diff --git a/include/tests_databases b/include/tests_databases
index cbf1091e..d6cb3f81 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -23,9 +23,9 @@
 #################################################################################
 #
 # Paths to DATADIR
- sMYSQLDBPATHS="/var/lib/mysql"
+ sMYSQLDBPATHS="${ROOTDIR}var/lib/mysql"
 # Paths to my.cnf
- sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf"
+ sMYCNFLOCS="${ROOTDIR}etc/mysql/my.cnf ${ROOTDIR}usr/etc/my.cnf"
 REDIS_CONFIGURATION_FILES=""
 REDIS_CONFIGURATION_FOUND=0
 #
@@ -75,13 +75,13 @@
 Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Trying to login to local MySQL server without password"
- FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
+ FIND=$(${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?)
 if [ "${FIND}" = "0" ]; then
 LogText "Result: Login succeeded, no MySQL root password set!"
 ReportWarning ${TEST_NO} "No MySQL root password set"
 Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED
 AddHP 0 5
- else
+ else
 LogText "Result: Login did not succeed, so a MySQL root password is set"
 Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN
 AddHP 2 2
@@ -102,7 +102,7 @@
 POSTGRESQL_RUNNING=1
 DATABASE_ENGINE_RUNNING=1
 Report "postgresql_running=${POSTGRESQL_RUNNING}"
- else
+ else
 if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
 LogText "Result: PostgreSQL process not active"
 fi
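Review bot: `sMYSQLDBPATHS="${ROOTDIR}var/lib/mysql"` and the two `sMYCNFLOCS` entries only become absolute paths when ROOTDIR is non-empty and ends with `/`; with ROOTDIR unset or empty they silently turn into paths relative to the current working directory and the MySQL data-directory and my.cnf checks inspect the wrong tree. ROOTDIR's definition is not on this page, so I cannot tell whether it is guaranteed to be initialised before this file is sourced. A one-line note next to the assignments, `# ROOTDIR is expected to end with a slash, so the paths below carry no leading slash`, would document the convention these values now depend on.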
@@ -122,11 +122,11 @@ # reco: recovery (optional) Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep"` + FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep") if [ "${FIND}" = "" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: Oracle process(es) not active" - else + else Display --indent 2 --text "- Oracle processes status" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Oracle is active" ORACLE_RUNNING=1 @@ -158,7 +158,7 @@ DB2_RUNNING=1 DATABASE_ENGINE_RUNNING=1 Report "db2_running=${DB2_RUNNING}" - else + else if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: No DB2 instances are running" fi @@ -193,7 +193,7 @@ FOUND=0 for DIR in ${PATHS}; do LogText "Action: scanning directory (${DIR}) for Redis configuration files" - FILES=$(ls ${DIR}/*.conf 2> /dev/null) + FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null) if [ ! -z "${FILES}" ]; then for CONFFILE in ${FILES}; do if FileIsReadable ${CONFFILE}; then @@ -222,7 +222,7 @@ fi done # Sort the list of discovered configuration files so we can make them unique - REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | uniq | ${TRBINARY} '\n' ' ') + REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | ${UNIQBINARY} | ${TRBINARY} '\n' ' ') for FILE in ${REDIS_CONFIGURATION_FILES}; do if IsWorldReadable ${FILE}; then LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!" 
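Review bot: `FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)` still parses ls output, and `for CONFFILE in ${FILES}` then word-splits it, so a Redis configuration file whose name contains whitespace is broken into fragments that `FileIsReadable` never finds and the world-readable check below never sees. Iterating the glob directly removes both the ls call and the splitting: `for CONFFILE in ${DIR}/*.conf; do` followed by `[ -e "${CONFFILE}" ] || continue` covers the no-match case that the `2> /dev/null` was hiding. The surrounding `for DIR` loop body continues past the end of this hunk.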
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index a90eb4fe..687853ff 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -18,7 +18,8 @@
 #
 #################################################################################
 #
- CSF_CONFIG="/etc/csf/csf.conf"
+ AIDECONFIG=""
+ CSF_CONFIG="${ROOTDIR}etc/csf/csf.conf"
 FILE_INT_TOOL=""
 FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
 #
@@ -34,13 +35,13 @@
 Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking AFICK binary"
- if [ ! "${AFICKBINARY}" = "" ]; then
+ if [ ! -z "${AFICKBINARY}" ]; then
 LogText "Result: AFICK is installed (${AFICKBINARY})"
 Report "file_integrity_tool[]=afick"
 FILE_INT_TOOL="afick"
 FILE_INT_TOOL_FOUND=1
 Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: AFICK is not installed"
 if IsVerbose; then Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
 fi
@@ -53,13 +54,13 @@
 Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking AIDE binary"
- if [ ! "${AIDEBINARY}" = "" ]; then
+ if [ ! -z "${AIDEBINARY}" ]; then
 LogText "Result: AIDE is installed (${AIDEBINARY})"
 Report "file_integrity_tool[]=aide"
 FILE_INT_TOOL="aide"
 FILE_INT_TOOL_FOUND=1
 Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: AIDE is not installed"
 if IsVerbose; then Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
 fi
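Review bot: `if [ ! -z "${AFICKBINARY}" ]; then` is a double negative; `test` has `-n` for exactly this case, so `if [ -n "${AFICKBINARY}" ]; then` says what is meant without the reader having to invert `-z`. The same `! -z` spelling is introduced in the AIDE hunk just below and in most of the converted tests in tests_filesystems and tests_firewalls (the `${FIND}`, `${FIND1}`, `${FIND2}`, `${LSMODBINARY}`, `${IPTABLESBINARY}`, `${PFCTLBINARY}` and `${KLDSTATBINARY}` checks), so it is worth settling on `-n` once across the commit. Where the commit leaves `[ ! "${X}" = "" ]` untouched (the lfd checks at @@ -219 and `${LINUXCONFIGFILE}` at @@ -69 in tests_firewalls) the files now carry three spellings of the same test.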
@@ -80,7 +81,8 @@ AIDECONFIG="${I}/aide.conf" fi done - if [ "${AIDECONFIG}" = "" ]; then + + if [ -z "${AIDECONFIG}" ]; then Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color YELLOW else LogText "Checking configuration file ${AIDECONFIG} for errors" @@ -101,7 +103,7 @@ Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Osiris binary" - if [ ! "${OSIRISBINARY}" = "" ]; then + if [ ! -z "${OSIRISBINARY}" ]; then LogText "Result: Osiris is installed (${OSIRISBINARY})" Report "file_integrity_tool[]=osiris" FILE_INT_TOOL="osiris" @@ -120,7 +122,7 @@ Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Samhain binary" - if [ ! "${SAMHAINBINARY}" = "" ]; then + if [ ! -z "${SAMHAINBINARY}" ]; then LogText "Result: Samhain is installed (${SAMHAINBINARY})" Report "file_integrity_tool[]=samhain" FILE_INT_TOOL="samhain" @@ -139,7 +141,7 @@ Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Tripwire binary" - if [ ! "${TRIPWIREBINARY}" = "" ]; then + if [ ! -z "${TRIPWIREBINARY}" ]; then LogText "Result: Tripwire is installed (${TRIPWIREBINARY})" Report "file_integrity_tool[]=tripwire" FILE_INT_TOOL="tripwire" @@ -179,7 +181,7 @@ Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking mtree binary" - if [ ! "${MTREEBINARY}" = "" ]; then + if [ ! -z "${MTREEBINARY}" ]; then LogText "Result: mtree is installed (${MTREEBINARY})" Report "file_integrity_tool[]=mtree" FILE_INT_TOOL="mtree" 
@@ -219,26 +221,26 @@ Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status" if [ ${SKIPTEST} -eq 0 ]; then # LFD configuration parameters - ENABLED=`${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` + ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}) if [ ! "${ENABLED}" = "" ]; then LogText "Result: lfd service is configured to run" Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN - else + else LogText "Result: lfd service is configured NOT to run" Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW fi - ENABLED=`${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'` + ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN - else + else LogText "Result: lfd directory watching is disabled" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW fi - ENABLED=`${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'` + ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN - else + else Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW fi fi 
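Review bot: The three `if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]` tests in this hunk keep the `= ""` form the rest of the commit converts, and they rely on `-a`, which POSIX marks obsolescent and which becomes ambiguous as soon as a value begins with `!` or `-`; `if [ "${ENABLED}" != "0" ] && [ -n "${ENABLED}" ]; then` is unambiguous and matches the idiom the commit introduces elsewhere. `${CSF_CONFIG}` is also passed to grep unquoted on all three new lines, and with the new `${ROOTDIR}` prefix its value is no longer a fixed literal; `"${CSF_CONFIG}"` keeps it a single argument whatever ROOTDIR contains.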
@@ -257,7 +259,7 @@
 FILE_INT_TOOL="osquery"
 FILE_INT_TOOL_FOUND=1
 Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: syscheck (osquery) not installed"
 if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
 fi
@@ -271,7 +273,7 @@
 Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
 LogText "Result: No SHA256 or SHA512 found for creating checksums"
 Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
 ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index 79f721b3..2d627bf9 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -34,7 +34,7 @@
 LogText "Test: Checking file permissions"
 for PROFILE in ${PROFILES}; do
 LogText "Using profile ${PROFILE} for baseline."
- FIND=`${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2`
+ FIND=$(${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2)
 for I in ${FIND}; do
 LogText "Checking ${I}"
 CheckFilePermissions ${I}
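Review bot: `${GREPBINARY} -v "^#" ${AIDECONFIG}` passes AIDECONFIG unquoted, and this commit initialises it to an empty string at the top of the file; if the PREQS_MET computation (outside this hunk) ever lets the test run with no config file found, grep receives no file operand and waits on stdin instead of failing. Quoting it, `${GREPBINARY} -v "^#" "${AIDECONFIG}" 2> /dev/null`, turns that into an immediate error that the `-z "${FIND}"` branch handles as 'not found'. Separately, the pattern `"= .*(sha256|sha512)"` accepts any uncommented line that mentions either digest somewhere after an `=`, so a rule that lists sha256 alongside weaker algorithms also counts; the test establishes presence in the file, not that a strong digest is the one actually applied, and the LogText/Suggestion wording could say so.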
@@ -43,14 +43,14 @@
 LogText " Result: $PERMS"
 if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
 Display --indent 4 --text "${I}" --result "${STATUS_NOT_FOUND}" --color WHITE
- elif [ "${PERMS}" = "OK" ]; then
+ elif [ "${PERMS}" = "OK" ]; then
 Display --indent 4 --text "${I}" --result "${STATUS_OK}" --color GREEN
- elif [ "${PERMS}" = "BAD" ]; then
+ elif [ "${PERMS}" = "BAD" ]; then
 Display --indent 4 --text "${I}" --result "${STATUS_WARNING}" --color RED
 ReportWarning ${TEST_NO} "Incorrect permissions for file ${I}"
- else
+ else
 LogText "UNKNOWN status for file"
- fi
+ fi
 done
 done
 fi
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 5d46f831..94f067bf 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -46,20 +46,20 @@
 LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
 ReportSuggestion ${TEST_NO} "Symlinked mount point needs to be checked manually" "${I}" ""
 Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
- elif [ -d ${I} ]; then
+ elif [ -d ${I} ]; then
 LogText "Result: directory ${I} exists"
- FIND=`mount | ${GREPBINARY} "${I}"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${MOUNTBINARY} | ${GREPBINARY} "${I}")
+ if [ ! -z "${FIND}" ]; then
 LogText "Result: found ${I} as a separated mount point"
 Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
 AddHP 10 10
- else
+ else
 LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
 Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
 ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
 AddHP 9 10
 fi
- else
+ else
 LogText "Result: directory ${I} does not exist"
 fi
 done
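Review bot: `FIND=$(${MOUNTBINARY} | ${GREPBINARY} "${I}")` searches the whole mount output for `${I}` as an unanchored regex, so `/tmp` is reported as a separate mount point when only `/var/tmp` is one, `/var` when only `/var/log` is, and any device name or option string containing the text matches too; the test then awards the full `AddHP 10 10` for a separation that does not exist. Comparing the mount-point field exactly, as the ACL tests later in this file already do with `$3=="/"`, removes the false positive: `FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v mp="${I}" '{ if ($3 == mp) { print $3 } }')`. The `for I` loop that contains this `elif` chain starts before the hunk.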
@@ -76,16 +76,16 @@ LogText "Test: Checking for LVM volume groups" case ${OS} in AIX) - FIND=`${LSVGBINARY} -o` + FIND=$(${LSVGBINARY} -o) ;; Linux) - FIND=`${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | sort` + FIND=$(${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY}) ;; *) ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found" ;; esac - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then LogText "Result: found one or more volume groups" for I in ${FIND}; do LogText "Found LVM volume group: ${I}" @@ -93,7 +93,7 @@ done LVM_VG_USED=1 Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: no LVM volume groups found" if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_NONE}" --color WHITE; fi fi @@ -109,11 +109,11 @@ LogText "Test: Checking for LVM volumes" case ${OS} in AIX) - ACTIVE_VG_LIST=`${LSVGBINARY} -o` - FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done` + ACTIVE_VG_LIST=$(${LSVGBINARY} -o) + FIND=$(for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done) ;; Linux) - FIND=`${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | sort` + FIND=$(${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY}) ;; *) ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data" 
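Review bot: `FIND=$(${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ...)` in the LVM-volumes hunk has no stderr redirect, unlike the `${VGDISPLAYBINARY} 2> /dev/null` line in the volume-group hunk above; if lvdisplay prints its 'No volume groups found' message on stderr, as the vgdisplay redirect suggests it does, the `grep -v` never sees it and the message leaks straight into the audit's terminal output on hosts without LVM. Adding the same redirect, `FIND=$(${LVDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ...)`, keeps the two tests consistent. The `case` statement this sits in closes outside the hunk.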
@@ -126,7 +126,7 @@ Report "lvm_volume[]=${I}" done Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: no LVM volume groups found" Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_NONE}" --color WHITE fi @@ -147,16 +147,16 @@ Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for Linux EXT file systems" - FIND=`mount -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }'` - if [ ! "${FIND}" = "" ]; then + FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }') + if [ ! -z "${FIND}" ]; then LogText "Result: found one or more EXT file systems" for I in ${FIND}; do - FILESYSTEM=`echo ${I} | ${CUTBINARY} -d ',' -f1` - FILETYPE=`echo ${I} | ${CUTBINARY} -d ',' -f2` + FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1) + FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2) LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})" Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|" done - else + else LogText "Result: no EXT file systems found" Report "file_systems_ext[]=none" fi 
@@ -170,11 +170,11 @@ Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Query /etc/fstab for available FFS/UFS mount points" - FIND=`${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab` - if [ "${FIND}" = "" ]; then + FIND=$(${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab) + if [ -z "${FIND}" ]; then if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi LogText "Result: unable to find any single mount point (FFS/UFS)" - else + else Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_FOUND}" --color GREEN Report "filesystem[]=ufs" for I in ${FIND}; do @@ -191,11 +191,11 @@ Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Query /etc/fstab for available ZFS mount points" - FIND=`mount -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'` - if [ "${FIND}" = "" ]; then + FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}') + if [ -z "${FIND}" ]; then Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE LogText "Result: unable to find any single mount point (ZFS)" - else + else Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN Report "filesystem[]=zfs" for I in ${FIND}; do 
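Review bot: `/etc/fstab` in the new `FIND=$(${AWKBINARY} ... /etc/fstab)` line stays hard-coded while this commit prefixes `${ROOTDIR}` onto `/proc/version`, `/tmp`, `/dev/root` and the MySQL and CSF paths, so an audit with ROOTDIR pointing at a mounted image reads the host's fstab for the FFS/UFS mount points. The same hard-coded `/etc/fstab` is left in the swap hunks at @@ -215 and @@ -275, the mount-option hunks at @@ -506 and @@ -562, and `/proc/modules` at @@ -693. If these are meant to follow ROOTDIR, `${ROOTDIR}etc/fstab`; if fstab is deliberately read from the running host, a short comment saying so at the first use would stop the next conversion pass from changing it.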
@@ -215,7 +215,7 @@ FOUND=0 LogText "Test: query swap partitions from /etc/fstab file" # Check if third field contains 'swap' - FIND=`${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#"` + FIND=$(${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#") for I in ${FIND}; do FOUND=1 REAL="" @@ -227,12 +227,12 @@ # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/) HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="` - if [ ! "${HAS_UUID}" = "" ]; then + if [ ! -z "${HAS_UUID}" ]; then UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'` LogText "Result: Using ${UUID} as UUID" - if [ ! "${BLKIDBINARY}" = "" ]; then + if [ ! -z "${BLKIDBINARY}" ]; then FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//') - if [ ! "${FIND2}" = "" ]; then + if [ ! -z "${FIND2}" ]; then REAL="${FIND2}" fi else @@ -241,7 +241,7 @@ if [ -L /dev/disk/by-uuid/${UUID} ]; then LogText "Result: found disk via /dev/disk/by-uuid listing" ShowSymlinkPath /dev/disk/by-uuid/${UUID} - if [ ! "${sFILE}" = "" ]; then + if [ ! -z "${sFILE}" ]; then REAL="${sFILE}" LogText "Result: disk is ${REAL}" fi @@ -251,7 +251,7 @@ fi fi # Set real device - if [ "${REAL}" = "" ]; then + if [ -z "${REAL}" ]; then REAL="${I}" fi Report "swap_partition[]=${I},${REAL}," 
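Review bot: In the context line `FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')` the `${UUID}` sits inside a single-quoted awk program, so the shell never expands it and awk compares the field against the literal text `UUID="${UUID}"`; FIND2 is therefore always empty, the blkid branch never resolves a swap UUID to a device, and REAL is only set when the `/dev/disk/by-uuid` symlink below exists. The commit rewrites the tests around this line but not the line itself; passing the value with `-v` fixes it: `FIND2=$(${BLKIDBINARY} | ${AWKBINARY} -v uuid="${UUID}" '{ if ($2 == "UUID=\"" uuid "\"") print $1 }' | ${SEDBINARY} 's/:$//')`. The backtick assignments to HAS_UUID and UUID just above are also the only ones in this hunk not converted to `$(...)`.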
@@ -275,12 +275,11 @@ if [ ${SKIPTEST} -eq 0 ]; then # Swap partitions should be mounted with 'sw' or 'swap' LogText "Test: check swap partitions with incorrect mount options" - #FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` - FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!~/sw/ && $4!="defaults")) { print $1 }}' /etc/fstab` - if [ "${FIND}" = "" ]; then + FIND=$(${AWKBINARY} '{ if ($3=="swap" && ($4!~/sw/ && $4!="defaults")) { print $1 }}' /etc/fstab) + if [ -z "${FIND}" ]; then Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN LogText "Result: all swap partitions have correct options (sw or swap)" - else + else Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})" #ReportWarning ${TEST_NO} "Possible incorrect mount options used for swap parition (${FIND})" @@ -295,7 +294,7 @@ # Description : Check proc mount options (Linux >=3.3 only) # Examples : proc /proc proc defaults,hidepid=2 0 0 # Goal : Users should not be able to see processes of other users - if [ "${OS}" = "Linux" -a -f /proc/version ]; then + if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}') LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}') if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then 
@@ -308,7 +307,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least LogText "Test: check proc mount with incorrect mount options" - FIND=$(mount | ${EGREPBINARY} "/proc " | ${EGREPBINARY} -o "hidepid=[0-9]") + FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=[0-9]") if [ "${FIND}" = "hidepid=2" ]; then Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN LogText "Result: proc mount mounted with hidepid=2" @@ -335,15 +334,15 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for old files in /tmp" # Search for files only in /tmp, with an access time older than X days - FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g'` - if [ "${FIND}" = "" ]; then + FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g') + if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN LogText "Result: no files found in /tmp which are older than 3 months" - else + else Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED N=0 for I in ${FIND}; do - FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` + FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g') LogText "Old temporary file: ${FILE}" N=$((N + 1)) done 
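Review bot: `${EGREPBINARY} "${ROOTDIR}proc "` applies ROOTDIR to the output of mount, but mount prints the running kernel's mount table, not paths beneath an alternate root; with ROOTDIR pointing at a mounted image the pattern looks for `<image>/proc ` and the hidepid test silently finds nothing, while with ROOTDIR set to `/` nothing changes. Unless proc is expected to be mounted inside the image, keep the pattern as `"/proc "`, or better match the mount-point field as the ACL tests in this file do, `${AWKBINARY} '{ if ($3 == "/proc") print $6 }' | ${EGREPBINARY} -o "hidepid=[0-9]"`. The `${ROOTDIR}proc/version` existence test in the hunk above is a filesystem path and is fine as is.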
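Review bot: The log line `no files found in /tmp which are older than 3 months` hard-codes a period that the search itself takes from `-atime +${TMP_OLD_DAYS}`, so the log is wrong whenever the variable is configured to anything else; `LogText "Result: no files found in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"` keeps the two in step, and the Display text and the comment above the find still name `/tmp` literally. The `!space!` substitution only protects spaces; a file name containing a tab or newline is still split by `for I in ${FIND}`, which is acceptable for a count but deserves a one-line comment so nobody treats the list as exact.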
@@ -396,28 +395,28 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 LogText "Test: Checking acl option on ext[2-4] root file system" - FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl` - if [ ! "${FIND}" = "" ]; then + FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl) + if [ ! -z "${FIND}" ]; then LogText "Result: found ACL option" FOUND=1 - else + else LogText "Result: mount point probably mounted with defaults" LogText "Test: Checking device which holds root file system" # Get device on which root file system is mounted. Use /dev/root if it exists, or # else check output of mount - if [ -b /dev/root ]; then - FIND1="/dev/root" - else + if [ -b ${ROOTDIR}dev/root ]; then + FIND1="${ROOTDIR}dev/root" + else # Only determine device if it is EXT2/3/4 #FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'` - FIND1=`mount -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }'` + FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }') fi # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems - if [ ! "${FIND1}" = "" ]; then + if [ ! -z "${FIND1}" ]; then LogText "Result: found ${FIND1}" LogText "Test: Checking default options on ${FIND1}" - FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl"` - if [ ! "${FIND2}" = "" ]; then + FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl") + if [ ! -z "${FIND2}" ]; then LogText "Result: found ACL option in default mount options" FOUND=1 else 
@@ -429,8 +428,8 @@ fi LogText "Test: Checking acl option on xfs root file system" - FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr'` - if [ "${FIND}" = "" ]; then + FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr') + if [ -z "${FIND}" ]; then FOUND=1 # some other tests to do ? fi @@ -441,7 +440,7 @@ LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file" Display --indent 2 --text "- ACL support root file system" --result "${STATUS_DISABLED}" --color YELLOW AddHP 0 1 - else + else LogText "Result: ACL option enabled on root file system" Display --indent 2 --text "- ACL support root file system" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 @@ -506,11 +505,11 @@ FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab) if [ "${FS_FSTAB}" = "glusterfs" ]; then EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g') - if [ "${EXPECTED_FLAGS}" = "" ]; then + if [ -z "${EXPECTED_FLAGS}" ]; then FS_FSTAB="" fi fi - if [ ! "${FS_FSTAB}" = "" ]; then + if [ ! -z "${FS_FSTAB}" ]; then FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" @@ -522,7 +521,7 @@ if [ "${FLAG_AVAILABLE}" = "" ]; then LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" FULLY_HARDENED=0 - else + else LogText "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}" PARTIALLY_HARDENED=1 fi 
@@ -540,7 +539,7 @@ LogText "Result: marked ${FILESYSTEM} options as default (non hardened)" Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW AddHP 3 5 - else + else LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)" Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW AddHP 4 5 @@ -562,16 +561,16 @@ if [ -f /etc/fstab ]; then FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab) BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }') - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then LogText "Result: mount system /var/tmp is configured with options: ${FIND}" if [ "${BIND}" = "YES" ]; then Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN LogText "Result : /var/tmp is bind to /tmp" - else + else Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW LogText "Result: /var/tmp is not bind to /tmp" fi - else + else LogText "Result: no mount point /var/tmp or expected options found" if IsVerbose; then Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "INFO" --color WHITE; fi fi @@ -693,7 +692,7 @@ # Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then + if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then Display --indent 2 --text "- Disable kernel support of some filesystems" LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf" FOUND=0 
@@ -701,13 +700,13 @@
 AVAILABLE_MODPROBE_FS=""
 for FS in ${LIST_FS_NOT_SUPPORTED}; do
 # Check if filesystem is present in modprobe output
- FIND=`${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1`
+ FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1)
 if [ ! -z "${FIND}" ]; then
 LogText "Result: found module support in kernel: ${FIND}"
 Debug "Module ${FS} present in the kernel"
 LogText "Test: Checking if ${FS} is active"
 # Check if FS is present in lsmod output
- FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"`
+ FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
 if [ -z "${FIND}" ]; then
 LogText "Result: module ${FS} is not loaded in the kernel"
 AddHP 2 3
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 76aff719..cf1e48f2 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -40,8 +40,8 @@
 # Description : Check iptables kernel module
 Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables"`
- if [ ! "${FIND}" = "" ]; then
+ FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
+ if [ ! -z "${FIND}" ]; then
 FIREWALL_ACTIVE=1
 FIREWALL_SOFTWARE="iptables"
 IPTABLES_ACTIVE=1
@@ -51,14 +51,14 @@
 for I in ${FIND}; do
 LogText "Found module: ${I}"
 done
- else
+ else
 Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE
 # If we can't find an active module, try to find the Linux configuration file and check that
 if [ -f /proc/config.gz ]; then LINUXCONFIGFILE="/proc/config.gz"; tCATCMD="zcat"; fi
- sLINUXCONFIGFILE="/boot/config-`uname -r`"
+ sLINUXCONFIGFILE="/boot/config-$(uname -r)"
 if [ -f ${sLINUXCONFIGFILE} ]; then LINUXCONFIGFILE=${sLINUXCONFIGFILE}; tCATCMD="cat"; fi
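Review bot: `| tail -1` stays a bare command in the new `FIND=$(${MODPROBEBINARY} -v -n $FS ...)` line while this commit replaces `ls`, `mount`, `find`, `sort`, `uniq`, `wc`, `xargs` and `head` with their `*BINARY` variables, so this one tool is still resolved through PATH; `$FS` is also the only unbraced, unquoted expansion in the line. The same leftovers are `head -n 1` at @@ -69 in tests_firewalls (the pfctl hunk in that same file already uses `${HEADBINARY} -1`), and `uname -r`, `zcat` and `cat` at @@ -51. Whether a TAILBINARY variable exists is not visible on this page; if it does, `| ${TAILBINARY} -1` completes the conversion.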
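Review bot: `${GREPBINARY} "^ip*_tables"` is a regular expression, not a shell glob: `p*` means 'zero or more p', so the pattern matches `ip_tables` (and oddities like `i_tables`) but never `ip6_tables`, and a host whose only loaded netfilter module is ip6_tables is reported as having no iptables kernel module and falls through to the kernel-config branch below. If both address families are meant, `${EGREPBINARY} "^ip6?_tables"` expresses it (the file already uses EGREPBINARY for alternations); if IPv4 only is meant, `"^ip_tables"` says so without the misleading `*`. The `if` body continues past the end of this hunk.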
@@ -69,9 +69,9 @@ if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})" - FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1` - if [ ! "${FIND}" = "" ]; then - HAVEMOD=`echo ${FIND} | ${CUTBINARY} -d '=' -f2` + FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1) + if [ ! -z "${FIND}" ]; then + HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2) # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the # active list. if [ "${HAVEMOD}" = "y" ]; then @@ -81,10 +81,10 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="iptables" Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: no iptables found in Linux kernel config file" fi - else + else LogText "Result: no Linux configuration file found" Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -110,9 +110,9 @@ done echo "${FIND}" | while read line; do - table=`echo ${line} | ${AWKBINARY} '{ print $1 }'` - chainname=`echo ${line} | ${AWKBINARY} '{ print $2 }'` - policy=`echo ${line} | ${AWKBINARY} '{ print $3 }'` + table=$(echo ${line} | ${AWKBINARY} '{ print $1 }') + chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }') + policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }') LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}." LogText "Result: ${policy}" 
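Review bot: The three new `table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')`-style lines fork awk three times per iptables chain to split on whitespace, which `read` already does, and the `while read line` they sit under lacks `-r`, so a backslash in the iptables output would be interpreted. `echo "${FIND}" | while read -r table chainname policy; do` replaces all three assignments and the `read` line, and the unquoted `${line}` in each echo disappears with them. The loop body runs in the pipeline's subshell, so anything it sets is lost after `done` — harmless for the visible LogText calls, but worth remembering since the body continues outside the hunk.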
@@ -148,8 +148,8 @@ if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | ${TRBINARY} -d ' '` - if [ ! "${FIND}" = "" ]; then + FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ') + if [ ! -z "${FIND}" ]; then FIREWALL_ACTIVE=1 if [ ${FIND} -le 10 ]; then # Firewall is active, but clearly needs configuration @@ -157,7 +157,7 @@ LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)" Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "iptables module(s) loaded, but no rules active" - else + else LogText "Result: one or more rules are available (${FIND} rules)" Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN fi 
@@ -168,20 +168,19 @@
 #
 # Test : FIRE-4513
 # Description : Check iptables for unused rules
- if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | xargs`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
+ if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
 LogText "Result: There are no unused rules present"
- else
+ else
 Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW
 LogText "Result: Found one or more possible unused rules"
 LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
 LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
 LogText "Output: iptables rule numbers: ${FIND}"
- #ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"
 ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
 LogText "Tip: iptables --list --numeric --line-numbers --verbose"
 fi
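Review bot: `${AWKBINARY} '{ if ($2=="0") print $1 }'` prints bare rule numbers, but `--line-numbers` restarts at 1 in every chain, so the logged `iptables rule numbers: ${FIND}` (a constructed example: `1 3 1`) cannot be mapped back to specific rules by whoever reads the report. Carrying the chain name through awk makes the output actionable: `'/^Chain/ { chain=$2 } { if ($2=="0") print chain ":" $1 }'`. Unlike the empty-ruleset test above, this invocation has no `2> /dev/null`, so an iptables error lands in the audit's terminal output rather than being handled as 'nothing found'.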
@@ -198,19 +197,19 @@ # Check status with pfctl LogText "Test: checking pf status via pfctl" - if [ ! "${PFCTLBINARY}" = "" ]; then - FIND=`${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | head -1 | ${AWKBINARY} '{ print $2 }'` + if [ ! -z "${PFCTLBINARY}" ]; then + FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "Enabled" ]; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN LogText "Result: pf is enabled" PFFOUND=1 AddHP 3 3 - else + else if [ "${FIND}" = "Disabled" ]; then Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED LogText "Result: pf is disabled" AddHP 0 3 - else + else Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW ReportException ${TEST_NO} "Unknown status of pf firewall" fi @@ -221,11 +220,11 @@ if [ ${PFFOUND} -eq 0 ]; then # Check for pf kernel module (FreeBSD and similar) LogText "Test: searching for pf kernel module" - if [ ! "${KLDSTATBINARY}" = "" ]; then - FIND=`${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko'` - if [ "${FIND}" = "" ]; then + if [ ! -z "${KLDSTATBINARY}" ]; then + FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko') + if [ -z "${FIND}" ]; then LogText "Result: Can not find pf KLD" - else + else LogText "Result: pf KLD loaded" PFFOUND=1 fi @@ -239,7 +238,7 @@ Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN PFFOUND=1 PFLOGDFOUND=1 - else + else LogText "Result: pflog daemon not found in process list" fi fi @@ -248,7 +247,7 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="pf" Report "firewall_software[]=pf" - else + else LogText "Result: pf not running on this system" fi fi 
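Review bot: The pfctl hunk keeps the `else` / `if [ "${FIND}" = "Disabled" ]` / `else` / `fi` / `fi` nesting for a three-way status, which an `elif [ "${FIND}" = "Disabled" ]; then` would flatten into one block with a single closing `fi`; since the commit is already re-indenting these `else` lines, this is the moment to do it. In the kldstat hunk `${GREPBINARY} 'pf.ko'` treats the dot as a wildcard; `${GREPBINARY} -F 'pf.ko'` matches the literal module name. `${HEADBINARY}` is a new name and is presumably defined with the other *BINARY variables.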
@@ -266,15 +265,15 @@ LogText "Result: /etc/pf.conf exists" # Check results from pfctl PFWARNINGS=$(${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning') - if [ "${PFWARNINGS}" = "" ]; then + if [ -z "${PFWARNINGS}" ]; then Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN LogText "Result: no pf filter warnings found" - else + else Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED LogText "Result: found one or more warnings in the pf filter rules" ReportWarning ${TEST_NO} "Found one or more warnings in pf configuration file" "/etc/pf.conf" "text:Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings" fi - else + else LogText "Result: /etc/pf.conf does NOT exist" fi fi @@ -298,7 +297,7 @@ FIREWALL_SOFTWARE="csf" Report "firewall_software[]=csf" Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: ${FILE} does NOT exist" fi fi @@ -310,14 +309,14 @@ if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }'` + FIND=$(${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "yes" ]; then Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: ipf is enabled and running" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipf" Report "firewall_software[]=ipf" - else + else Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW LogText "Result: ipf is not running" fi 
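Review bot: The pf.conf hunk leaves `/etc/pf.conf` hard-coded in the pfctl command, the ReportWarning argument and the log text, while the rest of the commit prefixes configuration paths with `${ROOTDIR}`; if the alternate-root scan is meant to cover pf as well, `PFWARNINGS=$(${PFCTLBINARY} -n -f ${ROOTDIR}etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning')` and the matching message strings are what is missing. In the ipf hunk the PREQS_MET context line still reads `if [ ! "${IPFBINARY}" = "" ]`, the only such line in this file not converted to the `-z`/`-n` form the commit adopts elsewhere.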
@@ -329,9 +328,9 @@ # Description : Check IPFW (FreeBSD) Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! "${SYSCTLBINARY}" = "" ]; then + if [ ! -z "${SYSCTLBINARY}" ]; then # For now, only check for IPv4. - FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }'` + FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "1" ]; then Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: IPFW is running for IPv4" @@ -363,14 +362,14 @@ if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled"` - if [ ! "${FIND}" = "" ]; then + FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled") + if [ ! -z "${FIND}" ]; then Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 LogText "Result: application firewall of Mac OS X is enabled" APPLICATION_FIREWALL_ACTIVE=1 Report "app_fw[]=macosx-app-fw" - else + else Display --indent 2 --text "- Checking IPFW" --result "${STATUS_DISABLED}" --color YELLOW AddHP 1 3 LogText "Result: application firewall of Mac OS X is disabled" 
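Review bot: In the FIRE-4532 hunk the disabled branch reports `- Checking IPFW` although the test is the Mac OS X application firewall and the enabled branch above it says `- Checking Mac OS X: Application Firewall`; the report therefore shows two different test names depending on the result. The line should read `Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW`. The enclosing if/else continues past the end of the hunk.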
@@ -447,7 +446,7 @@ # YYY Solaris ipf (determine default policy) Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic" AddHP 5 5 - else + else Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW LogText "Result: no host based firewall/packet filter found or configured" ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic" diff --git a/include/tests_hardening b/include/tests_hardening index 91838818..93c01ff5 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -35,7 +35,7 @@ LogText "Result: no compilers found" Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 3 3 - else + else LogText "Result: found installed compiler. See top of logfile which compilers have been found or use ${GREPBINARY} to filter on 'compiler'" Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED AddHP 1 3 @@ -54,7 +54,7 @@ LogText "Result: no compilers found" else # as - if [ ! "${ASBINARY}" = "" ]; then + if [ ! -z "${ASBINARY}" ]; then LogText "Test: Check file permissions for as (Assembler)" if IsWorldExecutable ${ASBINARY}; then LogText "Binary: found ${ASBINARY} (world executable)" @@ -66,7 +66,7 @@ fi fi # gcc - if [ ! "${GCCBINARY}" = "" ]; then + if [ ! -z "${GCCBINARY}" ]; then LogText "Test: Check file permissions for GCC compiler" if IsWorldExecutable ${GCCBINARY}; then LogText "Binary: found ${GCCBINARY} (world executable)" 
@@ -83,8 +83,8 @@ ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only" fi - #YYY check if compilers have a specific group (like compiler, or NOT root/wheel) -# Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED + # TODO check if compilers have a specific group (like compiler, or NOT root/wheel) + # Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED # /usr/bin/*cc* # /usr/bin/*++* # /usr/bin/ld diff --git a/include/tests_homedirs b/include/tests_homedirs index 5d9dc927..8daef43e 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -38,12 +38,12 @@ if [ ${SKIPTEST} -eq 0 ]; then # Read sixth field of /etc/passwd LogText "Test: query /etc/passwd to obtain home directories" - FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u` + FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u) for I in ${FIND}; do if [ -d ${I} ]; then LogText "Result: found home directory: ${I} (directory exists)" Report "home_directory[]=${I}" - else + else LogText "Result: found home directory: ${I} (directory does not exist)" fi done 
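Review bot: The rewritten awk in the tests_homedirs hunk, `$1 !~ "#"`, drops any passwd entry whose user name contains a `#` anywhere, whereas the surrounding comment only wants commented-out lines skipped; `$1 !~ "^#"` expresses that. The same line reads `/etc/passwd` without the `${ROOTDIR}` prefix the commit introduces for other configuration paths, so an alternate-root scan would list the host's home directories; presumably that should be `${ROOTDIR}etc/passwd` too. `for I in ${FIND}` also splits on whitespace, so a home directory containing a space is logged as two non-existent directories.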
@@ -55,17 +55,17 @@ # Description : Check for suspicious shell history files Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! "${HOMEDIRS}" = "" ]; then + if [ ! -z "${HOMEDIRS}" ]; then if [ "${OS}" = "Solaris" ]; then # Solaris doesn't support -maxdepth - FIND=`find ${HOMEDIRS} -name ".*history" ! -type f -print` - else - FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print` + FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print) + else + FIND=$(${FINDBINARY} ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print) fi - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN LogText "Result: Ok, history files are type 'file'." - else + else Display --indent 2 --text "- Checking shell history files" --result "${STATUS_WARNING}" --color RED LogText "Result: the following files seem to be of the wrong file type:" LogText "Output: ${FIND}" @@ -73,7 +73,7 @@ ReportWarning ${TEST_NO} "Incorrect file type found for shell history file" fi LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful." - else + else Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: Homedirs is empty, test will be skipped" fi 
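Review bot: Both new `${FINDBINARY}` invocations in HOME-9310 leave stderr attached to the terminal, so when the tool runs without privileges every unreadable home directory produces a "Permission denied" line in the middle of the screen output; the other scans in this commit discard it with `2> /dev/null`, e.g. `FIND=$(${FINDBINARY} ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print 2> /dev/null)`. `${HOMEDIRS}` is deliberately unquoted because it is a space-separated list; a short comment saying so would stop a later cleanup from "fixing" it.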
@@ -93,13 +93,13 @@ # Notes : For performance reasons we combine the scanning of different files, so inode caching is used # as much as possible for every find command # Profile opt : ignore_home_dir (multiple lines allowed), ignores home directory - if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories" if [ ${SKIPTEST} -eq 0 ]; then - IGNORE_HOME_DIRS=`${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }'` - if [ "${IGNORE_HOME_DIRS}" = "" ]; then + IGNORE_HOME_DIRS=$(${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }') + if [ -z "${IGNORE_HOME_DIRS}" ]; then LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded" - else + else LogText "Output: ${IGNORE_HOME_DIRS}" fi fi diff --git a/include/tests_insecure_services b/include/tests_insecure_services index ff80c4ce..d04afd7c 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -27,7 +27,7 @@ ################################################################################# # INETD_ACTIVE=0 - INETD_CONFIG_FILE="/etc/inetd.conf" + INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf" # ################################################################################# # diff --git a/include/tests_kernel b/include/tests_kernel index fca531a0..61bfed61 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
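Review bot: `INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"` relies on ROOTDIR always being set and always ending in a slash; if it is empty the path silently becomes the relative `etc/inetd.conf` and the test reports the file as missing instead of checking `/etc/inetd.conf`. Either the place that sets ROOTDIR should guarantee the trailing slash, or the assumption should be stated once in a comment where these constants are defined, e.g. `# ROOTDIR always ends with a slash, so paths are written as ${ROOTDIR}etc/...`. The same convention is used by the tests_kernel, tests_ldap and tests_logging hunks of this commit.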
@@ -456,16 +456,16 @@ Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" if [ ${SKIPTEST} -eq 0 ]; then REBOOT_NEEDED=2 - FILE="/var/run/reboot-required.pkgs" + FILE="${ROOTDIR}var/run/reboot-required.pkgs" LogText "Test: Checking presence ${FILE}" if [ -f ${FILE} ]; then LogText "Result: file ${FILE} exists" - FIND=$(wc -l < ${FILE}) + FIND=$(${WCBINARY} -l < ${FILE}) if [ "${FIND}" = "0" ]; then LogText "Result: No reboot needed (file empty)" REBOOT_NEEDED=0 else - PKGSCOUNT=$(wc -l < ${FILE}) + PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" for I in ${FIND}; do LogText "Package: ${I}" @@ -476,15 +476,15 @@ LogText "Result: file ${FILE} not found" fi # Check if /boot exists - if [ -d /boot ]; then + if [ -d ${ROOTDIR}boot ]; then LogText "Result: /boot exists, performing more tests from here" - FIND=$(ls /boot/* 2> /dev/null) - if [ ! "${FIND}" = "" ]; then - if [ -f /boot/vmlinuz -a ! -L /boot/vmlinuz ]; then + FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null) + if [ ! -z "${FIND}" ]; then + if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then LogText "Result: found /boot/vmlinuz (not symlinked)" NEXTLINE=0 FINDVERSION="" - for I in `file /boot/vmlinuz-linux`; do + for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do if [ ${NEXTLINE} -eq 1 ]; then FINDVERSION="${I}" else @@ -492,7 +492,7 @@ if [ "${I}" = "version" ]; then NEXTLINE=1; fi fi done - if [ ! "${FINDVERSION}" = "" ]; then + if [ ! -z "${FINDVERSION}" ]; then CURRENT_KERNEL=`uname -r` if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then LogText "Result: reboot needed, as current kernel is different than the one loaded" 
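Review bot: In KRNL-5830 the loop `for I in ${FIND}; do LogText "Package: ${I}"` iterates over the output of `${WCBINARY} -l`, i.e. over the line count, so the log shows "Package: 3" rather than the package names; FIND and PKGSCOUNT now hold the same value. Reading the file contents is what the loop wants: `while read -r I; do LogText "Package: ${I}"; done < ${FILE}` in place of the `for` loop. The loop's `done` lies outside the hunk.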
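Review bot: The rewritten `for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do` still calls a bare `file`, while the next hunk (@@ -501) switches the same command to `${FILEBINARY}`; more importantly, this branch is entered only when `${ROOTDIR}boot/vmlinuz` exists yet inspects `vmlinuz-linux`, so on a system that has only `vmlinuz` the call fails, FINDVERSION stays empty and the test ends in the "Can't determine kernel version" exception. Presumably the file just tested is the intended target: `for I in $(${FILEBINARY} ${ROOTDIR}boot/vmlinuz); do`. The following hunk (@@ -492) also keeps `CURRENT_KERNEL=\`uname -r\`` in backticks, which this commit converts everywhere else.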
@@ -501,11 +501,11 @@ else ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" fi - elif [ -f /boot/vmlinuz-linux ]; then + elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" LogText "Test: checking kernel version on disk" - VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}'` - if [ ! "${VERSION_ON_DISK}" = "" ]; then + VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}') + if [ ! -z "${VERSION_ON_DISK}" ]; then LogText "Result: found version ${VERSION_ON_DISK}" ACTIVE_KERNEL=`uname -r` LogText "Result: active kernel version ${ACTIVE_KERNEL}" 
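Review bot: The log line kept next to the rewritten `elif` reads `LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"`, where "/found" is a typo and the path no longer matches the `${ROOTDIR}` form used in the test itself; `LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux (usually Arch Linux or similar)"` fixes both. `ACTIVE_KERNEL=\`uname -r\`` two lines below is another backtick substitution left behind by this commit's `$(...)` conversion.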
@@ -521,36 +521,36 @@ ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux" fi else - if [ -L /boot/vmlinuz ]; then - LogText "Result: found symlink of /boot/vmlinuz, skipping file" + if [ -L ${ROOTDIR}boot/vmlinuz ]; then + LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file" else - LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*" + LogText "Result: ${ROOTDIR}boot/vmlinuz not on disk, trying to find ${ROOTDIR}boot/vmlinuz*" fi # Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on - MYKERNEL=`uname -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g'` + MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g') LogText "Result: using ${MYKERNEL} as my kernel version (stripped)" - FIND=$(ls /boot/vmlinuz* 2> /dev/null) - if [ ! "${FIND}" = "" ]; then + FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null) + if [ ! -z "${FIND}" ]; then for ITEM in ${FIND}; do LogText "Result: found ${ITEM}" done # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Ignore rescue images. Remove generic. and huge. for Slackware machines LogText "Action: checking relevant kernels" - KERNELS=`ls /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) 
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ') LogText "Output: ${KERNELS_ONE_LINE}" - elif [ ! "$(ls /boot/kernel* 2> /dev/null)" = "" ]; then - LogText "Output: Found a kernel file in /boot" + elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then + LogText "Output: Found a kernel file in ${ROOTDIR}boot" # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Examples: # /boot/kernel-genkernel-x86_64-3.14.14-gentoo - KERNELS=`ls /boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) LogText "Output: ${KERNELS}" else ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected" fi - if [ ! "${KERNELS}" = "" ]; then + if [ ! -z "${KERNELS}" ]; then FOUND_KERNEL=0 for I in ${KERNELS}; do # Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist) diff --git a/include/tests_ldap b/include/tests_ldap index 0d940c5f..6c04a3bc 100644 --- a/include/tests_ldap +++ b/include/tests_ldap @@ -26,7 +26,7 @@ # ################################################################################# # - SLAPD_CONF_LOCS="/etc/ldap /etc/openldap /usr/local/etc/openldap" + SLAPD_CONF_LOCS="${ROOTDIR}etc/ldap ${ROOTDIR}etc/openldap ${ROOTDIR}usr/local/etc/openldap" SLAPD_CONF_LOCATION="" SLAPD_RUNNING=0 # 
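Review bot: The KERNELS pipeline in the @@ -521 hunk still lists `/boot/vmlinuz*` and strips a literal `/boot/` with `${SEDBINARY} 's./boot/..'`, while the FIND line just above it was changed to `${ROOTDIR}boot/vmlinuz*`; with a non-root ROOTDIR the test therefore finds kernels in the alternate root but compares against the kernels of the running host. Switching to `${LSBINARY} ${ROOTDIR}boot/vmlinuz*` requires the sed expression to strip `${ROOTDIR}boot/` as well, otherwise the numeric sort receives the directory prefix. The FIND line and the `elif` still call a bare `ls` rather than `${LSBINARY}`, which the same hunk introduces. The enclosing if/else block starts and ends outside the hunk.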
@@ -36,12 +36,12 @@ # Description : Check running OpenLDAP instance Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance" if [ ${SKIPTEST} -eq 0 ]; then - #YYY add additional slash + # TODO adding additional slash needed? IsRunning slapd if [ ${RUNNING} -eq 0 ]; then Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: No running slapd process found." - else + else Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found running slapd process" SLAPDFOUND=1 @@ -61,14 +61,14 @@ if [ -f ${I}/slapd.conf ]; then LogText "Result: found ${I}/slapd.conf" SLAPD_CONF_LOCATION="${I}/slapd.conf" - else + else LogText "Result: ${I} does not contain slapd.conf" fi done # Check if we found a valid location - if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then + if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN - else + else Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi diff --git a/include/tests_logging b/include/tests_logging index 8b48d4dd..538488fc 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -22,7 +22,7 @@ # ################################################################################# # - LOG_FILES_LOCS="/var/log /var/adm" + LOG_FILES_LOCS="${ROOTDIR}var/log ${ROOTDIR}var/adm" LOGROTATE_CONFIG_FOUND=0 LOGROTATE_TOOL="" METALOG_RUNNING=0 
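Review bot: The new comment `# TODO adding additional slash needed?` in LDAP-2219 does not say what the slash would be added to, so the next reader has to guess what the original "YYY" marker meant; presumably it concerns the process name given to `IsRunning slapd`. Wording it as a concrete question, e.g. `# TODO: does IsRunning need a trailing slash on "slapd" to avoid partial matches?`, keeps the TODO actionable.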
@@ -43,14 +43,14 @@ Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for a logging daemon" - FIND=`${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep"` - if [ "${FIND}" = "" ]; then + FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep") + if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured." ReportWarning ${TEST_NO} "No syslog daemon found" AddHP 0 3 - else + else Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN LogText "Result: Found a logging daemon" SYSLOG_DAEMON_PRESENT=1 @@ -72,7 +72,7 @@ Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 SYSLOG_NG_RUNNING=1 - else + else LogText "Result: Syslog-ng NOT found in process list" Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_NOT_FOUND}" --color WHITE fi 
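Review bot: The rewritten detection in LOGG-2130, `${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep"`, matches the full command line of every process, so an editor opened on `syslog-ng.conf` or a shell running `tail -f /var/log/syslog-ng...` satisfies the check while no daemon is running. The per-daemon tests in this file use the project's `IsRunning` helper (see the `${RUNNING}` checks in the following hunks); using it here as well would apply one matching rule throughout. If the broad pattern is intentional as a first-pass heuristic, a one-line comment saying so would help, e.g. `# coarse check; the specific daemons are verified with IsRunning below`.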
@@ -85,11 +85,11 @@ if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Syslog-NG configuration file consistency" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSLOGNGBINARY} -s; echo $?` + FIND=$(${SYSLOGNGBINARY} -s; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: Syslog-NG configuration file seems to be consistent" Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN - else + else LogText "Result: Syslog-NG configuration file seems NOT to be consistent" Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "Found one or more problems in Syslog-NG configuration file" @@ -108,7 +108,7 @@ if [ ${RUNNING} -eq 1 ]; then Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN SYSTEMD_JOURNAL_RUNNING=1 - else + else Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi @@ -126,7 +126,7 @@ Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 METALOG_RUNNING=1 - else + else LogText "Result: metalog NOT found in process list" Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -145,7 +145,7 @@ Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 RSYSLOG_RUNNING=1 - else + else LogText "Result: rsyslogd NOT found in process list" Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_NOT_FOUND}" --color WHITE fi 
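Review bot: `FIND=$(${SYSLOGNGBINARY} -s; echo $?)` in LOGG-2134 captures whatever the syntax check writes to stdout together with the exit status, so any diagnostic output makes the `"${FIND}" = "0"` comparison fail even when the configuration is valid, and stderr still reaches the terminal. The AppArmor test in this same commit already uses the safer form; here that would be `FIND=$(${SYSLOGNGBINARY} -s > /dev/null 2>&1; echo $?)`.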
@@ -164,7 +164,7 @@ Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 RFC3195D_RUNNING=1 - else + else LogText "Result: rfc3195d NOT found in process list" Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -188,12 +188,12 @@ if [ ${RUNNING} -eq 1 ]; then LogText "Result: klogd running" Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: No klogd found" Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files" fi - else + else LogText "Result: test skipped, because other facility is being used to log kernel messages" fi fi @@ -210,7 +210,7 @@ if [ ${RUNNING} -eq 0 ]; then Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: No minilogd is running" - else + else Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED LogText "Result: minilogd found in process list" # minilogd daemon seems to be running 
@@ -224,22 +224,22 @@ # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d) Register --test-no LOGG-2146 --weight L --os Linux --network NO --category security --description "Checking logrotate.conf and logrotate.d" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking for /etc/logrotate.conf" - if [ -f /etc/logrotate.conf ]; then + LogText "Test: Checking for ${ROOTDIR}etc/logrotate.conf" + if [ -f ${ROOTDIR}etc/logrotate.conf ]; then LOGROTATE_CONFIG_FOUND=1 LOGROTATE_TOOL="logrotate" - LogText "Result: /etc/logrotate.conf found (file)" + LogText "Result: ${ROOTDIR}etc/logrotate.conf found (file)" else - LogText "Result: /etc/logrotate.conf NOT found" + LogText "Result: ${ROOTDIR}etc/logrotate.conf NOT found" fi - LogText "Test: Checking for /etc/logrotate.d (directory)" - if [ -d /etc/logrotate.d ]; then + LogText "Test: Checking for ${ROOTDIR}etc/logrotate.d (directory)" + if [ -d ${ROOTDIR}etc/logrotate.d ]; then LOGROTATE_CONFIG_FOUND=1 LOGROTATE_TOOL="logrotate" - LogText "Result: /etc/logrotate.d found" + LogText "Result: ${ROOTDIR}etc/logrotate.d found" else - LogText "Result: /etc/logrotate.conf found" + LogText "Result: ${ROOTDIR}etc/logrotate.conf found" fi if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then 
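Review bot: The final `else` branch of LOGG-2146 logs `LogText "Result: ${ROOTDIR}etc/logrotate.conf found"` when `${ROOTDIR}etc/logrotate.d` is missing, which is the wrong file and the wrong outcome; the commit rewrote the message but kept the mistake. It should read `LogText "Result: ${ROOTDIR}etc/logrotate.d NOT found"`. The hunk ends inside the `if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]` block.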
@@ -256,14 +256,14 @@ # # Test : LOGG-2148 # Description : Checking log files rotated with logrotate - if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which files are rotated with logrotate and if they exist" - FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'` - if [ "${FIND}" = "" ]; then + FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }') + if [ -z "${FIND}" ]; then LogText "Result: nothing found" - else + else LogText "Result: found one or more files which are rotated via logrotate" for I in ${FIND}; do LogText "Output: ${I}" 
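Review bot: LOGG-2148 now passes `${ROOTDIR}etc/logrotate.conf` to `logrotate -d -v`, but as far as I can tell logrotate still resolves the `include` directives and the log file paths inside that configuration against the live root, so the "exists"/"does_not_exist" results describe the running host rather than the alternate root. That limitation is worth a comment on the line, e.g. `# logrotate resolves included files and log paths against the live root, not ${ROOTDIR}`, so nobody trusts these results for an offline image.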
@@ -304,21 +304,21 @@ if [ ${SKIPTEST} -eq 0 ]; then # Try local hosts file LogText "Result: Checking for loghost in /etc/inet/hosts" - FIND=`${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#"` - if [ ! "${FIND}" = "" ]; then + FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#") + if [ ! -z "${FIND}" ]; then SOLARIS_LOGHOST_FOUND=1 LogText "Result: Found loghost entry in /etc/inet/hosts" - else + else LogText "Result: No loghost entry found in /etc/inet/hosts" # Try name resolving if no entry is present in local host file LogText "Result: Checking for loghost via name resolving" FIND=`getent hosts loghost | ${GREPBINARY} loghost` - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then SOLARIS_LOGHOST_FOUND=1 LogText "Result: name resolving was succesful" LogText "Output: ${FIND}" - else + else LogText "Result: name resolving didn't find results" fi fi @@ -326,7 +326,7 @@ if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then LogText "Result: loghost entry found and most likely used to send syslog messages" Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_OK}" --color GREEN - else + else Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED LogText "Result: No loghost entry found" ReportWarning ${TEST_NO} "No loghost entry found" 
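Review bot: The Solaris loghost hunk converts the first lookup to `$(...)` but leaves `FIND=\`getent hosts loghost | ${GREPBINARY} loghost\`` in backticks a few lines below, so the two substitutions in one test now use different syntaxes. `/etc/inet/hosts` in the grep and in the three log strings is also not prefixed with `${ROOTDIR}`, unlike the other configuration paths in this commit; presumably `${GREPBINARY} loghost ${ROOTDIR}etc/inet/hosts` is intended. The log message "name resolving was succesful" has a typo, "successful".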
@@ -344,21 +344,21 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf" - else + else SYSLOGD_CONF="/etc/syslog.conf" fi if [ -f ${SYSLOGD_CONF} ]; then LogText "Test: check if logs are also logged to a remote logging host" - FIND=`${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@"` - if [ ! "${FIND}" = "" ]; then + FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") + if [ ! -z "${FIND}" ]; then LogText "Result: remote logging enabled" REMOTE_LOGGING_ENABLED=1 else # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination - DESTINATIONS=`${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}'` + DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') for DESTINATION in ${DESTINATIONS}; do - FIND2=`${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)"` - if [ ! "${FIND2}" = "" ]; then + FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") + if [ ! -z "${FIND2}" = "" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 fi @@ -369,7 +369,7 @@ ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection" AddHP 1 3 Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW - else + else AddHP 5 5 Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN fi 
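Review bot: The new line `if [ ! -z "${FIND2}" = "" ]; then` in LOGG-2154 is not a valid test expression — `-z` takes one operand and cannot be followed by `=` — so `[` reports too many arguments and returns non-zero, which means this branch can never set REMOTE_LOGGING_ENABLED and every run with a syslog-ng destination prints an error; it should be `if [ ! -z "${FIND2}" ]; then`. The FIND2 pipeline on the line above it also has no file argument, so `${GREPBINARY} "log"` reads the script's stdin instead of the configuration; `FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")` is what the surrounding code expects. The two `SYSLOGD_CONF=` assignments at the top of the hunk keep absolute `/etc/...` paths without the `${ROOTDIR}` prefix used elsewhere in this commit.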
@@ -382,11 +382,11 @@ # # Test : LOGG-2160 # Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD) - if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Result: /etc/newsyslog.conf found" - Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: ${ROOTDIR}etc/newsyslog.conf found" + Display --indent 2 --text "- Checking ${ROOTDIR}etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN LOGROTATE_CONFIG_FOUND=1 LOGROTATE_TOOL="newsyslog" fi @@ -399,12 +399,12 @@ Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: parsing directories from /etc/newsyslog.conf file" - FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u` + FIND=$(${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u) for I in ${FIND}; do if [ -d ${I} ]; then LogText "Result: Directory ${I} found and exists" Report "log_directory[]=${I}" - else + else LogText "Result: Item ${I} is not a directory" fi done 
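Review bot: LOGG-2162 still reads `/etc/newsyslog.conf` in the rewritten awk line, while the neighbouring LOGG-2160 and LOGG-2164 hunks were switched to `${ROOTDIR}etc/newsyslog.conf`, so one of the three newsyslog tests looks at a different file than the other two during an alternate-root scan; `FIND=$(${AWKBINARY} '/^\// { print $1 }' ${ROOTDIR}etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u)` aligns it. The Register description and the "parsing directories from" log text likewise keep the bare `/etc/newsyslog.conf`.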
@@ -415,15 +415,15 @@ # # Test : LOGG-2164 # Description : Check for files in /etc/newsyslog.conf - if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: parsing files from /etc/newsyslog.conf file" - FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SORTBINARY} -u` + LogText "Test: parsing files from ${ROOTDIR}etc/newsyslog.conf file" + FIND=$(${AWKBINARY} '/^\// { print $1 }' ${ROOTDIR}etc/newsyslog.conf | ${SORTBINARY} -u) for I in ${FIND}; do if [ -f ${I} ]; then LogText "Result: File ${I} found and exists" - else + else LogText "Result: Item ${I} is not a file" fi done @@ -441,7 +441,7 @@ if [ -d ${I} ]; then LogText "Result: directory ${I} exists" Report "log_directory[]=${I}" - else + else LogText "Result: directory ${I} can't be found" fi done 
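Review bot: LOGG-2164 now parses `${ROOTDIR}etc/newsyslog.conf`, but the absolute paths it extracts are then tested with `if [ -f ${I} ]` on the running system, so for a non-root ROOTDIR the files are checked in the wrong tree and reported as missing. If the alternate root is meant to be honoured here, the check needs the prefix as well, e.g. `if [ -f ${ROOTDIR}${I#/} ]; then`, and the directory check in LOGG-2162 in the previous hunk has the same issue. If that is out of scope for this commit, a comment saying the existence checks are host-relative would stop the mismatch from being read as a bug.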
@@ -455,14 +455,14 @@ Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking open log files with lsof" - if [ ! "${LSOFBINARY}" = "" ]; then - FIND=`${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$"` + if [ ! -z "${LSOFBINARY}" ]; then + FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") for I in ${FIND}; do LogText "Found logfile: ${I}" Report "open_logfile[]=${I}" done Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN - else + else LogText "Result: lsof not installed, skipping test" Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW # Add suggestion @@ -493,7 +493,7 @@ fi FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then LogText "Result: found one or more files which are deleted, but still in use" for I in ${FIND}; do LogText "Found deleted file: ${I}" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index dbe833d9..37fef258 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
@@ -31,11 +31,11 @@ # Description : Check if AppArmor is installed Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence" if [ ${SKIPTEST} -eq 0 ]; then - if [ "${AASTATUSBINARY}" = "" ]; then + if [ -z "${AASTATUSBINARY}" ]; then APPARMORFOUND=0 LogText "Result: aa-status binary not found, AppArmor not installed" Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE - else + else APPARMORFOUND=1 LogText "Result: aa-status binary found, AppArmor is installed" Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN @@ -49,14 +49,14 @@ if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled" if [ ${SKIPTEST} -eq 0 ]; then - if [ ! "${AASTATUSBINARY}" = "" ]; then + if [ ! -z "${AASTATUSBINARY}" ]; then # Checking AppArmor status # 0 if apparmor is enabled and policy is loaded. # 1 if apparmor is not enabled/loaded. # 2 if apparmor is enabled but no policy is loaded. # 3 if control files are not available # 4 if apparmor status can't be read - FIND=`${AASTATUSBINARY} > /dev/null; echo $?` + FIND=$(${AASTATUSBINARY} > /dev/null; echo $?) if [ ${FIND} -eq 0 ]; then MAC_FRAMEWORK_ACTIVE=1 LogText "Result: AppArmor is enabled and a policy is loaded" 
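Review bot: `FIND=$(${AASTATUSBINARY} > /dev/null; echo $?)` discards only stdout, so any diagnostic aa-status writes to stderr (the exit code 4 "status can't be read" case listed in the comment is one candidate) lands in the terminal between Display lines. Redirect both streams: `FIND=$(${AASTATUSBINARY} > /dev/null 2>&1; echo $?)`. Quoting the comparison as `if [ "${FIND}" -eq 0 ]; then` keeps the test from producing a shell error if the substitution ever yields an empty string. The branches for the other exit codes continue below the hunk.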
@@ -93,10 +93,10 @@ Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking if we have sestatus binary" - if [ ! "${SESTATUSBINARY}" = "" ]; then + if [ ! -z "${SESTATUSBINARY}" ]; then LogText "Result: found sestatus binary (${SESTATUSBINARY})" Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: sestatus binary NOT found" Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE fi 
@@ -110,22 +110,22 @@ Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status" if [ ${SKIPTEST} -eq 0 ]; then # Status: Enabled/Disabled - FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }'` + FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }') if [ "${FIND}" = "enabled" ]; then MAC_FRAMEWORK_ACTIVE=1 LogText "Result: SELinux framework is enabled" Report "selinux_status=1" SELINUXFOUND=1 Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN - FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }'` + FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }') Report "selinux_mode=${FIND}" - FIND2=`${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }'` + FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }') LogText "Result: current SELinux mode is ${FIND}" LogText "Result: mode configured in config file is ${FIND2}" if [ "${FIND}" = "${FIND2}" ]; then LogText "Result: Current SELinux mode is the same as in config file." Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN - else + else LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." ReportWarning ${TEST_NO} "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED 
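Review bot: The mode comparison only reports whether the runtime mode matches the config file, so a host with `permissive` in both places gets a green OK on the mode line even though SELinux is then not enforcing any policy. Unless a later test covers this (not visible here), a hint after `Report "selinux_mode=${FIND}"` is cheap: `if [ "${FIND}" = "permissive" ]; then ReportSuggestion ${TEST_NO} "SELinux is running in permissive mode, consider switching to enforcing mode"; fi`. Separately, sestatus is invoked three times in a row; capturing its output once and grepping that would make all three values come from one consistent snapshot and avoid repeated process spawns.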
@@ -145,19 +145,19 @@ Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence" if [ ${SKIPTEST} -eq 0 ]; then # Check Linux kernel configuration - if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then - FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}` + if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then + FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}) if [ ! "${FIND}" = "" ]; then LogText "Result: grsecurity available (in kernel config)" GRSEC_FOUND=1 - else + else LogText "Result: no grsecurity found in kernel config" fi fi if [ ${GRSEC_FOUND} -eq 1 ]; then Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 - else + else Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi @@ -172,7 +172,7 @@ Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN AddHP 3 3 LogText "Result: found implemented MAC framework" - else + else Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW AddHP 2 3 LogText "Result: found no implemented MAC framework" diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 827c580b..4e6cd8ee 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -28,11 +28,13 @@ # DOVECOT_RUNNING=0 EXIM_RUNNING=0 - SMTP_DAEMON="" + IMAP_DAEMON="" + OPENSMTPD_RUNNING=0 + POP3_DAEMON="" POSTFIX_RUNNING=0 QMAIL_RUNNING=0 SENDMAIL_RUNNING=0 - OPENSMTPD_RUNNING=0 + SMTP_DAEMON="" # ################################################################################# # 
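Review bot: The hunk converts the LINUXCONFIGFILE emptiness test to `-z` but leaves `if [ ! "${FIND}" = "" ]; then` on the very next line, and the grep pattern is an unquoted shell word. Both disappear if grep's exit status is used directly: `if ${GREPBINARY} -q "^CONFIG_GRKERNSEC=y" "${LINUXCONFIGFILE}"; then`, dropping the `FIND=` assignment. Note this only works when LINUXCONFIGFILE is plain text; if it can resolve to a compressed config such as /proc/config.gz (set elsewhere, not visible here), grep will never match and grsecurity is silently reported as absent.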
@@ -47,7 +49,7 @@ Display --indent 2 --text "- Checking Exim status" --result "${STATUS_RUNNING}" --color GREEN EXIM_RUNNING=1 SMTP_DAEMON="exim" - else + else LogText "Result: no running Exim processes found" Display --indent 2 --text "- Checking Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -62,15 +64,13 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Postfix status" # Some other processes also use master, therefore it should include both master and postfix - FIND1=`${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` - #FIND2=`${PSBINARY} ax | ${GREPBINARY} "qmgr" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` - #FIND3=`${PSBINARY} ax | ${GREPBINARY} "pickup" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` - if [ ! "${FIND1}" = "" ]; then + FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep") + if [ ! -z "${FIND1}" ]; then LogText "Result: found running Postfix process" Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN POSTFIX_RUNNING=1 SMTP_DAEMON="postfix" - else + else LogText "Result: no running Postfix processes found" Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE fi 
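Review bot: `${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` matches any process whose command line merely contains both words, so an unrelated process (or one deliberately named to look like Postfix) marks it as running, and removing the commented-out qmgr/pickup checks leaves this single substring match as the only evidence. The malware tests in this same commit use an `IsRunning` helper for process checks; if it matches on the executable name, `IsRunning master` combined with a check for the postfix path would be tighter, and at minimum `${GREPBINARY} -w "master"` avoids matching words that merely contain "master". The test's prerequisites are above the hunk.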
@@ -84,7 +84,7 @@ Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN - POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }'` + POSTFIX_CONFIGDIR=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }') POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf" LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}" LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}" @@ -135,7 +135,7 @@ DOVECOT_RUNNING=1 IMAP_DAEMON="dovecot" POP3_DAEMON="dovecot" - else + else LogText "Result: dovecot not found" Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -154,7 +154,7 @@ Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_RUNNING}" --color GREEN QMAIL_RUNNING=1 SMTP_DAEMON="qmail" - else + else LogText "Result: no running Qmail processes found" Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -173,7 +173,7 @@ Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_RUNNING}" --color GREEN SENDMAIL_RUNNING=1 SMTP_DAEMON="sendmail" - else + else LogText "Result: no running Sendmail processes found" Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE fi 
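Review bot: `POSTFIX_CONFIGDIR` is used unconditionally to build `POSTFIX_CONFIGFILE`, so if postconf fails (its stderr is discarded) or the grep yields nothing, the path silently becomes `/main.cf` and whatever checks follow below the hunk run against a non-existent file. Add a guard right after the assignment, e.g. `if [ -z "${POSTFIX_CONFIGDIR}" ]; then LogText "Result: could not determine Postfix config_directory"; fi`, and consider `${POSTCONFBINARY} -h config_directory 2> /dev/null`, which prints just the value instead of dumping every parameter and relying on field 3. Whether the surrounding test already tests `-f "${POSTFIX_CONFIGFILE}"` is not visible here.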
@@ -183,17 +183,17 @@ # # Test : MAIL-8920 # Description : Check OpenSMTPD process status - if [ ! "${SMTPCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" - FIND=`${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep"` + FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: found running smtpd process" Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN OPENSMTPD_RUNNING=1 SMTP_DAEMON="opensmtpd" - else + else LogText "Result: smtpd not found" Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE fi diff --git a/include/tests_malware b/include/tests_malware index 19523931..0cc9424f 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -41,13 +41,13 @@ Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence chkrootkit" - if [ ! "${CHKROOTKITBINARY}" = "" ]; then + if [ ! -z "${CHKROOTKITBINARY}" ]; then Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${CHKROOTKITBINARY}" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 Report "malware_scanner[]=chkrootkit" - else + else LogText "Result: chkrootkit not found" fi fi 
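Review bot: The prerequisite line is converted to `[ ! -z "${SMTPCTLBINARY}" ]` while `if [ ! "${FIND}" = "" ]; then` five lines later keeps the old form, so the hunk is inconsistent with the pattern the commit applies elsewhere; change it to `if [ ! -z "${FIND}" ]; then`. The egrep alternative `/smtpd` also matches any executable path ending in smtpd, which on a host that runs Postfix can be its own `smtpd` process when ps shows the full path; anchoring on `/smtpd$` or `/smtpd ` would narrow it, though the smtpctl prerequisite limits the exposure.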
@@ -59,13 +59,13 @@ Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence Rootkit Hunter" - if [ ! "${RKHUNTERBINARY}" = "" ]; then + if [ ! -z "${RKHUNTERBINARY}" ]; then Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${RKHUNTERBINARY}" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 Report "malware_scanner[]=rkhunter" - else + else LogText "Result: Rootkit Hunter not found" fi fi @@ -83,7 +83,7 @@ MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 Report "malware_scanner[]=lmd" - else + else LogText "Result: LMD not found" fi fi @@ -113,11 +113,11 @@ LogText "Test: checking process cma or cmdagent (McAfee)" # cma is too generic to match on, so we want to ensure that it is related to McAfee first if [ -x /opt/McAfee/cma/bin/cma ]; then - IsRunning cma - if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi - else - IsRunning cmdagent - if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi + IsRunning cma + if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi + else + IsRunning cmdagent + if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi fi if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then FOUND=1 @@ -167,7 +167,7 @@ MALWARE_SCANNER_INSTALLED=1 CLAMSCAN_INSTALLED=1 AddHP 2 2 - else + else LogText "Result: clamscan couldn't be found" fi fi @@ -185,7 +185,7 @@ LogText "Result: found running clamd process" MALWARE_SCANNER_INSTALLED=1 CLAMD_RUNNING=1 - else + else LogText "Result: clamd not running" fi fi 
@@ -204,7 +204,7 @@ Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found running freshclam process" AddHP 2 2 - else + else Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: freshclam is not running" ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database" @@ -218,14 +218,14 @@ if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav" if [ ${SKIPTEST} -eq 0 ]; then - CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan'` - if [ ! "${CLAMSCANBINARY}" = "" ]; then + CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan') + if [ ! -z "${CLAMSCANBINARY}" ]; then LogText "Result: Found ClamXav clamscan installed" Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN MALWARE_SCANNER_INSTALLED=1 CLAMSCAN_INSTALLED=1 AddHP 3 3 - else + else LogText "Result: ClamXav malware scanner not found" AddHP 0 3 fi diff --git a/include/tests_memory_processes b/include/tests_memory_processes index c767ddd0..a46650b0 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes 
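Review bot: `CLAMSCANBINARY=$(${LSBINARY} .../bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')` overwrites what looks like a global binary-location variable with a bare filename (ls prints names without the directory) and also matches entries such as `clamscan.bak`. If CLAMSCANBINARY is populated by the binary discovery elsewhere (not visible here), later callers could end up executing `clamscan` from PATH, or nothing at all. A direct test avoids both problems: `if [ -x /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan ]; then` with `CLAMSCANBINARY=/Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan` in the found branch.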
@@ -33,13 +33,13 @@ if [ -f /proc/meminfo ]; then LogText "Result: found /proc/meminfo" Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN - FIND=`${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo` - MEMORY_SIZE=`echo ${FIND} | ${AWKBINARY} '{ print $1 }'` - MEMORY_UNITS=`echo ${FIND} | ${AWKBINARY} '{ print $2 }'` + FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo) + MEMORY_SIZE=$(echo ${FIND} | ${AWKBINARY} '{ print $1 }') + MEMORY_UNITS=$(echo ${FIND} | ${AWKBINARY} '{ print $2 }') LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" Report "memory_size=${MEMORY_SIZE}" Report "memory_units=${MEMORY_UNITS}" - else + else LogText "Result: /proc/meminfo file not found on this system" fi fi @@ -48,17 +48,18 @@ # # Test : PROC-3604 # Description : Query /proc/meminfo + # Notes : TODO - prtconf replacement Register --test-no PROC-3604 --os Solaris --weight L --network NO --category security --description "Query prtconf for memory details" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching /usr/sbin/prtconf" if [ -x /usr/sbin/prtconf ]; then Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN - MEMORY_SIZE=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3` - MEMORY_UNITS=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4` + MEMORY_SIZE=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3) + MEMORY_UNITS=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4) LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" Report "memory_size=${MEMORY_SIZE}" Report "memory_units=${MEMORY_UNITS}" - else + else Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: /usr/sbin/prtconf not found" fi 
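Review bot: The header comment for PROC-3604 still reads `# Description : Query /proc/meminfo`, which is the description of the Linux test above it, while the Register line and the code query prtconf on Solaris; the newly added `# Notes : TODO - prtconf replacement` line now sits under that wrong description. Change it to `# Description : Query prtconf for memory details`, and if the TODO means replacing the hard-coded `/usr/sbin/prtconf` with a discovered binary variable, say so: `# Notes : TODO - use a discovered prtconf binary instead of the hard-coded /usr/sbin/prtconf`. Parsing the output with `${CUTBINARY} -d ' ' -f3` also depends on single spaces in the "Memory size:" line; awk field splitting would be more robust.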
@@ -73,14 +74,14 @@ Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "AIX" ]; then - FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs` - else - FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs` + FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY}) + else + FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY}) fi - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "Result: no zombie processes found" Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN - else + else LogText "Result: found one or more dead or zombie processes" LogText "Output: PIDs ${FIND}" Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_WARNING}" --color RED 
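Review bot: The pipeline now ends in `| ${XARGSBINARY}`; if binary discovery leaves that variable empty, the final stage expands to an empty command, FIND is empty, and the test reports "no zombie processes found" instead of failing visibly. xargs is only used here to join the PIDs onto one line, so the dependency can be dropped by letting awk do that: `${AWKBINARY} '{ if ($2 ~ /Z|X/) printf "%s ", $1 }'` in both the AIX and the generic branch. The warning branch continues below the hunk.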
@@ -97,14 +98,14 @@ Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "AIX" ]; then - FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs` - else - FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs` + FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY}) + else + FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY}) fi - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "Result: No processes were waiting for IO requests to be handled first" Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN - else + else LogText "Result: found one or more processes which were waiting to get IO requests handled first" LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured." LogText "Output: PIDs ${FIND}" diff --git a/include/tests_nameservices b/include/tests_nameservices index 4b4c2863..e7bb7800 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -27,10 +27,10 @@ ################################################################################# # BIND_RUNNING=0 - BIND_CONFIG_LOCS="/etc /etc/bind /usr/local/etc /usr/local/etc/namedb" + BIND_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/bind ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/namedb" BIND_CONFIG_LOCATION="" POWERDNS_RUNNING=0 - POWERDNS_CONFIG_LOCS="/etc/powerdns /usr/local/etc" + POWERDNS_CONFIG_LOCS="${ROOTDIR}etc/powerdns ${ROOTDIR}usr/local/etc" POWERDNS_AUTH_CONFIG_LOCATION="" POWERDNS_AUTH_MASTER=0 POWERDNS_AUTH_SLAVE=0 
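Review bot: `$2=="D"` is an exact match on the STAT column, but on Linux ps appends modifier characters to the state letter (`D+`, `Ds`, `DN`), so processes blocked in uninterruptible IO are frequently missed and the test reports OK. Use a prefix match, as the zombie test already does with a regex: `${AWKBINARY} '{ if ($2 ~ /^D/) print $1 }'` in both branches. If XARGSBINARY can be empty after discovery, the trailing `| ${XARGSBINARY}` also silently turns the result into an empty FIND; `printf "%s ", $1` in awk would remove that dependency.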
@@ -43,14 +43,14 @@ # Description : Check main domain (domain in /etc/resolv.conf) Register --test-no NAME-4016 --weight L --network NO --category security --description "Check /etc/resolv.conf default domain" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: check /etc/resolv.conf for default domain" - if [ -f /etc/resolv.conf ]; then - LogText "Result: /etc/resolv.conf found" - FIND=`${AWKBINARY} '/^domain/ { print $2 }' /etc/resolv.conf` - if [ "${FIND}" = "" ]; then + LogText "Test: check ${ROOTDIR}etc/resolv.conf for default domain" + if [ -f ${ROOTDIR}etc/resolv.conf ]; then + LogText "Result: ${ROOTDIR}etc/resolv.conf found" + FIND=$(${AWKBINARY} '/^domain/ { print $2 }' ${ROOTDIR}etc/resolv.conf) + if [ -z "${FIND}" ]; then LogText "Result: no default domain found" if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi - else + else LogText "Result: found default domain" LogText "Output: ${FIND}" Report "resolv_conf_domain=${FIND}" @@ -68,13 +68,13 @@ Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains" if [ ${SKIPTEST} -eq 0 ]; then N=0 - LogText "Test: check /etc/resolv.conf for search domains" - if [ -f /etc/resolv.conf ]; then - LogText "Result: /etc/resolv.conf found" - FIND=`${AWKBINARY} '/^search/ { print $2 }' /etc/resolv.conf` - if [ "${FIND}" = "" ]; then + LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains" + if [ -f ${ROOTDIR}etc/resolv.conf ]; then + LogText "Result: ${ROOTDIR}etc/resolv.conf found" + FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf) + if [ -z "${FIND}" ]; then LogText "Result: no search domains found, default domain is being used" - else + else for I in ${FIND}; do LogText "Found search domain: ${I}" Report "resolv_conf_search_domain[]=${I}" 
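Review bot: `'/^search/ { print $2 }'` emits only the first domain of a search line, but resolv.conf lists all search domains on one line, so the loop counts at most one entry per line and the "more than 6 search domains" warning further down can never fire from a normal configuration. Print every field after the keyword: `FIND=$(${AWKBINARY} '/^search/ { for (i = 2; i <= NF; i++) print $i }' ${ROOTDIR}etc/resolv.conf)`. The counting and the threshold check continue below the hunk.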
@@ -85,25 +85,25 @@ LogText "Result: Found ${N} search domains" Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW ReportWarning ${TEST_NO} "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers" - else + else LogText "Result: Found ${N} search domains" Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN fi fi - else - LogText "Result: /etc/resolv.conf does not exist, skipping test" + else + LogText "Result: ${ROOTDIR}etc/resolv.conf does not exist, skipping test" Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW fi # Check amount of search domains (max 1) - FIND=`${GREPBINARY} -c "^search" /etc/resolv.conf` - if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then - LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" - Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW - ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" - else - LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" - fi + FIND=$(${GREPBINARY} -c "^search" ${ROOTDIR}etc/resolv.conf) + if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then + LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" + Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW + ReportWarning ${TEST_NO} "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" + else + LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" + fi fi # ################################################################################# 
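Review bot: The `grep -c "^search"` count runs after the `if [ -f ... ]` block has closed, so when resolv.conf is absent grep prints an error and nothing on stdout, FIND is empty, and the `! "${FIND}" = "0" -a ! "${FIND}" = "1"` condition is true, producing a "CONFIG ERROR" warning about a file the test just logged as non-existent. Guard it, e.g. `if [ -f ${ROOTDIR}etc/resolv.conf ]; then FIND=$(${GREPBINARY} -c "^search" ${ROOTDIR}etc/resolv.conf); else FIND=0; fi`, or move the block inside the existing `-f` branch. The ReportWarning text also still names `/etc/resolv.conf` while the file checked is `${ROOTDIR}etc/resolv.conf`.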
@@ -112,14 +112,14 @@ # Description : Check non default resolv.conf options Register --test-no NAME-4020 --weight L --network NO --category security --description "Check non default options" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: check /etc/resolv.conf for non default options" - if [ -f /etc/resolv.conf ]; then - LogText "Result: /etc/resolv.conf found" - FIND=`${GREPBINARY} "^options" /etc/resolv.conf | ${AWKBINARY} '{ print $2 }'` + LogText "Test: check ${ROOTDIR}etc/resolv.conf for non default options" + if [ -f ${ROOTDIR}etc/resolv.conf ]; then + LogText "Result: ${ROOTDIR}etc/resolv.conf found" + FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }') if [ "${FIND}" = "" ]; then LogText "Result: no specific other options configured in /etc/resolv.conf" if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi - else + else for I in ${FIND}; do LogText "Found option: ${I}" Report "resolv_conf_option[]=${I}" @@ -128,7 +128,7 @@ done Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN fi - else + else LogText "Result: /etc/resolv.conf not found, test skipped" Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NOT_FOUND}" --color YELLOW fi @@ -140,7 +140,7 @@ # Description : Check Solaris uname -n output Register --test-no NAME-4024 --os Solaris --weight L --network NO --category security --description "Solaris uname -n output" if [ ${SKIPTEST} -eq 0 ]; then - FIND=`uname -n` + FIND=$(${UNAMEBINARY} -n) LogText "Result: 'uname -n' returned ${FIND}" Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN fi 
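Review bot: `${GREPBINARY} "^options" ... | ${AWKBINARY} '{ print $2 }'` keeps only the first option of each `options` line, so `options rotate timeout:1 attempts:2` is reported as the single option `rotate` and the remaining settings never reach the report. Print all fields after the keyword: `FIND=$(${AWKBINARY} '/^options/ { for (i = 2; i <= NF; i++) print $i }' ${ROOTDIR}etc/resolv.conf)`. The `if [ "${FIND}" = "" ]` below it and the two messages naming `/etc/resolv.conf` were also left in the old form while the rest of the hunk was converted.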
@@ -158,7 +158,7 @@ FIND=`cat /etc/nodename` LogText "Output: ${FIND}" Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN - else + else LogText "Result: file /etc/nodename could not be found" Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW fi @@ -189,24 +189,24 @@ LogText "Test: Checking if dnsdomainname command is available" if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then - FIND2=`${DNSDOMAINNAMEBINARY} 2> /dev/null` + FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null) if [ ! "${FIND2}" = "" ]; then LogText "Result: dnsdomainname command returned a value" LogText "Found domain name: ${FIND2}" DOMAINNAME="${FIND2}" - else + else LogText "Result: dnsdomainname command returned no value" fi - else + else LogText "Result: dnsdomainname binary not found, skip specific test" fi # If files and commands can't be found, use defined value from resolv.conf - if [ "${DOMAINNAME}" = "" ]; then - if [ ! "${RESOLV_DOMAINNAME}" = "" ]; then - LogText "Result: using domain name from /etc/resolv.conf" + if [ -z "${DOMAINNAME}" ]; then + if [ ! -z "${RESOLV_DOMAINNAME}" ]; then + LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf" DOMAINNAME=${RESOLV_DOMAINNAME} - else + else LogText "Result: using domain name from FQDN hostname" #DOMAINNAME=${FQDN#${HOSTNAME}.} DOMAINNAME=`echo ${FQDN} | ${CUTBINARY} -d . -f2-` @@ -218,7 +218,7 @@ Report "domainname=${DOMAINNAME}" Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN Display --indent 6 --text "Domain name: ${DOMAINNAME}" - else + else Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name" fi 
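Review bot: In the fallback branch `DOMAINNAME=`echo ${FQDN} | ${CUTBINARY} -d . -f2-`` still uses backticks, and more importantly cut without `-s` prints a line unchanged when it contains no delimiter, so a bare hostname with no dot is reported as the domain name. Use `DOMAINNAME=$(echo "${FQDN}" | ${CUTBINARY} -s -d . -f2-)` so an unqualified hostname yields an empty DOMAINNAME and reaches the unknown branch below the hunk. The `if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]` and `if [ ! "${FIND2}" = "" ]` tests at the top of the hunk were also left in the old form.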
@@ -236,7 +236,7 @@ NAME_CACHE_USED=1 LogText "Result: nscd is running" Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN - else + else LogText "Result: nscd is not running" if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi @@ -255,10 +255,10 @@ NAME_CACHE_USED=1 LogText "Result: Unbound daemon is running" Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_RUNNING}" --color GREEN - else + else LogText "Result: Unbound daemon is not running" if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi - fi + fi fi # ################################################################################# @@ -277,7 +277,7 @@ UNBOUND_CONFIG_OK=1 LogText "Result: Configuration is fine" Display --indent 2 --text "- Checking configuration file" --result "${STATUS_OK}" --color GREEN - else + else LogText "Result: Unbound daemon is not running" Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW ReportWarning "${TEST_NO}" "Found Unbound configuration file issues (run unbound-checkconf)" @@ -299,7 +299,7 @@ LogText "Result: found BIND process" Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN BIND_RUNNING=1 - else + else LogText "Result: BIND not running" if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi @@ -321,7 +321,7 @@ done if [ ! -z "${BIND_CONFIG_LOCATION}" ]; then Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN - else + else Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi 
@@ -370,7 +370,7 @@ LogText "Result: no useful information in banner found" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN AddHP 2 2 - else + else LogText "Result: possible BIND version available in version banner" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "Found BIND version in banner" @@ -434,7 +434,7 @@ done if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN - else + else Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi @@ -456,13 +456,13 @@ Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS backends" - FIND=`${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}` - if [ ! "${FIND}" = "" ]; then + FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}) + if [ ! -z "${FIND}" ]; then for I in ${FIND}; do LogText "Found backend: ${I}" done Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: no PowerDNS backends found" Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_NOT_FOUND}" --color YELLOW fi 
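Review bot: `'/^launch/ { print $2 }'` with `-F=` treats the whole right-hand side as one backend, but PowerDNS accepts a comma-separated list such as `launch=gmysql,bind` (and `launch+=` lines), so a multi-backend configuration is logged as a single odd-looking entry. Splitting the value before the loop, `FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' "${POWERDNS_AUTH_CONFIG_LOCATION}" | ${TRBINARY} ',' ' ')`, reports each backend on its own line. Quoting the path is advisable since it comes from the configuration search above the hunk.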
@@ -472,26 +472,26 @@ # # Test : NAME-4238 # Description : Check PowerDNS authoritive status - if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking for PowerDNS master status" - FIND=`${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` - if [ ! "${FIND}" = "" ]; then + FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) + if [ ! -z "${FIND}" ]; then LogText "Found master=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritive master: YES" POWERDNS_AUTH_MASTER=1 - else + else LogText "Result: most likely not master (no master=yes)" Display --indent 4 --text "- PowerDNS authoritive master: NO" fi LogText "Test: Checking for PowerDNS slave status" - FIND=`${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` - if [ ! "${FIND}" = "" ]; then + FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}) + if [ ! -z "${FIND}" ]; then LogText "Found slave=yes in configuration file" Display --indent 4 --text "- PowerDNS authoritive slave: YES" POWERDNS_AUTH_SLAVE=1 - else + else LogText "Result: most likely not slave (no slave=yes)" Display --indent 4 --text "- PowerDNS authoritive slave: NO" fi 
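Review bot: `${GREPBINARY} "^master=yes"` only matches that exact spelling, so `master = yes` or a trailing comment, which the PowerDNS parser tolerates as far as I know (hedged), leaves the server reported as "authoritive master: NO". A whitespace-tolerant, status-based test also removes the intermediate variable: `if ${GREPBINARY} -E -q "^[[:space:]]*master[[:space:]]*=[[:space:]]*yes" "${POWERDNS_AUTH_CONFIG_LOCATION}"; then`, and the same for `slave`. The prerequisite line still uses the deprecated `-a` inside `[ ]`; `[[ ... && ... ]]` or two nested tests would be clearer.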
@@ -531,56 +531,56 @@ Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking `domainname` for NIS domain value" - FIND=`${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)"` - if [ ! "${FIND}" = "" ]; then + FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)") + if [ ! -z "${FIND}" ]; then LogText "Value: ${FIND}" NISDOMAIN="${FIND}" - else + else LogText "Result: no NIS domain found in command output" fi # Solaris / Linux style - LogText "Test: Checking file /etc/defaultdomain" - if [ -f /etc/defaultdomain ]; then - LogText "Result: file /etc/defaultdomain exists" - FIND2=`cat /etc/defaultdomain` - if [ ! "${FIND2}" = "" ]; then + LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain" + if [ -f ${ROOTDIR}etc/defaultdomain ]; then + LogText "Result: file ${ROOTDIR}etc/defaultdomain exists" + FIND2=`cat ${ROOTDIR}etc/defaultdomain` + if [ ! -z "${FIND2}" ]; then LogText "Output: ${FIND2}" NISDOMAIN="${FIND2}" - else + else LogText "Result: no NIS domain found in file" fi fi # Red Hat style - LogText "Test: checking /etc/sysconfig/network" - if [ -f /etc/sysconfig/network ]; then - LogText "Result: file /etc/sysconfig/network exists" + LogText "Test: checking ${ROOTDIR}etc/sysconfig/network" + if [ -f ${ROOTDIR}etc/sysconfig/network ]; then + LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists" LogText "Test: checking NISDOMAIN value in file" - FIND3=`${GREPBINARY} "^NISDOMAIN" /etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g'` - if [ ! "${FIND3}" = "" ]; then + FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g') + if [ ! 
-z "${FIND3}" ]; then LogText "Found NIS domain: ${FIND3}" NISDOMAIN="${FIND3}" - else + else LogText "Result: No NIS domain found in file" fi - else - LogText "Result: file /etc/sysconfig/network does not exist" + else + LogText "Result: file ${ROOTDIR}etc/sysconfig/network does not exist" fi if [ ! "${SYSCTLBINARY}" = "" ]; then # Check sysctl (e.g. FreeBSD) LogText "Test: checking sysctl for kern.domainname" - FIND=`${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$"` + FIND=$(${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$") if [ ! "${FIND}" = "" ]; then LogText "Result: found NIS domain via sysctl" NISDOMAIN="${FIND}" fi fi # Check if we found any NIS domain - if [ ! "${NISDOMAIN}" = "" ]; then + if [ ! -z "${NISDOMAIN}" ]; then LogText "Found NIS domain: ${NISDOMAIN}" Report "nisdomain=${NISDOMAIN}" Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN - else + else LogText "Result: No NIS domain found" Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_UNKNOWN}" --color YELLOW fi 
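Review bot: The new assignment that reads ${ROOTDIR}etc/defaultdomain still uses backtick substitution while every other capture rewritten in this hunk moved to `$(...)`; for consistency it should read `FIND2=$(cat ${ROOTDIR}etc/defaultdomain)`. While here, the unchanged LogText line at the top of the hunk ("Test: Checking `domainname` for NIS domain value") has its backticks inside a double-quoted string, so the shell executes `domainname` and splices its output into the log message instead of printing the literal word; writing the word in single quotes or without backticks gives the intended text. The `${ROOTDIR}etc/...` paths added to the `-f` tests and to the grep arguments are unquoted, so a ROOTDIR containing whitespace word-splits; `"${ROOTDIR}etc/defaultdomain"` is the safer form.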
@@ -588,31 +588,29 @@ # ################################################################################# # - if [ -f /etc/hosts ]; then - Display --indent 2 --text "- Checking /etc/hosts" - fi + if [ -f ${ROOTDIR}etc/hosts ]; then Display --indent 2 --text "- Checking ${ROOTDIR}etc/hosts"; fi # Test : NAME-4402 # Description : Check /etc/hosts configuration Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: check duplicate line in /etc/hosts" - if [ -f /etc/hosts ]; then - sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | uniq -d` + LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts" + if [ -f ${ROOTDIR}etc/hosts ]; then + sFIND=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | ${UNIQBINARY} -d) if [ "${sFIND}" = "" ]; then LogText "Result: OK, no duplicate lines found" - Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN - else + Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN + else LogText "Found duplicate line: ${sFIND}" LogText "Result: found duplicate line" - Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts" + Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts" fi else - LogText "Result: /etc/hosts not found, test skipped" + LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped" Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW fi - fi + fi # 
 #################################################################################
 #
@@ -623,7 +621,7 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check /etc/hosts contains an entry for this server name"
 if [ -f /etc/hosts ]; then
- sFIND=`${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME}`
+ sFIND=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
 if [ "${sFIND}" != "" ]; then
 LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
 Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN
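Review bot: In the NAME-4402 hunk (@@ -588) an empty `sFIND` is read as "no duplicates" even when the rewritten pipeline fails: the line now relies on `${UNIQBINARY}`, nothing in the hunk guards against it being empty, and egrep/awk errors go to the terminal while the test still reports `${STATUS_OK}` and logs "OK, no duplicate lines found". Checking the tool and the file's readability before the pipeline, and sending the pipeline's stderr to `/dev/null` only after that check, keeps a tooling failure from scoring as a pass. The path `${ROOTDIR}etc/hosts` is passed unquoted to `-f` and to egrep; `"${ROOTDIR}etc/hosts"` is safer if ROOTDIR can contain whitespace.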
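Review bot: The NAME-4404 hunk (@@ -623) still hardcodes `/etc/hosts` in the `-f` check, the egrep input and the log text, while the preceding hunk converted the same file to `${ROOTDIR}etc/hosts`; when ROOTDIR points at a mounted image the two tests now inspect different files, and the unchanged sFIND line in hunk @@ -645 has the same gap. Separately, `${GREPBINARY} -i ${HOSTNAME}` passes the hostname unquoted as a regex, so dots match any character and an empty HOSTNAME leaves grep without a pattern argument; `${GREPBINARY} -i -F -- "${HOSTNAME}"` matches it literally. The enclosing test block starts and ends outside the hunk.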
@@ -645,15 +643,15 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check server hostname not locally mapped in /etc/hosts"
 sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}`
- if [ ! "${sFIND}" = "" ]; then
- LogText "Result: Found this server hostname mapped to a local address"
- LogText "Output: ${sFIND}"
- Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
- LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
- ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
+ if [ ! "${sFIND}" = "" ]; then
+ LogText "Result: Found this server hostname mapped to a local address"
+ LogText "Output: ${sFIND}"
+ Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW
+ LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
+ ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
 else
- LogText "Result: this server hostname is not mapped to a local address"
- Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: this server hostname is not mapped to a local address"
+ Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN
 fi
 fi
 #
diff --git a/include/tests_networking b/include/tests_networking
index 608a28e3..9c890128 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -246,7 +246,7 @@
 N=$((N + 1))
 Report "network_interface[]=${I}"
 done
- else
+ else
 ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
 fi
 fi
@@ -268,7 +268,7 @@
 Linux)
 if [ ! "${IFCONFIGBINARY}" = "" ]; then
 FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | ${AWKBINARY} '{ if ($4=="HWaddr") print $5 }' | ${SORTBINARY} -u`
- else
+ else
 if [ ! "${IPBINARY}" = "" ]; then
 LogText "Test: Using ip binary to gather hardware addresses"
 FIND=`${IPBINARY} link | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'`
@@ -323,12 +323,12 @@
 FIND=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet") print $2 }' | ${CUTBINARY} -d ':' -f2`
 # Version which works for multiple types of ifconfig (e.g. Slackware)
 FIND2=`${IFCONFIGBINARY} -a | ${AWKBINARY} '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
- else
+ else
 if [ ! "${IPBINARY}" = "" ]; then
 LogText "Test: Using ip binary to gather IP addresses"
 FIND=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | ${SEDBINARY} 's/\/.*//'`
 FIND2=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | ${SEDBINARY} 's/\/.*//'`
- else
+ else
 ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
 fi
 fi
@@ -547,23 +547,6 @@
 # Description : Checking multipath configuration (Solaris)
 #
 #################################################################################
-#
- # Test : NETW-3024
- # Description : Netstat/socktstat compare (FreeBSD)
- # echo -n " - Comparing output sockstat and netstat"
- # LogText "Comparing output of sockstat and netstat"
- # NETSTATOUTPUT=`netstat -an | ${GREPBINARY} -v 'TIME_WAIT' | ${GREPBINARY} -v 'ESTABLISHED' | ${GREPBINARY} -v 'SYN_SENT' | ${GREPBINARY} -v 'CLOSE_WAIT' | ${GREPBINARY} -v 'LAST_ACK' | ${GREPBINARY} -v 'SYN_RECV' | ${GREPBINARY} -v 'CLOSING' | ${CUTBINARY} -c 1-44 | ${GREPBINARY} '*.' | ${CUTBINARY} -c 24-32 | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v '*' | ${SORTBINARY} -u`
- #
- # if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
- # ShowResult OK
- # else
- # echo "[ ${BAD}Warning!${NORMAL} ]"
- # LogText "WARNING!"
- # LogText "Sockstat tested output: ${SOCKSTAT}"
- # LogText "Netstat tested output: ${NETSTAT}"
- # fi
-#
-#################################################################################
 #
 # Test : NETW-3028
 # Description : Checking for many waiting connections
@@ -573,13 +556,13 @@
 Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Using netstat for check for connections in WAIT state"
- FIND=`${NETSTATBINARY} -an | ${GREPBINARY} WAIT | wc -l | ${AWKBINARY} '{ print $1 }'`
- if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
+ FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
+ if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
 LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
 if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
 Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW
 ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
- else
+ else
 Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN
 LogText "Result: ${FIND} connections are in WAIT state"
 fi
@@ -595,7 +578,7 @@
 if [ ${RUNNING} -eq 1 ]; then
 Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
 DHCP_CLIENT_RUNNING=1
- else
+ else
 Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
 fi
 fi
@@ -607,7 +590,7 @@
 Register --test-no NETW-3032 --os Linux --weight L --network NO --category security --description "Checking for ARP monitoring software"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
-
+
 # arpwatch
 IsRunning arpwatch
 if [ ${RUNNING} -eq 1 ]; then
@@ -615,7 +598,7 @@
 ARPWATCH_RUNNING=1
 Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN
 fi
-
+
 # arpon
 IsRunning arpon
 if [ ${RUNNING} -eq 1 ]; then
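Review bot: The rewritten count line in NETW-3028 now depends on `${WCBINARY}`, but nothing in the hunk checks that it is set and the test's prerequisite line is above the hunk; if it is empty the pipeline yields an empty `FIND` and the unchanged `if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]` aborts with a `test` error instead of reporting the problem. `OPTIONS_CONN_MAX_WAIT_STATE` arrives from the profile and is used unvalidated in the same `-gt`, so a non-numeric profile value fails the same way. A numeric guard before the comparison covers both, for instance `case "${FIND}" in ''|*[!0-9]*) ReportException "${TEST_NO}:1" "Could not count connections in WAIT state"; FIND=0 ;; esac` with the same pattern applied to the configured maximum. Adding `${WCBINARY}` to the prerequisite check would address the root cause.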
diff --git a/include/tests_php b/include/tests_php index 7e6c548b..6f447b96 100644 --- a/include/tests_php +++ b/include/tests_php @@ -40,6 +40,8 @@ PHPINIDIRS="/etc/php5/conf.d \ /etc/php.d" + + PHPVERSION="" # ################################################################################# # @@ -93,26 +95,26 @@ # # Test : PHP-2320 # Description : Check php disable functions option - if [ ! "${PHPINI_ALLFILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 for I in ${PHPINI_ALLFILES}; do LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}" - FIND=`${GREPBINARY} "^disable_functions.*=" ${I}` - if [ "${FIND}" = "" ]; then - LogText "Result: ${I}: disabled_functions not found" + FIND=$(${GREPBINARY} "^disable_functions.*=" ${I}) + if [ -z "${FIND}" ]; then + LogText "Result: ${I}: disabled_functions not found" else - LogText "Result: ${I}: found disabled_functions" - FOUND=1 + LogText "Result: ${I}: found disabled_functions" + FOUND=1 fi - FIND=`${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I}` - if [ "${FIND}" = "" ]; then - LogText "Result: ${I}: suhosin.executor.func.blacklist not found" + FIND=$(${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I}) + if [ -z "${FIND}" ]; then + LogText "Result: ${I}: suhosin.executor.func.blacklist not found" else - LogText "Result: ${I}: found suhosin.executor.func.blacklist" - FOUND=1 + LogText "Result: ${I}: found suhosin.executor.func.blacklist" + FOUND=1 fi done if [ ${FOUND} -eq 0 ]; then 
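Review bot: In PHP-2320 the rewritten grep `"^disable_functions.*="` only establishes that the directive is present, not that it lists anything: a line such as `disable_functions =` with an empty value — which, as far as I recall, is what the stock php.ini-production ships — still sets `FOUND=1`, and the test then reports "one or more PHP functions are disabled/blacklisted" and awards points for hardening that is not in effect. Requiring a non-blank value after the `=` closes the gap: `FIND=$(${GREPBINARY} "^disable_functions[[:space:]]*=[[:space:]]*[^[:space:]]" ${I})`, and the `suhosin.executor.func.blacklist=` grep a few lines below has the same weakness. `${I}` is passed unquoted to grep in both calls. The `if [ ${FOUND} -eq 0 ]` branch that consumes FOUND continues past the end of the hunk.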
@@ -121,7 +123,7 @@
 ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
 LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
 AddHP 0 1
- else
+ else
 LogText "Result: one or more PHP functions are disabled/blacklisted"
 Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN
 AddHP 3 3
@@ -133,34 +135,34 @@ # Test : PHP-2368 # Description : Check php register_globals option # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) - if [ ! "${PHPINIFILE}" = "" -a ! "${PHPVERSION}" = "" -a ! "${EGREPBINARY}" = "" ]; then + if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then if [ -f "${PHPINIFILE}" ]; then - FIND=`echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])"` + FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])") if [ "${FIND}" = "" ]; then PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals" - else + else PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan" fi - else + else Debug "File php.ini (${PHPINIFILE}) not found" fi else - PREQS_MET="NO" - Debug "Skipping test: php.ini not found, or PHP version empty" - Debug "php.ini: ${PHPINIFILE}" - Debug "version: ${PHPVERSION}" + PREQS_MET="NO" + Debug "Skipping test: php.ini not found, or PHP version empty" + Debug "php.ini: ${PHPINIFILE}" + Debug "version: ${PHPVERSION}" fi Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP register_globals option" - FIND=`${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` + FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ ! 
"${FIND}" = "" ]; then Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off" LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting." AddHP 1 2 - else + else Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value." ReportManual ${TEST_NO}:01 @@ -177,19 +179,19 @@ Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking expose_php option" - FIND=`${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` - if [ "${FIND}" = "" ]; then + FIND=$(${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off" Report "Result: expose_php option is turned on, which can expose useful information for an attacker" AddHP 1 2 - else + else Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN LogText "Result: Found 'expose_php' in disabled state (0, no, or off)" AddHP 2 2 fi - #YYY Check through all files + # TODO Check through all files fi # ################################################################################# 
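Review bot: In the rewritten register_globals capture, and in the expose_php capture of hunk @@ -177, the comment filter `${GREPBINARY} -v '^;'` only drops lines whose `;` is in column 0, so an indented commented-out entry such as `  ;register_globals = On` survives the filter and is reported as the active setting — a false warning here, and for expose_php a false "disabled" verdict. `${GREPBINARY} -v '^[[:space:]]*;'` handles both, and the same pattern is introduced in hunks @@ -223 (allow_url_fopen) and @@ -242 (allow_url_include). The version pre-check `${EGREPBINARY} "^(4.|5.[0-3])"` leaves its dots unescaped; `"^(4\.|5\.[0-3])"` states the intent exactly. `${PHPINIFILE}` is passed to egrep unquoted on each of these lines.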
@@ -207,7 +209,7 @@
 Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
 ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
 AddHP 0 1
- else
+ else
 Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
 LogText "Result: Found 'enable_dl' in disabled state (not present, 0, no, or off)"
 AddHP 2 2
@@ -223,18 +225,18 @@
 Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking PHP allow_url_fopen option"
- FIND=`${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+ if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
 LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
 ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
 AddHP 0 1
- else
+ else
 Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
 LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
 AddHP 2 2
 fi
- #YYY Check through all files
+ # TODO Check through all files
 fi
 #
 #################################################################################
@@ -242,17 +244,17 @@
 # Test : PHP-2378
 # Description : Check PHP allow_url_include option
 # Notes : Extend test to check all PHP files YYY
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking PHP allow_url_include option"
- FIND=`${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'`
- if [ "${FIND}" = "" ]; then
+ FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+ if [ -z "${FIND}" ]; then
 Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
 Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
 ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
 AddHP 0 1
- else
+ else
 Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
 LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
 AddHP 2 2
diff --git a/include/tests_snmp b/include/tests_snmp
index ae2fa62f..ae2eb18a 100644
--- a/include/tests_snmp
+++ b/include/tests_snmp
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
- SNMP_DAEMON_CONFIG_LOCS="/etc/snmp"
+ SNMP_DAEMON_CONFIG_LOCS="${ROOTDIR}etc/snmp"
 SNMP_DAEMON_CONFIG=""
 SNMP_DAEMON_RUNNING=0
 #
@@ -41,7 +41,7 @@
 SNMP_DAEMON_RUNNING=1
 LogText "Result: SNMP daemon is running"
 Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN
- else
+ else
 LogText "Result: No running SNMP daemon found"
 Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
 fi
@@ -57,15 +57,15 @@
 LogText "Test: searching for snmpd.conf file"
 for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
 if [ -f "${I}/snmpd.conf" ]; then
- LogText "Result: ${I}/snmpd.conf exists"
- SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
+ LogText "Result: ${I}/snmpd.conf exists"
+ SNMP_DAEMON_CONFIG="${I}/snmpd.conf"
 fi
 done
- if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
+ if [ -z "${SNMP_DAEMON_CONFIG}" ]; then
 LogText "Result: No snmpd configuration found"
 Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
- else
- LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
+ else
+ LogText "Restult: using last found configuration file: ${SNMP_DAEMON_CONFIG}"
 Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_FOUND}" --color GREEN
 fi
 fi
@@ -74,12 +74,12 @@
 #
 # Test : SNMP-3306
 # Description : Determine SNMP communities
- if [ ! "${SNMPD_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! "${SNMP_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
 if [ ${SKIPTEST} -eq 0 ]; then
 WARN=0
 LogText "Test: reading active snmp communities"
- FIND=`${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMPD_DAEMON_CONFIG}`
+ FIND=$(${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMP_DAEMON_CONFIG})
 for I in ${FIND}; do
 LogText "Output: ${I}"
 if [ "${I}" = "public" -o "${I}" = "private" ]; then
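Review bot: The rewritten log line in hunk @@ -57 keeps the misspelling in `LogText "Restult: using last found configuration file: ${SNMP_DAEMON_CONFIG}"`; since the line is already being touched for the variable rename, `LogText "Result: using last found configuration file: ${SNMP_DAEMON_CONFIG}"` would align it with the other "Result:" messages in this file. The loop above it overwrites SNMP_DAEMON_CONFIG on every match, so with several candidate directories only the last file is handed to SNMP-3306; the message says so, but a Debug line per skipped candidate would make that visible in the log.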
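Review bot: In hunk @@ -74, `LogText "Output: ${I}"` inside the loop writes every SNMP community string read from snmpd.conf into the Lynis log; community strings are authentication secrets, so the log and any report bundle built from it now persist credentials for the audited host. Logging only the verdict — `LogText "Output: found community definition (value not logged)"` — and keeping the public/private comparison preserves the finding without storing the secret. The rewritten awk reads only `com2sec` lines; the `rocommunity`/`rwcommunity` shorthand directives that net-snmp also accepts are not parsed, so a configuration that uses only `rocommunity public` passes this test unnoticed. The rest of the loop and the WARN evaluation are outside the hunk.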
@@ -93,7 +93,7 @@
 if [ ${WARN} -eq 0 ]; then
 Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_OK}" --color GREEN
 AddHP 2 2
- else
+ else
 Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED
 ReportWarning ${TEST_NO} "Found easy guessable SNMP community string"
 fi