON_CONFIG}` if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then logtext "Result: Protocol option is set to allow SSH protocol version 1" Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED @@ -160,7 +160,7 @@ Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check configured StrictModes option" - FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'` + FIND=`awk '/^StrictModes/ { print $2 }' ${SSH_DAEMON_CONFIG}` if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked" Display --indent 4 --text "- SSH option: StrictModes" --result WARNING --color RED diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 1795aeb6..9f245a9a 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -118,7 +118,7 @@ logtext "Test: check /etc/exports" if [ -f /etc/exports ]; then logtext "Result: /etc/exports exists" - FIND=`cat /etc/exports | grep -v "^$" | grep -v "^#" | sed 's/ /!space!/g'` + FIND=`grep -v "^$" /etc/exports | grep -v "^#" | sed 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` diff --git a/include/tests_time b/include/tests_time index 4184f9b3..34321bd0 100644 --- a/include/tests_time +++ b/include/tests_time @@ -102,7 +102,7 @@ for I in ${CRONTAB_FILES}; do if [ -f ${I} ]; then logtext "Test: checking for ntpdate or rdate in crontab file ${I}" - FIND=`cat ${I} | ${EGREPBINARY} "ntpdate|rdate" | grep -v '^#'` + FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'` if [ ! "${FIND}" = "" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN diff --git a/include/tests_webservers b/include/tests_webservers index 8987636c..020c1420 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -144,14 +144,14 @@ FileIsReadable ${I} if [ ${CANREAD} -eq 1 ]; then # Search Virtual Hosts - for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do + for J in `grep "ServerName" ${I} | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do if [ ! -z ${J} ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=`expr ${cVHOSTS} + 1` fi done # Search Server aliases - for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do + for J in `grep "ServerAlias" ${I} | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do if [ ! -z ${J} ]; then tVHOSTS="${tVHOSTS} ${J}" cVHOSTS=`expr ${cVHOSTS} + 1` @@ -200,12 +200,12 @@ # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do # if [ -f ${APACHE_CONFIGFILE} ]; then # # Check if option ServerTokens is configured -# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'` +# SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'` # if [ ! "${SERVERTOKENSTEST}" = "" ]; then # Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE # SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '` # logtext "Option ServerTokens found: ${SERVERTOKENSTEST}" -# SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3` +# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3` # if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then # logtext "Result: Value from configuration file yielded the same output as in template" # SERVERTOKENSFOUND=1 @@ -420,7 +420,7 @@ # Remove temp file if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi N=0 - cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ ]*//' | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE} + sed -e 's/^[ ]*//' ${NGINX_CONF_LOCATION} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE} # Search for included configuration files (may include directories and wild cards) FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'` for I in ${FIND}; do @@ -433,7 +433,7 @@ report "nginx_sub_conf_file=${J}" FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then - FIND3=`cat ${J} | sed -e 's/^[ ]*//' | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}` + FIND3=`sed -e 's/^[ ]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}` else ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" fi @@ -442,7 +442,7 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=`cat ${TMPFILE} | sort -u | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` + SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` for I in ${SORTFILE}; do I=`echo ${I} | sed 's/:space:/ /g'` report "nginx_config_option=${I}";