diff --git a/include/tests_accounting b/include/tests_accounting index 0c0ba8bb..22cbd4eb 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -35,11 +35,11 @@ Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /var/account/acct ]; then - Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN LogText "Result: /var/account/acct available" AddHP 3 3 else - Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW LogText "Result: No accounting information available" LogText "Remark: Possibly there is another location where the accounting data is stored" ReportSuggestion ${TEST_NO} "Enable process accounting" @@ -54,11 +54,11 @@ Register --test-no ACCT-2760 --os OpenBSD --weight L --network NO --description "Check for available OpenBSD accounting information" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /var/account/acct ]; then - Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN LogText "Result: /var/account/acct available" AddHP 3 3 else - Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW LogText "Result: No accounting information available" LogText "Remark: Possibly there is another location where the accounting data is stored" ReportSuggestion ${TEST_NO} "Enable process accounting" 
@@ -75,19 +75,19 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check accounting information" if [ -f /var/account/pacct ]; then - Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN LogText "Result: /var/account/pacct available" AddHP 3 3 elif [ -f /var/log/account/pacct ]; then - Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN LogText "Result: /var/log/account/pacct available" AddHP 3 3 elif [ -f /var/log/pacct ]; then - Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_OK}" --color GREEN LogText "Result: /var/log/pacct available" AddHP 3 3 else - Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking accounting information" --result "${STATUS_NOT_FOUND}" --color YELLOW LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)" LogText "Remark: Possibly there is another location where the accounting data is stored" ReportSuggestion ${TEST_NO} "Enable process accounting" 
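Review bot: The `LogText` in the final `else` branch names `/var/log/account/pact` and `/var/log/pact`, but the tests above it check `/var/log/account/pacct` and `/var/log/pacct`, so the log points the administrator at paths that were never examined. Suggest `LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pacct nor /var/log/pacct exist)"`. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block ends outside the hunk.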
@@ -107,25 +107,25 @@ FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true` if [ ! "${FIND}" = "" ]; then LogText "Result: sysstat enabled via /etc/default/sysstat" - Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: sysstat disabled via /etc/default/sysstat" - Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE + Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)" fi elif [ -f /etc/cron.d/sysstat ]; then FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat` if [ ! "${FIND}" = "" ]; then LogText "Result: sysstat enabled via /etc/cron.d/sysstat" - Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: sysstat disabled via /etc/cron.d/sysstat" - Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE + Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)" fi else LogText "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat" - Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)" fi fi 
@@ -142,7 +142,7 @@ IsRunning auditd if [ ${RUNNING} -eq 1 ]; then LogText "Result: auditd running" - Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking auditd" --result "${STATUS_ENABLED}" --color GREEN LINUX_AUDITD_RUNNING=1 AUDIT_DAEMON_RUNNING=1 Report "audit_trail_tool[]=auditd" @@ -150,7 +150,7 @@ AddHP 4 4 else LogText "Result: auditd not active" - Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking auditd" --result "${STATUS_NOT_FOUND}" --color WHITE if [ ! "${VMTYPE}" = "openvz" ]; then ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" fi @@ -170,12 +170,12 @@ FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"` if [ "${FIND}" = "" ]; then LogText "Result: auditd rules empty" - Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking audit rules" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 0 2 ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules" else LogText "Result: found auditd rules" - Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN + Display --indent 4 --text "- Checking audit rules" --result "${STATUS_OK}" --color GREEN # Log audit daemon rules FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'` for I in ${FIND}; do 
@@ -203,10 +203,10 @@ done # Check if we discovered the configuration file. It should be there is the binaries are available and process is running if [ ! "${AUDITD_CONF_FILE}" = "" ]; then - Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN + Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_OK}" --color GREEN else LogText "Result: could not find auditd configuration file" - Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED + Display --indent 4 --text "- Checking audit configuration file" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file" fi fi @@ -225,16 +225,16 @@ LogText "Defined value: ${FIND}" if [ -f ${FIND} ]; then LogText "Result: log file ${FIND} exists on disk" - Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN + Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_FOUND}" --color GREEN Report "logfile[]=${FIND}" else LogText "Result: can't find log file ${FIND} on disk" - Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Check auditd log file location" fi else LogText "Result: no log file found" - Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED + Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk" fi fi 
@@ -248,7 +248,7 @@ FILE="/lib/snoopy.so" if [ -f ${FILE} ]; then LogText "Result: found ${FILE}" - Display --indent 2 --text "- Checking Snoopy" --result FOUND --color GREEN + Display --indent 2 --text "- Checking Snoopy" --result "${STATUS_FOUND}" --color GREEN if [ -f /etc/ld.so.preload ]; then LogText "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" FIND=`grep ${FILE} /etc/ld.so.preload` @@ -258,13 +258,13 @@ Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN Report "audit_trail_tool[]=snoopy" else - Display --indent 6 --text "- Library in ld.so.preload" --result "NOT FOUND" --color YELLOW + Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload" AddHP 3 3 fi else LogText "Result: /etc/ld.so.preload does not exist" - Display --indent 6 --text "- Library in ld.so.preload" --result "UNKNOWN" --color PURPLE + Display --indent 6 --text "- Library in ld.so.preload" --result "${STATUS_UNKNOWN}" --color PURPLE ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist" fi fi @@ -282,10 +282,10 @@ LogText "Result: Solaris audit daemon is running" SOLARIS_AUDITD_RUNNING=1 AUDIT_DAEMON_RUNNING=1 - Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_RUNNING}" --color GREEN else LogText "Result: Solaris audit daemon is not running" - Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW + Display --indent 2 --text "- Checking Solaris audit daemon status" --result "${STATUS_NOT_RUNNING}" --color YELLOW fi fi # 
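Review bot: In the hunk at -258,13 the branch that reports Snoopy as installed but not listed in /etc/ld.so.preload ends with `AddHP 3 3`, which appears to award all three hardening points for a control that is not active. Other failure branches in this file use the `AddHP 0 N` form, for example `AddHP 0 2` for the empty audit ruleset, so `AddHP 0 3` looks like the intended call here. The loaded branch above it is only partly visible in the hunk, so confirm whether the `AddHP 3 3` was meant to sit there instead.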
@@ -300,7 +300,7 @@ FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"` if [ ! "${FIND}" = "" ]; then LogText "Result: auditd service is online" - Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN + Display --indent 4 --text "- Checking Solaris audit daemon status" --result "${STATUS_ON}"LINE --color GREEN else Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW ReportSuggestion "${TEST_NO}" "Check status of audit daemon" @@ -319,9 +319,9 @@ FIND=`grep 'set c2audit:audit_load = 1' /etc/system` if [ ! "${FIND}" = "" ]; then LogText "Result: BSM is enabled in /etc/system" - Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN + Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "${STATUS_ENABLED}" --color GREEN else - Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "${STATUS_NOT_FOUND}" --color YELLOW fi else LogText "Result: /etc/system does not exist" @@ -340,10 +340,10 @@ FIND=`/usr/sbin/modinfo | grep c2audit` if [ ! "${FIND}" = "" ]; then LogText "Result: c2audit found in modinfo output" - Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN + Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: c2audit not found in modinfo output" - Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "${STATUS_NOT_FOUND}" --color YELLOW fi else LogText "Result: /usr/sbin/modinfo does not exist, skipping test" 
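Review bot: The new line in the hunk at -300,7 passes `--result "${STATUS_ON}"LINE`, which looks like a search-and-replace of `ON` applied inside the word `ONLINE`. The shell joins the value of `STATUS_ON` with the literal `LINE`, and if `STATUS_ON` is unset the result shown is just `LINE`. The definitions of the STATUS_ variables are not part of this diff, so either restore `--result ONLINE` or use a dedicated variable if one is defined. The `"NOT ONLINE"` result in the `else` branch of the same test is still a literal and should be handled the same way.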
@@ -366,20 +366,20 @@ LogText "Test: Checking if location is a valid directory" if [ -d ${FIND} ]; then LogText "Result: location ${FIND} is valid" - Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN + Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: location ${FIND} does not exist" - Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available" fi else LogText "Result: unknown event location" - Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW + Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_UNKNOWN}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured" fi else LogText "Result: could not find /etc/security/audit_control" - Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW + Display --indent 4 --text "- Checking Solaris audit location" --result "${STATUS_SKIPPED}" --color YELLOW fi fi # @@ -396,10 +396,10 @@ for I in ${FIND}; do LogText "Output: ${I}" done - Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN + Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_DONE}" --color GREEN else LogText "Result: /usr/sbin/auditstat not found, skipping test" - Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW + Display --indent 4 --text "- Checking Solaris audit statistics" --result "${STATUS_SKIPPED}" --color YELLOW fi fi # diff --git a/include/tests_authentication b/include/tests_authentication index c82a1fb9..4e13231a 100644 
--- a/include/tests_authentication +++ b/include/tests_authentication @@ -42,7 +42,7 @@ LogText "Test: Searching accounts with UID 0" FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'` if [ ! "${FIND}" = "" ]; then - Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED + Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_WARNING}" --color RED LogText "Result: Found more than one administrator accounts" ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file" for I in ${FIND}; do @@ -54,7 +54,7 @@ fi done else - Display --indent 2 --text "- Search administrator accounts" --result OK --color GREEN + Display --indent 2 --text "- Search administrator accounts" --result "${STATUS_OK}" --color GREEN LogText "Result: No accounts found with UID 0 other than root." fi fi 
@@ -75,16 +75,16 @@ if [ -f ${PASSWD_FILE} ]; then FIND=`grep -v '^#' ${PASSWD_FILE} | cut -d ':' -f3 | sort | uniq -d` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking for non-unique UIDs" --result OK --color GREEN + Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_OK}" --color GREEN LogText "Result: all accounts found in ${PASSWD_FILE} are unique" else - Display --indent 2 --text "- Checking for non-unique UIDs" --result WARNING --color RED + Display --indent 2 --text "- Checking for non-unique UIDs" --result "${STATUS_WARNING}" --color RED LogText "Result: found multiple accounts with same UID" LogText "Output (non-unique UIDs): ${FIND}" ReportWarning ${TEST_NO} "Multiple accounts found with same UID" fi else - Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE + Display --indent 2 --text "- Checking UIDs" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: test skipped, ${PASSWD_FILE} file not available" fi LogText "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake" 
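Review bot: `ReportWarning ${TEST_NO} "Multiple accounts found with same UID"` passes two arguments, while the other `ReportWarning` calls in this diff pass an impact level (`"H"`, `"M"` or `"L"`) between the test number and the text. If the function reads its arguments by position, the message lands in the impact slot and the warning text is empty; the function is not shown here, so confirm. Suggest `ReportWarning ${TEST_NO} "H" "Multiple accounts found with same UID"`, matching the duplicate group ID check. The same correction applies to `ReportWarning ${TEST_NO} "Found accounts without password"` in the hunk at -677,14.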
@@ -97,15 +97,15 @@ if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 2 --text "- Checking chkgrp tool" --result FOUND --color GREEN + Display --indent 2 --text "- Checking chkgrp tool" --result "${STATUS_FOUND}" --color GREEN LogText "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)." LogText "Test: Testing consistency of /etc/group file" FIND=`/usr/sbin/chkgrp | grep -v 'is fine'` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking consistency of /etc/group file" --result OK --color GREEN + Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_OK}" --color GREEN LogText "Result: chkgrp test performed, Group file seems to be ok." else - Display --indent 4 --text "- Checking consistency of /etc/group file" --result WARNING --color RED + Display --indent 4 --text "- Checking consistency of /etc/group file" --result "${STATUS_WARNING}" --color RED LogText "Result: chkgrp found some errors. Run the tool manually to see details." LogText "chkgrp output: ${FIND}" ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file" 
@@ -139,10 +139,10 @@ # Check exit-code if [ "${FIND}" = "0" ]; then - Display --indent 2 --text "- Checking consistency of group files (grpck)" --result OK --color GREEN + Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_OK}" --color GREEN LogText "Result: grpck binary didn't find any errors in the group files" else - Display --indent 2 --text "- Checking consistency of group files (grpck)" --result WARNING --color RED + Display --indent 2 --text "- Checking consistency of group files (grpck)" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files" ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files" fi @@ -161,9 +161,9 @@ # Check for all shells, except: (/usr)/sbin/nologin /nonexistent FIND=`grep "[a-z]:\*:" /etc/master.passwd | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking login shells" --result OK --color GREEN + Display --indent 2 --text "- Checking login shells" --result "${STATUS_OK}" --color GREEN else - Display --indent 2 --text "- Checking login shells" --result WARNING --color RED + Display --indent 2 --text "- Checking login shells" --result "${STATUS_WARNING}" --color RED for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` J=`echo ${I} | awk -F: '{ print $10 }'` @@ -186,7 +186,7 @@ fi fi else - Display --indent 2 --text "- Checking login shells" --result SKIPPED --color WHITE + Display --indent 2 --text "- Checking login shells" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: No /etc/master.passwd file found" fi fi 
@@ -200,10 +200,10 @@ LogText "Test: Checking for non unique group ID's in /etc/group" FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking non unique group ID's" --result OK --color GREEN + Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_OK}" --color GREEN LogText "Result: All group ID's are unique" else - Display --indent 2 --text "- Checking non unique group ID's" --result WARNING --color RED + Display --indent 2 --text "- Checking non unique group ID's" --result "${STATUS_WARNING}" --color RED LogText "Result: Found the same group ID multiple times" LogText "Output: ${FIND}" ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID" @@ -221,10 +221,10 @@ LogText "Test: Checking for non unique group names in /etc/group" FIND=`grep -v '^#' /etc/group | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking non unique group names" --result OK --color GREEN + Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_OK}" --color GREEN LogText "Result: All group names are unique" else - Display --indent 2 --text "- Checking non unique group names" --result WARNING --color WARNING + Display --indent 2 --text "- Checking non unique group names" --result "${STATUS_WARNING}" --color WARNING LogText "Result: Found the same group name multiple times" LogText "Output: ${FIND}" ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)" 
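Review bot: In the hunk at -221,10 the warning line for non-unique group names still ends in `--color WARNING`, which is a status word, not a colour; every other warning line in this diff uses `--color RED`. How `Display` treats an unrecognised colour is not visible here, but the line is likely shown without the intended highlighting. Suggest `--result "${STATUS_WARNING}" --color RED`.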
@@ -257,11 +257,11 @@ esac # Only display if this test has been executed if [ ${TESTED} -eq 1 -a "${FIND}" = "0" ]; then - Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN + Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_OK}" --color GREEN LogText "Result: pwck check didn't find any problems" AddHP 2 2 else - Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED + Display --indent 2 --text "- Checking password file consistency" --result "${STATUS_WARNING}" --color RED LogText "Result: pwck found one or more errors/warnings in the password file." ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." @@ -318,9 +318,9 @@ if [ "${FIND}" = "" ]; then Display --indent 4 --text "Result: No users found/unknown result" LogText "Result: Querying of system users skipped" - Display --indent 2 --text "- Query system users (non daemons)" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_UNKNOWN}" --color YELLOW else - Display --indent 2 --text "- Query system users (non daemons)" --result DONE --color GREEN + Display --indent 2 --text "- Query system users (non daemons)" --result "${STATUS_DONE}" --color GREEN for I in ${FIND}; do LogText "Real user: ${I}" Report "real_user[]=${I}" 
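Review bot: In the hunk at -257,11 the condition `[ ${TESTED} -eq 1 -a "${FIND}" = "0" ]` sends the case where pwck was never run into the `else` branch. That branch displays a warning and calls `ReportWarning` for errors pwck did not find, which contradicts the comment `# Only display if this test has been executed`. Changing `else` to `elif [ ${TESTED} -eq 1 ]; then` keeps the warning for real pwck failures and stays silent when the test was skipped. The `case` that sets `TESTED` and `FIND` and the closing `fi` are outside the hunk, so check that nothing later depends on the current behaviour.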
@@ -344,7 +344,7 @@ FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"` if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then LogText "Result: NIS+ authentication enabled" - Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: NIS+ authentication not enabled" Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE @@ -371,7 +371,7 @@ FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"` if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then LogText "Result: NIS authentication enabled" - Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: NIS authentication not enabled" Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE @@ -401,10 +401,10 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: sudoers file found (${SUDOERS_FILE})" - Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN + Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: sudoers file NOT found" - Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # 
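Review bot: The `else` branches of the NIS+ and NIS checks (hunks at -344,7 and -371,7) still pass the literal `--result "NOT ENABLED"`, while the lines next to them now use `"${STATUS_ENABLED}"`. The same holds for `--result "LOADED"` in the Snoopy check of include/tests_accounting. If the STATUS_ variables exist so that result text can be changed in one place, these literals will be missed. Either add variables for them where the others are defined (not shown in this diff), or add a comment stating that they are left as literals on purpose.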
@@ -420,10 +420,10 @@ LogText "Result: Found file permissions: ${FIND}" if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then LogText "Result: file ${SUDOERS_FILE} has correct permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN + Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_OK}" --color GREEN else LogText "Result: file has possibly unsafe file permissions" - Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED + Display --indent 4 --text "- Check sudoers file permissions" --result "${STATUS_WARNING}" --color RED fi fi # @@ -436,12 +436,12 @@ FIND=`logins -p | awk '{ print $1 }'` if [ "${FIND}" = "" ]; then LogText "Result: no passwordless accounts found" - Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN + Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_OK}" --color GREEN else for I in ${FIND}; do ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" done - Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED + Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result "${STATUS_WARNING}" --color RED fi fi # 
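Review bot: In the hunk at -420,10 the branch for possibly unsafe sudoers permissions only calls `LogText` and `Display`, so a `WARNING` shown on screen produces no entry in the report. The whole `else` branch is visible in the hunk, and other warning branches in this file pair the `Display` with `ReportWarning` or `ReportSuggestion`. Suggest adding a line after the `Display` call, for example `ReportSuggestion ${TEST_NO} "Check file permissions of the sudoers file"`.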
@@ -504,12 +504,12 @@ fi if [ ${FOUND} -eq 0 ]; then - Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW + Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: no PAM modules for password strength testing found" ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc" AddHP 0 3 else - Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN + Display --indent 2 --text "- Checking PAM password strength tools" --result "${STATUS_OK}" --color GREEN LogText "Result: found at least one PAM module for password strength testing" AddHP 3 3 fi @@ -524,7 +524,7 @@ LogText "Test: Checking file /etc/pam.conf" if [ -f /etc/pam.conf ]; then LogText "Result: file /etc/pam.conf exists" - Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN + Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" FIND=`grep -v "^#" /etc/pam.conf | grep -v "^$" | sed 's/[[:space:]]/ /g' | sed 's/ / /g' | sed 's/ /:space:/g'` if [ "${FIND}" = "" ]; then @@ -538,7 +538,7 @@ fi else LogText "Result: file /etc/pam.conf could not be found" - Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -551,7 +551,7 @@ LogText "Test: Checking directory /etc/pam.d" if [ -d /etc/pam.d ]; then LogText "Result: directory /etc/pam.d exists" - Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN + Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" FIND=`find /etc/pam.d -type f -print | sort` for I in ${FIND}; do @@ -559,7 +559,7 @@ done else LogText "Result: directory /etc/pam.d could not be found" - Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -590,10 +590,10 @@ done # Check if we found at least one module if [ ${FOUND} -eq 0 ]; then - Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: no PAM modules found" else - Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN + Display --indent 2 --text "- Checking PAM modules" --result "${STATUS_FOUND}" --color GREEN fi fi # @@ -611,12 +611,12 @@ if [ ! "${FIND}" = "" ]; then LogText "Result: LDAP module present" LogText "Output: ${FIND}" - Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN + Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN LDAP_AUTH_ENABLED=1 LDAP_PAM_ENABLED=1 else LogText "Result: LDAP module not found" - Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE fi else LogText "Result: file /etc/pam.d/common-auth not found, skipping test" 
@@ -660,13 +660,13 @@ LogText "Test: Checking Linux version and password expire date status" if [ "${FIND}" = "" ]; then LogText "Result: all accounts seem to have an expire date" - Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN + Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more accounts with expire date set" for I in ${FIND}; do LogText "Account without expire date: ${I}" done - Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW + Display --indent 2 --text "- Checking accounts without expire date" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts" fi fi @@ -677,14 +677,14 @@ LogText "Test: Checking passwordless accounts" if [ "${FIND2}" = "" ]; then LogText "Result: all accounts seem to have a password" - Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN + Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more accounts without password" for I in ${FIND2}; do LogText "Account without password: ${I}" Report "account_without_password=${I}" done - Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED + Display --indent 2 --text "- Checking accounts without password" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "Found accounts without password" fi fi 
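Review bot: In the hunk at -660,13 the `else` branch logs `Result: found one or more accounts with expire date set`, which states the opposite of what the branch detected. The lines that follow log `Account without expire date: ${I}` and suggest setting expire dates. Suggest `LogText "Result: found one or more accounts without expire date set"`. The command that fills `FIND` is outside the hunk.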
@@ -702,7 +702,7 @@ FIND=`grep "^PASS_MIN_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MIN_DAYS") { print $2 } }'` if [ "${FIND}" = "" -o "${FIND}" = "0" ]; then LogText "Result: password minimum age is not configured" - Display --indent 2 --text "- Checking user password aging (minimum)" --result DISABLED --color YELLOW + Display --indent 2 --text "- Checking user password aging (minimum)" --result "${STATUS_DISABLED}" --color YELLOW ReportSuggestion ${TEST_NO} "Configure minimum password age in /etc/login.defs" AddHP 0 1 else @@ -716,7 +716,7 @@ FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then LogText "Result: password aging limits are not configured" - Display --indent 2 --text "- Checking user password aging (maximum)" --result DISABLED --color YELLOW + Display --indent 2 --text "- Checking user password aging (maximum)" --result "${STATUS_DISABLED}" --color YELLOW ReportSuggestion ${TEST_NO} "Configure maximum password age in /etc/login.defs" AddHP 0 1 else @@ -747,15 +747,15 @@ Report "account_password_expired[]=${ACCOUNT}" done AddHP 0 10 - Display --indent 2 --text "- Checking expired passwords" --result FOUND --color RED + Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_FOUND}" --color RED ReportSuggestion "${TEST_NO}" "Delete accounts which are no longer used" else LogText "Result: good, no passwords have been expired" - Display --indent 2 --text "- Checking expired passwords" --result OK --color GREEN + Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_OK}" --color GREEN AddHP 10 10 fi else - Display --indent 2 --text "- Checking expired passwords" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking expired passwords" --result "${STATUS_SKIPPED}" --color YELLOW fi fi # 
@@ -773,11 +773,11 @@ FIND=`grep "^PASSREQ=NO" /etc/default/sulogin` if [ "${FIND}" = "" ]; then LogText "Result: option not present or configured to request a password at single user mode login" - Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN + Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_OK}" --color GREEN AddHP 1 1 else LogText "Result: option present, no password needed at single user mode login" - Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED + Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "H" "No password needed for single user mode login" AddHP 0 1 fi @@ -803,11 +803,11 @@ FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default` if [ "${FIND}" = "" ]; then LogText "Result: option not set, password is needed at boot" - Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN + Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_OK}" --color GREEN AddHP 1 1 else LogText "Result: option present, no password needed at single user mode login" - Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW + Display --indent 2 --text "- Checking HP-UX boot authentication" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Set password for system boot" AddHP 0 1 fi 
@@ -886,13 +886,13 @@ if [ ${TEST_PERFORMED} -eq 1 ]; then if [ ${FOUND} -eq 0 ]; then LogText "Result: option not set, no password needed at single user mode boot" - Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED + Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "L" "No password set for single mode" ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface" AddHP 0 2 else LogText "Result: option set, password is needed at single user mode boot" - Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN + Display --indent 2 --text "- Checking Linux single user mode authentication" --result "${STATUS_OK}" --color GREEN AddHP 2 2 fi else @@ -952,17 +952,17 @@ if [ ${FOUND_UMASK} -eq 1 ]; then if [ ${WEAK_UMASK} -eq 0 ]; then - Display --indent 4 --text "- Checking umask (/etc/profile)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else - Display --indent 4 --text "- Checking umask (/etc/profile)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027" AddHP 0 2 fi else # Some operating systems don't have a default umask defined in /etc/profile (Debian) LogText "Result: found no umask. Please check if this is correct" - Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW fi else LogText "Result: file /etc/profile does not exist" 
@@ -989,16 +989,16 @@ FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: umask value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then LogText "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027" AddHP 0 2 fi 
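Review bot: The `elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]` test in the -989 hunk is a string comparison, so a four-digit value such as `0027`, or a file with two matching `UMASK` lines, presumably falls through to the "could be improved" branch and produces a false suggestion. The same comparison appears in the /etc/init.d/functions (-1014), /etc/init.d/rc (-1036) and /etc/init.d/rcS (-1099) hunks. Accepting both spellings avoids that, for example `elif [ "${FIND}" = "077" ] || [ "${FIND}" = "027" ] || [ "${FIND}" = "0077" ] || [ "${FIND}" = "0027" ]; then`, which also drops the obsolescent `-o` operator. The enclosing test starts outside the hunk.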
@@ -1014,14 +1014,14 @@ FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: umask is not configured" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_NONE}" --color WHITE elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then LogText "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 0 2 fi else 
@@ -1036,16 +1036,16 @@ FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then LogText "Result: umask is ${FIND}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027" AddHP 0 2 fi 
@@ -1078,14 +1078,14 @@ fi if [ ${FOUND} -eq 1 ]; then if [ ${WEAK_UMASK} -eq 0 ]; then - Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_OK}" --color GREEN else Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027" fi else LogText "Result: no umask setting found in /etc/login.conf, which is unexpected" - Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "${STATUS_NONE}" --color YELLOW fi fi 
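Review bot: `--result WEAK` in the -1078 hunk is left as a bare literal while the two neighbouring Display calls now use `"${STATUS_OK}"` and `"${STATUS_NONE}"`, so this result would stay as-is if the status variables are meant for localisation (their definitions are not in this diff, so that purpose is inferred). The same applies to `"NOT ENABLED"` in the -1167 and -1186 hunks and to `SYMLINK` in the tests_banners hunks. Either add status variables for these values or mark the literals as deliberate with a comment such as `# no STATUS_ variable for this value; literal kept on purpose`.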
@@ -1099,16 +1099,16 @@ FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'` if [ "${FIND2}" = "" ]; then LogText "Result: UMASK value is not configured (most likely it will have the default 022 value)" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027" AddHP 1 2 elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then LogText "Result: umask is ${FIND2}, which is fine" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: found umask ${FIND2}, which could be improved" - Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027" AddHP 0 2 fi @@ -1167,7 +1167,7 @@ fi fi if [ ${FOUND} -eq 1 ]; then - Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN else Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW fi 
@@ -1186,7 +1186,7 @@ Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE else LogText "Result: LDAP authentication enabled" - Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN + Display --indent 2 --text "- Checking LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN LDAP_AUTH_ENABLED=1 fi else @@ -1233,11 +1233,11 @@ if [ "${FIND}" = "yes" ]; then AUTH_FAILED_LOGINS_LOGGED=1 LogText "Result: failed login attempts are logged in /var/log/faillog" - Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN + Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 else LogText "Result: failed login attempts are not logged" - Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW + Display --indent 2 --text "- Logging failed login attempts" --result "${STATUS_DISABLED}" --color YELLOW #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" AddHP 0 1 fi diff --git a/include/tests_banners b/include/tests_banners index 7537fa5e..f0fe981c 100644 --- a/include/tests_banners +++ b/include/tests_banners 
@@ -37,26 +37,26 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT" if [ -f /COPYRIGHT ]; then - Display --indent 2 --text "- /COPYRIGHT" --result FOUND --color GREEN + Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN if [ -s /COPYRIGHT ]; then LogText "Result: /COPYRIGHT available and contains text" else LogText "Result: /COPYRIGHT available, but empty" fi else - Display --indent 2 --text "- /COPYRIGHT" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- /COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: /COPYRIGHT not found" fi if [ -f /etc/COPYRIGHT ]; then - Display --indent 2 --text "- /etc/COPYRIGHT" --result FOUND --color GREEN + Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN if [ -s /etc/COPYRIGHT ]; then LogText "Result: /etc/COPYRIGHT available and contains text" else LogText "Result: /etc/COPYRIGHT available, but empty" fi else - Display --indent 2 --text "- /etc/COPYRIGHT" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- /etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: /etc/COPYRIGHT not found" fi fi 
@@ -70,14 +70,14 @@ # LogText "Test: Testing existence /etc/motd" # if [ -f /etc/motd ]; then # LogText "Result: file /etc/motd exists" - # Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN + # Display --indent 2 --text "- /etc/motd" --result "${STATUS_FOUND}" --color GREEN # if [ ! -L /etc/motd ]; then # if IsWorldWritable /etc/motd; then - # Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED + # Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_WARNING}" --color RED # LogText "Result: /etc/motd is world writable. Users can change this file!" # ReportWarning ${TEST_NO} "H" "/etc/motd is world writable" # else - # Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN + # Display --indent 4 --text "- /etc/motd permissions" --result "${STATUS_OK}" --color GREEN # LogText "Result: /etc/motd is not world writable." # fi # else @@ -85,7 +85,7 @@ # fi # else # LogText "Result: File /etc/motd not found" - # Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE + # Display --indent 2 --text "- /etc/motd" --result "${STATUS_NOT_FOUND}" --color WHITE # fi #fi # @@ -109,7 +109,7 @@ # # Check if we have 5 or more key words # if [ ${N} -gt 4 ]; then # LogText "Result: Found ${N} key words, to warn unauthorized users" - # Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN + # Display --indent 4 --text "- /etc/motd contents" --result "${STATUS_OK}" --color GREEN # AddHP 2 2 # else # LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased" 
@@ -132,11 +132,11 @@ LogText "Result: file /etc/issue exists (symlink)" Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN else - Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN + Display --indent 2 --text "- /etc/issue" --result "${STATUS_FOUND}" --color GREEN fi else LogText "Result: file /etc/issue does not exist" - Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- /etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -160,7 +160,7 @@ # Check if we have 5 or more key words if [ ${N} -gt 4 ]; then LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users" - Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN + Display --indent 4 --text "- /etc/issue contents" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased" @@ -184,11 +184,11 @@ Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN else LogText "Result: file /etc/issue.net exists" - Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN + Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_FOUND}" --color GREEN fi else LogText "Result: file /etc/issue.net does not exist" - Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- /etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -212,7 +212,7 @@ # Check if we have 5 or more key words if [ ${N} -gt 4 ]; then LogText "Result: Found ${N} key words, to warn unauthorized users" - Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN + Display --indent 4 --text "- /etc/issue.net contents" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased" 
diff --git a/include/tests_boot_services b/include/tests_boot_services index 015f5c8b..3b858d14 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -45,12 +45,12 @@ FIND=`/usr/sbin/bootinfo -b` if [ ! "${FIND}" = "" ]; then LogText "Result: found boot device ${FIND}" - Display --indent 2 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN + Display --indent 2 --text "- Checking boot device (bootinfo)" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="ROS" BOOT_LOADER_FOUND=1 else LogText "Result: no data received from bootinfo, most likely boot device not found" - #Display --indent 4 --text "- Checking boot device (bootinfo)" --result "NOT FOUND" --color YELLOW + #Display --indent 4 --text "- Checking boot device (bootinfo)" --result "${STATUS_NOT_FOUND}" --color YELLOW #ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device" fi fi @@ -126,7 +126,7 @@ esac LogText "Result: service manager found = ${SERVICE_MANAGER}" if [ "${SERVICE_MANAGER}" = "" -o "${SERVICE_MANAGER}" = "unknown" ]; then - Display --indent 2 --text "- Service Manager" --result "UNKNOWN" --color YELLOW + Display --indent 2 --text "- Service Manager" --result "${STATUS_UNKNOWN}" --color YELLOW else Display --indent 2 --text "- Service Manager" --result "${SERVICE_MANAGER}" --color GREEN fi 
@@ -193,15 +193,15 @@ ;; esac if [ ${UEFI_BOOTED} -eq 1 ]; then - Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_ENABLED}" --color GREEN if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then - Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_ENABLED}" --color GREEN else - Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW + Display --indent 2 --text "- Checking Secure Boot" --result "${STATUS_DISABLED}" --color YELLOW fi else if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then - Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color WHITE + Display --indent 2 --text "- Checking UEFI boot" --result "${STATUS_DISABLED}" --color WHITE fi fi fi @@ -220,7 +220,7 @@ BOOT_LOADER="GRUB" BOOT_LOADER_FOUND=1 GRUB_VERSION=1 - Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN + Display --indent 2 --text "- Checking presence GRUB" --result "${STATUS_OK}" --color GREEN if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi fi @@ -230,7 +230,7 @@ BOOT_LOADER="GRUB2" BOOT_LOADER_FOUND=1 GRUB_VERSION=2 - Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence GRUB2" --result "${STATUS_FOUND}" --color GREEN if [ -f /boot/grub/grub.cfg ]; then GRUBCONFFILE="/boot/grub/grub.cfg" elif [ -f /boot/grub2/grub.cfg ]; then 
@@ -277,11 +277,11 @@ FOUND=1 fi if [ ${FOUND} -eq 1 ]; then - Display --indent 4 --text "- Checking for password protection" --result OK --color GREEN + Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN LogText "Result: GRUB has password protection." AddHP 4 4 else - Display --indent 4 --text "- Checking for password protection" --result WARNING --color RED + Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED LogText "Result: Didn't find hashed password line in GRUB boot file!" ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)" AddHP 0 2 @@ -300,7 +300,7 @@ BOOT_LOADER_SEARCHED=1 if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then LogText "Result: found boot1, boot2 and loader files in /boot" - Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence FreeBSD loader" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="FreeBSD" BOOT_LOADER_FOUND=1 else @@ -317,7 +317,7 @@ BOOT_LOADER_SEARCHED=1 if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then LogText "Result: found NetBSD secondary bootstrap" - Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence NetBSD loader" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="NetBSD" BOOT_LOADER_FOUND=1 else 
@@ -341,18 +341,18 @@ if [ ${CANREAD} -eq 1 ]; then BOOT_LOADER="LILO" BOOT_LOADER_FOUND=1 - Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN + Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN LogText "Checking password option LILO" FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED + Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED LogText "Result: no password set for LILO. Bootloader is unprotected to" LogText "dropping to single user mode or unauthorized access to devices/data." ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=': password=" ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader" AddHP 0 2 else - Display --indent 4 --text "- Password option presence " --result "OK" --color GREEN + Display --indent 4 --text "- Password option presence " --result "${STATUS_OK}" --color GREEN LogText "Result: LILO password option set" AddHP 4 4 fi @@ -373,7 +373,7 @@ BOOT_LOADER_SEARCHED=1 if [ -f /etc/silo.conf ]; then LogText "Result: Found SILO configuration file (/etc/silo.conf)" - Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN + Display --indent 2 --text "- Checking boot loader SILO" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="SILO" BOOT_LOADER_FOUND=1 else 
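Review bot: The LILO password check in the -341 hunk filters comments with `grep -v "^#"`, which only drops lines that start with `#` in column one, so an indented, commented-out `password=` line would still count as a configured password and the test would report OK and award `AddHP 4 4`. Allowing optional leading whitespace closes that gap: `grep -v "^[[:space:]]*#"`. `${LILOCONFFILE}` is also unquoted in the same command. The start of the test, where `LILOCONFFILE` and `CANREAD` are set, lies outside the hunk.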
@@ -392,11 +392,11 @@ # FIND=`/sbin/silo | grep "appears to be valid"` # if [ ! "${FIND}" = "" ]; then # LogText "Result: Found SILO configuration file (/etc/silo.conf)" -# Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN +# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_OK}" --color GREEN # else # LogText "Result: no positive result received from silo binary" # ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)" -# Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED +# Display --indent 6 --text "- Checking SILO consistency" --result "${STATUS_WARNING}" --color RED # fi # fi # fi @@ -411,7 +411,7 @@ LogText "Test: Check for /etc/yaboot.conf" if [ -f /etc/yaboot.conf ]; then LogText "Result: Found YABOOT configuration file (/etc/yaboot.conf)" - Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN + Display --indent 4 --text "- Checking boot loader YABOOT" --result "${STATUS_FOUND}" --color GREEN BOOT_LOADER="YABOOT" BOOT_LOADER_FOUND=1 else 
@@ -437,18 +437,18 @@ # Configuration file if [ -f /etc/boot.conf ]; then FOUND=1 - Display --indent 2 --text "- Checking /etc/boot.conf" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_FOUND}" --color GREEN FIND=`grep '^boot' /etc/boot.conf` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking boot option" --result WARNING --color RED + Display --indent 4 --text "- Checking boot option" --result "${STATUS_WARNING}" --color RED #ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode." ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password" else - Display --indent 4 --text "- Checking boot option" --result OK --color GREEN + Display --indent 4 --text "- Checking boot option" --result "${STATUS_OK}" --color GREEN LogText "Ok, boot option is enabled." fi else - Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking /etc/boot.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical" LogText "access to the server can be used to possibly enter single user mode." ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time." @@ -491,7 +491,7 @@ Report "boottask[]=${I}" N=$((N + 1)) done - Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "DONE" --color GREEN + Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "${STATUS_DONE}" --color GREEN Display --indent 6 --text "Result: found $N services/options set" LogText "Found $N services/options to run at startup" fi 
@@ -519,7 +519,7 @@ N=$((N + 1)) done LogText "Note: Run systemctl --full --type=service to see all services" - Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN + Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found $N running services" LogText "Result: Found $N enabled services" @@ -534,7 +534,7 @@ N=$((N + 1)) done LogText "Note: Run systemctl list-unit-files --type=service to see all services" - Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN + Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found $N enabled services" LogText "Result: Found $N running services" @@ -552,7 +552,7 @@ N=$((N + 1)) done LogText "Hint: Run chkconfig --list to see all services and disable unneeded services" - Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN + Display --indent 2 --text "- Check services at startup (chkconfig)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found $N services" LogText "Result: Found $N services at startup" else @@ -581,7 +581,7 @@ LogText "Found service (at boot, runlevel 2): ${I}" N=$((N + 1)) done - Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE + Display --indent 2 --text "- Check services at startup (rc2.d)" --result "${STATUS_DONE}" --color WHITE Display --indent 4 --text "Result: found $N services" LogText "Result: found $N services" fi 
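Review bot: The two systemctl hunks (-519 and -534) log the opposite of what they display: after `- Check running services (systemctl)` the log line is `Result: Found $N enabled services`, and after `- Check enabled services at boot (systemctl)` it is `Result: Found $N running services`. The two LogText strings look swapped, which makes the log file disagree with the screen output for the same counter. Swapping them back gives `LogText "Result: Found $N running services"` in the first block and `LogText "Result: Found $N enabled services"` in the second. Both loops start before their hunks.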
@@ -667,12 +667,12 @@ # Check results if [ ${FOUND} -eq 1 ]; then - Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED + Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-" LogText "Result: found one or more scripts which are possibly writable by other users" AddHP 0 3 else - Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN + Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN AddHP 3 3 fi fi @@ -691,7 +691,7 @@ if [ -f /proc/uptime ]; then FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1` else - Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)" fi ;; @@ -700,7 +700,7 @@ if [ ! "${SYSCTLBINARY}" = "" ]; then FIND=`${SYSCTLBINARY} kern.boottime | awk '{ print $5 }' | sed -e 's/,//' | grep "[0-9]"` else - Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" fi ;; @@ -717,7 +717,7 @@ ReportException "${TEST_NO}:5" "Most likely kern.boottime empty, unable to determine uptime" fi else - Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:4" "No uptime test available for this operating system (sysctl missing)" fi ;; 
@@ -726,13 +726,13 @@ if [ ! "${KSTATBINARY}" = "" ]; then FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1` else - Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)" fi ;; *) - Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking uptime" --result "${STATUS_SKIPPED}" --color YELLOW # Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds) ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system" @@ -769,7 +769,7 @@ else LogText "Result: did not find sulogin in rescue.service" AddHP 1 3 - Display --indent 2 --text "- Checking sulogin in rescue.service" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking sulogin in rescue.service" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin" fi else diff --git a/include/tests_containers b/include/tests_containers index 6c5ddc1a..dd745126 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -50,7 +50,7 @@ Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN else LogText "Result: no running zones found" - Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE + Display --indent 2 --text "- Checking Solaris Zones" --result "${STATUS_NONE}" --color WHITE fi fi # @@ -82,7 +82,7 @@ Report "docker_daemon_running=1" DOCKER_DAEMON_RUNNING=1 Display --indent 4 --text "- Docker" - Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN + Display --indent 6 --text "- Docker daemon" --result "${STATUS_RUNNING}" --color GREEN fi fi # 
@@ -109,7 +109,7 @@ AddHP 3 4 else LogText "Result: no warnings found from 'docker info' output" - Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN + Display --indent 8 --text "- Docker info output (warnings)" --result "${STATUS_NONE}" --color GREEN AddHP 1 1 fi fi @@ -136,7 +136,7 @@ if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then LogText "Result: difference detected, which is unexpected" ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers" - Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED + Display --indent 8 --text "- Total containers" --result "${STATUS_UNKNOWN}" --color RED else Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE fi @@ -190,10 +190,10 @@ fi done if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then - Display --indent 4 --text "- File permissions" --result WARNINGS --color YELLOW + Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}"S --color YELLOW AddHP 0 5 else - Display --indent 4 --text "- File permissions" --result OK --color GREEN + Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN AddHP 5 5 fi fi diff --git a/include/tests_crypto b/include/tests_crypto index 7294c8a8..0fbcf454 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
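Review bot: `--result "${STATUS_WARNING}"S` in the -190 hunk of tests_containers is a leftover of a textual search-and-replace on `WARNINGS`: it prints the old text only as long as the variable expands to exactly `WARNING`. The tests_custom.template hunk at -23 has the same problem in a worse form, `--result "${STATUS_NO}"TICE`, where `NOTICE` was split around a variable that presumably stands for "no". If the status variables are ever changed or translated, both results turn into nonsense strings. Restoring the literals, `--result WARNINGS` and `--result NOTICE`, or introducing dedicated variables for them, keeps the output stable.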
@@ -78,9 +78,9 @@ done if [ ${FOUNDPROBLEM} -eq 0 ]; then - Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN + Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN else - Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED + Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED ReportSuggestion ${TEST_NO} "Check available certificates for expiration" fi fi diff --git a/include/tests_custom.template b/include/tests_custom.template index 6486956b..284c4a67 100644 --- a/include/tests_custom.template +++ b/include/tests_custom.template @@ -23,9 +23,9 @@ # --text text to be displayed on screen # --result text at end of line # --color color of result text - Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN - Display --indent 4 --text "This shows one level deeper " --result NOTICE --color YELLOW - Display --indent 6 --text "And even deeper" --result WARNING --color RED + Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN + Display --indent 4 --text "This shows one level deeper " --result "${STATUS_NO}"TICE --color YELLOW + Display --indent 6 --text "And even deeper" --result "${STATUS_WARNING}" --color RED # Here we could add specific tests, like testing for a directory # Most tests use the "if-then-else". If something is true, take one step, otherwise the other. 
@@ -54,12 +54,12 @@ # Only match one value "Linux") LogText "Found Linux" - Display --indent 2 --text "OS: Linux" --result OK --color GREEN + Display --indent 2 --text "OS: Linux" --result "${STATUS_OK}" --color GREEN ;; # Matching several platforms "FreeBSD" | "NetBSD" | "OpenBSD") LogText "Found an operating system based on BSD" - Display --indent 2 --text "OS: *BSD" --result OK --color GREEN + Display --indent 2 --text "OS: *BSD" --result "${STATUS_OK}" --color GREEN ;; # Catch-all for unknown values *) @@ -96,9 +96,9 @@ fi if [ ${FOUNDPROBLEM} -eq 0 ]; then - Display --indent 2 --text "- Checking if everything is OK..." --result OK --color GREEN + Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_OK}" --color GREEN else - Display --indent 2 --text "- Checking if everything is OK..." --result WARNING --color RED + Display --indent 2 --text "- Checking if everything is OK..." --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "This is a suggestion" fi fi diff --git a/include/tests_databases b/include/tests_databases index b2cc3b74..22b7f346 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -37,10 +37,10 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"` if [ "${FIND}" = "" ]; then - if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE --debug; fi + if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: MySQL process not active" else - Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN + Display --indent 2 --text "- MySQL process status" --result "${STATUS_FOUND}" --color GREEN LogText "Result: MySQL is active" MYSQL_RUNNING=1 Report "mysql_running=${MYSQL_RUNNING}" 
@@ -76,11 +76,11 @@ if [ "${FIND}" = "0" ]; then LogText "Result: Login succeeded, no MySQL root password set!" ReportWarning ${TEST_NO} "H" "No MySQL root password set" - Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED + Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED AddHP 0 5 else LogText "Result: Login did not succeed, so a MySQL root password is set" - Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN + Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN AddHP 2 2 fi else @@ -94,12 +94,12 @@ Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes" if [ ${SKIPTEST} -eq 0 ]; then if IsRunning "postgres:"; then - Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN + Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN LogText "Result: PostgreSQL is active" POSTGRESQL_RUNNING=1 Report "postgresql_running=${POSTGRESQL_RUNNING}" else - if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE --debug; fi + if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: PostgreSQL process not active" fi fi 
@@ -120,10 +120,10 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"` if [ "${FIND}" = "" ]; then - if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE --debug; fi + if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: Oracle process(es) not active" else - Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN + Display --indent 2 --text "- Oracle processes status" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Oracle is active" ORACLE_RUNNING=1 Report "oracle_running=${ORACLE_RUNNING}" @@ -148,12 +148,12 @@ Register --test-no DBS-1860 --weight L --network NO --description "Checking active DB2 instances" if [ ${SKIPTEST} -eq 0 ]; then if IsRunning db2sysc; then - Display --indent 2 --text "- DB2 instance running" --result "FOUND" --color GREEN + Display --indent 2 --text "- DB2 instance running" --result "${STATUS_FOUND}" --color GREEN LogText "Result: At least one DB2 instance is running" DB2_RUNNING=1 Report "db2_running=${DB2_RUNNING}" else - if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "NOT FOUND" --color WHITE --debug; fi + if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- DB2 instance running" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: No DB2 instances are running" fi fi diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 408cf301..972cf283 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity 
@@ -39,10 +39,10 @@ Report "file_integrity_tool[]=afick" FILE_INT_TOOL="afick" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- AFICK" --result FOUND --color GREEN + Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: AFICK is not installed" - if IsVerbose; then Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -58,10 +58,10 @@ Report "file_integrity_tool[]=aide" FILE_INT_TOOL="aide" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- AIDE" --result FOUND --color GREEN + Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: AIDE is not installed" - if IsVerbose; then Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -81,14 +81,14 @@ fi done if [ "${AIDECONFIG}" = "" ]; then - Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW + Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color YELLOW else LogText "Checking configuration file ${AIDECONFIG} for errors" FIND=$(${AIDEBINARY} --config=${AIDECONFIG} -D) if [ $? -eq 0 ]; then - Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN + Display --indent 6 --text "- AIDE config file" --result "${STATUS_FOUND}" --color GREEN else - Display --indent 6 --text "- AIDE config file" --result WARNING --color YELLOW + Display --indent 6 --text "- AIDE config file" --result "${STATUS_WARNING}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check the AIDE configuratio file as it may contain errors" fi fi 
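Review bot: The suggestion string in the AIDE config hunk (`@@ -81,14 +81,14 @@`) still reads "Check the AIDE configuratio file"; since the neighbouring lines are being edited, fix the spelling: `ReportSuggestion "${TEST_NO}" "Check the AIDE configuration file as it may contain errors"`. In the same hunk, `FIND=$(${AIDEBINARY} --config=${AIDECONFIG} -D)` expands the config path unquoted, so a path containing whitespace would be split into separate arguments; `--config="${AIDECONFIG}"` avoids that. The enclosing test block starts and ends outside the hunk.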
@@ -106,10 +106,10 @@ Report "file_integrity_tool[]=osiris" FILE_INT_TOOL="osiris" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- Osiris" --result FOUND --color GREEN + Display --indent 4 --text "- Osiris" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Osiris is not installed" - if IsVerbose; then Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- Osiris" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -125,10 +125,10 @@ Report "file_integrity_tool[]=samhain" FILE_INT_TOOL="samhain" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- Samhain" --result FOUND --color GREEN + Display --indent 4 --text "- Samhain" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Samhain is not installed" - if IsVerbose; then Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- Samhain" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -144,10 +144,10 @@ Report "file_integrity_tool[]=tripwire" FILE_INT_TOOL="tripwire" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN + Display --indent 4 --text "- Tripwire" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Tripwire is not installed" - if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # 
@@ -164,10 +164,10 @@ Report "file_integrity_tool[]=ossec" FILE_INT_TOOL="ossec-syscheck" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN + Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: syscheck (OSSEC) not installed" - if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -184,10 +184,10 @@ Report "file_integrity_tool[]=mtree" FILE_INT_TOOL="mtree" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- mtree" --result FOUND --color GREEN + Display --indent 4 --text "- mtree" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: mtree is not installed" - if IsVerbose; then Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- mtree" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -198,16 +198,16 @@ if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN + Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN IsRunning 'lfd ' if [ ${RUNNING} -eq 1 ]; then LogText "Result: lfd daemon is running (CSF)" Report "file_integrity_tool[]=csf-lfd" - Display --indent 6 --text "- LFD (CSF) daemon" --result RUNNING --color GREEN + Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN FILE_INT_TOOL="csf-lfd" FILE_INT_TOOL_FOUND=1 else - Display --indent 6 --text "- LFD (CSF) daemon" --result "NOT RUNNING" --color YELLOW + Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_NOT_RUNNING}" --color YELLOW fi fi # 
@@ -222,24 +222,24 @@ ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` if [ ! "${ENABLED}" = "" ]; then LogText "Result: lfd service is configured to run" - Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN + Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: lfd service is configured NOT to run" - Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW + Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW fi ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" - Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN + Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: lfd directory watching is disabled" - Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW + Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW fi ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then - Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN + Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN else - Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW + Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW fi fi # 
@@ -256,10 +256,10 @@ Report "file_integrity_tool[]=osquery" FILE_INT_TOOL="osquery" FILE_INT_TOOL_FOUND=1 - Display --indent 4 --text "- osquery daemon (syscheck)" --result FOUND --color GREEN + Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: syscheck (osquery) not installed" - if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -278,7 +278,7 @@ AddHP 1 3 else LogText "Result: Found SHA256 or SHA512 found for creating checksums" - Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN + Display --indent 6 --text "- AIDE config (Checksum)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 fi fi @@ -292,11 +292,11 @@ LogText "Test: Check if at least on file integrity tool is available/installed" if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then LogText "Result: found at least one file integrity tool" - Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_FOUND}" --color GREEN AddHP 5 5 else LogText "Result: No file integrity tools found" - Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files" AddHP 0 5 fi diff --git a/include/tests_file_permissions b/include/tests_file_permissions index 612aa325..859dbaca 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions 
@@ -42,11 +42,11 @@ LogText " Actual permissions: ${FILEVALUE}" LogText " Result: $PERMS" if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then - Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "${I}" --result "${STATUS_NOT_FOUND}" --color WHITE elif [ "${PERMS}" = "OK" ]; then - Display --indent 4 --text "${I}" --result OK --color GREEN + Display --indent 4 --text "${I}" --result "${STATUS_OK}" --color GREEN elif [ "${PERMS}" = "BAD" ]; then - Display --indent 4 --text "${I}" --result WARNING --color RED + Display --indent 4 --text "${I}" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}" else LogText "UNKNOWN status for file" diff --git a/include/tests_filesystems b/include/tests_filesystems index 7b59e39a..5dcb8b86 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -51,11 +51,11 @@ FIND=`mount | grep "${I}"` if [ ! "${FIND}" = "" ]; then LogText "Result: found ${I} as a separated mount point" - Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN + Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN AddHP 10 10 else LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system" - Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition" AddHP 9 10 fi 
@@ -92,10 +92,10 @@ Report "lvm_volume_group[]=${I}" done LVM_VG_USED=1 - Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN + Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no LVM volume groups found" - if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_NONE}" --color WHITE; fi fi fi # @@ -125,10 +125,10 @@ LogText "Found LVM volume: ${I}" Report "lvm_volume[]=${I}" done - Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN + Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no LVM volume groups found" - Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE + Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_NONE}" --color WHITE fi fi # @@ -172,10 +172,10 @@ LogText "Test: Query /etc/fstab for available FFS/UFS mount points" FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab` if [ "${FIND}" = "" ]; then - if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi LogText "Result: unable to find any single mount point (FFS/UFS)" else - Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN + Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_FOUND}" --color GREEN Report "filesystem[]=ufs" for I in ${FIND}; do LogText "FFS/UFS mount found: ${I}" 
@@ -193,10 +193,10 @@ LogText "Test: Query /etc/fstab for available ZFS mount points" FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE + Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE LogText "Result: unable to find any single mount point (ZFS)" else - Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN + Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN Report "filesystem[]=zfs" for I in ${FIND}; do LogText "ZFS mount found: ${I}" @@ -257,9 +257,9 @@ Report "swap_partition[]=${I},${REAL}," done if [ ${FOUND} -eq 1 ]; then - Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN + Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN else - Display --indent 2 --text "- Query swap partitions (fstab)" --result NONE --color YELLOW + Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW LogText "Result: no swap partitions found in /etc/fstab" fi fi @@ -278,7 +278,7 @@ #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab` if [ ! "${FIND}" = "" ]; then - Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN + Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN LogText "Result: all swap partitions have correct options (sw or swap)" else Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW 
@@ -300,10 +300,10 @@ # Search for files only in /tmp, with an access time older than X days FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN + Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN LogText "Result: no files found in /tmp which are older than 3 months" else - Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED + Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED N=0 for I in ${FIND}; do FILE=`echo ${I} | sed 's/!space!/ /g'` @@ -329,11 +329,11 @@ # Depending on OS, number of field with 'tmp' differs FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10` if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then - Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN + Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN LogText "Result: Sticky bit (${FIND}) found on /tmp directory" AddHP 3 3 else - Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED + Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!" ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory." AddHP 0 3 
@@ -402,11 +402,11 @@ LogText "Result: ACL option NOT enabled on root file system" LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option" LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file" - Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW + Display --indent 2 --text "- ACL support root file system" --result "${STATUS_DISABLED}" --color YELLOW AddHP 0 1 else LogText "Result: ACL option enabled on root file system" - Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN + Display --indent 2 --text "- ACL support root file system" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 fi fi @@ -427,7 +427,7 @@ if [ ! "${FIND}" = "" ]; then LogText "Result: mount system / is configured with options: ${FIND}" if [ "${FIND}" = "defaults" ]; then - Display --indent 2 --text "- Mount options of /" --result OK --color GREEN + Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN else Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW fi @@ -522,7 +522,7 @@ if [ ! "${FIND}" = "" ]; then LogText "Result: mount system /var/tmp is configured with options: ${FIND}" if [ "${BIND}" = "YES" ]; then - Display --indent 2 --text "- /var/tmp is bound to /tmp" --result OK --color GREEN + Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN LogText "Result : /var/tmp is bind to /tmp" else Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW 
@@ -599,11 +599,11 @@ fi done if [ ${FOUND} -eq 1 ]; then - Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN + Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN Report "locate_db=${LOCATE_DB}" else LogText "Result: database not found" - Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file." fi fi diff --git a/include/tests_firewalls b/include/tests_firewalls index b1153934..c6fd5d0d 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -46,13 +46,13 @@ FIREWALL_SOFTWARE="iptables" IPTABLES_ACTIVE=1 IPTABLES_MODULE_ACTIVE=1 - Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN + Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found iptables in loaded kernel modules" for I in ${FIND}; do LogText "Found module: ${I}" done else - Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking iptables kernel module" --result "${STATUS_NOT_FOUND}" --color WHITE # If we can't find an active module, try to find the Linux configuration file and check that if [ -f /proc/config.gz ]; then 
@@ -80,13 +80,13 @@ IPTABLES_INKERNEL_ACTIVE=1 FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="iptables" - Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN + Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no iptables found in Linux kernel config file" fi else LogText "Result: no Linux configuration file found" - Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking iptables in config file" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi fi @@ -102,7 +102,7 @@ if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --description "Check used policies of iptables chains" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 4 --text "- Checking iptables policies of chains" --result FOUND --color GREEN + Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN TABLES="filter" for TABLE in ${TABLES}; do LogText "Test: gathering information from table ${TABLE}" @@ -155,11 +155,11 @@ # Firewall is active, but clearly needs configuration FIREWALL_EMPTY_RULESET=1 LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)" - Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED + Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active" else LogText "Result: one or more rules are available (${FIND} rules)" - Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN + Display --indent 4 --text "- Checking for empty ruleset" --result "${STATUS_OK}" --color GREEN fi fi fi 
@@ -173,10 +173,10 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN + Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_OK}" --color GREEN LogText "Result: There are no unused rules present" else - Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW + Display --indent 4 --text "- Checking for unused rules" --result "${STATUS_FOUND}" --color YELLOW LogText "Result: Found one or more possible unused rules" LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules." @@ -201,17 +201,17 @@ if [ ! "${PFCTLBINARY}" = "" ]; then FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'` if [ "${FIND}" = "Enabled" ]; then - Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_ENABLED}" --color GREEN LogText "Result: pf is enabled" PFFOUND=1 AddHP 3 3 else if [ "${FIND}" = "Disabled" ]; then - Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED + Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_DISABLED}" --color RED LogText "Result: pf is disabled" AddHP 0 3 else - Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Checking pf status (pfctl)" --result "${STATUS_UNKNOWN}" --color YELLOW ReportException ${TEST_NO} "Unknown status of pf firewall" fi fi 
@@ -236,7 +236,7 @@ IsRunning pflogd if [ ${RUNNING} -eq 1 ]; then LogText "Result: found pflog daemon in process list" - Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN + Display --indent 4 --text "- Checking pflogd status" --result "ACTIVE" --color GREEN PFFOUND=1 PFLOGDFOUND=1 else @@ -267,10 +267,10 @@ # Check results from pfctl PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'` if [ "${PFWARNINGS}" = "" ]; then - Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN + Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_OK}" --color GREEN LogText "Result: no pf filter warnings found" else - Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED + Display --indent 4 --text "- Checking pf configuration consistency" --result "${STATUS_WARNING}" --color RED LogText "Result: found one or more warnings in the pf filter rules" ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file" ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings" @@ -298,7 +298,7 @@ FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="csf" Report "firewall_software[]=csf" - Display --indent 2 --text "- Checking CSF status (configuration file)" --result FOUND --color GREEN + Display --indent 2 --text "- Checking CSF status (configuration file)" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: ${FILE} does NOT exist" fi 
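Review bot: The pflogd line in `@@ -236,7 +236,7 @@` changes `--result ACTIVE` to `--result "ACTIVE"` rather than to a `STATUS_*` variable, so this result stays a hard-coded literal while the surrounding Display calls now take their text from variables. The FIRE-4590 hunk (`@@ -422,7 +422,7 @@`) carries the same quoted literal. If the status definitions (not visible in this part of the diff) have no matching entry, a comment such as `# no STATUS_ variable for ACTIVE yet, literal kept on purpose` would make the omission explicit; otherwise use the variable in both places.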
@@ -313,13 +313,13 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'` if [ "${FIND}" = "yes" ]; then - Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN + Display --indent 4 --text "- Checking ipf status" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: ipf is enabled and running" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipf" Report "firewall_software[]=ipf" else - Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW + Display --indent 4 --text "- Checking ipf status" --result "${STATUS_NOT_RUNNING}" --color YELLOW LogText "Result: ipf is not running" fi fi 
@@ -334,25 +334,25 @@ # For now, only check for IPv4. FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` if [ "${FIND}" = "1" ]; then - Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: IPFW is running for IPv4" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipfw" Report "firewall_software[]=ipfw" IPFW_ENABLED=`service -e | grep -o ipfw` if [ "${IPFW_ENABLED}" = "ipfw" ]; then - Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN + Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result "${STATUS_YES}" --color GREEN LogText "Result: IPFW is enabled at start-up for IPv4" else - Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result "${STATUS_NO}" --color YELLOW LogText "Result: IPFW is disabled at start-up for IPv4" fi else - Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW + Display --indent 2 --text "- Checking IPFW status" --result "${STATUS_NOT_RUNNING}" --color YELLOW LogText "Result: IPFW is not running for IPv4" fi else - Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking IPFW" --result "${STATUS_SKIPPED}" --color YELLOW ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)" fi fi 
@@ -366,13 +366,13 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null | grep "Firewall is enabled"` if [ ! "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 LogText "Result: application firewall of Mac OS X is enabled" APPLICATION_FIREWALL_ACTIVE=1 Report "app_fw[]=macosx-app-fw" else - Display --indent 2 --text "- Checking IPFW" --result DISABLED --color YELLOW + Display --indent 2 --text "- Checking IPFW" --result "${STATUS_DISABLED}" --color YELLOW AddHP 1 3 LogText "Result: application firewall of Mac OS X is disabled" fi @@ -422,7 +422,7 @@ Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status" if [ ${SKIPTEST} -eq 0 ]; then if [ ${FIREWALL_ACTIVE} -eq 1 ]; then - Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN + Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN LogText "Result: host based firewall or packet filter is active" Report "manual[]=Verify if there is a formal process for testing and applying firewall rules" Report "manual[]=Verify all traffic is filtered the right way between the different security zones" diff --git a/include/tests_hardening b/include/tests_hardening index 663477c8..b7f0b7a3 100644 --- a/include/tests_hardening +++ b/include/tests_hardening 
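Review bot: The else branch of the Application Firewall test still prints the label `"- Checking IPFW"`, so a disabled macOS application firewall is shown on screen under the name of a different firewall. The changed line keeps that label and only swaps the result string. It should use the same text as the enabled branch: `Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result "${STATUS_DISABLED}" --color YELLOW`. The LogText line below it already names the right component, so only the Display label needs to change.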
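Review bot: In the FIRE-4590 hunk the result is only quoted (`--result "ACTIVE"`) rather than replaced by a status variable, so it stays a hard-coded string while the rest of the commit uses `${STATUS_*}`. The inetd hunk in include/tests_insecure_services does the same, and the untouched context lines `--result "NOT ENABLED"` (remote logging in tests_logging) and `--result "NON-ACTIVE"` (AppArmor in tests_mac_frameworks) are also left as literals. If a matching constant is defined alongside the other status values (not visible in this diff), use it, for example `--result "${STATUS_ACTIVE}"`. Otherwise add a short comment such as `# no STATUS_ constant for this value yet` so the omission reads as deliberate.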
@@ -33,11 +33,11 @@ LogText "Test: Check if one or more compilers can be found on the system" if [ ${COMPILER_INSTALLED} -eq 0 ]; then LogText "Result: no compilers found" - Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN + Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 3 3 else LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'" - Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED + Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED AddHP 1 3 fi fi @@ -84,7 +84,7 @@ fi #YYY check if compilers have a specific group (like compiler, or NOT root/wheel) -# Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED +# Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED # /usr/bin/*cc* # /usr/bin/*++* # /usr/bin/ld @@ -101,11 +101,11 @@ LogText "Test: Check if a malware scanner is installed" if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then LogText "Result: found at least one malware scanner" - Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN + Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else LogText "Result: no malware scanner found" - Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED + Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" AddHP 1 3 fi diff --git a/include/tests_homedirs b/include/tests_homedirs index 019dc717..f0828c85 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs 
@@ -63,10 +63,10 @@ FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print` fi if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN + Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN LogText "Result: Ok, history files are type 'file'." else - Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED + Display --indent 2 --text "- Checking shell history files" --result "${STATUS_WARNING}" --color RED LogText "Result: the following files seem to be of the wrong file type:" LogText "Output: ${FIND}" LogText "Info: above files could be redirected files to avoid logging and should be investigated" @@ -74,7 +74,7 @@ fi LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful." else - Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE + Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: Homedirs is empty, test will be skipped" fi fi diff --git a/include/tests_insecure_services b/include/tests_insecure_services index c26734be..4b181d42 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -40,7 +40,7 @@ IsRunning inetd if [ ${RUNNING} -eq 1 ]; then LogText "Result: inetd is running" - Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN + Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN INETD_ACTIVE=1 else LogText "Result: inetd is NOT running" 
@@ -59,10 +59,10 @@ LogText "Test: Searching for file ${INETD_CONFIG_FILE}" if [ -f ${INETD_CONFIG_FILE} ]; then LogText "Result: ${INETD_CONFIG_FILE} exists" - Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE + Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_FOUND}" --color WHITE else LogText "Result: ${INETD_CONFIG_FILE} does not exist" - Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking inetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -77,9 +77,9 @@ LogText "Test: check if all services are disabled if inetd is disabled" FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN + Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN else - Display --indent 4 --text "- Checking inetd.conf services" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}" fi fi @@ -95,11 +95,11 @@ FIND=`grep "^telnet" ${INETD_CONFIG_FILE}` if [ "${FIND}" = "" ]; then LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}" - Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN + Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 3 3 else LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}" - Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED + Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_WARNING}" --color RED ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead" AddHP 1 3 fi 
diff --git a/include/tests_kernel b/include/tests_kernel index cc7c64a2..524fd4c2 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -61,7 +61,7 @@ fi else LogText "Result: No readlink binary, can't determine where symlink is pointing to" - Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW fi else LogText "Result: no systemd found, so trying inittab" @@ -71,7 +71,7 @@ LogText "Test: Checking default Linux run level" FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: Can't determine default run level from /etc/inittab" else Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN @@ -89,7 +89,7 @@ Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN else LogText "Result: Can't determine default run level from who -r" - Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi fi 
@@ -140,13 +140,13 @@ fi fi if [ ${FOUND} -eq 1 ]; then - Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result FOUND --color GREEN + Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN else - Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result NONE --color YELLOW + Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support" fi else - Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW + Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW LogText "Result: /proc/cpuinfo not found" fi fi @@ -172,7 +172,7 @@ LINUX_KERNEL_VERSION=`uname -v` Report "linux_kernel_version=${LINUX_KERNEL_VERSION}" LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}" - Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN + Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# @@ -185,7 +185,7 @@ LogText "Test: checking if kernel is monolithic or modular" # Checking if any modules are loaded FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '` - Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN + Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN if [ "${FIND}" = "0" ]; then LogText "Result: Found monolithic kernel" Report "linux_kernel_type=monolithic" 
@@ -208,7 +208,7 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then FIND=`${LSMODBINARY} | awk '{ if ($1!="Module") print $1 }' | sort` - Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN + Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN if [ ! "${FIND}" = "" ]; then LogText "Loaded modules according lsmod:" N=0 @@ -237,15 +237,15 @@ if [ -f ${CHECKFILE} ]; then LINUXCONFIGFILE="${CHECKFILE}" LogText "Result: found config (${LINUXCONFIGFILE})" - Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN + Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN elif [ -f /proc/config.gz ]; then LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE_ZIPPED=1 LogText "Result: found config: /proc/config.gz (compressed)" - Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN + Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no Linux kernel configuration file found in /boot" - Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE fi if [ ! "${LINUXCONFIGFILE}" = "" ]; then Report "linux_config_file=${LINUXCONFIGFILE}" 
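Review bot: In the `elif [ -f /proc/config.gz ]` branch of the second hunk, `LINUXCONFIGFILE` is set to `"${CHECKFILE}"`, the path that has just failed the `-f` test, rather than to the file that was found. The following `Report "linux_config_file=${LINUXCONFIGFILE}"` then records a path that does not exist, and later tests that read `${LINUXCONFIGFILE}` (such as the CONFIG_DEFAULT_IOSCHED lookup) would search the wrong file unless they special-case `LINUXCONFIGFILE_ZIPPED`, which is not visible here. The assignment should be `LINUXCONFIGFILE="/proc/config.gz"`. `CHECKFILE` is defined above the hunk, so this assumes it is the /boot config path that the log message mentions.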
@@ -270,11 +270,11 @@ LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g` if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" - Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN + Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}" else LogText "Result: no default i/o kernel scheduler found" - Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE fi else ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings" @@ -301,9 +301,9 @@ Report "loaded_kernel_module[]=${I}" N=$((N + 1)) done - Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN + Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN else - Display --indent 4 --text "Test failed" --result WARNING --color RED + Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED LogText "Result: Problem with executing kldstat" fi else @@ -325,10 +325,10 @@ LogText "Found module: ${I}" Report "loaded_kernel_module[]=${I}" done - Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN + Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN else LogText "Result: no output" - Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # 
@@ -363,7 +363,7 @@ LogText "Kernel installed: ${FINDINST}" LogText "Kernel candidate: ${FINDCAND}" if [ "${FINDINST}" = "" ]; then - Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: Exception occured, no output from apt-cache policy" ReportException "${TEST_NO}:01" LogText "Exception: apt-cache policy did not return an installed kernel version" @@ -375,7 +375,7 @@ LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" else - Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN LogText "Result: no kernel update available" fi else @@ -403,12 +403,12 @@ FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then LogText "Result: core dumps (soft or hard) are enabled" - Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW + Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW AddSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" AddHP 1 2 else LogText "Result: core dumps (soft and hard) are both disabled" - Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN + Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN CORE_DUMPS_DISABLED=1 AddHP 3 3 fi 
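Review bot: In the core dump hunk, the awk filter for `FIND2` reports "hard core enabled" only when the fourth field is exactly `"1"`, so a limits.conf line such as `* hard core unlimited`, or any other non-zero size, falls into the else branch. That branch prints `${STATUS_DISABLED}` in green, sets `CORE_DUMPS_DISABLED=1` and awards full hardening points, which is a false negative for the setting this test is meant to catch. Comparing against zero closes the gap: `if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" }`. `FIND1` is assigned above the hunk and probably needs the same change for the soft limit.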
@@ -583,14 +583,14 @@ # Display discovered status if [ ${REBOOT_NEEDED} -eq 0 ]; then - Display --indent 2 --text "- Check if reboot is needed" --result NO --color GREEN + Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN AddHP 5 5 elif [ ${REBOOT_NEEDED} -eq 1 ]; then - Display --indent 2 --text "- Check if reboot is needed" --result YES --color RED + Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed" AddHP 0 5 else - Display --indent 2 --text "- Check if reboot is needed" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 11d7f952..40a31940 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -46,7 +46,7 @@ if [ ! "${tFINDcurvalue}" = "" ]; then if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})" - Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result OK --color GREEN + Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_OK}" --color GREEN AddHP ${tFINDhp} ${tFINDhp} else LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}" diff --git a/include/tests_ldap b/include/tests_ldap index 14e19598..1034fd67 100644 --- a/include/tests_ldap +++ b/include/tests_ldap 
@@ -39,10 +39,10 @@ #YYY add additional slash IsRunning slapd if [ ${RUNNING} -eq 0 ]; then - Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: No running slapd process found." else - Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN + Display --indent 2 --text "- Checking OpenLDAP instance" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found running slapd process" SLAPDFOUND=1 SLAPD_RUNNING=1 @@ -67,9 +67,9 @@ done # Check if we found a valid location if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then - Display --indent 4 --text "- Checking slapd.conf" --result FOUND --color GREEN + Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_FOUND}" --color GREEN else - Display --indent 4 --text "- Checking slapd.conf" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking slapd.conf" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # diff --git a/include/tests_logging b/include/tests_logging index dfd63679..37f3eeb6 100644 --- a/include/tests_logging +++ b/include/tests_logging 
@@ -45,13 +45,13 @@ LogText "Test: Searching for a logging daemon" FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED + Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured." ReportWarning ${TEST_NO} "H" "No syslog daemon found" AddHP 0 3 else - Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN + Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN LogText "Result: Found a logging daemon" SYSLOG_DAEMON_PRESENT=1 SYSLOG_DAEMON_RUNNING=1 @@ -69,12 +69,12 @@ IsRunning syslog-ng if [ ${RUNNING} -eq 1 ]; then LogText "Result: Found syslog-ng in process list" - Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN + Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 SYSLOG_NG_RUNNING=1 else LogText "Result: Syslog-ng NOT found in process list" - Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -88,10 +88,10 @@ FIND=`${SYSLOGNGBINARY} -s; echo $?` if [ "${FIND}" = "0" ]; then LogText "Result: Syslog-NG configuration file seems to be consistent" - Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN + Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN else LogText "Result: Syslog-NG configuration file seems NOT to be consistent" - Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED + Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file" ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s" fi @@ -106,10 +106,10 @@ LogText "Test: Searching for systemd journal daemon in process list" IsRunning systemd-journal if [ ${RUNNING} -eq 1 ]; then - Display --indent 4 --text "- Checking systemd journal status" --result FOUND --color GREEN + Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN SYSTEMD_JOURNAL_RUNNING=1 else - Display --indent 4 --text "- Checking systemd journal status" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
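Review bot: The syslog-ng consistency check captures both the command's standard output and its exit status in one variable: ``FIND=`${SYSLOGNGBINARY} -s; echo $?` ``. If `syslog-ng -s` prints anything to stdout, `FIND` is no longer the bare string `0`, and a valid configuration is reported as `${STATUS_WARNING}` together with a ReportWarning. Testing the exit status directly avoids this: `if ${SYSLOGNGBINARY} -s > /dev/null 2>&1; then`. The enclosing test block starts above this hunk.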
@@ -123,12 +123,12 @@ IsRunning metalog if [ ${RUNNING} -eq 1 ]; then LogText "Result: Found metalog in process list" - Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN + Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 METALOG_RUNNING=1 else LogText "Result: metalog NOT found in process list" - Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -142,12 +142,12 @@ IsRunning rsyslogd if [ ${RUNNING} -eq 1 ]; then LogText "Result: Found rsyslogd in process list" - Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN + Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 RSYSLOG_RUNNING=1 else LogText "Result: rsyslogd NOT found in process list" - Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -161,12 +161,12 @@ IsRunning rfc3195d if [ ${RUNNING} -eq 1 ]; then LogText "Result: Found rfc3195d in process list" - Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN + Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN SYSLOG_DAEMON_PRESENT=1 RFC3195D_RUNNING=1 else LogText "Result: rfc3195d NOT found in process list" - Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -187,10 +187,10 @@ IsRunning klogd if [ ${RUNNING} -eq 1 ]; then LogText "Result: klogd running" - Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN + Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: No klogd found" - Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED + Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files" fi else @@ -208,10 +208,10 @@ # Search for minilogd. It shouldn't be running normally, if another syslog daemon is started IsRunning minilogd if [ ${RUNNING} -eq 0 ]; then - Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: No minilogd is running" else - Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED + Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED LogText "Result: minilogd found in process list" # minilogd daemon seems to be running ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running" 
@@ -241,10 +241,10 @@ LogText "Result: /etc/logrotate.conf found" fi if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then - Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN + Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_OK}" --color GREEN LogText "Result: logrotate configuration found" else - Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED + Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED LogText "Result: No logrotate configuration found" ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate" fi @@ -323,9 +323,9 @@ if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then LogText "Result: loghost entry found and most likely used to send syslog messages" - Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN + Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_OK}" --color GREEN else - Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED + Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED LogText "Result: No loghost entry found" ReportWarning ${TEST_NO} "L" "No loghost entry found" ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services" @@ -369,7 +369,7 @@ Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW else AddHP 5 5 - Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN + Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN fi else LogText "Result: test skipped, file ${SYSLOGD_CONF} not found" 
@@ -384,7 +384,7 @@ Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf" if [ ${SKIPTEST} -eq 0 ]; then LogText "Result: /etc/newsyslog.conf found" - Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN + Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN LOGROTATE_CONFIG_FOUND=1 LOGROTATE_TOOL="newsyslog" fi @@ -406,7 +406,7 @@ LogText "Result: Item ${I} is not a directory" fi done - Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN + Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# @@ -425,7 +425,7 @@ LogText "Result: Item ${I} is not a file" fi done - Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN + Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# @@ -443,7 +443,7 @@ LogText "Result: directory ${I} can't be found" fi done - Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN + Display --indent 2 --text "- Checking log directories (static list)" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# 
@@ -459,10 +459,10 @@ LogText "Found logfile: ${I}" Report "open_logfile[]=${I}" done - Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN + Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN else LogText "Result: lsof not installed, skipping test" - Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW # Add suggestion fi fi @@ -497,7 +497,7 @@ ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why." else LogText "Result: no deleted files found" - Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN + Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN fi fi # diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 6ee373de..c4150611 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -34,11 +34,11 @@ if [ "${AASTATUSBINARY}" = "" ]; then APPARMORFOUND=0 LogText "Result: aa-status binary not found, AppArmor not installed" - Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE else APPARMORFOUND=1 LogText "Result: aa-status binary found, AppArmor is installed" - Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN fi fi # 
@@ -60,22 +60,22 @@ if [ ${FIND} -eq 0 ]; then MAC_FRAMEWORK_ACTIVE=1 LogText "Result: AppArmor is enabled and a policy is loaded" - Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN + Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_ENABLED}" --color GREEN elif [ ${FIND} -eq 4 ]; then LogText "Result: Can not determine status, most likely due to lacking permissions" - Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED + Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED elif [ ${FIND} -eq 3 ]; then LogText "Result: Can not check control files" - Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED + Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED elif [ ${FIND} -eq 2 ]; then LogText "Result: AppArmor is enabled, but no policy is loaded" ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy" Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN elif [ ${FIND} -eq 1 ]; then LogText "Result: AppArmor is disabled" - Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW + Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_DISABLED}" --color YELLOW else - Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED + Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" fi fi 
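Review bot: The branch for status 2 ("AppArmor is enabled, but no policy is loaded") prints `--result "NON-ACTIVE" --color GREEN`, so on screen it looks like a pass even though the same branch files a ReportSuggestion and leaves `MAC_FRAMEWORK_ACTIVE` unset. The disabled branch below it uses YELLOW, and this one would be consistent as `Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color YELLOW`. A one-line comment above the if/elif chain listing the status values it handles (0, 1, 2, 3, 4) would also help, since `FIND` is assigned outside this hunk and its source is not visible here.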
@@ -90,10 +90,10 @@ LogText "Test: checking if we have sestatus binary" if [ ! "${SESTATUSBINARY}" = "" ]; then LogText "Result: found sestatus binary (${SESTATUSBINARY})" - Display --indent 2 --text "- Checking presence SELinux" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: sestatus binary NOT found" - Display --indent 2 --text "- Checking presence SELinux" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -111,7 +111,7 @@ LogText "Result: SELinux framework is enabled" Report "selinux_status=1" SELINUXFOUND=1 - Display --indent 4 --text "- Checking SELinux status" --result "ENABLED" --color GREEN + Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'` Report "selinux_mode=${FIND}" FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'` 
@@ -119,16 +119,16 @@ LogText "Result: mode configured in config file is ${FIND2}" if [ "${FIND}" = "${FIND2}" ]; then LogText "Result: Current SELinux mode is the same as in config file." - Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN + Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN else LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" - Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED + Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED fi Display --indent 8 --text "Current SELinux mode: ${FIND}" else LogText "Result: SELinux framework is disabled" - Display --indent 4 --text "- Checking SELinux status" --result "DISABLED" --color YELLOW + Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW fi fi # @@ -150,10 +150,10 @@ fi fi if [ ${GRSEC_FOUND} -eq 1 ]; then - Display --indent 2 --text "- Checking presence grsecurity" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else - Display --indent 2 --text "- Checking presence grsecurity" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
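Review bot: Nothing visible in this diff guarantees that `${STATUS_WARNING}` is set when the SELinux mode mismatch in the `@@ -119,16` hunk is displayed; if the loaded language file lacks the key, the RED line is printed with an empty result and the finding is easy to miss on screen. The definitions are outside this part of the diff, so this may already be handled. A default would make it safe either way, for example `--result "${STATUS_WARNING:-WARNING}"`, or assigning the English values once before the language file is sourced. The same applies to every `${STATUS_*}`, `${GEN_CHECKING}` and `${SECTION_*}` expansion introduced by this commit.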
@@ -164,11 +164,11 @@ Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework" if [ ${SKIPTEST} -eq 0 ]; then if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then - Display --indent 2 --text "- Checking for implemented MAC framework" --result OK --color GREEN + Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN AddHP 3 3 LogText "Result: found implemented MAC framework" else - Display --indent 2 --text "- Checking for implemented MAC framework" --result NONE --color YELLOW + Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW AddHP 2 3 LogText "Result: found no implemented MAC framework" fi diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index f9e707f2..7a9597ba 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -44,12 +44,12 @@ IsRunning exim if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running Exim process" - Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking Exim status" --result "${STATUS_RUNNING}" --color GREEN EXIM_RUNNING=1 SMTP_DAEMON="exim" else LogText "Result: no running Exim processes found" - Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -67,12 +67,12 @@ #FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"` if [ ! "${FIND1}" = "" ]; then LogText "Result: found running Postfix process" - Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_RUNNING}" --color GREEN POSTFIX_RUNNING=1 SMTP_DAEMON="postfix" else LogText "Result: no running Postfix processes found" - Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -83,7 +83,7 @@ if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN + Display --indent 2 --text "- Checking Postfix configuration" --result "${STATUS_FOUND}" --color GREEN POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'` POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf" LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}" 
@@ -110,11 +110,11 @@ if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then SHOWWARNING=1 else - Display --indent 4 --text "- Checking Postfix banner" --result OK --color GREEN + Display --indent 4 --text "- Checking Postfix banner" --result "${STATUS_OK}" --color GREEN fi fi if [ ${SHOWWARNING} -eq 1 ]; then - Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED + Display --indent 4 --text "- Checking Postfix banner" --result "${STATUS_WARNING}" --color RED LogText "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'." ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'" ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})" @@ -131,13 +131,13 @@ IsRunning dovecot if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running dovecot process" - Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_RUNNING}" --color GREEN DOVECOT_RUNNING=1 IMAP_DAEMON="dovecot" POP3_DAEMON="dovecot" else LogText "Result: dovecot not found" - Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -151,12 +151,12 @@ IsRunning qmail-smtpd if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running Qmail process" - Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_RUNNING}" --color GREEN QMAIL_RUNNING=1 SMTP_DAEMON="qmail" else LogText "Result: no running Qmail processes found" - Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -170,12 +170,12 @@ IsRunning sendmail if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running Sendmail process" - Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_RUNNING}" --color GREEN SENDMAIL_RUNNING=1 SMTP_DAEMON="sendmail" else LogText "Result: no running Sendmail processes found" - Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -190,12 +190,12 @@ FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"` if [ ! "${FIND}" = "" ]; then LogText "Result: found running smtpd process" - Display --indent 2 --text "- Checking OpenSMTPD status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN OPENSMTPD_RUNNING=1 SMTP_DAEMON="opensmtpd" else LogText "Result: smtpd not found" - Display --indent 2 --text "- Checking OpenSMTPD status" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # diff --git a/include/tests_malware b/include/tests_malware index 3f78e138..4572e9f0 100644 --- a/include/tests_malware 
+++ b/include/tests_malware @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: Malware scanners" + InsertSection "Software: ${SECTION_MALWARE}" # ################################################################################# # @@ -42,7 +42,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence chkrootkit" if [ ! "${CHKROOTKITBINARY}" = "" ]; then - Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${CHKROOTKITBINARY}" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 @@ -60,7 +60,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence Rootkit Hunter" if [ ! "${RKHUNTERBINARY}" = "" ]; then - Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${RKHUNTERBINARY}" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 @@ -78,7 +78,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence LMD" if [ ! "${LMDBINARY}" = "" ]; then - Display --indent 2 --text "- Checking LMD (Linux Malware Detect)" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${LMDBINARY}" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 @@ -101,7 +101,7 @@ IsRunning esets_daemon if [ ${RUNNING} -eq 1 ]; then FOUND=1 - Display --indent 2 --text "- Checking ESET daemon" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found ESET security product" ESET_DAEMON_RUNNING=1 MALWARE_SCANNER_INSTALLED=1 
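Review bot: The new section title `"Software: ${SECTION_MALWARE}"` in the `@@ -22,7` hunk keeps the English prefix `Software:` outside the translated variable, so a non-English run shows a half-translated heading. The tests_memory_processes change later in this diff passes the whole title as `${SECTION_MEMORY_AND_PROCESSES}`; moving the prefix into the language string would make the two consistent. The following hunks also replace `- Checking` with `- ${GEN_CHECKING}` in this file only, while the other files touched by the commit keep the literal word, so a short comment noting that the conversion is partial would help translators.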
@@ -121,7 +121,7 @@ fi if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then FOUND=1 - Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found McAfee" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 @@ -142,7 +142,7 @@ SOPHOS_SCANNER_RUNNING=1 fi if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then - Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found Sophos" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 @@ -162,7 +162,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking presence clamscan" if [ ! "${CLAMSCANBINARY}" = "" ]; then - Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found ${CLAMSCANBINARY}" MALWARE_SCANNER_INSTALLED=1 CLAMSCAN_INSTALLED=1 @@ -181,7 +181,7 @@ LogText "Test: checking running ClamAV daemon (clamd)" IsRunning clamd if [ ${RUNNING} -eq 1 ]; then - Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found running clamd process" MALWARE_SCANNER_INSTALLED=1 CLAMD_RUNNING=1 
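Review bot: In the `@@ -162,7` hunk the ClamAV scanner line keeps the literal text `"- Checking ClamAV scanner"` while every neighbouring malware check was switched to `${GEN_CHECKING}`, which looks like an oversight. For consistency the new line would read `Display --indent 2 --text "- ${GEN_CHECKING} ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN`.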
@@ -201,11 +201,11 @@ IsRunning freshclam if [ ${RUNNING} -eq 1 ]; then FRESHCLAM_DAEMON_RUNNING=1 - Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN + Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found running freshclam process" AddHP 2 2 else - Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW + Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: freshclam is not running" ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database" fi @@ -221,7 +221,7 @@ CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'` if [ ! "${CLAMSCANBINARY}" = "" ]; then LogText "Result: Found ClamXav clamscan installed" - Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN + Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN MALWARE_SCANNER_INSTALLED=1 CLAMSCAN_INSTALLED=1 AddHP 3 3 diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 05199738..93b385e6 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Memory and processes" + InsertSection "${SECTION_MEMORY_AND_PROCESSES}" # ################################################################################# # 
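Review bot: The ClamXav line in the `@@ -221,7` hunk changes the wording as well as the variable: `"- Checking presence of ClamXav AV scanner"` becomes `"- ${GEN_CHECKING} ClamXav AV scanner"`, dropping `presence of`. If that is intended it deserves a mention in the commit message, because anything that matches on the screen text will no longer find it. If it is not intended, keep the words after the variable: `"- ${GEN_CHECKING} presence of ClamXav AV scanner"`.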
@@ -32,7 +32,7 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ -f /proc/meminfo ]; then LogText "Result: found /proc/meminfo" - Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN + Display --indent 2 --text "- Checking /proc/meminfo" --result "${STATUS_FOUND}" --color GREEN FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo` MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'` MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'` @@ -52,14 +52,14 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching /usr/sbin/prtconf" if [ -x /usr/sbin/prtconf ]; then - Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN + Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3` MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4` LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory" Report "memory_size=${MEMORY_SIZE}" Report "memory_units=${MEMORY_UNITS}" else - Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE + Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_SKIPPED}" --color WHITE LogText "Result: /usr/sbin/prtconf not found" fi fi 
@@ -79,11 +79,11 @@ fi if [ "${FIND}" = "" ]; then LogText "Result: no zombie processes found" - Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN + Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more dead or zombie processes" LogText "Output: PIDs ${FIND}" - Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED + Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes" fi fi @@ -103,12 +103,12 @@ fi if [ "${FIND}" = "" ]; then LogText "Result: No processes were waiting for IO requests to be handled first" - Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN + Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more processes which were waiting to get IO requests handled first" LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured." LogText "Output: PIDs ${FIND}" - Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED + Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests" fi fi diff --git a/include/tests_nameservices b/include/tests_nameservices index 50bb1a39..2eeb33ec 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
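Review bot: The `More info:` log message on a context line of the `@@ -103,12` hunk contains a stray word, `...protocol settings are not logtext well configured.`, which is written verbatim to the log file. Since the commit already touches this block, the sentence could be corrected to end `...where the connection or protocol settings are not well configured.`.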
@@ -49,12 +49,12 @@ FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf` if [ "${FIND}" = "" ]; then LogText "Result: no default domain found" - if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_NONE}" --color WHITE; fi else LogText "Result: found default domain" LogText "Output: ${FIND}" Report "resolv_conf_domain=${FIND}" - Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN + Display --indent 2 --text "- Checking default DNS search domain" --result "${STATUS_FOUND}" --color GREEN RESOLV_DOMAINNAME="${FIND}" fi fi @@ -83,16 +83,16 @@ # Warn if we have more than 6 search domains, which is maximum in most resolvers if [ ${N} -gt 6 ]; then LogText "Result: Found ${N} search domains" - Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW + Display --indent 2 --text "- Checking search domains" --result "${STATUS_WARNING}" --color YELLOW ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers" else LogText "Result: Found ${N} search domains" - Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN + Display --indent 2 --text "- Checking search domains" --result "${STATUS_FOUND}" --color GREEN fi fi else LogText "Result: /etc/resolv.conf does not exist, skipping test" - Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking search domains" --result "${STATUS_NOT_FOUND}" --color YELLOW fi # Check amount of search domains (max 1) 
@@ -118,7 +118,7 @@ FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: no specific other options configured in /etc/resolv.conf" - if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NONE}" --color WHITE; fi else for I in ${FIND}; do LogText "Found option: ${I}" @@ -126,11 +126,11 @@ #rotate --> add performance tune point #timeout <3 --> add performe tune point done - Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_FOUND}" --color GREEN fi else LogText "Result: /etc/resolv.conf not found, test skipped" - Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # @@ -142,7 +142,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`uname -n` LogText "Result: 'uname -n' returned ${FIND}" - Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN + Display --indent 2 --text "- Checking uname -n output" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# @@ -157,7 +157,7 @@ LogText "Result: file /etc/nodename exists" FIND=`cat /etc/nodename` LogText "Output: ${FIND}" - Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN + Display --indent 2 --text "- Checking /etc/nodename" --result "${STATUS_DONE}" --color GREEN else LogText "Result: file /etc/nodename could not be found" Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW 
@@ -216,10 +216,10 @@ if [ ! "${DOMAINNAME}" = "" ]; then LogText "Result: found domain name" Report "domainname=${DOMAINNAME}" - Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN + Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_FOUND}" --color GREEN Display --indent 6 --text "Domain name: ${DOMAINNAME}" else - Display --indent 2 --text "- Searching DNS domain name" --result "UNKNOWN" --color YELLOW + Display --indent 2 --text "- Searching DNS domain name" --result "${STATUS_UNKNOWN}" --color YELLOW ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name" fi fi @@ -235,10 +235,10 @@ if [ ${RUNNING} -eq 1 ]; then NAME_CACHE_USED=1 LogText "Result: nscd is running" - Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking nscd status" --result "${STATUS_RUNNING}" --color GREEN else LogText "Result: nscd is not running" - if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking nscd status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -254,10 +254,10 @@ UNBOUND_RUNNING=1 NAME_CACHE_USED=1 LogText "Result: Unbound daemon is running" - Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_RUNNING}" --color GREEN else LogText "Result: Unbound daemon is not running" - if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking Unbound status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # 
@@ -276,7 +276,7 @@ if [ $? -eq 0 ]; then UNBOUND_CONFIG_OK=1 LogText "Result: Configuration is fine" - Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN + Display --indent 2 --text "- Checking configuration file" --result "${STATUS_OK}" --color GREEN else LogText "Result: Unbound daemon is not running" Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW @@ -297,11 +297,11 @@ IsRunning named if [ ${RUNNING} -eq 1 ]; then LogText "Result: found BIND process" - Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking BIND status" --result "${STATUS_FOUND}" --color GREEN BIND_RUNNING=1 else LogText "Result: BIND not running" - if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking BIND status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -320,9 +320,9 @@ fi done if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then - Display --indent 4 --text "- Checking BIND configuration file" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_FOUND}" --color GREEN else - Display --indent 4 --text "- Checking BIND configuration file" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking BIND configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # 
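Review bot: The failure branch of the Unbound configuration check in the `@@ -276,7` hunk logs `Result: Unbound daemon is not running`, which describes a different test; the success branch logs `Configuration is fine`, so the else case is a failed configuration check. Someone reading the log after a `NOT OK` result would be pointed at the wrong problem. Suggested text: `LogText "Result: Unbound configuration check reported errors"`. The command whose exit status is tested sits above the hunk, so confirm what it checks. The `"NOT OK"` literal on the following line was also not converted to a `${STATUS_*}` variable.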
@@ -339,10 +339,10 @@ FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?` if [ "${FIND}" = "0" ]; then LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine" - Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN + Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_OK}" --color GREEN else LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}" - Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED + Display --indent 4 --text "- Checking BIND configuration consistency" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file" fi else @@ -368,11 +368,11 @@ FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"` if [ "${FIND}" = "" ]; then LogText "Result: no useful information in banner found" - Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN + Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else LogText "Result: possible BIND version available in version banner" - Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED + Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "Found BIND version in banner" ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file" AddHP 0 2 
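Review bot: `ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"` in the `@@ -339,10` hunk has no severity argument, while every other ReportWarning call visible in this diff passes one (`"M"` or `"L"`) between the test id and the text. Assuming the function takes the same three arguments everywhere, the message is being read as the severity and the warning text is lost from the report. `ReportWarning ${TEST_NO} "M" "Errors discovered in BIND configuration file"` would fix it, with whichever level fits. A similar slip is on a context line of the `@@ -507,18` ypbind hunk, where `ReportSuggestion "Disable the usage of NIS/NIS+ ..."` is missing `${TEST_NO}` as its first argument.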
@@ -410,11 +410,11 @@ IsRunning pdns_server if [ ${RUNNING} -eq 1 ]; then LogText "Result: found PowerDNS process" - Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN + Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_RUNNING}" --color GREEN POWERDNS_RUNNING=1 else LogText "Result: PowerDNS not running" - if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking PowerDNS status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -433,9 +433,9 @@ fi done if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then - Display --indent 4 --text "- Checking PowerDNS configuration file" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_FOUND}" --color GREEN else - Display --indent 4 --text "- Checking PowerDNS configuration file" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking PowerDNS configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # @@ -461,10 +461,10 @@ for I in ${FIND}; do LogText "Found backend: ${I}" done - Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no PowerDNS backends found" - Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Checking PowerDNS backends" --result "${STATUS_NOT_FOUND}" --color YELLOW fi fi # 
@@ -507,18 +507,18 @@ IsRunning ypbind if [ ${RUNNING} -eq 1 ]; then LogText "Result: ypbind is running" - Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_FOUND}" --color GREEN YPBIND_RUNNING=1 IsRunning ypldap if [ ${RUNNING} -eq 1 ]; then LogText "Result: ypldap is running" - Display --indent 2 --text "- Checking ypldap status" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN else ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead" fi else LogText "Result: ypbind is not active" - if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking ypbind status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # @@ -579,10 +579,10 @@ if [ ! "${NISDOMAIN}" = "" ]; then LogText "Found NIS domain: ${NISDOMAIN}" Report "nisdomain=${NISDOMAIN}" - Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: No NIS domain found" - Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW + Display --indent 4 --text "- Checking NIS domain" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # 
@@ -601,16 +601,16 @@ sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d` if [ "${sFIND}" = "" ]; then LogText "Result: OK, no duplicate lines found" - Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN + Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN else LogText "Found duplicate line: ${sFIND}" LogText "Result: found duplicate line" - Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts" fi else LogText "Result: /etc/hosts not found, test skipped" - Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW + Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW fi fi # @@ -626,10 +626,10 @@ sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep -i ${HOSTNAME}` if [ "${sFIND}" != "" ]; then LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts" - Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN + Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_OK}" --color GREEN else LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts" - Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving" LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections" fi 
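Review bot: `grep -i ${HOSTNAME}` on a context line of the `@@ -626,10` hunk expands the host name unquoted and uses it as a regular expression, so the shell may split or glob the value and each dot in the name matches any character. An /etc/hosts line for a different, similarly named host can therefore produce the `${STATUS_OK}` result. Quoting and matching literally avoids that: `grep -iF -- "${HOSTNAME}"`. The test body starts above the hunk, so HOSTNAME may already be validated there.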
@@ -648,12 +648,12 @@ if [ ! "${sFIND}" = "" ]; then LogText "Result: Found this server hostname mapped to a local address" LogText "Output: ${sFIND}" - Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW + Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface." ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system" else LogText "Result: this server hostname is not mapped to a local address" - Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result OK --color GREEN + Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result "${STATUS_OK}" --color GREEN fi fi # diff --git a/include/tests_networking b/include/tests_networking index 5902d174..70a2fe30 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -87,20 +87,20 @@ LogText "Result: IPV6 mode is ${IPV6_MODE}" if [ ${IPV6_CONFIGURED} -eq 1 ]; then - Display --indent 2 --text "- Checking IPv6 configuration" --result "ENABLED" --color WHITE + Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE STATUS=`echo ${IPV6_MODE} | tr '[:lower:]' '[:upper:]'` Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi LogText "Result: IPv6 only configuration: ${STATUS}" Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE else - Display --indent 2 --text "- Checking IPv6 configuration" --result "DISABLED" --color WHITE + Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_DISABLED}" --color WHITE fi # Configuration errors if [ ${IPV6_MISCONFIGURED_MTU} -eq 1 ]; then IPV6_MISCONFIGURED=1 LogText "Result: MTU of IPv6 interfaces should be 1280 or higher" - Display --indent 6 --text "Error: MTU is too low" --result "WARNING" --color RED + Display --indent 6 --text "Error: MTU is too low" --result "${STATUS_WARNING}" --color RED ReportSuggestion "${TEST_NO}" "Check your MTU configuration of IPv6 interfaces" fi @@ -138,7 +138,7 @@ # 0=good, other=bad DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?` if [ "${DNSRESPONSE}" = "0" ]; then - Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN + Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN LogText "Nameserver ${I} seems to respond to queries from this host." # Count responsive nameservers NUMBERACTIVENS=$((NUMBERACTIVENS + 1)) @@ -151,7 +151,7 @@ fi else LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed" - Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW + Display --indent 6 --text "Nameserver: ${I}" --result "${STATUS_SKIPPED}" --color YELLOW fi done fi 
@@ -167,19 +167,19 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${DIGBINARY}" = "" ]; then if [ ${NUMBERACTIVENS} -lt 2 ]; then - Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED + Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_WARNING}" --color RED LogText "Result: less than 2 responsive nameservers found" ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers" LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc." ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible" AddHP 1 2 else - Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN + Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_OK}" --color GREEN LogText "Result: found at least 2 responsive nameservers" AddHP 3 3 fi else - Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW + Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result "${STATUS_SKIPPED}" --color YELLOW LogText "Result: dig not installed, test can't be fully performed" fi else @@ -201,7 +201,7 @@ LogText "Result: Found default gateway ${I}" Report "default_gateway[]=${I}" done - Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN + Display --indent 2 --text "- Checking default gateway" --result "${STATUS_DONE}" --color GREEN else LogText "Result: No default gateway found" Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE 
@@ -455,9 +455,9 @@ done fi if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then - Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW else - Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result DONE --color GREEN + Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN Display --indent 6 --text "* Found ${N} ports" fi fi @@ -497,10 +497,10 @@ # Show result if [ ${FOUNDPROMISC} -eq 0 ]; then - Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN + Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN LogText "Result: No promiscuous interfaces found" else - Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED + Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED fi fi # @@ -533,10 +533,10 @@ # Show result if [ ${FOUNDPROMISC} -eq 0 ]; then - Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN + Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN LogText "Result: No promiscuous interfaces found" else - Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED + Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED fi fi # 
@@ -576,10 +576,10 @@ if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then - Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW + Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_WARNING}" --color YELLOW ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})" else - Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN + Display --indent 2 --text "- Checking waiting connections" --result "${STATUS_OK}" --color GREEN LogText "Result: ${FIND} connections are in WAIT state" fi fi @@ -592,7 +592,7 @@ if [ ${SKIPTEST} -eq 0 ]; then IsRunning dhclient if [ ${RUNNING} -eq 1 ]; then - Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE + Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE DHCP_CLIENT_RUNNING=1 else Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE @@ -608,9 +608,9 @@ IsRunning arpwatch if [ ${RUNNING} -eq 1 ]; then ARPWATCH_RUNNING=1 - Display --indent 2 --text "- Checking for ARP monitoring software" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_RUNNING}" --color GREEN else - Display --indent 2 --text "- Checking for ARP monitoring software" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Checking for ARP monitoring software" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Install ARP monitoring software like arpwatch" fi fi diff --git a/include/tests_php b/include/tests_php index daff864f..685a3165 100644 --- a/include/tests_php +++ b/include/tests_php 
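Review bot: `--result "${STATUS_WARNING}" --color YELLOW` in the waiting-connections branch shows the warning label in the suggestion colour, and the branch only calls `ReportSuggestion`; most other WARNING results in this diff use `--color RED` together with `ReportWarning`. The old-distfiles hunk in `include/tests_ports_packages` has the same pairing. Pick one: `--result "${STATUS_SUGGESTION}" --color YELLOW` if this is advisory, or keep WARNING with `--color RED` and a `ReportWarning` call. Separately, `[ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]` is unquoted and `FIND` is set outside the hunk, so an empty value would make the test fail with an error and take the OK branch.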
@@ -79,11 +79,11 @@ done if [ ! "${PHPINIFILE}" = "" ]; then - Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN LogText "Result: using single file ${PHPINIFILE} for main php.ini tests" LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests" else - Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: no php.ini file found" fi fi @@ -116,13 +116,13 @@ done if [ ${FOUND} -eq 0 ]; then LogText "Result: all PHP functions can be executed" - Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW + Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions" LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)" AddHP 0 1 else LogText "Result: one or more PHP functions are disabled/blacklisted" - Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 fi fi 
@@ -154,13 +154,13 @@ LogText "Test: Checking PHP register_globals option" FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'` if [ ! "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED + Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off" LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting." AddHP 1 2 else - Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN + Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value." ReportManual ${TEST_NO}:01 AddHP 2 2 
@@ -178,13 +178,13 @@ LogText "Test: Checking expose_php option" FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking expose_php option" --result ON --color RED + Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off" Report "Result: expose_php option is turned on, which can expose useful information for an attacker" AddHP 1 2 else - Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN + Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN LogText "Result: Found 'expose_php' in disabled state (0, no, or off)" AddHP 2 2 fi @@ -202,12 +202,12 @@ LogText "Test: Checking PHP enable_dl option" FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW + Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW Report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP" ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP" AddHP 0 1 else - Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN + Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN LogText "Result: Found 'enable_dl' in disabled state (0, no, or off)" AddHP 2 2 fi 
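Review bot: In the `expose_php` failure branch, `Report "Result: expose_php option is turned on, ..."` sends free text to `Report`, while the other visible `Report` calls in this diff write `key=value` data (`package_manager[]=pkg`, `default_gateway[]=${I}`) and the sibling branch uses `LogText` for its result line. This looks like it should be `LogText "Result: expose_php option is turned on, which can expose useful information for an attacker"`. The `enable_dl` hunk on this line and the `allow_url_fopen` and `allow_url_include` hunks have the same call. The branch also shows `${STATUS_ON}` although the warning text says only "possibly turned on", because the test infers ON from the absence of an explicit off value.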
@@ -225,12 +225,12 @@ LogText "Test: Checking PHP allow_url_fopen option" FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW + Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW Report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP" AddHP 0 1 else - Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN + Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)" AddHP 2 2 fi @@ -248,12 +248,12 @@ LogText "Test: Checking PHP allow_url_include option" FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'` if [ "${FIND}" = "" ]; then - Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW + Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP" AddHP 0 1 else - Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN + Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)" AddHP 2 2 fi diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9981faf9..f104ec53 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
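Review bot: The `allow_url_include` test reports `${STATUS_ON}` whenever the pattern `'allow_url_include.*(off|no|0)'` finds nothing, but PHP's built-in default for this directive is Off, so a php.ini that simply omits it is flagged as enabled. Matching an explicitly enabled value, as the `register_globals` hunk does, by changing the pattern to `'allow_url_include.*(on|yes|1)'` and swapping the two branches would remove that false positive. `grep -v '^;'` also drops only comments that start in column one, so an indented `; allow_url_include = Off` comment still counts as a setting.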
@@ -42,7 +42,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`pkg -N 2>&1; echo $?` if [ "${FIND}" = "0" ]; then - Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN + Display --indent 4 --text "- Searching packages with pkg" --result "${STATUS_FOUND}" --color GREEN Report "package_manager[]=pkg" PACKAGE_MGR_PKG=1 LogText "Result: Found pkg" @@ -67,7 +67,7 @@ Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info" if [ ${SKIPTEST} -eq 0 ]; then N=0 - Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN + Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found pkg_info" Report "package_manager[]=pkg_info" LogText "Test: Querying pkg_info to get package list" @@ -93,7 +93,7 @@ if [ ! "${FIND}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query brew package manager" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 4 --text "- Searching brew" --result FOUND --color GREEN + Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found brew" Report "package_manager[]=brew" LogText "Test: Querying brew to get package list" @@ -115,7 +115,7 @@ if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 4 --text "- Searching emerge" --result FOUND --color GREEN + Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found Gentoo emerge" Report "package_manager[]=emerge" LogText "Test: Querying portage to get package list" 
@@ -138,7 +138,7 @@ if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN + Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found Solaris pkginfo" Report "package_manager[]=pkginfo" LogText "Test: Querying pkginfo to get package list" @@ -162,7 +162,7 @@ Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM" if [ ${SKIPTEST} -eq 0 ]; then N=0 - Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN + Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found rpm binary (${RPMBINARY})" Report "package_manager[]=rpm" LogText "Test: Querying 'rpm -qa' to get package list" @@ -195,7 +195,7 @@ Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman" if [ ${SKIPTEST} -eq 0 ]; then N=0 - Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN + Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found pacman binary (${PACMANBINARY})" Report "package_manager[]=pacman" LogText "Test: Querying 'pacman -Q' to get package list" 
@@ -309,9 +309,9 @@ FIND=`${ZYPPERBINARY} -n pchk | grep "(0 security patches)"` if [ ! "${FIND}" = "" ]; then LogText "Result: No security updates found with Zypper" - Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result NONE --color GREEN + Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN else - Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result WARNING --color RED + Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED LogText "Result: Zypper found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed" # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line @@ -335,7 +335,7 @@ Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg" if [ ${SKIPTEST} -eq 0 ]; then N=0 - Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN + Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found dpkg binary" Report "package_manager[]=dpkg" LogText "Test: Querying dpkg -l to get package list" 
@@ -366,10 +366,10 @@ LogText "Test: Querying dpkg -l to get unpurged packages" SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort` if [ "${SPACKAGES}" = "" ]; then - Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN + Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN LogText "Result: no packages found with left overs" else - Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW + Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_FOUND}" --color YELLOW LogText "Result: found one or more packages with left over configuration files, cron jobs etc" LogText "Output:" for J in ${SPACKAGES}; do @@ -394,10 +394,10 @@ if [ -x /usr/local/sbin/portsclean ]; then FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '` if [ ${FIND} -eq 0 ]; then - Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN + Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN LogText "Result: no unused distfiles found" else - Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW + Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW LogText "Result: found ${FIND} unused distfiles" ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD." fi 
@@ -412,7 +412,7 @@ if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for installed packages with DNF utility" if [ ${SKIPTEST} -eq 0 ]; then - Display --indent 4 --text "- Searching DNF package manager" --result FOUND --color GREEN + Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})" Report "package_manager[]=dnf" Display --indent 6 --text "- Querying DNF package manager" @@ -448,11 +448,11 @@ AddHP 1 2 done ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages. Run: dnf upgrade" - Display --indent 2 --text "- Using DNF to find vulnerable packages" --result WARNING --color RED + Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED else LogText "Result: no security updates found" - Display --indent 2 --text "- Using DNF to find vulnerable packages" --result NONE --color GREEN + Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN AddHP 5 5 fi fi 
@@ -490,24 +490,24 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${DEBSECANBINARY}" = "" ]; then LogText "Result: debsecan utility is installed" - Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN + Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="debsecan" FIND=`find /etc/cron* -name debsecan` if [ ! ${FIND} = "" ]; then LogText "Result: cron job is configured for debsecan" - Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN + Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else LogText "Result: no cron job is configured for debsecan" - Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW AddHP 1 3 ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled" fi else LogText "Result: debsecan is not installed." - Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW AddHP 0 2 ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages." fi 
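Review bot: `if [ ! ${FIND} = "" ]; then` in the debsecan cron check expands `FIND` unquoted, so when `find /etc/cron* -name debsecan` returns more than one path the test fails with an error and the script takes the `${STATUS_NOT_FOUND}` branch even though cron jobs exist. Quote it as the neighbouring tests do: `if [ ! "${FIND}" = "" ]; then`. The two cron-job `Display` lines also disagree on `--indent 6` versus `--indent 4`.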
@@ -523,17 +523,17 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${DEBSUMSBINARY}" = "" ]; then LogText "Result: debsums utility is installed" - Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN + Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 # Check in /etc/cron.hourly, daily, weekly, monthly etc COUNT=`find /etc/cron* -name debsums | wc -l` if [ ${COUNT} -gt 0 ]; then LogText "Result: Cron job is configured for debsums utility." - Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN + Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else LogText "Result: Cron job is not configured for debsums utility." - Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW + Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW AddHP 1 3 ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job." fi @@ -562,9 +562,9 @@ Report "upgrade_available_count=${N}" if [ ${N} -eq 0 ]; then LogText "Result: no upgrades found" - Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN + Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN else - Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW + Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW fi fi # 
@@ -581,10 +581,10 @@ FIND=`/usr/sbin/pkg_admin audit` if [ "${FIND}" = "" ]; then LogText "Result: pkg audit results are clean" - Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN + Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN AddHP 2 2 else - Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED + Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." LogText "List of vulnerable packages/version:" @@ -602,7 +602,7 @@ fi else - Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- pkg_admin audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: pkg_admin audit not installed, skipping this vulnerability test." fi fi 
@@ -620,13 +620,13 @@ PACKAGE_AUDIT_TOOL="pkg audit" if [ "${FIND}" = "" ]; then LogText "Result: pkg audit results are clean" - Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN + Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN else LogText "Result: ${FIND}" VULNERABLE_PACKAGES_FOUND=1 - Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result FOUND --color YELLOW + Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Check output of pkg audit" - #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED + #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED #LogText "Result: pkg audit found one or more installed packages which are vulnerable." #ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" @@ -639,7 +639,7 @@ #done fi else - Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- pkg audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: pkg audit not installed, skipping this vulnerability test." fi fi 
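Review bot: The commit updates `#Display ... --result "${STATUS_WARNING}" --color RED`, a commented-out line, so dead code is being kept in step with live code. The active branch reports vulnerable packages from `pkg audit` as `${STATUS_FOUND}` in YELLOW with only `ReportSuggestion`, whereas the `pkg_admin audit` and `portaudit` hunks show `${STATUS_WARNING}` in RED and call `ReportWarning` for the same condition. Either restore the warning path, or delete the commented block and add a line such as `# pkg audit findings are reported as a suggestion because <reason>`.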
@@ -656,9 +656,9 @@ FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'` if [ "${FIND}" = "" ]; then LogText "Result: Portaudit results are clean" - Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result NONE --color GREEN + Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN else - Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED + Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED LogText "Result: Portaudit found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" @@ -685,12 +685,12 @@ sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'` if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then LogText "Result: YUM package update management failed" - Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED + Display --indent 2 --text "- Checking YUM package management consistency" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)" #ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)" else LogText "Result: YUM repository available (${sFIND})" - Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN + Display --indent 2 --text "- Checking YUM package management consistency" --result "${STATUS_OK}" --color GREEN fi fi # 
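Review bot: In the YUM consistency test the warning fires only when `sFIND` is exactly `0`; if `${YUMBINARY} repolist 2>/dev/null` fails or prints no `repolist` line, `sFIND` is empty and the else branch shows `${STATUS_OK}` with the log line `YUM repository available ()`. An empty value should not be displayed as OK, for example `if [ -z "${sFIND}" -o "${sFIND}" = "0" ]; then`, or a separate branch that marks the test as skipped. The `echo ${sFIND} | egrep "^[0-9]+$"` term is redundant next to `"${sFIND}" = "0"`.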
@@ -708,10 +708,10 @@ FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?` if [ "${FIND}" = "0" ]; then LogText "Result: No duplicate packages found" - Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN + Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN else LogText "Result: One or more duplicate packages found" - Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED + Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed" ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems" fi @@ -721,15 +721,15 @@ FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?` if [ "${FIND}" = "0" ]; then LogText "Result: No package database problems found" - Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN + Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN else LogText "Result: One or more problems found in package database" - Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED + Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database" ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems" fi else - Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW + Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: YUM utils package not found" ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database" fi 
@@ -793,10 +793,10 @@ FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'` if [ "${FIND2}" = "" ]; then LogText "Result: no vulnerable packages found" - Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN + Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN else LogText "Result: found vulnerable package(s)" - Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED + Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_WARNING}" --color RED for I in ${FIND2}; do VULNERABLE_PACKAGES_FOUND=1 Report "vulnerable_package[]=${I}" @@ -808,7 +808,7 @@ fi else LogText "Result: yum-security package not found" - Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW + Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)" fi fi @@ -827,9 +827,9 @@ SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi if [ ${FOUND} -eq 1 ]; then LogText "Result: GPG check is enabled" - Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN + Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN else - Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED + Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED ReportWarning ${TEST_NO} "M" "No GPG signing option found in yum.conf" fi fi 
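Review bot: The `${STATUS_DISABLED}` result in the GPG hunk is shown whenever `SearchItem "^gpgcheck=1$" "/etc/yum.conf"` finds no match, which, assuming SearchItem applies the pattern as an anchored regular expression, also covers `gpgcheck = 1` written with spaces or trailing whitespace. The accompanying warning says only "No GPG signing option found", so the label claims more than the test proves. Allowing optional whitespace around `=` in the pattern would reduce false alarms. Per-repository files are not examined in the visible lines, so an OK here does not show that every repository is verified. The start of this test is outside the hunk.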
@@ -849,7 +849,7 @@ FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then FOUND=1 - Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN + Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN LogText "Result: Found security repository in /etc/apt/sources.list" for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` @@ -862,7 +862,7 @@ FIND=`egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then FOUND=1 - Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN + Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d" for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` @@ -874,7 +874,7 @@ LogText "Result: security repository was found" AddHP 3 3 else - Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED + Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory" AddHP 0 3 fi 
@@ -893,11 +893,11 @@ LogText "Test: Package database consistency by running apt-get check" FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?` if [ "${FIND}" = "0" ]; then - Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN + Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN LogText "Result: package database seems to be consistent." else LogText "Result: package database is most likely NOT consistent" - Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED + Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code." ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check." fi @@ -965,13 +965,13 @@ if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades" - Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED + Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED else - Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN + Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN LogText "Result: no vulnerable packages found" fi else - Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN + Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result "${STATUS_DONE}" --color GREEN LogText "Result: test not fully executed (missing apt-check output)" fi fi 
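Review bot: In the hunk at -965, the outer `else` branch logs "test not fully executed (missing apt-check output)" but displays `${STATUS_DONE}` in GREEN, which reads as a passed check on screen. An operator scanning the output would not see that vulnerable-package detection did not run. Suggest `--result "${STATUS_SKIPPED}" --color YELLOW`, matching what the yum branch at -808 does when its helper package is missing. The enclosing `if` starts outside the hunk.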
@@ -1007,10 +1007,10 @@ else if [ "${FIND}" = "0" ]; then LogText "Result; no vulnerable packages found via glsa-check" - Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result OK --color GREEN + Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_OK}" --color GREEN else VULNERABLE_PACKAGES_FOUND=1 - Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result FOUND --color RED + Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED LogText "Result: found ${FIND} security updates with glsa-check" ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check." LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified." @@ -1037,11 +1037,11 @@ FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: no packages found which can be upgraded" - Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN + Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN AddHP 3 3 else LogText "Result: found one or more packages which can be upgraded" - Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW + Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW # output: program/repository upgradeable from version X to Y for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` @@ -1050,7 +1050,7 @@ fi else LogText "Result: /usr/bin/apt-show-versions not found" - Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE + Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes" fi fi 
@@ -1064,7 +1064,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking for package audit tool" if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then - Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED + Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages" LogText "Result: no package audit tool found" else diff --git a/include/tests_printers_spools b/include/tests_printers_spools index 6d41b98c..050ff36f 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools @@ -44,17 +44,17 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching /usr/sbin/chkprintcap" if [ ! -f /usr/sbin/chkprintcap ]; then - Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking chkprintcap" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped." else LogText "Result: /usr/sbin/chkprintcap found" FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?` # Only an exit code of zero should come back. Use string instead of integer, due unexpected trash if [ "${FIND}" = "0" ]; then - Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN + Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_OK}" --color GREEN LogText "Result: chkprintcap did NOT gave any warnings" else - Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED + Display --indent 2 --text "- Integrity check of printcap file" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file" LogText "Output from chkprintcap: ${FIND}" LogText "Run chkprintcap and check the /etc/printcap file." 
@@ -72,11 +72,11 @@ #FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd` IsRunning cupsd if [ ${RUNNING} -eq 1 ]; then - Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: cups daemon running" CUPSD_RUNNING=1; PRINTING_DAEMON="cups" else - Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking cups daemon" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: cups daemon not running, cups daemon tests skipped" fi fi @@ -96,11 +96,11 @@ fi done if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then - Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN + Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_OK}" --color GREEN LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})" CUPSD_FOUND=1 else - Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED + Display --indent 2 --text "- Checking CUPS configuration file" --result "${STATUS_NOT_FOUND}" --color RED LogText "Result: configuration file not found" LogText "Development: no CUPS configuration file found" fi @@ -118,10 +118,10 @@ FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10` LogText "Result: found ${FIND}" if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then - Display --indent 4 --text "- File permissions" --result "OK" --color GREEN + Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN AddHP 1 1 else - Display --indent 4 --text "- File permissions" --result "WARNING" --color RED + Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict." AddHP 1 2 fi 
@@ -173,10 +173,10 @@ done if [ ${N} -eq 0 ]; then - Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE + Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_NONE}" --color WHITE LogText "Result: no addresses found on which CUPS daemon is listening" else - Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "${STATUS_FOUND}" --color GREEN LogText "Result: CUPS daemon is listening on network/socket" fi fi @@ -190,11 +190,11 @@ LogText "Test: Checking lpd status" IsRunning lpd if [ ${RUNNING} -eq 1 ]; then - Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_RUNNING}" --color GREEN LogText "Result: lp daemon running" LPD_RUNNING=1; PRINTING_DAEMON="lp" else - Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE + Display --indent 2 --text "- Checking lp daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE LogText "Result: lp daemon not running" AddHP 4 4 fi @@ -225,7 +225,7 @@ FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"` if [ ! "${FIND}" = "" ]; then LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" - Display --indent 2 --text "- Checking /etc/qconfig file" --result FOUND --color GREEN + Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN QDAEMON_CONFIG_ENABLED=1 else LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined" 
@@ -246,16 +246,16 @@ IsRunning qdaemon if [ ${RUNNING} -eq 1 ]; then LogText "Result: qdaemon daemon running" - Display --indent 2 --text "- Checking qdaemon daemon" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_RUNNING}" --color GREEN QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon" else if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then LogText "Result: qdaemon daemon not running" - Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color RED + Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color RED ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs" else LogText "Result: qdaemon daemon not running" - Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color WHITE + Display --indent 2 --text "- Checking qdaemon daemon" --result "${STATUS_NOT_RUNNING}" --color WHITE fi fi fi @@ -278,12 +278,12 @@ N=$((N + 1)) done LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir" - Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW + Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed" LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed" else LogText "Result: Old print jobs not found in /var/spool/lpd/qdir" - Display --indent 4 --text "- Checking old print jobs" --result "NONE" --color GREEN + Display --indent 4 --text "- Checking old print jobs" --result "${STATUS_NONE}" --color GREEN fi fi fi diff --git a/include/tests_scheduling b/include/tests_scheduling index 78a5f958..08cf0650 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling 
@@ -169,12 +169,12 @@ # Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings). if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)" - Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED + Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)" - Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED + Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED else - Display --indent 2 --text "- Checking crontab/cronjob" --result DONE --color GREEN + Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN fi fi @@ -189,12 +189,12 @@ FIND=$(${PSBINARY} ax | grep "/atd" | grep -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: at daemon active" - Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN + Display --indent 2 --text "- Checking atd status" --result "${STATUS_RUNNING}" --color GREEN ATD_RUNNING=1 Report "scheduler[]=atd" else LogText "Result: at daemon not active" - if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE; fi + if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "${STATUS_NOT_RUNNING}" --color WHITE; fi fi fi # 
@@ -259,9 +259,9 @@ AddHP 1 1 fi fi - Display --indent 4 --text "- Checking at users" --result DONE --color GREEN + Display --indent 4 --text "- Checking at users" --result "${STATUS_DONE}" --color GREEN else - Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW + Display --indent 4 --text "- Checking at users" --result "${STATUS_SKIPPED}" --color YELLOW fi fi # @@ -280,10 +280,10 @@ VALUE=$(echo ${I} | sed 's/!space!/ /g') LogText "Found at job: ${VALUE}" done - Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN + Display --indent 4 --text "- Checking at jobs" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no pending at jobs" - Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN + Display --indent 4 --text "- Checking at jobs" --result "${STATUS_NONE}" --color GREEN fi fi # diff --git a/include/tests_shells b/include/tests_shells index c267cf2b..9a060927 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -53,10 +53,10 @@ LogText "Test: Checking console TTYs" FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN + Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN LogText "Result: console is secured against single user mode without password." else - Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED + Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!" LogText "Output /etc/ttys:" LogText "${FIND}" 
@@ -208,10 +208,10 @@ fi if [ ${IDLE_TIMEOUT} -eq 1 ]; then - Display --indent 4 --text "- Session timeout settings/tools" --result "FOUND" --color GREEN + Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else - Display --indent 4 --text "- Session timeout settings/tools" --result "NONE" --color YELLOW + Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW AddHP 1 3 fi fi @@ -234,7 +234,7 @@ FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "Result: did not find umask configured in ${FILE}" - Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW + Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW else for UMASKVALUE in ${FIND}; do LogText "Result: found umask ${UMASKVALUE} in ${FILE}" @@ -249,7 +249,7 @@ esac done if [ ${HARDENING_POSSIBLE} -eq 0 ]; then - Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN + Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN AddHP 3 3 else Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW @@ -263,7 +263,7 @@ #if [ ${FOUND} -eq 1 ]; then # if [ ${HARDENING_POSSIBLE} -eq 0 ]; then # LogText "Result: all shell files found, contain a proper umask" - # Display --indent 4 --text "- Default umask" --result OK --color GREEN + # Display --indent 4 --text "- Default umask" --result "${STATUS_OK}" --color GREEN # fi #fi fi 
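Review bot: In the hunk at -249, the context line `--result WEAK --color YELLOW` in the `else` branch is still a literal, while the `OK` branch just above it was converted to `${STATUS_OK}`, so this one status stays untranslated. If a matching variable exists (presumably `STATUS_WEAK`, not shown in this diff), use `--result "${STATUS_WEAK}"`; otherwise define it alongside the other status strings. The enclosing loop and `if` begin outside the hunk.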
@@ -300,11 +300,11 @@ if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)" - Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED + Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "${STATUS_WARNING}" --color RED FOUND=1 else LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)" - #Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN + #Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "${STATUS_OK}" --color GREEN fi # CVE-2014-6277 (disabled, as this test was giving too much false positives) @@ -317,11 +317,11 @@ if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" LogText "Result: Vulnerable to CVE-2014-6278" - Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED + Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_WARNING}" --color RED FOUND=1 else LogText "Result: Not vulnerable to CVE-2014-6278" - #Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN + #Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "${STATUS_OK}" --color GREEN fi # CVE-2014-7169 
@@ -332,11 +332,11 @@ if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)" - Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED + Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "${STATUS_WARNING}" --color RED FOUND=1 else LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)" - #Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN + #Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "${STATUS_OK}" --color GREEN fi # CVE-2014-7186 @@ -347,11 +347,11 @@ if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" LogText "Result: Vulnerable to CVE-2014-7186" - Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED + Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "${STATUS_WARNING}" --color RED FOUND=1 else LogText "Result: Not vulnerable to CVE-2014-7186" - #Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN + #Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "${STATUS_OK}" --color GREEN fi # CVE-2014-7187 @@ -362,11 +362,11 @@ if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" LogText "Result: Vulnerable to CVE-2014-7187" - Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED + Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "${STATUS_WARNING}" --color RED FOUND=1 else LogText "Result: Not vulnerable to CVE-2014-7187" - #Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN + #Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "${STATUS_OK}" --color GREEN fi # CVE-2014-//// 
@@ -377,11 +377,11 @@ if [ ! "${VULNERABLE}" = "" ]; then LogText "Output: ${VULNERABLE}" LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)" - Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED + Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "${STATUS_WARNING}" --color RED FOUND=1 else LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)" - #Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN + #Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "${STATUS_OK}" --color GREEN fi else LogText "Result: bash binary found, but not executable, or it is symlinked" diff --git a/include/tests_snmp b/include/tests_snmp index f1931c9e..96588ec9 100644 --- a/include/tests_snmp +++ b/include/tests_snmp @@ -40,10 +40,10 @@ if [ ${RUNNING} -eq 1 ]; then SNMP_DAEMON_RUNNING=1 LogText "Result: SNMP daemon is running" - Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN + Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: No running SNMP daemon found" - Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking running SNMP daemon" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
@@ -63,10 +63,10 @@ done if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then LogText "Result: No snmpd configuration found" - Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}" - Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking SNMP configuration" --result "${STATUS_FOUND}" --color GREEN fi fi # @@ -91,10 +91,10 @@ # Check status of test if [ ${WARN} -eq 0 ]; then - Display --indent 2 --text "- Checking SNMP community strings" --result OK --color GREEN + Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_OK}" --color GREEN AddHP 2 2 else - Display --indent 2 --text "- Checking SNMP community strings" --result WARNING --color RED + Display --indent 2 --text "- Checking SNMP community strings" --result "${STATUS_WARNING}" --color RED ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string" fi fi diff --git a/include/tests_solaris b/include/tests_solaris index 1a38bfb3..96c23899 100644 --- a/include/tests_solaris +++ b/include/tests_solaris @@ -36,10 +36,10 @@ # if [ ! "${FIND}" = "" ]; then # SSH_DAEMON_RUNNING=1 # LogText "Result: Stop-A is disabled" -# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN +# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN # else # LogText "Result: Stop-A is NOT disabled" -# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE +# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE # fi # fi # 
@@ -55,10 +55,10 @@ # if [ ! "${FIND}" = "" ]; then # SSH_DAEMON_RUNNING=1 # LogText "Result: Stop-A is disabled" -# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN +# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN # else # LogText "Result: Stop-A is NOT disabled" -# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE +# Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE # fi # fi diff --git a/include/tests_squid b/include/tests_squid index f9f9507b..ee5e2b09 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -46,10 +46,10 @@ if [ ! "${FIND}" = "" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" - Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN + Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: No running Squid daemon found" - Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking running Squid daemon" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -75,10 +75,10 @@ done if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then LogText "Result: No Squid configuration file found" - Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Searching Squid configuration file" --result "${STATUS_NOT_FOUND}" --color YELLOW else LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}" - Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN + Display --indent 4 --text "- Searching Squid configuration" --result "${STATUS_FOUND}" --color GREEN fi fi # 
@@ -95,11 +95,11 @@ FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` if [ "${FIND}" = "" ]; then FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'` - Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking Squid version" --result "${STATUS_FOUND}" --color GREEN SQUID_VERSION="${FIND2}" else LogText "Result: test skipped for security reasons, setuid/setgid bit set" - Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED + Display --indent 4 --text "- Checking Squid version" --result "${STATUS_SKIPPED}" --color RED fi else LogText "Result: no Squid binary found" @@ -120,7 +120,7 @@ LogText "Found Squid option: ${I}" Report "squid_option=${I}" done - Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN + Display --indent 4 --text "- Checking defined Squid options" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# 
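Review bot: In the hunk at -95, the context line `find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print` matches only files whose mode is exactly 4000 or 2000. A binary with mode 4755 is therefore not detected and `${SQUIDBINARY} -v` still runs; the commit leaves this guard unchanged. The log message says the intent is to skip whenever the setuid/setgid bit is set, which needs the "these bits set" form: `find "${SQUIDBINARY}" \( -perm -4000 -o -perm -2000 \) -print`. The enclosing `if` starts outside the hunk.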
@@ -134,13 +134,13 @@ FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)` if [ ! "${FIND}" = "" ]; then LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" - Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED + Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access" ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive" AddHP 0 2 else LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions" - Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN + Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_OK}" --color GREEN AddHP 2 2 fi fi @@ -162,9 +162,9 @@ FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)" - Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW + Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_NONE}" --color YELLOW else - Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN + Display --indent 6 --text "- Checking Squid authentication methods" --result "${STATUS_FOUND}" --color GREEN for I in ${FIND}; do LogText "Result: found authentication method ${I}" Report "squid_auth_method=${I}" 
@@ -183,9 +183,9 @@ FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}` if [ "${FIND}" = "" ]; then LogText "No external_acl_type found" - Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW + Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_NONE}" --color YELLOW else - Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN + Display --indent 6 --text "- Checking Squid external authentication methods" --result "${STATUS_FOUND}" --color GREEN for I in ${FIND}; do LogText "Result: found external authentication method helper" LogText "Output: ${FIND}" @@ -206,7 +206,7 @@ FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: No ACLs found" - Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED + Display --indent 6 --text "- Checking Access Control Lists" --result "${STATUS_NONE}" --color RED else for I in ${FIND}; do N=$((N + 1)) @@ -231,7 +231,7 @@ FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"` if [ "${FIND}" = "" ]; then LogText "Result: no Safe_ports found" - Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW + Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports" else LogText "Result: checking ACL safe ports" @@ -245,7 +245,7 @@ for I in ${FIND}; do LogText "Found safe port: ${I}" done - Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN + Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 fi #SQUID_DAEMON_UNSAFE_PORTS_LIST 
@@ -253,10 +253,10 @@ LogText "Test: Checking port ${I} in Safe_ports list" FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` if [ "${FIND2}" = "" ]; then - Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN + Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 1 1 else - Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "FOUND" --color RED + Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "${STATUS_FOUND}" --color RED ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}" AddHP 0 1 fi @@ -282,13 +282,13 @@ FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then LogText "Result: option reply_body_max_size not configured" - Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED + Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_NONE}" --color RED AddHP 1 2 ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests." else LogText "Result: option reply_body_max_size configured" LogText "Output: ${FIND}" - Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN + Display --indent 6 --text "- Checking option: reply_body_max_size" --result "${STATUS_FOUND}" --color GREEN AddHP 2 2 fi fi 
@@ -309,13 +309,13 @@ FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"` if [ "${FIND}" = "" ]; then LogText "Result: option httpd_suppress_version_string not configured" - Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW + Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "${STATUS_NOT_FOUND}" --color YELLOW AddHP 1 2 ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version." else LogText "Result: option httpd_suppress_version_string configured" LogText "Output: ${FIND}" - Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN + Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "${STATUS_FOUND}" --color GREEN AddHP 2 2 fi fi diff --git a/include/tests_ssh b/include/tests_ssh index bcbdf0c4..708c05f1 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -42,13 +42,13 @@ IsRunning sshd if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then SSH_DAEMON_RUNNING=1 - Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN + Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN # Store settings in a temporary file CreateTempFile SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}" ${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE} else - Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
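Review bot: In the hunk at -309, the new `Display` line in the not-configured branch still spells the option `httpd_supress_version_string`, while the other branch and both `LogText` lines use `httpd_suppress_version_string`. Since the line is being rewritten anyway, fix the text: `--text "- Checking option: httpd_suppress_version_string"`. Anyone searching screen output for the option name would otherwise miss the not-configured case.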
@@ -79,11 +79,11 @@ done if [ "${SSH_DAEMON_CONFIG}" = "" ]; then LogText "Result: No sshd configuration found" - Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW + Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found" else LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}" - Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN + Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_FOUND}" --color GREEN fi fi # 
@@ -202,19 +202,19 @@ if [ "${RESULT}" = "GOOD" ]; then LogText "Result: SSH option ${OPTIONNAME} is configured very well" - Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN + Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN AddHP 3 3 elif [ "${RESULT}" = "MIDSCORED" ]; then LogText "Result: SSH option ${OPTIONNAME} is configured reasonably" ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" - Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW + Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 1 3 elif [ "${RESULT}" = "WEAK" ]; then LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed" ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" - Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result SUGGESTION --color RED + Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 0 3 elif [ "${RESULT}" = "UNKNOWN" ]; then LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)" 
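Review bot: The WEAK branch now renders exactly like MIDSCORED: its Display line went from `--result SUGGESTION --color RED` to `--result "${STATUS_SUGGESTION}" --color YELLOW`, and MIDSCORED went from `"MEDIUM"` to the same constant. A weak sshd setting is therefore no longer distinguishable on screen from a merely sub-optimal one, although `AddHP 0 3` still scores it as the worst case. That is a severity change folded into an otherwise mechanical substitution. If it is not intended, keep the colour, `--result "${STATUS_SUGGESTION}" --color RED`, or use `"${STATUS_WARNING}"` as the time tests do. The if/elif chain on `${RESULT}` starts and ends outside this hunk.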
@@ -222,7 +222,7 @@ Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|" else LogText "Result: Option ${OPTIONNAME} not found in output" - Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE fi else if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi @@ -243,22 +243,22 @@ FIND=`egrep -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'` if [ ! "${FIND}" = "" ]; then LogText "Result: AllowUsers set, with value ${FIND}" - Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN + Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN FOUND=1 else LogText "Result: AllowUsers is not set" - Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE fi # AllowGroups FIND=`egrep -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | awk '{ print $2 }'` if [ ! "${FIND}" = "" ]; then LogText "Result: AllowUsers set ${FIND}" - Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN + Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN FOUND=1 else LogText "Result: AllowGroups is not set" - Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE fi if [ ${FOUND} -eq 1 ]; then diff --git a/include/tests_storage b/include/tests_storage index 3ba38e57..1f95699b 100644 --- a/include/tests_storage +++ b/include/tests_storage 
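Review bot: The context line `Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"` has lost the opening brace of its first expansion, so the report entry carries the configuration path followed by a literal `}`. Anything that parses the report on the `|` separator gets a wrong file name for the unknown option. This hunk already edits the neighbouring branch, so it is a natural place to correct it: `Report "unknown_config_option[]=ssh|${SSH_DAEMON_CONFIG}|${OPTIONNAME}|"`. The surrounding if/elif chain begins before the hunk.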
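Review bot: In the AllowGroups branch of the second hunk, the log line still reads `LogText "Result: AllowUsers set ${FIND}"`, so the audit log attributes the group list to the wrong option. It should mirror the branch above: `LogText "Result: AllowGroups set, with value ${FIND}"`. Both lookups also pass `${SSH_DAEMON_OPTIONS_FILE}` unquoted to egrep; quoting it costs nothing since the value is a temp-file path.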
@@ -61,7 +61,7 @@ AddHP 2 3 else LogText "Result: usb-storage driver is disabled" - Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN + Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN AddHP 3 3 fi fi @@ -91,13 +91,13 @@ if [ ${FOUND} -eq 1 ]; then LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "ENABLED" --color YELLOW + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW # To-Be-Added: create documentation and enable the suggestion #ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft" AddHP 0 3 else LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "DISABLED" --color GREEN + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN AddHP 3 3 fi fi @@ -141,7 +141,7 @@ AddHP 2 3 else LogText "Result: firewire ohci driver is disabled" - Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN + Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN AddHP 3 3 fi fi diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index b541920c..154b688b 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs 
@@ -41,7 +41,7 @@ for I in ${FIND}; do LogText "rpcinfo: ${I}" done - Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN + Display --indent 2 --text "- Query rpc registered programs" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# @@ -56,7 +56,7 @@ for I in ${FIND}; do LogText "Found version: ${I}" done - Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN + Display --indent 2 --text "- Query NFS versions" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# @@ -84,7 +84,7 @@ if [ "${FIND}" = "" ]; then LogText "Output: no NFS port number found" fi - Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN + Display --indent 2 --text "- Query NFS protocols" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# @@ -97,10 +97,10 @@ FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"` if [ "${FIND}" = "" ]; then LogText "Output: NFS daemon is not running" - Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Output: NFS daemon is running" - Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN + Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_FOUND}" --color GREEN NFS_DAEMON_RUNNING=1 fi fi 
@@ -132,10 +132,10 @@ LogText "Result: /etc/exports does not contain exported file systems" NFS_EXPORTS_EMPTY=1 fi - Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN + Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: file /etc/exports does not exist" - Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE + Display --indent 4 --text "- Checking /etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -147,7 +147,7 @@ Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" if [ ${SKIPTEST} -eq 0 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then - Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW + Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: /etc/exports seems to have no exported file systems" ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system" fi @@ -169,7 +169,7 @@ AddHP 2 3 else LogText "Result: only some clients are allowed to access a NFS share" - Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN + Display --indent 4 --text "- Checking NFS client access" --result "${STATUS_OK}" --color GREEN AddHP 3 3 fi fi diff --git a/include/tests_time b/include/tests_time index 77fcb79e..4b91ef2b 100644 --- a/include/tests_time +++ b/include/tests_time @@ -58,7 +58,7 @@ IsRunning chronyd if [ ${RUNNING} -eq 1 ]; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" - Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN + Display --indent 2 --text "- NTP daemon found: chronyd" --result "${STATUS_FOUND}" --color GREEN fi fi 
@@ -66,7 +66,7 @@ IsRunning dntpd if [ ${RUNNING} -eq 1 ]; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd" - Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN + Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN fi # Check running processes @@ -75,14 +75,14 @@ FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1 NTP_DAEMON="ntpd" LogText "Result: found running NTP daemon in process list" - Display --indent 2 --text "- NTP daemon found: ntpd" --result FOUND --color GREEN + Display --indent 2 --text "- NTP daemon found: ntpd" --result "${STATUS_FOUND}" --color GREEN fi # Check time daemon (eg NetBSD) IsRunning timed if [ ${RUNNING} -eq 1 ]; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed" - Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN + Display --indent 2 --text "- NTP daemon found: timed" --result "${STATUS_FOUND}" --color GREEN fi # Check timedate daemon (systemd) @@ -92,7 +92,7 @@ # Check for systemd-timesyncd if [ -f /etc/systemd/timesyncd.conf ]; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" - Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN + Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN SYSTEMD_NTP_ENABLED=1 fi else 
@@ -109,10 +109,10 @@ FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'` if [ ! "${FIND}" = "" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 - Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN + Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found ntpdate or rdate reference in crontab file ${I}" else - #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE + #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: no ntpdate or rdate reference found in crontab file ${I}" fi else @@ -144,10 +144,10 @@ done if [ ${FOUND_IN_CRON} -eq 1 ]; then - Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN + Display --indent 2 --text "- Checking NTP client in cron files" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found ntpdate or rdate in cron directory" else - #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE + #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "${STATUS_NOT_FOUND}" --color WHITE LogText "Result: no ntpdate or rdate found in cron directories" fi @@ -157,7 +157,7 @@ LogText "Result: found ntpdate action when network interface comes up" FOUND=1 NTP_CONFIG_TYPE_EVENTBASED=1 - Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN + Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: file /etc/network/if-up.d/ntpdate does not exist" fi 
@@ -183,13 +183,13 @@ if [ ${ISVIRTUALMACHINE} -eq 1 ]; then LogText "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself" else - Display --indent 2 --text "- Checking for a running NTP daemon or client" --result WARNING --color RED + Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_WARNING}" --color RED LogText "Result: Could not find a NTP daemon or client" ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues." AddHP 0 2 fi else - Display --indent 2 --text "- Checking for a running NTP daemon or client" --result OK --color GREEN + Display --indent 2 --text "- Checking for a running NTP daemon or client" --result "${STATUS_OK}" --color GREEN LogText "Result: Found a time syncing daemon/client." AddHP 3 3 fi @@ -220,10 +220,10 @@ LogText "Test: Checking for NTP association ID's from ntpq peers list" FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking valid association ID's" --result FOUND --color GREEN + Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found one or more association ID's" else - Display --indent 2 --text "- Checking valid association ID's" --result WARNING --color RED + Display --indent 2 --text "- Checking valid association ID's" --result "${STATUS_WARNING}" --color RED ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service." fi fi 
@@ -239,7 +239,7 @@ LogText "Test: Checking stratum 16 sources from ntpq peers list" FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN + Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN LogText "Result: All peers are lower than stratum 16" else for I in ${FIND}; do @@ -253,10 +253,10 @@ done # Check if one or more high stratum time servers are found if [ ${N} -eq 0 ]; then - Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN + Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_OK}" --color GREEN LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile" else - Display --indent 2 --text "- Checking high stratum ntp peers" --result WARNING --color RED + Display --indent 2 --text "- Checking high stratum ntp peers" --result "${STATUS_WARNING}" --color RED LogText "Result: Found one or more high stratum (16) peers)" ReportSuggestion ${TEST_NO} "Check ntpq peers output" ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers" @@ -276,10 +276,10 @@ LogText "Test: Checking unreliable ntp peers" FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking unreliable ntp peers" --result NONE --color GREEN + Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN LogText "Result: No unreliable peers found" else - Display --indent 2 --text "- Checking unreliable ntp peers" --result FOUND --color YELLOW + Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_FOUND}" --color YELLOW LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)" for I in ${FIND}; do LogText "Unreliable peer: ${I}" 
@@ -300,11 +300,11 @@ FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'` FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'` if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then - Display --indent 2 --text "- Checking selected time source" --result OK --color GREEN + Display --indent 2 --text "- Checking selected time source" --result "${STATUS_OK}" --color GREEN FIND2=`echo ${FIND2} | sed 's/*//g'` LogText "Result: Found selected time source (value: ${FIND2})" else - Display --indent 2 --text "- Checking selected time source" --result WARNING --color RED + Display --indent 2 --text "- Checking selected time source" --result "${STATUS_WARNING}" --color RED LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with." LogText "Local source: ${FIND}" ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source" @@ -321,11 +321,11 @@ LogText "Test: Checking preferred time source" FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW + Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_NONE}" --color YELLOW LogText "Result: No other time source candidates found" ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates" else - Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN + Display --indent 2 --text "- Checking time source candidates" --result "${STATUS_OK}" --color GREEN LogText "Result: Found one or more candidates to synchronize time with." for I in ${FIND}; do I=`echo ${I} | sed 's/+//g'` 
@@ -344,10 +344,10 @@ LogText "Test: Checking preferred time source" FIND=`${NTPQBINARY} -p -n | grep '^x'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN + Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN LogText "Result: No falsetickers found (items preceeding with an 'x')" else - Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW + Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_NONE}" --color YELLOW LogText "Result: Found one or more falsetickers (items preceeding with an 'x')" for I in ${FIND}; do I=`echo ${I} | sed 's/x//g'` @@ -368,11 +368,11 @@ LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)" FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'` if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW + Display --indent 2 --text "- Checking NTP version" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: No NTP version found" ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version" else - Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN + Display --indent 2 --text "- Checking NTP version" --result "${STATUS_FOUND}" --color GREEN LogText "Result: Found NTP version ${FIND}" Report "ntp_version=${FIND}" fi @@ -404,7 +404,7 @@ ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization" else LogText "Result: /etc/ntp/step-tickers is not empty, which is fine" - Display --indent 2 --text "- Checking NTP step-tickers file" --result "OK" --color GREEN + Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'` for I in ${sFIND}; do FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l` 
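Review bot: The branch that runs when falsetickers were found displays `--result "${STATUS_NONE}" --color YELLOW`, which reads as "none" on screen next to a log line that says one or more were found. The substitution carried the old literal over unchanged. The line should report the finding, for example `--result "${STATUS_FOUND}" --color YELLOW`, which is what the unreliable-peers test does in its equivalent branch. The `for` loop that follows continues past the end of the hunk.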
@@ -420,7 +420,7 @@ ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file" AddHP 3 4 else - Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result OK --color GREEN + Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN LogText "Result: all time servers are in step-tickers file" AddHP 4 4 fi diff --git a/include/tests_tooling b/include/tests_tooling index aedd9728..5ee29b8e 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -54,7 +54,7 @@ AUTOMATION_TOOL_FOUND=1 CFENGINE_AGENT_FOUND=1 Report "automation_tool_running[]=cf-agent" - Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN + Display --indent 4 --text "Found: Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN fi OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin" for I in ${OTHER_CFENGINE_LOCATIONS}; do @@ -64,7 +64,7 @@ AUTOMATION_TOOL_FOUND=1 CFENGINE_AGENT_FOUND=1 Report "automation_tool_running[]=cf-agent" - Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN + Display --indent 4 --text "Found: CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN fi IsRunning "cf-server" if [ ${RUNNING} -eq 1 ]; then @@ -72,7 +72,7 @@ AUTOMATION_TOOL_FOUND=1 CFENGINE_SERVER_RUNNING=1 Report "automation_tool_running[]=cf-server" - Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN + Display --indent 4 --text "Found: CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN fi fi done @@ -85,7 +85,7 @@ CHEFCLIENTBINARY="${I}/chef-client" AUTOMATION_TOOL_FOUND=1 Report "automation_tool_running[]=chef-client" - Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN + Display --indent 4 --text "Found: Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found chef-client (chef client daemon) in ${I}" fi if [ -f ${I}/erchef ]; then 
@@ -93,7 +93,7 @@ LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})" AUTOMATION_TOOL_FOUND=1 Report "automation_tool_running[]=chef-server" - Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN + Display --indent 4 --text "Found: Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found erchef (chef server daemon) in ${I}" fi fi @@ -104,14 +104,14 @@ LogText "Result: Puppet is installed (${PUPPETBINARY})" AUTOMATION_TOOL_FOUND=1 Report "automation_tool_running[]=puppet-agent" - Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN + Display --indent 4 --text "Found: Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN fi IsRunning "puppet master" if [ ${RUNNING} -eq 1 ]; then LogText "Result: found puppet master" PUPPET_MASTER_RUNNING=1 Report "automation_tool_running[]=puppet-master" - Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN + Display --indent 4 --text "Found: Puppet (master)" --result "${STATUS_FOUND}" --color GREEN fi # SaltStack @@ -120,14 +120,14 @@ AUTOMATION_TOOL_FOUND=1 SALT_MINION_RUNNING=1 Report "automation_tool_running[]=saltstack-minion" - Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN + Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN fi if [ ! "${SALTMASTERBINARY}" = "" ]; then LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" AUTOMATION_TOOL_FOUND=1 SALT_MASTER_RUNNING=1 Report "automation_tool_running[]=saltstack-minion" - Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN + Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN else IsRunning "salt-master" if [ ${RUNNING} -eq 1 ]; then 
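Review bot: In the SaltStack hunk, the branch taken when `${SALTMASTERBINARY}` is set writes `Report "automation_tool_running[]=saltstack-minion"`, so a Salt master ends up in the report as a second minion entry. The process-based branch in the next hunk uses `saltstack-master`, so this line should be `Report "automation_tool_running[]=saltstack-master"`. The same branch sets `SALT_MASTER_RUNNING=1` from the binary's presence alone, while its LogText line only says "is installed". Consider setting the flag only after `IsRunning "salt-master"` succeeds. The else branch continues outside the hunk.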
@@ -135,14 +135,14 @@ AUTOMATION_TOOL_FOUND=1 SALT_MASTER_RUNNING=1 Report "automation_tool_running[]=saltstack-master" - Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN + Display --indent 4 --text "Found: SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN fi fi if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then - Display --indent 2 --text "- Automation tooling" --result FOUND --color GREEN + Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN else - Display --indent 2 --text "- Automation tooling" --result "NOT FOUND" --color YELLOW + Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management" fi fi @@ -164,7 +164,7 @@ IDS_IPS_TOOL_FOUND=1 LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})" Report "ids_ips_tooling[]=fail2ban" - Display --indent 2 --text "- Checking presence of Fail2ban" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Fail2ban not present (fail2ban-server not found)" fi 
@@ -202,14 +202,14 @@ if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then LogText "No registered actions found in ${FAIL2BAN_CONFIG}" - Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color RED + Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED ReportWarning "${TEST_NO}" "M" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban." AddHP 0 3 fi if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts" - Display --indent 4 --text "- Checking Fail2ban actions" --result OK --color GREEN + Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN AddHP 3 3 fi @@ -222,7 +222,7 @@ if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts" - Display --indent 4 --text "- Checking Fail2ban actions" --result NONE --color YELLOW + Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts." AddHP 1 3 fi 
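Review bot: The warning in the first branch passes its arguments as `ReportWarning "${TEST_NO}" "M" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."`, with the config path where the other ReportWarning calls on this page put the message. Judging by those calls (the helper's definition is not visible here), the report would show the file name as the warning text. Swapping the last two arguments, `ReportWarning "${TEST_NO}" "M" "There are no actions configured for Fail2ban." "${FAIL2BAN_CONFIG}"`, matches the "All jails in Fail2ban are disabled" call further down.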
@@ -233,11 +233,11 @@ FIND=`egrep "^enabled\s*=\s*true" ${FAIL2BAN_CONFIG}` if [ ! "${FIND}" = "" ]; then LogText "Result: found at least one enabled jail" - Display --indent 4 --text "- Checking Fail2ban jails" --result ENABLED --color GREEN + Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 else LogText "Result: Fail2ban installed but completely disabled" - Display --indent 4 --text "- Checking Fail2ban jails" --result DISABLED --color RED + Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED AddHP 0 3 ReportWarning "${TEST_NO}" "M" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}" fi @@ -250,15 +250,15 @@ CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban` if [ ! "${CHECK_CHAINS}" = "" ]; then LogText "Result: found at least one iptables chain for fail2ban" - Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result OK --color GREEN + Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN else LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work" - Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED + Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED AddHP 0 3 ReportSuggestion "${TEST_NO}" "M" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}" fi else - Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result WARNING --color RED + Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED ReportSuggestion "${TEST_NO}" "H" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}" fi fi 
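Review bot: Both ReportSuggestion calls in the iptables hunk pass a severity letter as their second argument (`"M"` and `"H"`), which is the ReportWarning calling shape. The other ReportSuggestion calls on this page put the message directly after the test number, so the suggestion text would presumably come out as "M" or "H". Drop the letter, e.g. `ReportSuggestion "${TEST_NO}" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"`, or switch to ReportWarning if a severity is intended. Separately, `grep fail2ban` only matches chains carrying that literal name; Fail2ban releases that prefix their chains with `f2b-` would be reported as missing, which is worth confirming.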
@@ -272,10 +272,10 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then - Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result FOUND --color GREEN + Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_FOUND}" --color GREEN AddHP 2 2 else - Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result NONE --color YELLOW + Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_NONE}" --color YELLOW #ReportSuggestion ${TEST_NO} "Ensure that automatic intrusion detection/prevention tools are installed" AddHP 0 2 fi diff --git a/include/tests_virtualization b/include/tests_virtualization index 1055097f..c8d9cc8e 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -40,9 +40,9 @@ # if [ ! "${VMWARETOOLSBINARY}" = "" ]; then # LogText "Result: VMware tools binary found" # VMWARE_GUEST=1 -# Display --indent 4 --text "- Checking VMware tools daemon" --result FOUND --color GREEN +# Display --indent 4 --text "- Checking VMware tools daemon" --result "${STATUS_FOUND}" --color GREEN # else -# Display --indent 4 --text "- Checking VMware tools daemon" --result "NOT FOUND" --color WHITE +# Display --indent 4 --text "- Checking VMware tools daemon" --result "${STATUS_NOT_FOUND}" --color WHITE # fi # # fi diff --git a/include/tests_webservers b/include/tests_webservers index c824d0aa..0cbfb4a3 100644 --- a/include/tests_webservers +++ b/include/tests_webservers 
@@ -56,7 +56,7 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then HTTPDBINARY=""; fi if [ "${HTTPDBINARY}" = "" ]; then - Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Test: Scanning for Apache binary" IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'` @@ -64,7 +64,7 @@ LogText "Result: ${HTTPDBINARY} is not Apache" Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE else - Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN + Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "${STATUS_FOUND}" --color GREEN LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon" APACHE_INSTALLED=1 APACHE_VERSION=`${HTTPDBINARY} -v 2> /dev/null | grep "^Server version:" | awk '{ print $3 }' | awk -F/ '{ print $2 }'` @@ -205,7 +205,7 @@ # # Check if option ServerTokens is configured # SERVERTOKENSTEST=`grep ServerTokens ${APACHE_CONFIGFILE} | grep -v '^#'` # if [ ! "${SERVERTOKENSTEST}" = "" ]; then -# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE +# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_FOUND}" --color WHITE # SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '` # LogText "Option ServerTokens found: ${SERVERTOKENSTEST}" # SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3` @@ -218,7 +218,7 @@ # LogText "Expected: ${SERVERTOKENSEXPECTED}" # fi # else -# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE +# Display --indent 4 --text "- Checking option ServerTokens" --result "${STATUS_NOT_FOUND}" --color WHITE # fi # # else 
@@ -229,9 +229,9 @@ # # # Display results from checks # if [ ${SERVERTOKENSFOUND} -eq 1 ]; then -# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN +# Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_OK}" --color GREEN # else -# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED +# Display --indent 6 --text "- Value of ServerTokens" --result "${STATUS_WARNING}" --color RED # ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template" # fi # fi @@ -280,10 +280,10 @@ fi done if [ ${N} -eq 0 ]; then - Display --indent 4 --text "* Loadable modules" --result "NONE" --color WHITE + Display --indent 4 --text "* Loadable modules" --result "${STATUS_NONE}" --color WHITE ReportException "${TEST_NO}:1" "No loadable Apache modules found" else - Display --indent 4 --text "* Loadable modules" --result "FOUND" --color GREEN + Display --indent 4 --text "* Loadable modules" --result "${STATUS_FOUND}" --color GREEN Display --indent 8 --text "- Found ${N} loadable modules" fi fi @@ -298,10 +298,10 @@ # Check modules, module CheckItem "apache_module" "/mod_evasive([0-9][0-9])?.so" if [ ${ITEM_FOUND} -eq 1 ]; then - Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result FOUND --color GREEN + Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else - Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "NOT FOUND" --color WHITE + Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts" fi 
@@ -317,10 +317,10 @@ # Check modules, module CheckItem "apache_module" "/mod_qos.so" if [ ${ITEM_FOUND} -eq 1 ]; then - Display --indent 10 --text "mod_qos: anti-Slowloris" --result FOUND --color GREEN + Display --indent 10 --text "mod_qos: anti-Slowloris" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else - Display --indent 10 --text "mod_qos: anti-Slowloris" --result "NOT FOUND" --color WHITE + Display --indent 10 --text "mod_qos: anti-Slowloris" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 ReportSuggestion ${TEST_NO} "Install Apache mod_qos to guard webserver against Slowloris attacks" fi @@ -337,10 +337,10 @@ # # Check modules, module # CheckItem "apache_module" "/mod_spamhaus.so" # if [ ${ITEM_FOUND} -eq 1 ]; then - # Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result FOUND --color GREEN + # Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_FOUND}" --color GREEN # AddHP 3 3 # else - # Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "NOT FOUND" --color WHITE + # Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "${STATUS_NOT_FOUND}" --color WHITE # AddHP 2 3 # ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers" # fi @@ -356,10 +356,10 @@ # Check modules, module CheckItem "apache_module" "/mod_security2.so" if [ ${ITEM_FOUND} -eq 1 ]; then - Display --indent 10 --text "ModSecurity: web application firewall" --result FOUND --color GREEN + Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else - Display --indent 10 --text "ModSecurity: web application firewall" --result "NOT FOUND" --color WHITE + Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_NOT_FOUND}" --color WHITE AddHP 2 3 ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks" fi 
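Review bot: The ModSecurity check in the @@ -356,10 hunk awards `AddHP 3 3` and prints a green result as soon as `CheckItem "apache_module" "/mod_security2.so"` matches. As far as the hunk shows, that tests only that the module file is listed, not that the rule engine is enabled or that any rules are loaded. A module that is loaded but left in detection-only or disabled mode would still get full hardening points. A comment above the check, `# Presence only: does not verify that ModSecurity is enabled or has rules loaded`, would keep readers of the report from over-trusting the result; the mod_evasive and mod_qos hunks (@@ -298,10, @@ -317,10) follow the same pattern. The test body starts outside the hunk.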
@@ -381,11 +381,11 @@ FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"` if [ ! "${FIND}" = "" ]; then LogText "Result: found running nginx process(es)" - Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN + Display --indent 2 --text "- Checking nginx" --result "${STATUS_FOUND}" --color GREEN NGINX_RUNNING=1 else LogText "Result: no running nginx process found" - Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Checking nginx" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # @@ -406,10 +406,10 @@ if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then LogText "Result: found nginx configuration file" Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}" - Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN + Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no nginx configuration file found" - Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE + Display --indent 2 --text "- Searching nginx configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # 
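Review bot: The two branches of the nginx configuration-file check in the @@ -406,10 hunk use different indents: the found branch prints with `--indent 4`, the not-found branch with `--indent 2`, so the same item moves a level depending on the outcome. Since the line is being touched anyway, align it: `Display --indent 4 --text "- Searching nginx configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE`. Which level is intended is a guess from the sibling line; the enclosing test starts outside the hunk.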
@@ -486,39 +486,39 @@ NGINX_SSL_SUGGESTION=0 if [ ${NGINX_SSL_ON} -eq 1 ]; then LogText "Result: SSL is configured in nginx on one or more virtual hosts" - Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN + Display --indent 6 --text "- SSL configured" --result "${STATUS_YES}" --color GREEN AddHP 5 5 # Cipher tests if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then - Display --indent 8 --text "- Ciphers configured" --result "YES" --color GREEN + Display --indent 8 --text "- Ciphers configured" --result "${STATUS_YES}" --color GREEN else - Display --indent 8 --text "- Ciphers configured" --result "NO" --color RED + Display --indent 8 --text "- Ciphers configured" --result "${STATUS_NO}" --color RED NGINX_SSL_SUGGESTION=1 fi if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then - Display --indent 8 --text "- Prefer server ciphers" --result "YES" --color GREEN + Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_YES}" --color GREEN else - Display --indent 8 --text "- Prefer server ciphers" --result "NO" --color RED + Display --indent 8 --text "- Prefer server ciphers" --result "${STATUS_NO}" --color RED NGINX_SSL_SUGGESTION=1 fi if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then - Display --indent 8 --text "- Protocols configured" --result "YES" --color GREEN + Display --indent 8 --text "- Protocols configured" --result "${STATUS_YES}" --color GREEN if [ ${NGINX_WEAK_SSL_PROTOCOL_FOUND} -eq 0 ]; then - Display --indent 10 --text "- Insecure protocols found" --result "NO" --color GREEN + Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_NO}" --color GREEN else - Display --indent 10 --text "- Insecure protocols found" --result "YES" --color RED + Display --indent 10 --text "- Insecure protocols found" --result "${STATUS_YES}" --color RED ReportSuggestion "${TEST_NO}" "Disable weak protocol in nginx configuration" fi else - Display --indent 8 --text "- Protocols configured" --result "NO" --color RED + Display --indent 8 
--text "- Protocols configured" --result "${STATUS_NO}" --color RED NGINX_SSL_SUGGESTION=1 fi else LogText "Result: No SSL configuration found" - Display --indent 6 --text "- SSL configured" --result "NO" --color RED + Display --indent 6 --text "- SSL configured" --result "${STATUS_NO}" --color RED NGINX_SSL_SUGGESTION=1 AddHP 1 5 fi @@ -542,19 +542,19 @@ # Check for missing access log if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 - Display --indent 8 --text "- Missing log files (access_log)" --result "YES" --color RED + Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_YES}" --color RED else - Display --indent 8 --text "- Missing log files (access_log)" --result "NO" --color GREEN + Display --indent 8 --text "- Missing log files (access_log)" --result "${STATUS_NO}" --color GREEN fi # Access log disabled if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 LogText "Result: found one or more virtual hosts which have their access log disabled" - Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED + Display --indent 8 --text "- Disabled access logging" --result "${STATUS_YES}" --color RED AddHP 2 3 else LogText "Result: no virtual hosts found which have their access log disabled" - Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN + Display --indent 8 --text "- Disabled access logging" --result "${STATUS_NO}" --color GREEN AddHP 3 3 fi # Report suggestion 
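Review bot: In the @@ -486,39 hunk the hardening score does not reflect weak protocols: `AddHP 5 5` is granted as soon as `NGINX_SSL_ON` is 1, and the `NGINX_WEAK_SSL_PROTOCOL_FOUND` branch that prints a red result only calls `ReportSuggestion`. The missing-ciphers and missing-protocols branches likewise only set `NGINX_SSL_SUGGESTION=1`. If that is intentional, a comment next to the award, `# Points are for TLS being enabled; cipher/protocol quality is reported as a suggestion only`, would make it explicit; otherwise the award could move after the sub-checks. The enclosing test starts outside the hunk.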
@@ -574,9 +574,9 @@ # Check for missing access log if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 - Display --indent 8 --text "- Missing log files (error_log)" --result "YES" --color RED + Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_YES}" --color RED else - Display --indent 8 --text "- Missing log files (error_log)" --result "NO" --color GREEN + Display --indent 8 --text "- Missing log files (error_log)" --result "${STATUS_NO}" --color GREEN fi # Report suggestion if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then @@ -596,11 +596,11 @@ if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then NGINX_LOG_SUGGESTION=1 LogText "Result: found one or more virtual hosts which have their error log in debug mode" - Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED + Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_YES}" --color RED AddHP 2 3 else LogText "Result: no virtual hosts found which have their access log disabled" - Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN + Display --indent 8 --text "- Debugging mode on error_log" --result "${STATUS_NO}" --color GREEN AddHP 3 3 fi # Report suggestion @@ -626,7 +626,7 @@ # done # if [ ${N} -eq 0 ]; then # LogText "Result: no reverse proxying functionality found" -# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE +# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${STATUS_NOT_FOUND}" --color WHITE # else # LogText "Result: found ${N} addresses for which nginx will be a reverse proxy" # Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN 
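Review bot: The else branch of the debug-mode check in the @@ -596,11 hunk logs `Result: no virtual hosts found which have their access log disabled`, apparently carried over from the access-log test, so the log file misdescribes this result. It should read `LogText "Result: no virtual hosts found which have their error log in debug mode"`. The @@ -574,9 hunk has the same kind of leftover in its comment `# Check for missing access log` above the `NGINX_ERROR_LOG_MISSING` test, which should say error log. Both tests start outside their hunks.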
@@ -652,7 +652,7 @@ # done # if [ ${N} -eq 0 ]; then # LogText "Result: no virtual hosts found" -# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE +# Display --indent 4 --text "- Searching virtual hosts" --result "${STATUS_NOT_FOUND}" --color WHITE # else # LogText "Result: found ${N} virtual hosts" # Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN