tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-27 15:54:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

Code cleanups and generic enhancements

Browse Source
This commit is contained in:
Michael Boelen 2016-09-10 16:12:44 +02:00
parent 2534fb99a9
commit 903016df36
19 changed files with 458 additions and 474 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
include/tests_databases
View File

@ -23,9 +23,9 @@
################################################################################# #################################################################################
# #
# Paths to DATADIR # Paths to DATADIR
sMYSQLDBPATHS="/var/lib/mysql" sMYSQLDBPATHS="${ROOTDIR}var/lib/mysql"
# Paths to my.cnf # Paths to my.cnf
sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf" sMYCNFLOCS="${ROOTDIR}etc/mysql/my.cnf ${ROOTDIR}usr/etc/my.cnf"
REDIS_CONFIGURATION_FILES="" REDIS_CONFIGURATION_FILES=""
REDIS_CONFIGURATION_FOUND=0 REDIS_CONFIGURATION_FOUND=0
# #
@ -75,7 +75,7 @@
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password" Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to login to local MySQL server without password" LogText "Test: Trying to login to local MySQL server without password"
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?` FIND=$(${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!" LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "No MySQL root password set" ReportWarning ${TEST_NO} "No MySQL root password set"
@ -122,7 +122,7 @@
# reco: recovery (optional) # reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes" Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep"` FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: Oracle process(es) not active" LogText "Result: Oracle process(es) not active"
@ -193,7 +193,7 @@
FOUND=0 FOUND=0
for DIR in ${PATHS}; do for DIR in ${PATHS}; do
LogText "Action: scanning directory (${DIR}) for Redis configuration files" LogText "Action: scanning directory (${DIR}) for Redis configuration files"
FILES=$(ls ${DIR}/*.conf 2> /dev/null) FILES=$(${LSBINARY} ${DIR}/*.conf 2> /dev/null)
if [ ! -z "${FILES}" ]; then if [ ! -z "${FILES}" ]; then
for CONFFILE in ${FILES}; do for CONFFILE in ${FILES}; do
if FileIsReadable ${CONFFILE}; then if FileIsReadable ${CONFFILE}; then
@ -222,7 +222,7 @@
fi fi
done done
# Sort the list of discovered configuration files so we can make them unique # Sort the list of discovered configuration files so we can make them unique
REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | uniq | ${TRBINARY} '\n' ' ') REDIS_CONFIGURATION_FILES=$(echo ${REDIS_CONFIGURATION_FILES} | ${SEDBINARY} 's/^ //' | ${TRBINARY} ' ' '\n' | ${SORTBINARY} | ${UNIQBINARY} | ${TRBINARY} '\n' ' ')
for FILE in ${REDIS_CONFIGURATION_FILES}; do for FILE in ${REDIS_CONFIGURATION_FILES}; do
if IsWorldReadable ${FILE}; then if IsWorldReadable ${FILE}; then
LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!" LogText "Result: configuration file ${FILE} is world readable, this might leak sensitive information!"

26
include/tests_file_integrity
View File

@ -18,7 +18,8 @@
# #
################################################################################# #################################################################################
# #
CSF_CONFIG="/etc/csf/csf.conf" AIDECONFIG=""
CSF_CONFIG="${ROOTDIR}etc/csf/csf.conf"
FILE_INT_TOOL="" FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
# #
@ -34,7 +35,7 @@
Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability" Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AFICK binary" LogText "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then if [ ! -z "${AFICKBINARY}" ]; then
LogText "Result: AFICK is installed (${AFICKBINARY})" LogText "Result: AFICK is installed (${AFICKBINARY})"
Report "file_integrity_tool[]=afick" Report "file_integrity_tool[]=afick"
FILE_INT_TOOL="afick" FILE_INT_TOOL="afick"
@ -53,7 +54,7 @@
Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability" Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AIDE binary" LogText "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then if [ ! -z "${AIDEBINARY}" ]; then
LogText "Result: AIDE is installed (${AIDEBINARY})" LogText "Result: AIDE is installed (${AIDEBINARY})"
Report "file_integrity_tool[]=aide" Report "file_integrity_tool[]=aide"
FILE_INT_TOOL="aide" FILE_INT_TOOL="aide"
@ -80,7 +81,8 @@
AIDECONFIG="${I}/aide.conf" AIDECONFIG="${I}/aide.conf"
fi fi
done done
if [ "${AIDECONFIG}" = "" ]; then
if [ -z "${AIDECONFIG}" ]; then
Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color YELLOW
else else
LogText "Checking configuration file ${AIDECONFIG} for errors" LogText "Checking configuration file ${AIDECONFIG} for errors"
@ -101,7 +103,7 @@
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability" Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Osiris binary" LogText "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then if [ ! -z "${OSIRISBINARY}" ]; then
LogText "Result: Osiris is installed (${OSIRISBINARY})" LogText "Result: Osiris is installed (${OSIRISBINARY})"
Report "file_integrity_tool[]=osiris" Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris" FILE_INT_TOOL="osiris"
@ -120,7 +122,7 @@
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability" Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Samhain binary" LogText "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then if [ ! -z "${SAMHAINBINARY}" ]; then
LogText "Result: Samhain is installed (${SAMHAINBINARY})" LogText "Result: Samhain is installed (${SAMHAINBINARY})"
Report "file_integrity_tool[]=samhain" Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain" FILE_INT_TOOL="samhain"
@ -139,7 +141,7 @@
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability" Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Tripwire binary" LogText "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then if [ ! -z "${TRIPWIREBINARY}" ]; then
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})" LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
Report "file_integrity_tool[]=tripwire" Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire" FILE_INT_TOOL="tripwire"
@ -179,7 +181,7 @@
Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability" Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking mtree binary" LogText "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then if [ ! -z "${MTREEBINARY}" ]; then
LogText "Result: mtree is installed (${MTREEBINARY})" LogText "Result: mtree is installed (${MTREEBINARY})"
Report "file_integrity_tool[]=mtree" Report "file_integrity_tool[]=mtree"
FILE_INT_TOOL="mtree" FILE_INT_TOOL="mtree"
@ -219,7 +221,7 @@
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status" Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters # LFD configuration parameters
ENABLED=`${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG})
if [ ! "${ENABLED}" = "" ]; then if [ ! "${ENABLED}" = "" ]; then
LogText "Result: lfd service is configured to run" LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
@ -227,7 +229,7 @@
LogText "Result: lfd service is configured NOT to run" LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
ENABLED=`${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'` ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
@ -235,7 +237,7 @@
LogText "Result: lfd directory watching is disabled" LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi fi
ENABLED=`${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g'` ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else else
@ -271,7 +273,7 @@
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)" Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)") FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: No SHA256 or SHA512 found for creating checksums" LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE" ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"

2
include/tests_file_permissions
View File

@ -34,7 +34,7 @@
LogText "Test: Checking file permissions" LogText "Test: Checking file permissions"
for PROFILE in ${PROFILES}; do for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline." LogText "Using profile ${PROFILE} for baseline."
FIND=`${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2` FIND=$(${EGREPBINARY} '^permfile:|^permdir:' ${PROFILE} | ${CUTBINARY} -d: -f2)
for I in ${FIND}; do for I in ${FIND}; do
LogText "Checking ${I}" LogText "Checking ${I}"
CheckFilePermissions ${I} CheckFilePermissions ${I}

91
include/tests_filesystems
View File

@ -48,8 +48,8 @@
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then elif [ -d ${I} ]; then
LogText "Result: directory ${I} exists" LogText "Result: directory ${I} exists"
FIND=`mount | ${GREPBINARY} "${I}"` FIND=$(${MOUNTBINARY} | ${GREPBINARY} "${I}")
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: found ${I} as a separated mount point" LogText "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
AddHP 10 10 AddHP 10 10
@ -76,16 +76,16 @@
LogText "Test: Checking for LVM volume groups" LogText "Test: Checking for LVM volume groups"
case ${OS} in case ${OS} in
AIX) AIX)
FIND=`${LSVGBINARY} -o` FIND=$(${LSVGBINARY} -o)
;; ;;
Linux) Linux)
FIND=`${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | sort` FIND=$(${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY})
;; ;;
*) *)
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found" ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
;; ;;
esac esac
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: found one or more volume groups" LogText "Result: found one or more volume groups"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found LVM volume group: ${I}" LogText "Found LVM volume group: ${I}"
@ -109,11 +109,11 @@
LogText "Test: Checking for LVM volumes" LogText "Test: Checking for LVM volumes"
case ${OS} in case ${OS} in
AIX) AIX)
ACTIVE_VG_LIST=`${LSVGBINARY} -o` ACTIVE_VG_LIST=$(${LSVGBINARY} -o)
FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done` FIND=$(for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done)
;; ;;
Linux) Linux)
FIND=`${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | sort` FIND=$(${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY})
;; ;;
*) *)
ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data" ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data"
@ -147,12 +147,12 @@
Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems" Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for Linux EXT file systems" LogText "Test: Checking for Linux EXT file systems"
FIND=`mount -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }'` FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: found one or more EXT file systems" LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do for I in ${FIND}; do
FILESYSTEM=`echo ${I} | ${CUTBINARY} -d ',' -f1` FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
FILETYPE=`echo ${I} | ${CUTBINARY} -d ',' -f2` FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2)
LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})" LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|" Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
done done
@ -170,8 +170,8 @@
Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems" Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available FFS/UFS mount points" LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab` FIND=$(${AWKBINARY} '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab)
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi
LogText "Result: unable to find any single mount point (FFS/UFS)" LogText "Result: unable to find any single mount point (FFS/UFS)"
else else
@ -191,8 +191,8 @@
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems" Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Query /etc/fstab for available ZFS mount points" LogText "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'` FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
LogText "Result: unable to find any single mount point (ZFS)" LogText "Result: unable to find any single mount point (ZFS)"
else else
@ -215,7 +215,7 @@
FOUND=0 FOUND=0
LogText "Test: query swap partitions from /etc/fstab file" LogText "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap' # Check if third field contains 'swap'
FIND=`${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#"` FIND=$(${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#")
for I in ${FIND}; do for I in ${FIND}; do
FOUND=1 FOUND=1
REAL="" REAL=""
@ -227,12 +227,12 @@
# Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>) # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="` HAS_UUID=`echo ${I} | ${GREPBINARY} "^UUID="`
if [ ! "${HAS_UUID}" = "" ]; then if [ ! -z "${HAS_UUID}" ]; then
UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'` UUID=`echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }'`
LogText "Result: Using ${UUID} as UUID" LogText "Result: Using ${UUID} as UUID"
if [ ! "${BLKIDBINARY}" = "" ]; then if [ ! -z "${BLKIDBINARY}" ]; then
FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//') FIND2=$(${BLKIDBINARY} | ${AWKBINARY} '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | ${SEDBINARY} 's/:$//')
if [ ! "${FIND2}" = "" ]; then if [ ! -z "${FIND2}" ]; then
REAL="${FIND2}" REAL="${FIND2}"
fi fi
else else
@ -241,7 +241,7 @@
if [ -L /dev/disk/by-uuid/${UUID} ]; then if [ -L /dev/disk/by-uuid/${UUID} ]; then
LogText "Result: found disk via /dev/disk/by-uuid listing" LogText "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID} ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then if [ ! -z "${sFILE}" ]; then
REAL="${sFILE}" REAL="${sFILE}"
LogText "Result: disk is ${REAL}" LogText "Result: disk is ${REAL}"
fi fi
@ -251,7 +251,7 @@
fi fi
fi fi
# Set real device # Set real device
if [ "${REAL}" = "" ]; then if [ -z "${REAL}" ]; then
REAL="${I}" REAL="${I}"
fi fi
Report "swap_partition[]=${I},${REAL}," Report "swap_partition[]=${I},${REAL},"
@ -275,9 +275,8 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap' # Swap partitions should be mounted with 'sw' or 'swap'
LogText "Test: check swap partitions with incorrect mount options" LogText "Test: check swap partitions with incorrect mount options"
#FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` FIND=$(${AWKBINARY} '{ if ($3=="swap" && ($4!~/sw/ && $4!="defaults")) { print $1 }}' /etc/fstab)
FIND=`${AWKBINARY} '{ if ($3=="swap" && ($4!~/sw/ && $4!="defaults")) { print $1 }}' /etc/fstab` if [ -z "${FIND}" ]; then
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN
LogText "Result: all swap partitions have correct options (sw or swap)" LogText "Result: all swap partitions have correct options (sw or swap)"
else else
@ -295,7 +294,7 @@
# Description : Check proc mount options (Linux >=3.3 only) # Description : Check proc mount options (Linux >=3.3 only)
# Examples : proc /proc proc defaults,hidepid=2 0 0 # Examples : proc /proc proc defaults,hidepid=2 0 0
# Goal : Users should not be able to see processes of other users # Goal : Users should not be able to see processes of other users
if [ "${OS}" = "Linux" -a -f /proc/version ]; then if [ "${OS}" = "Linux" -a -f ${ROOTDIR}proc/version ]; then
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}') LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}') LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then if [ ! -z "${LINUX_KERNEL_MAJOR}" -a ! -z "${LINUX_KERNEL_MINOR}" ]; then
@ -308,7 +307,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
LogText "Test: check proc mount with incorrect mount options" LogText "Test: check proc mount with incorrect mount options"
FIND=$(mount | ${EGREPBINARY} "/proc " | ${EGREPBINARY} -o "hidepid=[0-9]") FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=[0-9]")
if [ "${FIND}" = "hidepid=2" ]; then if [ "${FIND}" = "hidepid=2" ]; then
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with hidepid=2" LogText "Result: proc mount mounted with hidepid=2"
@ -335,15 +334,15 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for old files in /tmp" LogText "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days # Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g'` FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
LogText "Result: no files found in /tmp which are older than 3 months" LogText "Result: no files found in /tmp which are older than 3 months"
else else
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
FILE=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` FILE=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
LogText "Old temporary file: ${FILE}" LogText "Old temporary file: ${FILE}"
N=$((N + 1)) N=$((N + 1))
done done
@ -396,8 +395,8 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
LogText "Test: Checking acl option on ext[2-4] root file system" LogText "Test: Checking acl option on ext[2-4] root file system"
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl` FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} acl)
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: found ACL option" LogText "Result: found ACL option"
FOUND=1 FOUND=1
else else
@ -405,19 +404,19 @@
LogText "Test: Checking device which holds root file system" LogText "Test: Checking device which holds root file system"
# Get device on which root file system is mounted. Use /dev/root if it exists, or # Get device on which root file system is mounted. Use /dev/root if it exists, or
# else check output of mount # else check output of mount
if [ -b /dev/root ]; then if [ -b ${ROOTDIR}dev/root ]; then
FIND1="/dev/root" FIND1="${ROOTDIR}dev/root"
else else
# Only determine device if it is EXT2/3/4 # Only determine device if it is EXT2/3/4
#FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'` #FIND1=`mount | ${GREPBINARY} "on / " | ${AWKBINARY} '{ if ($5~/ext[2-4]/) { print $1 }}'`
FIND1=`mount -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }'` FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
fi fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
if [ ! "${FIND1}" = "" ]; then if [ ! -z "${FIND1}" ]; then
LogText "Result: found ${FIND1}" LogText "Result: found ${FIND1}"
LogText "Test: Checking default options on ${FIND1}" LogText "Test: Checking default options on ${FIND1}"
FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl"` FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} "acl")
if [ ! "${FIND2}" = "" ]; then if [ ! -z "${FIND2}" ]; then
LogText "Result: found ACL option in default mount options" LogText "Result: found ACL option in default mount options"
FOUND=1 FOUND=1
else else
@ -429,8 +428,8 @@
fi fi
LogText "Test: Checking acl option on xfs root file system" LogText "Test: Checking acl option on xfs root file system"
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr'` FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
FOUND=1 FOUND=1
# some other tests to do ? # some other tests to do ?
fi fi
@ -506,11 +505,11 @@
FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab) FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab)
if [ "${FS_FSTAB}" = "glusterfs" ]; then if [ "${FS_FSTAB}" = "glusterfs" ]; then
EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g') EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g')
if [ "${EXPECTED_FLAGS}" = "" ]; then if [ -z "${EXPECTED_FLAGS}" ]; then
FS_FSTAB="" FS_FSTAB=""
fi fi
fi fi
if [ ! "${FS_FSTAB}" = "" ]; then if [ ! -z "${FS_FSTAB}" ]; then
FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
LogText "File system: ${FILESYSTEM}" LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Expected flags: ${EXPECTED_FLAGS}"
@ -562,7 +561,7 @@
if [ -f /etc/fstab ]; then if [ -f /etc/fstab ]; then
FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab) FIND=$(${AWKBINARY} '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab)
BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }') BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: mount system /var/tmp is configured with options: ${FIND}" LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
if [ "${BIND}" = "YES" ]; then if [ "${BIND}" = "YES" ]; then
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
@ -693,7 +692,7 @@
# Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf # Data : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems" Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then if [ ! -z "${LSMODBINARY}" -a -f /proc/modules ]; then
Display --indent 2 --text "- Disable kernel support of some filesystems" Display --indent 2 --text "- Disable kernel support of some filesystems"
LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf" LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
FOUND=0 FOUND=0
@ -701,13 +700,13 @@
AVAILABLE_MODPROBE_FS="" AVAILABLE_MODPROBE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output # Check if filesystem is present in modprobe output
FIND=`${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1` FIND=$(${MODPROBEBINARY} -v -n $FS 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | tail -1)
if [ ! -z "${FIND}" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: found module support in kernel: ${FIND}" LogText "Result: found module support in kernel: ${FIND}"
Debug "Module ${FS} present in the kernel" Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active" LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output # Check if FS is present in lsmod output
FIND=`${LSMODBINARY} | ${EGREPBINARY} "^${FS}"` FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
LogText "Result: module ${FS} is not loaded in the kernel" LogText "Result: module ${FS} is not loaded in the kernel"
AddHP 2 3 AddHP 2 3

51
include/tests_firewalls
View File

@ -40,8 +40,8 @@
# Description : Check iptables kernel module # Description : Check iptables kernel module
Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module" Register --test-no FIRE-4502 --os Linux --weight L --network NO --category security --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables"` FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} "^ip*_tables")
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables" FIREWALL_SOFTWARE="iptables"
IPTABLES_ACTIVE=1 IPTABLES_ACTIVE=1
@ -58,7 +58,7 @@
if [ -f /proc/config.gz ]; then if [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="/proc/config.gz"; tCATCMD="zcat"; LINUXCONFIGFILE="/proc/config.gz"; tCATCMD="zcat";
fi fi
sLINUXCONFIGFILE="/boot/config-`uname -r`" sLINUXCONFIGFILE="/boot/config-$(uname -r)"
if [ -f ${sLINUXCONFIGFILE} ]; then if [ -f ${sLINUXCONFIGFILE} ]; then
LINUXCONFIGFILE=${sLINUXCONFIGFILE}; tCATCMD="cat"; LINUXCONFIGFILE=${sLINUXCONFIGFILE}; tCATCMD="cat";
fi fi
@ -69,9 +69,9 @@
if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})" LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=`${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1` FIND=$(${tCATCMD} ${LINUXCONFIGFILE} | ${GREPBINARY} -v '^#' | ${GREPBINARY} "CONFIG_IP_NF_IPTABLES" | head -n 1)
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
HAVEMOD=`echo ${FIND} | ${CUTBINARY} -d '=' -f2` HAVEMOD=$(echo ${FIND} | ${CUTBINARY} -d '=' -f2)
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list. # active list.
if [ "${HAVEMOD}" = "y" ]; then if [ "${HAVEMOD}" = "y" ]; then
@ -110,9 +110,9 @@
done done
echo "${FIND}" | while read line; do echo "${FIND}" | while read line; do
table=`echo ${line} | ${AWKBINARY} '{ print $1 }'` table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
chainname=`echo ${line} | ${AWKBINARY} '{ print $2 }'` chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
policy=`echo ${line} | ${AWKBINARY} '{ print $3 }'` policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}." LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
LogText "Result: ${policy}" LogText "Result: ${policy}"
@ -148,8 +148,8 @@
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | wc -l | ${TRBINARY} -d ' '` FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
FIREWALL_ACTIVE=1 FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then if [ ${FIND} -le 10 ]; then
# Firewall is active, but clearly needs configuration # Firewall is active, but clearly needs configuration
@ -168,11 +168,11 @@
# #
# Test : FIRE-4513 # Test : FIRE-4513
# Description : Check iptables for unused rules # Description : Check iptables for unused rules
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules" Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | xargs` FIND=$(${IPTABLESBINARY} --list --numeric --line-numbers --verbose | ${AWKBINARY} '{ if ($2=="0") print $1 }' | ${XARGSBINARY})
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN
LogText "Result: There are no unused rules present" LogText "Result: There are no unused rules present"
else else
@ -181,7 +181,6 @@
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules." LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
LogText "Output: iptables rule numbers: ${FIND}" LogText "Output: iptables rule numbers: ${FIND}"
#ReportWarning ${TEST_NO} "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used" ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
LogText "Tip: iptables --list --numeric --line-numbers --verbose" LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi fi
@ -198,8 +197,8 @@
# Check status with pfctl # Check status with pfctl
LogText "Test: checking pf status via pfctl" LogText "Test: checking pf status via pfctl"
if [ ! "${PFCTLBINARY}" = "" ]; then if [ ! -z "${PFCTLBINARY}" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | head -1 | ${AWKBINARY} '{ print $2 }'` FIND=$(${PFCTLBINARY} -sa 2>&1 | ${GREPBINARY} "^Status" | ${HEADBINARY} -1 | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "Enabled" ]; then if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN
LogText "Result: pf is enabled" LogText "Result: pf is enabled"
@ -221,9 +220,9 @@
if [ ${PFFOUND} -eq 0 ]; then if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar) # Check for pf kernel module (FreeBSD and similar)
LogText "Test: searching for pf kernel module" LogText "Test: searching for pf kernel module"
if [ ! "${KLDSTATBINARY}" = "" ]; then if [ ! -z "${KLDSTATBINARY}" ]; then
FIND=`${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko'` FIND=$(${KLDSTATBINARY} | ${GREPBINARY} 'pf.ko')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: Can not find pf KLD" LogText "Result: Can not find pf KLD"
else else
LogText "Result: pf KLD loaded" LogText "Result: pf KLD loaded"
@ -266,7 +265,7 @@
LogText "Result: /etc/pf.conf exists" LogText "Result: /etc/pf.conf exists"
# Check results from pfctl # Check results from pfctl
PFWARNINGS=$(${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning') PFWARNINGS=$(${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | ${GREPBINARY} -i 'warning')
if [ "${PFWARNINGS}" = "" ]; then if [ -z "${PFWARNINGS}" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN
LogText "Result: no pf filter warnings found" LogText "Result: no pf filter warnings found"
else else
@ -310,7 +309,7 @@
if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status" Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check ipf status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }'` FIND=$(${IPFBINARY} -n -V | ${GREPBINARY} "^Running" | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "yes" ]; then if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: ipf is enabled and running" LogText "Result: ipf is enabled and running"
@ -329,9 +328,9 @@
# Description : Check IPFW (FreeBSD) # Description : Check IPFW (FreeBSD)
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status" Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --category security --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SYSCTLBINARY}" = "" ]; then if [ ! -z "${SYSCTLBINARY}" ]; then
# For now, only check for IPv4. # For now, only check for IPv4.
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }'` FIND=$(${SYSCTLBINARY} net.inet.ip.fw.enable | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "1" ]; then if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN
LogText "Result: IPFW is running for IPv4" LogText "Result: IPFW is running for IPv4"
@ -363,8 +362,8 @@
if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall" Register --test-no FIRE-4532 --weight L --os "MacOS" --preqs-met ${PREQS_MET} --network NO --category security --description "Check Mac OS X application firewall"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled"` FIND=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | ${GREPBINARY} "Firewall is enabled")
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3 AddHP 3 3
LogText "Result: application firewall of Mac OS X is enabled" LogText "Result: application firewall of Mac OS X is enabled"

8
include/tests_hardening
View File

@ -54,7 +54,7 @@
LogText "Result: no compilers found" LogText "Result: no compilers found"
else else
# as # as
if [ ! "${ASBINARY}" = "" ]; then if [ ! -z "${ASBINARY}" ]; then
LogText "Test: Check file permissions for as (Assembler)" LogText "Test: Check file permissions for as (Assembler)"
if IsWorldExecutable ${ASBINARY}; then if IsWorldExecutable ${ASBINARY}; then
LogText "Binary: found ${ASBINARY} (world executable)" LogText "Binary: found ${ASBINARY} (world executable)"
@ -66,7 +66,7 @@
fi fi
fi fi
# gcc # gcc
if [ ! "${GCCBINARY}" = "" ]; then if [ ! -z "${GCCBINARY}" ]; then
LogText "Test: Check file permissions for GCC compiler" LogText "Test: Check file permissions for GCC compiler"
if IsWorldExecutable ${GCCBINARY}; then if IsWorldExecutable ${GCCBINARY}; then
LogText "Binary: found ${GCCBINARY} (world executable)" LogText "Binary: found ${GCCBINARY} (world executable)"
@ -83,8 +83,8 @@
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only" ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
fi fi
#YYY check if compilers have a specific group (like compiler, or NOT root/wheel) # TODO check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED # Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
# /usr/bin/*cc* # /usr/bin/*cc*
# /usr/bin/*++* # /usr/bin/*++*
# /usr/bin/ld # /usr/bin/ld

16
include/tests_homedirs
View File

@ -38,7 +38,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd # Read sixth field of /etc/passwd
LogText "Test: query /etc/passwd to obtain home directories" LogText "Test: query /etc/passwd to obtain home directories"
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u` FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u)
for I in ${FIND}; do for I in ${FIND}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
LogText "Result: found home directory: ${I} (directory exists)" LogText "Result: found home directory: ${I} (directory exists)"
@ -55,14 +55,14 @@
# Description : Check for suspicious shell history files # Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files" Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${HOMEDIRS}" = "" ]; then if [ ! -z "${HOMEDIRS}" ]; then
if [ "${OS}" = "Solaris" ]; then if [ "${OS}" = "Solaris" ]; then
# Solaris doesn't support -maxdepth # Solaris doesn't support -maxdepth
FIND=`find ${HOMEDIRS} -name ".*history" ! -type f -print` FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
else else
FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print` FIND=$(${FINDBINARY} ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print)
fi fi
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN
LogText "Result: Ok, history files are type 'file'." LogText "Result: Ok, history files are type 'file'."
else else
@ -93,11 +93,11 @@
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used # Notes : For performance reasons we combine the scanning of different files, so inode caching is used
# as much as possible for every find command # as much as possible for every find command
# Profile opt : ignore_home_dir (multiple lines allowed), ignores home directory # Profile opt : ignore_home_dir (multiple lines allowed), ignores home directory
if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories" Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=`${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }'` IGNORE_HOME_DIRS=$(${GREPBINARY} "^config:ignore_home_dir:" ${PROFILE} | ${AWKBINARY} -F: '{ print $3 }')
if [ "${IGNORE_HOME_DIRS}" = "" ]; then if [ -z "${IGNORE_HOME_DIRS}" ]; then
LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded" LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded"
else else
LogText "Output: ${IGNORE_HOME_DIRS}" LogText "Output: ${IGNORE_HOME_DIRS}"

2
include/tests_insecure_services
View File

@ -27,7 +27,7 @@
################################################################################# #################################################################################
# #
INETD_ACTIVE=0 INETD_ACTIVE=0
INETD_CONFIG_FILE="/etc/inetd.conf" INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
# #
################################################################################# #################################################################################
# #

46
include/tests_kernel
View File

@ -456,16 +456,16 @@
Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
REBOOT_NEEDED=2 REBOOT_NEEDED=2
FILE="/var/run/reboot-required.pkgs" FILE="${ROOTDIR}var/run/reboot-required.pkgs"
LogText "Test: Checking presence ${FILE}" LogText "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists" LogText "Result: file ${FILE} exists"
FIND=$(wc -l < ${FILE}) FIND=$(${WCBINARY} -l < ${FILE})
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: No reboot needed (file empty)" LogText "Result: No reboot needed (file empty)"
REBOOT_NEEDED=0 REBOOT_NEEDED=0
else else
PKGSCOUNT=$(wc -l < ${FILE}) PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Package: ${I}" LogText "Package: ${I}"
@ -476,15 +476,15 @@
LogText "Result: file ${FILE} not found" LogText "Result: file ${FILE} not found"
fi fi
# Check if /boot exists # Check if /boot exists
if [ -d /boot ]; then if [ -d ${ROOTDIR}boot ]; then
LogText "Result: /boot exists, performing more tests from here" LogText "Result: /boot exists, performing more tests from here"
FIND=$(ls /boot/* 2> /dev/null) FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
if [ -f /boot/vmlinuz -a ! -L /boot/vmlinuz ]; then if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found /boot/vmlinuz (not symlinked)" LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0 NEXTLINE=0
FINDVERSION="" FINDVERSION=""
for I in `file /boot/vmlinuz-linux`; do for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do
if [ ${NEXTLINE} -eq 1 ]; then if [ ${NEXTLINE} -eq 1 ]; then
FINDVERSION="${I}" FINDVERSION="${I}"
else else
@ -492,7 +492,7 @@
if [ "${I}" = "version" ]; then NEXTLINE=1; fi if [ "${I}" = "version" ]; then NEXTLINE=1; fi
fi fi
done done
if [ ! "${FINDVERSION}" = "" ]; then if [ ! -z "${FINDVERSION}" ]; then
CURRENT_KERNEL=`uname -r` CURRENT_KERNEL=`uname -r`
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
LogText "Result: reboot needed, as current kernel is different than the one loaded" LogText "Result: reboot needed, as current kernel is different than the one loaded"
@ -501,11 +501,11 @@
else else
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi fi
elif [ -f /boot/vmlinuz-linux ]; then elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
LogText "Test: checking kernel version on disk" LogText "Test: checking kernel version on disk"
VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}'` VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}')
if [ ! "${VERSION_ON_DISK}" = "" ]; then if [ ! -z "${VERSION_ON_DISK}" ]; then
LogText "Result: found version ${VERSION_ON_DISK}" LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=`uname -r` ACTIVE_KERNEL=`uname -r`
LogText "Result: active kernel version ${ACTIVE_KERNEL}" LogText "Result: active kernel version ${ACTIVE_KERNEL}"
@ -521,36 +521,36 @@
ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux" ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux"
fi fi
else else
if [ -L /boot/vmlinuz ]; then if [ -L ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found symlink of /boot/vmlinuz, skipping file" LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file"
else else
LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*" LogText "Result: ${ROOTDIR}boot/vmlinuz not on disk, trying to find ${ROOTDIR}boot/vmlinuz*"
fi fi
# Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on # Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on
MYKERNEL=`uname -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g'` MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g')
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)" LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=$(ls /boot/vmlinuz* 2> /dev/null) FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
for ITEM in ${FIND}; do for ITEM in ${FIND}; do
LogText "Result: found ${ITEM}" LogText "Result: found ${ITEM}"
done done
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Ignore rescue images. Remove generic. and huge. for Slackware machines # Ignore rescue images. Remove generic. and huge. for Slackware machines
LogText "Action: checking relevant kernels" LogText "Action: checking relevant kernels"
KERNELS=`ls /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ') KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ')
LogText "Output: ${KERNELS_ONE_LINE}" LogText "Output: ${KERNELS_ONE_LINE}"
elif [ ! "$(ls /boot/kernel* 2> /dev/null)" = "" ]; then elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then
LogText "Output: Found a kernel file in /boot" LogText "Output: Found a kernel file in ${ROOTDIR}boot"
# Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers)
# Examples: # Examples:
# /boot/kernel-genkernel-x86_64-3.14.14-gentoo # /boot/kernel-genkernel-x86_64-3.14.14-gentoo
KERNELS=`ls /boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.)
LogText "Output: ${KERNELS}" LogText "Output: ${KERNELS}"
else else
ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected" ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected"
fi fi
if [ ! "${KERNELS}" = "" ]; then if [ ! -z "${KERNELS}" ]; then
FOUND_KERNEL=0 FOUND_KERNEL=0
for I in ${KERNELS}; do for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist) # Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)

6
include/tests_ldap
View File

@ -26,7 +26,7 @@
# #
################################################################################# #################################################################################
# #
SLAPD_CONF_LOCS="/etc/ldap /etc/openldap /usr/local/etc/openldap" SLAPD_CONF_LOCS="${ROOTDIR}etc/ldap ${ROOTDIR}etc/openldap ${ROOTDIR}usr/local/etc/openldap"
SLAPD_CONF_LOCATION="" SLAPD_CONF_LOCATION=""
SLAPD_RUNNING=0 SLAPD_RUNNING=0
# #
@ -36,7 +36,7 @@
# Description : Check running OpenLDAP instance # Description : Check running OpenLDAP instance
Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance" Register --test-no LDAP-2219 --weight L --network NO --category security --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
#YYY add additional slash # TODO adding additional slash needed?
IsRunning slapd IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE
@ -66,7 +66,7 @@
fi fi
done done
# Check if we found a valid location # Check if we found a valid location
if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then if [ ! -z "${SLAPD_CONF_LOCATION}" ]; then
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN
else else
Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW

66
include/tests_logging
View File

@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
LOG_FILES_LOCS="/var/log /var/adm" LOG_FILES_LOCS="${ROOTDIR}var/log ${ROOTDIR}var/adm"
LOGROTATE_CONFIG_FOUND=0 LOGROTATE_CONFIG_FOUND=0
LOGROTATE_TOOL="" LOGROTATE_TOOL=""
METALOG_RUNNING=0 METALOG_RUNNING=0
@ -43,8 +43,8 @@
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon" Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a logging daemon" LogText "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep"` FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured." ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
@ -85,7 +85,7 @@
if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Syslog-NG configuration file consistency" Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Syslog-NG configuration file consistency"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSLOGNGBINARY} -s; echo $?` FIND=$(${SYSLOGNGBINARY} -s; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
LogText "Result: Syslog-NG configuration file seems to be consistent" LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN
@ -224,22 +224,22 @@
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d) # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
Register --test-no LOGG-2146 --weight L --os Linux --network NO --category security --description "Checking logrotate.conf and logrotate.d" Register --test-no LOGG-2146 --weight L --os Linux --network NO --category security --description "Checking logrotate.conf and logrotate.d"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for /etc/logrotate.conf" LogText "Test: Checking for ${ROOTDIR}etc/logrotate.conf"
if [ -f /etc/logrotate.conf ]; then if [ -f ${ROOTDIR}etc/logrotate.conf ]; then
LOGROTATE_CONFIG_FOUND=1 LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate" LOGROTATE_TOOL="logrotate"
LogText "Result: /etc/logrotate.conf found (file)" LogText "Result: ${ROOTDIR}etc/logrotate.conf found (file)"
else else
LogText "Result: /etc/logrotate.conf NOT found" LogText "Result: ${ROOTDIR}etc/logrotate.conf NOT found"
fi fi
LogText "Test: Checking for /etc/logrotate.d (directory)" LogText "Test: Checking for ${ROOTDIR}etc/logrotate.d (directory)"
if [ -d /etc/logrotate.d ]; then if [ -d ${ROOTDIR}etc/logrotate.d ]; then
LOGROTATE_CONFIG_FOUND=1 LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate" LOGROTATE_TOOL="logrotate"
LogText "Result: /etc/logrotate.d found" LogText "Result: ${ROOTDIR}etc/logrotate.d found"
else else
LogText "Result: /etc/logrotate.conf found" LogText "Result: ${ROOTDIR}etc/logrotate.conf found"
fi fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
@ -256,12 +256,12 @@
# #
# Test : LOGG-2148 # Test : LOGG-2148
# Description : Checking log files rotated with logrotate # Description : Checking log files rotated with logrotate
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist" LogText "Test: Checking which files are rotated with logrotate and if they exist"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'` FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: nothing found" LogText "Result: nothing found"
else else
LogText "Result: found one or more files which are rotated via logrotate" LogText "Result: found one or more files which are rotated via logrotate"
@ -304,8 +304,8 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file # Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts" LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=`${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#"` FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1 SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts" LogText "Result: Found loghost entry in /etc/inet/hosts"
else else
@ -314,7 +314,7 @@
# Try name resolving if no entry is present in local host file # Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving" LogText "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | ${GREPBINARY} loghost` FIND=`getent hosts loghost | ${GREPBINARY} loghost`
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1 SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was succesful" LogText "Result: name resolving was succesful"
LogText "Output: ${FIND}" LogText "Output: ${FIND}"
@ -349,16 +349,16 @@
fi fi
if [ -f ${SYSLOGD_CONF} ]; then if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host" LogText "Test: check if logs are also logged to a remote logging host"
FIND=`${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@"` FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: remote logging enabled" LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1 REMOTE_LOGGING_ENABLED=1
else else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=`${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}'` DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do for DESTINATION in ${DESTINATIONS}; do
FIND2=`${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)"` FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
if [ ! "${FIND2}" = "" ]; then if [ ! -z "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging" LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1 REMOTE_LOGGING_ENABLED=1
fi fi
@ -382,11 +382,11 @@
# #
# Test : LOGG-2160 # Test : LOGG-2160
# Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD) # Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD)
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /etc/newsyslog.conf" Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: /etc/newsyslog.conf found" LogText "Result: ${ROOTDIR}etc/newsyslog.conf found"
Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking ${ROOTDIR}etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN
LOGROTATE_CONFIG_FOUND=1 LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog" LOGROTATE_TOOL="newsyslog"
fi fi
@ -399,7 +399,7 @@
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf" Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing directories from /etc/newsyslog.conf file" LogText "Test: parsing directories from /etc/newsyslog.conf file"
FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u` FIND=$(${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u)
for I in ${FIND}; do for I in ${FIND}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
LogText "Result: Directory ${I} found and exists" LogText "Result: Directory ${I} found and exists"
@ -415,11 +415,11 @@
# #
# Test : LOGG-2164 # Test : LOGG-2164
# Description : Check for files in /etc/newsyslog.conf # Description : Check for files in /etc/newsyslog.conf
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf" Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing files from /etc/newsyslog.conf file" LogText "Test: parsing files from ${ROOTDIR}etc/newsyslog.conf file"
FIND=`${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SORTBINARY} -u` FIND=$(${AWKBINARY} '/^\// { print $1 }' ${ROOTDIR}etc/newsyslog.conf | ${SORTBINARY} -u)
for I in ${FIND}; do for I in ${FIND}; do
if [ -f ${I} ]; then if [ -f ${I} ]; then
LogText "Result: File ${I} found and exists" LogText "Result: File ${I} found and exists"
@ -455,8 +455,8 @@
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files" Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof" LogText "Test: checking open log files with lsof"
if [ ! "${LSOFBINARY}" = "" ]; then if [ ! -z "${LSOFBINARY}" ]; then
FIND=`${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$"` FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found logfile: ${I}" LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}" Report "open_logfile[]=${I}"
@ -493,7 +493,7 @@
fi fi
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use" LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found deleted file: ${I}" LogText "Found deleted file: ${I}"

18
include/tests_mac_frameworks
View File

@ -31,7 +31,7 @@
# Description : Check if AppArmor is installed # Description : Check if AppArmor is installed
Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence" Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ "${AASTATUSBINARY}" = "" ]; then if [ -z "${AASTATUSBINARY}" ]; then
APPARMORFOUND=0 APPARMORFOUND=0
LogText "Result: aa-status binary not found, AppArmor not installed" LogText "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE
@ -49,14 +49,14 @@
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled" Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${AASTATUSBINARY}" = "" ]; then if [ ! -z "${AASTATUSBINARY}" ]; then
# Checking AppArmor status # Checking AppArmor status
# 0 if apparmor is enabled and policy is loaded. # 0 if apparmor is enabled and policy is loaded.
# 1 if apparmor is not enabled/loaded. # 1 if apparmor is not enabled/loaded.
# 2 if apparmor is enabled but no policy is loaded. # 2 if apparmor is enabled but no policy is loaded.
# 3 if control files are not available # 3 if control files are not available
# 4 if apparmor status can't be read # 4 if apparmor status can't be read
FIND=`${AASTATUSBINARY} > /dev/null; echo $?` FIND=$(${AASTATUSBINARY} > /dev/null; echo $?)
if [ ${FIND} -eq 0 ]; then if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1 MAC_FRAMEWORK_ACTIVE=1
LogText "Result: AppArmor is enabled and a policy is loaded" LogText "Result: AppArmor is enabled and a policy is loaded"
@ -93,7 +93,7 @@
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence" Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking if we have sestatus binary" LogText "Test: checking if we have sestatus binary"
if [ ! "${SESTATUSBINARY}" = "" ]; then if [ ! -z "${SESTATUSBINARY}" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})" LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
else else
@ -110,16 +110,16 @@
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status" Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled # Status: Enabled/Disabled
FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }'` FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }')
if [ "${FIND}" = "enabled" ]; then if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1 MAC_FRAMEWORK_ACTIVE=1
LogText "Result: SELinux framework is enabled" LogText "Result: SELinux framework is enabled"
Report "selinux_status=1" Report "selinux_status=1"
SELINUXFOUND=1 SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
FIND=`${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }'` FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }')
Report "selinux_mode=${FIND}" Report "selinux_mode=${FIND}"
FIND2=`${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }'` FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }')
LogText "Result: current SELinux mode is ${FIND}" LogText "Result: current SELinux mode is ${FIND}"
LogText "Result: mode configured in config file is ${FIND2}" LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then if [ "${FIND}" = "${FIND2}" ]; then
@ -145,8 +145,8 @@
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence" Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check Linux kernel configuration # Check Linux kernel configuration
if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then if [ ! -z "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}` FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: grsecurity available (in kernel config)" LogText "Result: grsecurity available (in kernel config)"
GRSEC_FOUND=1 GRSEC_FOUND=1

18
include/tests_mail_messaging
View File

@ -28,11 +28,13 @@
# #
DOVECOT_RUNNING=0 DOVECOT_RUNNING=0
EXIM_RUNNING=0 EXIM_RUNNING=0
SMTP_DAEMON="" IMAP_DAEMON=""
OPENSMTPD_RUNNING=0
POP3_DAEMON=""
POSTFIX_RUNNING=0 POSTFIX_RUNNING=0
QMAIL_RUNNING=0 QMAIL_RUNNING=0
SENDMAIL_RUNNING=0 SENDMAIL_RUNNING=0
OPENSMTPD_RUNNING=0 SMTP_DAEMON=""
# #
################################################################################# #################################################################################
# #
@ -62,10 +64,8 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check Postfix status" LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix # Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
#FIND2=`${PSBINARY} ax | ${GREPBINARY} "qmgr" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"` if [ ! -z "${FIND1}" ]; then
#FIND3=`${PSBINARY} ax | ${GREPBINARY} "pickup" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep"`
if [ ! "${FIND1}" = "" ]; then
LogText "Result: found running Postfix process" LogText "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN
POSTFIX_RUNNING=1 POSTFIX_RUNNING=1
@ -84,7 +84,7 @@
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration" Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }'` POSTFIX_CONFIGDIR=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }')
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf" POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}" LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}" LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
@ -183,11 +183,11 @@
# #
# Test : MAIL-8920 # Test : MAIL-8920
# Description : Check OpenSMTPD process status # Description : Check OpenSMTPD process status
if [ ! "${SMTPCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status" LogText "Test: check smtpd status"
FIND=`${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep"` FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found running smtpd process" LogText "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN

8
include/tests_malware
View File

@ -41,7 +41,7 @@
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit" Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit" LogText "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then if [ ! -z "${CHKROOTKITBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}" LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -59,7 +59,7 @@
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter" Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter" LogText "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then if [ ! -z "${RKHUNTERBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}" LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
@ -218,8 +218,8 @@
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav" Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan'` CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
if [ ! "${CLAMSCANBINARY}" = "" ]; then if [ ! -z "${CLAMSCANBINARY}" ]; then
LogText "Result: Found ClamXav clamscan installed" LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1

23
include/tests_memory_processes
View File

@ -33,9 +33,9 @@
if [ -f /proc/meminfo ]; then if [ -f /proc/meminfo ]; then
LogText "Result: found /proc/meminfo" LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=`${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo` FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' /proc/meminfo)
MEMORY_SIZE=`echo ${FIND} | ${AWKBINARY} '{ print $1 }'` MEMORY_SIZE=$(echo ${FIND} | ${AWKBINARY} '{ print $1 }')
MEMORY_UNITS=`echo ${FIND} | ${AWKBINARY} '{ print $2 }'` MEMORY_UNITS=$(echo ${FIND} | ${AWKBINARY} '{ print $2 }')
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}" Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}" Report "memory_units=${MEMORY_UNITS}"
@ -48,13 +48,14 @@
# #
# Test : PROC-3604 # Test : PROC-3604
# Description : Query /proc/meminfo # Description : Query /proc/meminfo
# Notes : TODO - prtconf replacement
Register --test-no PROC-3604 --os Solaris --weight L --network NO --category security --description "Query prtconf for memory details" Register --test-no PROC-3604 --os Solaris --weight L --network NO --category security --description "Query prtconf for memory details"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/prtconf" LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3` MEMORY_SIZE=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3)
MEMORY_UNITS=`/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4` MEMORY_UNITS=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4)
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}" Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}" Report "memory_units=${MEMORY_UNITS}"
@ -73,11 +74,11 @@
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes" Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then if [ "${OS}" = "AIX" ]; then
FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs` FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY})
else else
FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | xargs` FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY})
fi fi
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: no zombie processes found" LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN
else else
@ -97,11 +98,11 @@
Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes" Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then if [ "${OS}" = "AIX" ]; then
FIND=`${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs` FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY})
else else
FIND=`${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | xargs` FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY})
fi fi
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first" LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN
else else

110
include/tests_nameservices
View File

@ -27,10 +27,10 @@
################################################################################# #################################################################################
# #
BIND_RUNNING=0 BIND_RUNNING=0
BIND_CONFIG_LOCS="/etc /etc/bind /usr/local/etc /usr/local/etc/namedb" BIND_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/bind ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/namedb"
BIND_CONFIG_LOCATION="" BIND_CONFIG_LOCATION=""
POWERDNS_RUNNING=0 POWERDNS_RUNNING=0
POWERDNS_CONFIG_LOCS="/etc/powerdns /usr/local/etc" POWERDNS_CONFIG_LOCS="${ROOTDIR}etc/powerdns ${ROOTDIR}usr/local/etc"
POWERDNS_AUTH_CONFIG_LOCATION="" POWERDNS_AUTH_CONFIG_LOCATION=""
POWERDNS_AUTH_MASTER=0 POWERDNS_AUTH_MASTER=0
POWERDNS_AUTH_SLAVE=0 POWERDNS_AUTH_SLAVE=0
@ -43,11 +43,11 @@
# Description : Check main domain (domain <domain name> in /etc/resolv.conf) # Description : Check main domain (domain <domain name> in /etc/resolv.conf)
Register --test-no NAME-4016 --weight L --network NO --category security --description "Check /etc/resolv.conf default domain" Register --test-no NAME-4016 --weight L --network NO --category security --description "Check /etc/resolv.conf default domain"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check /etc/resolv.conf for default domain" LogText "Test: check ${ROOTDIR}etc/resolv.conf for default domain"
if [ -f /etc/resolv.conf ]; then if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: /etc/resolv.conf found" LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=`${AWKBINARY} '/^domain/ { print $2 }' /etc/resolv.conf` FIND=$(${AWKBINARY} '/^domain/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: no default domain found" LogText "Result: no default domain found"
if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi
else else
@ -68,11 +68,11 @@
Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains" Register --test-no NAME-4018 --weight L --network NO --category security --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
N=0 N=0
LogText "Test: check /etc/resolv.conf for search domains" LogText "Test: check ${ROOTDIR}etc/resolv.conf for search domains"
if [ -f /etc/resolv.conf ]; then if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: /etc/resolv.conf found" LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=`${AWKBINARY} '/^search/ { print $2 }' /etc/resolv.conf` FIND=$(${AWKBINARY} '/^search/ { print $2 }' ${ROOTDIR}etc/resolv.conf)
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: no search domains found, default domain is being used" LogText "Result: no search domains found, default domain is being used"
else else
for I in ${FIND}; do for I in ${FIND}; do
@ -91,12 +91,12 @@
fi fi
fi fi
else else
LogText "Result: /etc/resolv.conf does not exist, skipping test" LogText "Result: ${ROOTDIR}etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
# Check amount of search domains (max 1) # Check amount of search domains (max 1)
FIND=`${GREPBINARY} -c "^search" /etc/resolv.conf` FIND=$(${GREPBINARY} -c "^search" ${ROOTDIR}etc/resolv.conf)
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
@ -112,10 +112,10 @@
# Description : Check non default resolv.conf options # Description : Check non default resolv.conf options
Register --test-no NAME-4020 --weight L --network NO --category security --description "Check non default options" Register --test-no NAME-4020 --weight L --network NO --category security --description "Check non default options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check /etc/resolv.conf for non default options" LogText "Test: check ${ROOTDIR}etc/resolv.conf for non default options"
if [ -f /etc/resolv.conf ]; then if [ -f ${ROOTDIR}etc/resolv.conf ]; then
LogText "Result: /etc/resolv.conf found" LogText "Result: ${ROOTDIR}etc/resolv.conf found"
FIND=`${GREPBINARY} "^options" /etc/resolv.conf | ${AWKBINARY} '{ print $2 }'` FIND=$(${GREPBINARY} "^options" ${ROOTDIR}etc/resolv.conf | ${AWKBINARY} '{ print $2 }')
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: no specific other options configured in /etc/resolv.conf" LogText "Result: no specific other options configured in /etc/resolv.conf"
if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi
@ -140,7 +140,7 @@
# Description : Check Solaris uname -n output # Description : Check Solaris uname -n output
Register --test-no NAME-4024 --os Solaris --weight L --network NO --category security --description "Solaris uname -n output" Register --test-no NAME-4024 --os Solaris --weight L --network NO --category security --description "Solaris uname -n output"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n` FIND=$(${UNAMEBINARY} -n)
LogText "Result: 'uname -n' returned ${FIND}" LogText "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN
fi fi
@ -189,7 +189,7 @@
LogText "Test: Checking if dnsdomainname command is available" LogText "Test: Checking if dnsdomainname command is available"
if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then
FIND2=`${DNSDOMAINNAMEBINARY} 2> /dev/null` FIND2=$(${DNSDOMAINNAMEBINARY} 2> /dev/null)
if [ ! "${FIND2}" = "" ]; then if [ ! "${FIND2}" = "" ]; then
LogText "Result: dnsdomainname command returned a value" LogText "Result: dnsdomainname command returned a value"
LogText "Found domain name: ${FIND2}" LogText "Found domain name: ${FIND2}"
@ -202,9 +202,9 @@
fi fi
# If files and commands can't be found, use defined value from resolv.conf # If files and commands can't be found, use defined value from resolv.conf
if [ "${DOMAINNAME}" = "" ]; then if [ -z "${DOMAINNAME}" ]; then
if [ ! "${RESOLV_DOMAINNAME}" = "" ]; then if [ ! -z "${RESOLV_DOMAINNAME}" ]; then
LogText "Result: using domain name from /etc/resolv.conf" LogText "Result: using domain name from ${ROOTDIR}etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME} DOMAINNAME=${RESOLV_DOMAINNAME}
else else
LogText "Result: using domain name from FQDN hostname" LogText "Result: using domain name from FQDN hostname"
@ -456,8 +456,8 @@
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends" Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS backends" LogText "Test: Checking for PowerDNS backends"
FIND=`${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}` FIND=$(${AWKBINARY} -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do for I in ${FIND}; do
LogText "Found backend: ${I}" LogText "Found backend: ${I}"
done done
@ -472,12 +472,12 @@
# #
# Test : NAME-4238 # Test : NAME-4238
# Description : Check PowerDNS authoritive status # Description : Check PowerDNS authoritive status
if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${POWERDNS_RUNNING} -eq 1 -a ! -z "${POWERDNS_AUTH_CONFIG_LOCATION}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status" Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PowerDNS authoritive status"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for PowerDNS master status" LogText "Test: Checking for PowerDNS master status"
FIND=`${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` FIND=$(${GREPBINARY} "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Found master=yes in configuration file" LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES" Display --indent 4 --text "- PowerDNS authoritive master: YES"
POWERDNS_AUTH_MASTER=1 POWERDNS_AUTH_MASTER=1
@ -486,8 +486,8 @@
Display --indent 4 --text "- PowerDNS authoritive master: NO" Display --indent 4 --text "- PowerDNS authoritive master: NO"
fi fi
LogText "Test: Checking for PowerDNS slave status" LogText "Test: Checking for PowerDNS slave status"
FIND=`${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}` FIND=$(${GREPBINARY} "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION})
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Found slave=yes in configuration file" LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES" Display --indent 4 --text "- PowerDNS authoritive slave: YES"
POWERDNS_AUTH_SLAVE=1 POWERDNS_AUTH_SLAVE=1
@ -531,19 +531,19 @@
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain" Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking `domainname` for NIS domain value" LogText "Test: Checking `domainname` for NIS domain value"
FIND=`${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)"` FIND=$(${DOMAINNAMEBINARY} | ${GREPBINARY} -v "(none)")
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
LogText "Value: ${FIND}" LogText "Value: ${FIND}"
NISDOMAIN="${FIND}" NISDOMAIN="${FIND}"
else else
LogText "Result: no NIS domain found in command output" LogText "Result: no NIS domain found in command output"
fi fi
# Solaris / Linux style # Solaris / Linux style
LogText "Test: Checking file /etc/defaultdomain" LogText "Test: Checking file ${ROOTDIR}etc/defaultdomain"
if [ -f /etc/defaultdomain ]; then if [ -f ${ROOTDIR}etc/defaultdomain ]; then
LogText "Result: file /etc/defaultdomain exists" LogText "Result: file ${ROOTDIR}etc/defaultdomain exists"
FIND2=`cat /etc/defaultdomain` FIND2=`cat ${ROOTDIR}etc/defaultdomain`
if [ ! "${FIND2}" = "" ]; then if [ ! -z "${FIND2}" ]; then
LogText "Output: ${FIND2}" LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}" NISDOMAIN="${FIND2}"
else else
@ -551,32 +551,32 @@
fi fi
fi fi
# Red Hat style # Red Hat style
LogText "Test: checking /etc/sysconfig/network" LogText "Test: checking ${ROOTDIR}etc/sysconfig/network"
if [ -f /etc/sysconfig/network ]; then if [ -f ${ROOTDIR}etc/sysconfig/network ]; then
LogText "Result: file /etc/sysconfig/network exists" LogText "Result: file ${ROOTDIR}etc/sysconfig/network exists"
LogText "Test: checking NISDOMAIN value in file" LogText "Test: checking NISDOMAIN value in file"
FIND3=`${GREPBINARY} "^NISDOMAIN" /etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g'` FIND3=$(${GREPBINARY} "^NISDOMAIN" ${ROOTDIR}etc/sysconfig/network | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/"//g')
if [ ! "${FIND3}" = "" ]; then if [ ! -z "${FIND3}" ]; then
LogText "Found NIS domain: ${FIND3}" LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}" NISDOMAIN="${FIND3}"
else else
LogText "Result: No NIS domain found in file" LogText "Result: No NIS domain found in file"
fi fi
else else
LogText "Result: file /etc/sysconfig/network does not exist" LogText "Result: file ${ROOTDIR}etc/sysconfig/network does not exist"
fi fi
if [ ! "${SYSCTLBINARY}" = "" ]; then if [ ! "${SYSCTLBINARY}" = "" ]; then
# Check sysctl (e.g. FreeBSD) # Check sysctl (e.g. FreeBSD)
LogText "Test: checking sysctl for kern.domainname" LogText "Test: checking sysctl for kern.domainname"
FIND=`${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$"` FIND=$(${SYSCTLBINARY} -a 2>&1 | ${GREPBINARY} "^kern.domainname" | ${AWKBINARY} -F: '{ print $2 }' | ${SEDBINARY} 's/ //g' | ${GREPBINARY} -v "^$")
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found NIS domain via sysctl" LogText "Result: found NIS domain via sysctl"
NISDOMAIN="${FIND}" NISDOMAIN="${FIND}"
fi fi
fi fi
# Check if we found any NIS domain # Check if we found any NIS domain
if [ ! "${NISDOMAIN}" = "" ]; then if [ ! -z "${NISDOMAIN}" ]; then
LogText "Found NIS domain: ${NISDOMAIN}" LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}" Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN
@ -588,28 +588,26 @@
# #
################################################################################# #################################################################################
# #
if [ -f /etc/hosts ]; then if [ -f ${ROOTDIR}etc/hosts ]; then Display --indent 2 --text "- Checking ${ROOTDIR}etc/hosts"; fi
Display --indent 2 --text "- Checking /etc/hosts"
fi
# Test : NAME-4402 # Test : NAME-4402
# Description : Check /etc/hosts configuration # Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" Register --test-no NAME-4402 --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check duplicate line in /etc/hosts" LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
if [ -f /etc/hosts ]; then if [ -f ${ROOTDIR}etc/hosts ]; then
sFIND=`${EGREPBINARY} -v '^(#|$)' /etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | uniq -d` sFIND=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | ${UNIQBINARY} -d)
if [ "${sFIND}" = "" ]; then if [ "${sFIND}" = "" ]; then
LogText "Result: OK, no duplicate lines found" LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN
else else
LogText "Found duplicate line: ${sFIND}" LogText "Found duplicate line: ${sFIND}"
LogText "Result: found duplicate line" LogText "Result: found duplicate line"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts" ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
fi fi
else else
LogText "Result: /etc/hosts not found, test skipped" LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW
fi fi
fi fi
@ -623,7 +621,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check /etc/hosts contains an entry for this server name" LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then if [ -f /etc/hosts ]; then
sFIND=`${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME}` sFIND=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' /etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
if [ "${sFIND}" != "" ]; then if [ "${sFIND}" != "" ]; then
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts" LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN

21
include/tests_networking
View File

@ -547,23 +547,6 @@
# Description : Checking multipath configuration (Solaris) # Description : Checking multipath configuration (Solaris)
# #
################################################################################# #################################################################################
#
# Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD)
# echo -n " - Comparing output sockstat and netstat"
# LogText "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | ${GREPBINARY} -v 'TIME_WAIT' | ${GREPBINARY} -v 'ESTABLISHED' | ${GREPBINARY} -v 'SYN_SENT' | ${GREPBINARY} -v 'CLOSE_WAIT' | ${GREPBINARY} -v 'LAST_ACK' | ${GREPBINARY} -v 'SYN_RECV' | ${GREPBINARY} -v 'CLOSING' | ${CUTBINARY} -c 1-44 | ${GREPBINARY} '*.' | ${CUTBINARY} -c 24-32 | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v '*' | ${SORTBINARY} -u`
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
# ShowResult OK
# else
# echo "[ ${BAD}Warning!${NORMAL} ]"
# LogText "WARNING!"
# LogText "Sockstat tested output: ${SOCKSTAT}"
# LogText "Netstat tested output: ${NETSTAT}"
# fi
#
#################################################################################
# #
# Test : NETW-3028 # Test : NETW-3028
# Description : Checking for many waiting connections # Description : Checking for many waiting connections
@ -573,8 +556,8 @@
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state" Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Using netstat for check for connections in WAIT state" LogText "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | ${GREPBINARY} WAIT | wc -l | ${AWKBINARY} '{ print $1 }'` FIND=$(${NETSTATBINARY} -an | ${GREPBINARY} WAIT | ${WCBINARY} -l | ${AWKBINARY} '{ print $1 }')
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi if [ -z "${OPTIONS_CONN_MAX_WAIT_STATE}" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW

36
include/tests_php
View File

@ -40,6 +40,8 @@
PHPINIDIRS="/etc/php5/conf.d \ PHPINIDIRS="/etc/php5/conf.d \
/etc/php.d" /etc/php.d"
PHPVERSION=""
# #
################################################################################# #################################################################################
# #
@ -93,22 +95,22 @@
# #
# Test : PHP-2320 # Test : PHP-2320
# Description : Check php disable functions option # Description : Check php disable functions option
if [ ! "${PHPINI_ALLFILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions" Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
for I in ${PHPINI_ALLFILES}; do for I in ${PHPINI_ALLFILES}; do
LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}" LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
FIND=`${GREPBINARY} "^disable_functions.*=" ${I}` FIND=$(${GREPBINARY} "^disable_functions.*=" ${I})
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: ${I}: disabled_functions not found" LogText "Result: ${I}: disabled_functions not found"
else else
LogText "Result: ${I}: found disabled_functions" LogText "Result: ${I}: found disabled_functions"
FOUND=1 FOUND=1
fi fi
FIND=`${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I}` FIND=$(${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I})
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: ${I}: suhosin.executor.func.blacklist not found" LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
else else
LogText "Result: ${I}: found suhosin.executor.func.blacklist" LogText "Result: ${I}: found suhosin.executor.func.blacklist"
@ -133,9 +135,9 @@
# Test : PHP-2368 # Test : PHP-2368
# Description : Check php register_globals option # Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
if [ ! "${PHPINIFILE}" = "" -a ! "${PHPVERSION}" = "" -a ! "${EGREPBINARY}" = "" ]; then if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then
if [ -f "${PHPINIFILE}" ]; then if [ -f "${PHPINIFILE}" ]; then
FIND=`echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])"` FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals" PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
else else
@ -153,7 +155,7 @@
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option" Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option" LogText "Test: Checking PHP register_globals option"
FIND=`${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
@ -177,8 +179,8 @@
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking expose_php option" LogText "Test: Checking expose_php option"
FIND=`${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` FIND=$(${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off" ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
@ -189,7 +191,7 @@
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)" LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
#YYY Check through all files # TODO Check through all files
fi fi
# #
################################################################################# #################################################################################
@ -223,8 +225,8 @@
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option" Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option" LogText "Test: Checking PHP allow_url_fopen option"
FIND=`${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
@ -234,7 +236,7 @@
LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)" LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
#YYY Check through all files # TODO Check through all files
fi fi
# #
################################################################################# #################################################################################
@ -242,12 +244,12 @@
# Test : PHP-2378 # Test : PHP-2378
# Description : Check PHP allow_url_include option # Description : Check PHP allow_url_include option
# Notes : Extend test to check all PHP files YYY # Notes : Extend test to check all PHP files YYY
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option" Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option" LogText "Test: Checking PHP allow_url_include option"
FIND=`${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;'` FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"

12
include/tests_snmp
View File

@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
SNMP_DAEMON_CONFIG_LOCS="/etc/snmp" SNMP_DAEMON_CONFIG_LOCS="${ROOTDIR}etc/snmp"
SNMP_DAEMON_CONFIG="" SNMP_DAEMON_CONFIG=""
SNMP_DAEMON_RUNNING=0 SNMP_DAEMON_RUNNING=0
# #
@ -58,14 +58,14 @@
for I in ${SNMP_DAEMON_CONFIG_LOCS}; do for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/snmpd.conf" ]; then if [ -f "${I}/snmpd.conf" ]; then
LogText "Result: ${I}/snmpd.conf exists" LogText "Result: ${I}/snmpd.conf exists"
SNMPD_DAEMON_CONFIG="${I}/snmpd.conf" SNMP_DAEMON_CONFIG="${I}/snmpd.conf"
fi fi
done done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then if [ -z "${SNMP_DAEMON_CONFIG}" ]; then
LogText "Result: No snmpd configuration found" LogText "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_NOT_FOUND}" --color WHITE
else else
LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}" LogText "Restult: using last found configuration file: ${SNMP_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_FOUND}" --color GREEN
fi fi
fi fi
@ -74,12 +74,12 @@
# #
# Test : SNMP-3306 # Test : SNMP-3306
# Description : Determine SNMP communities # Description : Determine SNMP communities
if [ ! "${SNMPD_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${SNMP_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities" Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
WARN=0 WARN=0
LogText "Test: reading active snmp communities" LogText "Test: reading active snmp communities"
FIND=`${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMPD_DAEMON_CONFIG}` FIND=$(${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMP_DAEMON_CONFIG})
for I in ${FIND}; do for I in ${FIND}; do
LogText "Output: ${I}" LogText "Output: ${I}"
if [ "${I}" = "public" -o "${I}" = "private" ]; then if [ "${I}" = "public" -o "${I}" = "private" ]; then